Almost every large building has systems to control and monitor power and lighting, temperature and ventilation, elevators and more, known collectively as building management systems, says Lani Refiti, Regional Manager from Claroty ANZ.
Historically, building management systems (BMS) were siloed with their own control facilities, connected on separate dedicated networks. Increasingly, BMSs are integrated and connected to IT systems used for business management and administration.
Additionally, with the rise of the Internet of Things (IoT) over the past decade, the number of “smart buildings” has increased dramatically, and these require far more monitoring and control devices than their older and simpler counterparts. The number of IoT devices installed worldwide for building monitoring and management was estimated at 1.7 billion at the end of 2020 and is expected to exceed three billion by 2025.
Interconnecting the BMS with IT systems is just one aspect of the digital transformation journey that nearly every organization goes through. While digital transformation allows organizations to increase efficiency, gain insight into their operations, and leverage those gains for competitive advantage, it also presents some challenges.
When a BMS is connected to the Internet, it becomes potentially accessible to a multitude of cybercriminals looking to disrupt operations or steal data for commercial gain. Unfortunately, BMSs can often be an easy target for malicious actors: because of their long history of isolation, many BMSs lack the security features that are standard in modern computing systems and devices.
In a high-profile example, the American chain of stores Target was hacked through its air conditioning monitoring system which was connected to the computer network. The attacker was able to access the credit and debit card information of 40 million customers by exploiting a weakness in the security of the air conditioning system, which then provided a gateway to the rest of the computer network.
The researchers then estimated that there were tens of thousands of similar air conditioning systems around the world that were vulnerable. The list included systems installed for the Sochi 2014 Winter Olympics arena, among other notable names.
In 2017, thousands of critical systems and services around the world were brought down by the notorious WannaCry ransomware, which exploited a vulnerability in the Windows 7 operating system, a platform still widely used in many legacy BMSs.
Compromising a BMS offers malicious actors more opportunities than just exfiltrating data for ransom. An unscrupulous actor might seek to disrupt a competitor’s production by altering environmental controls in its factory or other production facility. A nation-state attacker could disrupt another country’s healthcare system by altering environmental controls in hospitals.
In short, BMSs require robust security measures that protect the critical functions they serve and prevent an organization’s broader IT systems from being compromised.
Why is the protection of BMS more difficult than that of computer systems?
There are several reasons why today’s BMSs are more vulnerable to cyberattacks than computer systems:
- In the past, BMSs were functional and isolated: the system controlling the air conditioning, for example, was separate from the one used for access management. In today’s smart buildings, each BMS function is part of an integrated system connected to the Internet. This makes the potential impact of any compromise much greater.
- Many BMSs rely on legacy software that is rarely, if ever, patched to remove security vulnerabilities. This means that it is often relatively easy for an attacker to gain access through a simple action, such as resetting a password.
- The perceived safety of the old, isolated BMS created a culture of complacency among technical staff, who routinely shared passwords (or created very weak ones).
- The typical BMS for a large installation today is often very complex with many devices from different vendors. It is quite difficult to keep a complete inventory of all these devices and the software versions they use. Ensuring that each of these devices is secure and free of vulnerabilities is even more difficult. Additionally, all vendors typically require remote access to their products for ongoing management purposes, meaning each of these access channels is another potential attack vector.
Fortunately, there are solutions to each of these challenges, which can ensure a very high level of security for any BMS.
Four-step guide to securing your BMS
Step 1 – Create a map of the network and all connected devices. A complete inventory is essential in order to secure any BMS. This involves knowing exactly how many connected devices are on the network and the communication paths between them. There are a number of network mapping and asset discovery solutions on the market that can automatically collect and analyze the details of every device within the BMS, regardless of make or model, and keep the inventory up to date.
Step 2 – Know your risk level. Knowing which devices are on the network is only the first step in securing a BMS; the next step is to assess the security risk each one presents. Fortunately, there is software capable of automating this task. Some more sophisticated tools will also offer advice on how to fix the security weaknesses they detect.
Step 3 – Provide secure remote access. The multitude of tools used to access the BMS remotely creates a tempting invitation for attackers. Today, it is possible to implement a single, complete remote access solution suited to the BMS, which can meet the needs of building management and device suppliers for monitoring, management and regular updates.
Step 4 – Detect and respond to threats. Sooner or later, an attacker is likely to break through even the best BMS defenses. It is imperative to detect a breach as early as possible and take appropriate action to minimize the damage. This requires tools that can continuously monitor the entire BMS for suspicious activity and issue the appropriate alerts to technical staff and management. Many tools are available to do this, and some providers also complement them with human services such as risk assessment, threat investigation, and incident response.
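As an added illustration of how Steps 1, 2 and 4 fit together (this is example code, not from the article or from Claroty), the following Python script keeps a small device inventory, scores each device on the risk factors the article lists (legacy platform, stale patching, Internet exposure, separate vendor remote-access channels, default credentials), and then runs three simple detection rules over BMS event logs. Every device record, weight, network range and log line is constructed for the example; the scoring weights and thresholds are assumptions, not a published standard.

```python
"""Constructed BMS inventory, risk scoring and log detection example (not the article's code)."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Device:
    name: str
    vendor: str
    os: str
    last_patched: Optional[datetime]   # None = never patched or unknown
    internet_exposed: bool
    vendor_remote_access: bool         # vendor keeps its own remote channel
    default_credentials: bool


# Constructed list of platforms treated as end-of-life for this example.
EOL_PLATFORMS = {"Windows XP", "Windows 7", "Windows Server 2003"}


def assess(dev: Device, now: datetime) -> tuple[int, list[str]]:
    """Return (risk score, findings). Weights are assumptions for illustration."""
    score, findings = 0, []
    if dev.os in EOL_PLATFORMS:
        score += 3; findings.append(f"end-of-life platform {dev.os}")
    if dev.last_patched is None or now - dev.last_patched > timedelta(days=365):
        score += 2; findings.append("no patch in the last year")
    if dev.internet_exposed:
        score += 3; findings.append("reachable from the Internet")
    if dev.vendor_remote_access:
        score += 1; findings.append("separate vendor remote-access channel")
    if dev.default_credentials:
        score += 3; findings.append("default credentials still in use")
    return score, findings


def rank_inventory(devices: list[Device], now: datetime) -> list[tuple[int, str]]:
    """Highest-risk devices first, so remediation effort goes where it matters."""
    return sorted(((assess(d, now)[0], d.name) for d in devices), reverse=True)


# Constructed management network, thresholds and event format for the detector.
TRUSTED_NETS = [ip_network("10.20.0.0/16")]
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(minutes=10)
SETPOINT_MAX_DELTA = 5.0   # degrees; larger single changes are flagged


def parse_event(line: str) -> dict:
    """Line format (constructed): '<ISO timestamp> <host> <event> key=value ...'."""
    ts, host, event, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, **fields}


def detect(lines: list[str]) -> list[str]:
    """Apply three rules: login burst, login from outside the management net, large setpoint jump."""
    alerts: list[str] = []
    fails: dict[tuple[str, str], list[datetime]] = defaultdict(list)
    for ev in map(parse_event, lines):
        src_trusted = any(ip_address(ev["src"]) in net for net in TRUSTED_NETS)
        if ev["event"] == "auth_fail":
            key = (ev["host"], ev["src"])
            fails[key] = [t for t in fails[key] if ev["ts"] - t <= FAIL_WINDOW] + [ev["ts"]]
            if len(fails[key]) == FAIL_THRESHOLD:
                alerts.append(f"{ev['host']}: {FAIL_THRESHOLD} failed logins from {ev['src']} within {FAIL_WINDOW}")
        elif ev["event"] == "auth_ok" and not src_trusted:
            alerts.append(f"{ev['host']}: successful login by {ev['user']} from {ev['src']}, outside the management network")
        elif ev["event"] == "setpoint_change":
            delta = abs(float(ev["new"]) - float(ev["old"]))
            if delta > SETPOINT_MAX_DELTA:
                alerts.append(f"{ev['host']}: setpoint for {ev['zone']} moved by {delta:g} degrees by {ev['user']}")
    return alerts


# Constructed sample data.
NOW = datetime(2024, 3, 2, 12, 0)
INVENTORY = [
    Device("hvac-ctrl-1", "VendorA", "Windows 7", datetime(2019, 6, 1), True, True, True),
    Device("lighting-gw-2", "VendorB", "Linux", datetime(2024, 1, 15), False, True, False),
    Device("access-ctl-3", "VendorC", "RTOS", None, False, False, False),
]
SAMPLE_LOG = """\
2024-03-02T02:10:05 hvac-ctrl-1 auth_fail user=admin src=203.0.113.9
2024-03-02T02:10:09 hvac-ctrl-1 auth_fail user=admin src=203.0.113.9
2024-03-02T02:10:14 hvac-ctrl-1 auth_fail user=admin src=203.0.113.9
2024-03-02T02:10:20 hvac-ctrl-1 auth_fail user=admin src=203.0.113.9
2024-03-02T02:10:27 hvac-ctrl-1 auth_fail user=admin src=203.0.113.9
2024-03-02T02:11:02 hvac-ctrl-1 auth_ok user=admin src=203.0.113.9
2024-03-02T02:12:40 hvac-ctrl-1 setpoint_change zone=icu-2 old=21.0 new=30.0 user=admin src=203.0.113.9
2024-03-02T09:15:00 hvac-ctrl-1 setpoint_change zone=lobby old=21.0 new=22.0 user=fm.jones src=10.20.4.15
""".splitlines()

if __name__ == "__main__":
    for score, name in rank_inventory(INVENTORY, NOW):
        print(f"{score:2d} {name}: {', '.join(assess(next(d for d in INVENTORY if d.name == name), NOW)[1]) or 'no findings'}")
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

Run as-is, the inventory pass puts the Internet-exposed Windows 7 HVAC controller with default credentials at the top of the list, and the detector raises three alerts on the sample log (a login burst, a successful login from outside the management network, and a nine-degree setpoint change in a hospital zone) while ignoring the routine one-degree adjustment from the facilities network. In a real deployment the inventory would come from the asset discovery tooling described in Step 1 and the rules would be tuned to the site's maintenance windows.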
The transformation of old-world BMSs into intelligent building systems and their integration into computer networks is ongoing and inevitable. It is therefore essential that facility managers pay greater attention and devote more appropriate resources to BMS security.
© Scoop Media