As our buildings become more complex, with the number of IoT connected devices and cloud services growing exponentially, the threat and chance of cyber-attacks becomes even greater. So, how can we understand these challenges and prevent them from happening in the future?
The Challenges of Smart Buildings
Today’s buildings systems often fall short of effectively managing any potential cyber intrusion. This is a direct result of there being an obvious disconnect between groups managing information technology (IT), who have extensive cyber-security knowledge and the groups managing building operational technology (OT), who have the building management system (BMS) operational knowledge. Previously, BMS required specialised knowledge of systems and protocols and didn’t require access to corporate network resources or the internet. Therefore, the security of a BMS network predominantly relied on obscurity and the lack of external connectivity. However, in this day and age, the evolution of BMS technology has meant that typical BMS control systems now use a combination of OT protocols, including ModBus and BACnet, as well as IT protocols such as HTTP and FTP. This has revolutionised the way smart buildings operate but it has also affected how they can be targeted from a cyber perspective.
The evolution of BMS technology is essentially a gold mine for hackers. Coupled with the disconnect between IT groups and OT groups, the de facto operational model for buildings needs to change. In recent years there have even been hacker communities and research groups that specialise in cyberattacks targeting smart buildings to retract important data. Ultimately, the problem starts with the network of a BMS. This network can be deemed as a way in to the wider IT network of an organisation. Hence, not only does the management system itself become the target but so does the whole company.
To mitigate these attacks and realise the full potential of smart buildings, operators and occupiers need to alter how smart building control systems are architected and managed from a cybersecurity perspective. Setting aside organisational barriers and acknowledging the IT/OT disconnect is the critical first step towards implementing and operating cyber secure smart building control systems. Luckily, there has already been strong support in the OT control systems industry to address the security challenges being faced today.
Better yet, industry associations have risen to the need for common OT cyber-security best practices, in particular with the development of the IEC 62443 global set of cyber-security standards. This is set to improve safety, availability, integrity and confi dentiality of systems used for industrial automation and control.
Fundamentally, there are four key ways that organisations can create a secure and operational smart building:
1. Assess and protect legacy OT building control systems
2. Choose IoT devices and vendors that follow a Secure Development Lifecycle approach
3. Implement secure OT building control system architectures
4. Bridge the secure OT building control systems through an IT Security Monitoring Zone
The vulnerability of a BMS system working with these two sets of protocols lays on the disconnect between the groups in the IT team, who have the cyber security knowledge and the OT team, who have the operational knowledge. The smarter your building gets and the less these two groups work with each other, the more vulnerable technology will become resulting in the increase of external cyberattacks. Teams need to work together to create a more secure system and organisations must adhere to certain practices to keep their building as secure as possible.
(The author, Ram Venkat, is an Energy Management Professional and Evangelist, and is currently working in the UKI Eco-Building Marketing team, Schneider Electric)