Andrea Danti - Fotolia
8 ways to protect building management systems
Security threats to building management systems can come from numerous sources. Expert Ernie Hayden outlines these potential threats and how to protect against them.
Editor's note: This is the second part of a two-part series. Read part one to get an introduction to building management systems and the vulnerabilities that commonly plague them.
Like any other computer system installed in buildings and factories, building management systems are vulnerable to attackers, such as disgruntled employees, industry competitors, industrial spies or a nation-state. For instance, a fired employee of one of your building tenants may want to do something malicious that affects the entire building. Also, your tenants and their businesses may be targets for social hacktivists or political organizations.
One way an attacker can easily hack a building management system (BMS) is via the existing manuals and documentation available on the internet. These documents are full of information, such as passwords, that an attacker could use.
Other potential attacks on a BMS include the usual list: denial-of-service, phishing, spear phishing, malware injections and so on. Social engineering attacks that use USB key drops are another vector to consider.
Also, as in the Target data breach in 2013, the attackers may want to get into your primary enterprise network and quietly stay for a long period of time while they collect valuable information. These are usually called advanced persistent threats.
How to protect a BMS
There are a variety of ways to protect building management systems, but it's important to start with some key considerations.
- First, when it comes to legacy building management systems, there are often multiple retrofits and upgrades that have been planned or are in progress. It is important to build security into the new design before installing a new BMS. Take advantage of the planning and design period to consider how the BMS components and cabling are installed, protected and defended against vandalism and attack. A useful resource is the U.S. Department of Homeland Security report "The Risk Management Process for Federal Facilities: An Interagency Security Committee Standard."
- Ensure the BMS is not connected directly to the internet. Better yet, ensure the BMS is separate from the enterprise network and is separated by an air gap or firewall.
- Consider using virtual local area networks and segregated networking practices to keep BMS subnetworks separate and isolated. That way, a problem in one subnet can't affect the other networks.
- Password controls can be a challenge with a BMS, so always change the default passwords for the BMS system, workstation and field devices. Do not permit the use of shared usernames and passwords and be sure the credentials used at one facility are different than those used in other buildings. Make your passwords as complex as the system permits and, most importantly, don't write the BMS-associated passwords on notepads, control panels or under keyboards. These are not only damaging to your security posture, but they could encourage attackers to try to access the system.
- Train your staff, contractors and vendors on your security expectations, policies and procedures. Security is everyone's job, and protecting the BMS from attack or misconfiguration is important.
- Perform security assessments to locate and identify any physical or cybersecurity vulnerabilities, then correct the issues as soon as possible. In these assessments, look for easy access points, such as rogue wireless access points, open/unlocked cabinets and passwords written on cabinets. Also, use Shodan to do self-footprinting to identify if any of your current BMSes or enterprise systems are connected directly to the internet.
- When you terminate an employee, contractor or vendor, ensure that their physical access is terminated -- that card keys are deactivated and keys are collected -- and that their cyber access is turned off within an hour of the firing.
- Finally, be sure to have a security incident response plan in place. This plan should address both cyber and physical security incidents. Be sure to test this plan at least every few months and ensure it works, is up to date and that weaknesses can be corrected quickly. The incident response team and its associated processes are like an internal fire department; they may not be needed, but when they are, you want a practiced, professional response.
With the extensive deployment of intelligent BMSes, more security vulnerabilities will be identified either before or after events. You must stay on top of BMS security and work closely with your vendors to ensure the systems are patched and updated in a timely manner.
One document that can help you assess a BMS security profile is the "Intelligent Building Management Systems: Guidance for Protecting Organizations," report, published by the Asis Foundation, Boma International and the Security Industry Association. At a minimum, pass this document to your building operations/security manager and internal audit staff to help guide them on their vulnerability assessments and improve their security awareness.