Cyber Security for Building Automation and Control Systems

Building Automation and Control (BAC) systems run some of our most critical infrastructure in contemporary society, and whilst we’ve been vocal at Awen regarding the cyber security of Industrial Control Systems (ICS) traditionally being overlooked, BAC systems are probably the least thought-about subset of ICS.

You can find BAC systems throughout large-scale buildings in various critical areas of our infrastructure, including transport-related buildings like airports, train stations, underground/subway stations; utility-related buildings like electricity, oil and gas and water generation/treatment sites and offices; digital infrastructure-related sites such as data centres and financial institutions; and throughout vital office buildings like government entities. The impact of a cyber attack on any of these systems would be very significant and costly.

Traditionally they have comprised systems that run key building services including heating, ventilation and air conditioning. More recently, especially due to the proliferation of Industrial Internet of Things (IIoT) devices, this has expanded to include networked physical security, access control, fire and flood safety, lighting and humidity controls. You can think of BAC systems as the industrial equivalent of your “smart home” devices found in the consumer market.

Unlike consumer Internet of Things (IoT) smart home devices, which usually rely on proprietary protocols to communicate, most industrial applications have used known, robust protocols like BACnet. Whilst BACnet has been in development since as far back as 1987 and is well known, it’s still not without vulnerabilities…

BACnet’s back alright…

  • BACnet is a well-established protocol. It was first produced in 1995 and has been an official standard as of 2003.

  • It can be adapted to some existing, non-connected devices to allow greater control over the building's systems

  • It has native functionality for life-critical messages and in-built prioritisation for incoming messages (vital in areas where automation of building control is safety critical - hospitals for example)

  • As of Summer this year (2019), new addenda to the BACnet standard have been added, with one of the most notable additions being standardisation of IP level connectivity, allowing for more effective management across Operational Technology (OT) and Information Technology (IT) networks

  • Also added was support for Transport Layer Security (TLS) encrypted communication between client and devices. However, since this relies on a more recent version of the protocol, the responsibility rests with the vendors to implement these features along with providing support for existing devices in the form of firmware patches

  • Following on from the previous point, the BACnet standard itself is revised with some regularity (every 2-3 years seems to be the case). Vendors are often slow to implement and actively support these (in our expert opinion, critical) features, and few vendors actively support older devices. Even if they did, customers also need to be security conscious with regard to their devices, but this mindset can conflict with some business attitudes; e.g. the perception that updating firmware across a large section of a building may disrupt business continuity (production/output etc.), potentially leading to a loss of sales/profits/other metrics in the short term
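
The message prioritisation mentioned in the list above is carried in the BACnet network-layer header, so it can be observed passively on a BACnet/IP network. The following is an added example (not from the original post or any vendor) that parses a BACnet/IP datagram and flags critical-equipment or life-safety priority frames sent by hosts outside an allowlist; the function names, IP addresses and sample frames are assumptions constructed for illustration.

```python
import struct

# NPDU control octet, bits 1-0: network priority asserted by the sender.
PRIORITY = {0: "normal", 1: "urgent", 2: "critical-equipment", 3: "life-safety"}
# BVLC functions that carry an NPDU -> offset of the NPDU in the datagram.
# Forwarded-NPDU (0x04) has a 6-byte originating address after the header.
NPDU_OFFSET = {0x04: 10, 0x0A: 4, 0x0B: 4}

def parse_bacnet_ip(datagram: bytes) -> dict:
    """Decode the BVLC header and NPDU control octet of one UDP payload."""
    if len(datagram) < 4:
        raise ValueError("too short for a BVLC header")
    bvlc_type, function, length = struct.unpack("!BBH", datagram[:4])
    if bvlc_type != 0x81:
        raise ValueError("not BACnet/IP (BVLC type is not 0x81)")
    if length != len(datagram):
        raise ValueError("BVLC length does not match datagram size")
    if function not in NPDU_OFFSET:
        return {"function": function, "priority": None, "expects_reply": None}
    off = NPDU_OFFSET[function]
    if len(datagram) < off + 2 or datagram[off] != 0x01:
        raise ValueError("truncated NPDU or unknown protocol version")
    control = datagram[off + 1]
    return {"function": function,
            "priority": PRIORITY[control & 0x03],
            "expects_reply": bool(control & 0x04)}

def flag_high_priority(packets, allowed_sources):
    """Return (source, priority) for high-priority frames from unlisted hosts."""
    alerts = []
    for source, datagram in packets:
        try:
            info = parse_bacnet_ip(datagram)
        except ValueError:
            continue  # malformed traffic is a separate detection, skipped here
        if info["priority"] in ("critical-equipment", "life-safety") \
                and source not in allowed_sources:
            alerts.append((source, info["priority"]))
    return alerts

# Constructed sample frames (hex), not captured from a real site.
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")   # broadcast, normal priority
LIFE_SAFETY = bytes.fromhex("810a000801031008")      # unicast, priority bits = 11

if __name__ == "__main__":
    capture = [("10.0.0.5", WHO_IS), ("10.0.0.9", LIFE_SAFETY), ("10.0.0.7", LIFE_SAFETY)]
    print(flag_high_priority(capture, allowed_sources={"10.0.0.7"}))
```

Because the priority bits are set by whoever sends the frame, an allowlist of the panels expected to raise life-safety traffic is what turns this field into a useful monitoring signal.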

Smart Buildings, BIM and Smart Cities

Before closing off this blog post a word should be said about a few other concepts. We are seeing a greater number of “smart buildings,” for commercial and for residential use. These smart buildings, if constructed correctly using Building Information Modelling (BIM) to level 3, should deploy a network of interconnected devices to assist the workers/residents to be safer, more secure and more efficient in their working/living. This naturally will use standardised protocols such as BACnet, and we hope that they will be used in a secure manner with digital forensics & incident response in mind.

A collection of smart buildings will naturally be placed within a smart city, which brings its own set of questions over safety, security and privacy.

With Awen software, buildings and cities can be made to be safer and more secure - by understanding the threat landscape in greater detail using Dot, and by ensuring compliance with the Cyber Assessment Framework with Profile.

This post was collaboratively written by CEO Daniel, CTO Jules and Software Engineer Jamie.