Building Automation and Control (BAC) systems run some of our most critical infrastructure in contemporary society, and whilst we’ve been vocal at Awen regarding the cyber security of Industrial Control Systems (ICS) traditionally being overlooked, BAC systems are probably the least thought-about subset of ICS.

You can find BAC systems throughout large-scale buildings in various critical areas of our infrastructure, including transport-related buildings like airports, train stations, underground/subway stations; utility-related buildings like electricity, oil and gas and water generation/treatment sites and offices; digital infrastructure-related sites such as data centres and financial institutions; and throughout vital office buildings like government entities. The impact of a cyber attack on any of these systems would be very significant and costly.

Traditionally they have comprised of systems that run key building services including heating, ventilation and air conditioning. More recently, especially due to the proliferation of Industrial Internet of Things (IIoT) devices, this has expanded to include networked physical security, access control, fire and flood safety, lighting and humidity controls. You can think of BAC systems as the industrial equivalent of your “smart home” devices found in the consumer market.

Unlike consumer Internet of Things (IoT) smart home devices which usually rely on proprietary protocols to communicate, most industrial applications have used known robust protocols like BACnet. Whilst BACnet has been in development as far back as 1987 and is well known, it’s still not without vulnerabilities…

BACnet’s back alright…

• BACnet is a well established protocol. First produced in 1995 and official standard as of 2003.

• It can be adapted to some existing, non-connected devices to allow more control over building control

• It has native functionality for life-critical messages and in-built prioritisation for incoming messages (vital in areas where automation of building control is safety critical - hospitals for example)

• As of Summer this year (2019), new addenda to the BACnet standard have been added, with one of the most notable additions being standardisation of IP level connectivity, allowing for more effective management across Operational Technology (OT) and Information Technology (IT) networks

• Also added was supported for Transport Layer Security (TLS) encrypted communication between client and devices. However, since this relies on a more recent version of the protocol, the responsibility rests with the vendors to implement these features along with providing support for existing devices in the form of firmware patches

• Following on from the previous point, the BACnet standard itself is updated and created with some regularity (every 2-3 years seems to be the case). Vendors are often slow to implement and actively support these (in our expert opinion critical) features, with few vendors actively supporting older devices etc. Even if they did, customers need to also be security conscious with regards to their devices, but this mindset can contrast with some business attitudes; e.g. the perception that updating firmware across a large section of a building may cause disruption to business continuity (production/output etc) leading to the potential of loss of sales/profits/other metrics in the short term

Smart Buildings, BIM and Smart Cities

Before closing off this blog post a word should be said about a few other concepts. We are seeing a greater number of “smart buildings,” for commercial and for residential use. These smart buildings, if constructed correctly using Building Information Modelling (BIM) to level 3, should deploy a network of interconnected devices to assist the workers/residents to be safer, more secure and more efficient in their working/living. This naturally will use standardised protocols such as BACnet, and we hope that they will be used in a secure manner with digital forensics & incident response in mind.

A collection of smart buildings will naturally be placed within a smart city, which brings its own set of questions over safety, security and privacy.

With Awen software, buildings and cities can be made to be safer and more secure - by understanding the threat landscape in greater detail using Dot, and by ensuring compliance to the Cyber Assessment Framework with Profile.

This post was collaboratively written by CEO Daniel, CTO Jules and Software Engineer Jamie.

October was Cyber Security Awareness month, established across the European Union, USA and in other nations with various events and initiatives to promote general cyber security best practices. If you participated in an event, we hope you enjoyed it and feel free to let us know your experiences.

November, this month, is Infrastructure Security month, and this was established in the USA by the Department of Homeland Security (DHS) - although its goals are certainly honourable enough to be recognised internationally. Let us know if you will be participating in some way, and how.

The goal of Infrastructure Security Month 2019 is to “enhance resilience through preparedness and exercises and promote smart, secure investment in resilient national infrastructure.”

Let’s try to explain that goal in ways that we can understand:

• Enhance resilience in this context, means that infrastructures are reliable and strengthened, but if you/they receive some incident then you/they will be prepared to go through incident response processes

• Preparedness means that organisations will need to know exactly what is on systems, that everything is patched and protected, and there is an incident response plan in place

• Exercises are for the people side - do employees know what to do, what to approach, how to respond? There might be external players involved to audit against standards, to perform penetration tests or to bring in outside expertise during “table top” exercises. All this should be mapped out in case of emergency

• Promote smart, secure investment - means:

  1. Ensuring that cyber is on the agenda at board-level, and a consideration in the Operational Technology engineering teams

  2. Promoting those organisations which follow not only regulation but good-practice standards such as ISO27001 and the NCSC Cyber Assessment Framework (CAF)

  3. Spending cyber security budget in the right places. First make sure that the risk profile is fully understood, then improve the cyber security resilience, and then consider what the best approaches will be. Be practical, be pragmatic

• National infrastructure includes a variety of sectors (defined in different ways in different countries): electricity, oil & gas, water, transportation, chemicals, communications, defence, dams, food & agriculture, financial sector, healthcare & pharmaceuticals, critical manufacturing, government and emergency services

Thankfully at Awen we were founded specifically to address all the points above:

• Profile ensures that critical national infrastructure is not only are aware of compliance levels to particular cyber security regulation in industrial organisations, but also ensures that improvements are being made - even with tight budgets in mind

• Dot provides much needed clarity over the assets and vulnerabilities in the Operational Technology (OT) systems found on the factory floor and in building automation & control systems. It gives much finer granularity of detail within a risk profile, so that budget can be spent wisely in order to improve cyber security and general resilience

If this sounds of interest, and you would like to have a chat do just contact us by sending over an email to hello@awencollective.com and we would be happy to schedule a call or meet face-to-face. We never “hard sell”.

The concepts of safety and security are quite well defined to those who speak English as a first language, or with sufficiency. They are distinct concepts and distinct terms:

• Safe comes from the Latin word salvus, which means “whence whole” and indicates that something is not in danger of being harmed or broken up. We would often talk about people being safe from harm. Safety is strongly linked with integrity. An image search for safety" will return pictures of hard hats and boots.

• Secure comes from the Latin word securus, meaning “free from care” and indicates more of a protection to enable something to be free to exist. We would often talk about assets being secure (although interestingly we might store something securely in a safe). An image search of security will return pictures of locks and CCTV cameras.

However, if we translate safety and security into other contemporary languages we often get the same word meaning both (in no particular order):

• Welsh: Diogelwch

• Spanish (Castilian): Seguridad

• Basque: Segurtasun

• German: Sicherheit

• French: Sécurité

• Swedish: Säkerhet

• Italian: Sicurezza

Of course, this is not the case in every language (Arabic for example), and even those where safety and security are translated to the same word there may be other words which could be used to differentiate the two subtle meanings.

However, we highlight this to show that when we talk about cyber security it is often to easy to talk about the protection of things. Too little thought is sometimes given to the safety and integrity aspect of cyber security.

This is especially important in our domain of cyber security of industrial control systems (ICS) / operational technologies (OT), where a cyber threat to these systems can cross from the digital into the physical. Actual physical damage could be caused to machinery, property or even human life. We have seen cases of this before, and it provides us at Awen Collective drive to do what we do. We want to protect people and businesses from cyber attacks, when the manifest in just the digital world, or in both the digital and the physical.

Contact us today if you are owners/administrators of industrial control systems or operational technologies. We would like to discuss with you how to dissipate any fears you might have regarding cyber threats to your environment.

Mission

The mission of Awen Collective is to reduce the costs of cyber-threats to critical national infrastructure and advanced manufacturing.

Rationale

Cyber attacks are able to cross digital/virtual boundaries into the physical world. These attacks have the potential to shut down our water, electricity and gas supplies, stop train travel, or cause havoc on our roads and at our airports.

Awen exists to reduce the risk of these attacks happening, and to minimise the disruption they can cause.

Values

There are four central pillars to Awen Collective:

Agility in our working. We acknowledge that requirements are not always well defined, and we adapt to the ever evolving needs of the market.

Warmth towards all. Empathy is powerful, and often overlooked in the world of technology. We strive to show the highest levels of empathy towards those inside and outside of the company.

Equality is essential. We believe that all people should have the same fundamental rights and opportunities. We do not judge or discriminate based on identity or background.

Next-level innovation. We are always innovating, thinking about the future needs of the market. Innovation is at the heart of everything that we do.

These are the values of Awen Collective, as founded in 2017, and right here and now.

From the 20th - 21st November 2019, Awen Collective will be exhibiting at the Basque Industry 4.0 Meeting Point event in the Bilbao Exhibition Centre.

Our CEO will be in attendance representing both Awen and also the Cyber Wales ecosystem, with support from the Basque Cybersecurity Centre. For those attending he will be able to share details of the products and services on offer by Awen, which are uniquely tailored to improving the cyber security of industrial organisations whether they have the latest Industry 4.0 technologies, legacy industrial control system networks, or a mix of old and new.

The Basque Country is a great place for us as it has a great industrial environment, with many small, medium and large manufacturers and critical national infrastructure providers having facilities in the region. We have some interest from various organisations in País Vasco / Euskadi, and the surrounding area, and so this will be an opportunity for us to begin working with those organisations.

The Meeting Place event itself will see around 2000 attendees, over 130 exhibitors and around 100 speakers talking about Industry 4.0, connecting industrial organisations to suppliers of additive manufacturing, collaborative robotics, cyber-physical systems, augmented reality, cloud computing, big data, virtual reality and cyber security.

It will be a great two days, and we are looking forward to meeting some great new people and companies from the Basque Country, Spain and the wider Iberian Peninsula.