Recent news of the CCleaner malware incident highlights yet again the need to be vigilant with computer security. A few months ago, there was also an exploit discovered in the BMS software used in Australian government facilities. Oftentimes the security of the BMS or SCADA head-end PC and network infrastructure is an afterthought. In these cases, the original specification for the project will lack any guidelines for BMS security and the contractor has this omitted in their scope of works, and fair enough too. It can often be difficult coordinating with the end-customer’s IT department, especially in new construction where they are on the distant horizon.
These days, almost every device wants an internet connection to phone home. We’re in the age of online devices – call it the “Internet of Things” if you wish! We all understand that security has never been more important.
However, if you’re providing a system to spec, you may assume that this security is someone else’s problem, or not important to the end customer.
If something goes wrong though, you can bet that there will be a lot of finger pointing, and mostly towards the BMS contractor and the product manufacturer. Even if you’ve followed the specification to a tee. This will be damaging to the end customer and your reputation. That’s why it’s worth taking a more active approach to BMS security. Take control and ask questions early in the project. Here I’ll share a few ideas to get you started.
A simple security risk assessment
Completing this basic risk assessment can help you understand what’s at risk in your building. I won’t be going too deep in this blog post, but this will provide a quick starting point.
Level of risk
The level of risk assesses how exposed the BMS is to interruption or attack. In the computer security world, this is often called the attack surface. We want to keep it as small as possible.
The following significantly increases your level of risk:
Is the BMS PC or any part of the BMS network infrastructure connected to the Internet?
Is the head-end PC or network infrastructure (including switches, hubs, and LAN terminations) accessible to unauthorised personnel? How is this protected? How is this monitored?
Is the BMS network infrastructure integrated with the end customer’s IT infrastructure? What isolation measures are in place? Who controls this and how is it monitored?
What operating system and software is installed on the head-end PC? How is this maintained? How is this monitored?
What software measures and training is in place to minimise human error?
Give this some honest thought. Can you identify any immediate risks in your system?
Level of damage
The level of damage assesses the seriousness of a security breach, in terms of equipment damage, downtime, and financial damage.
Does the BMS control or integrate with any of the following:
Backup power generators
Air conditioning for server rooms
Other essential services and infrastructure
If you answered yes to any of these, it’s important to understand how they are currently being protected.
Improving BMS security
You should have an idea of your system’s level of risk and damage. Hopefully there’s nothing too alarming, but it’s better to know now instead of after a serious incident! This can be daunting, but an effective plan can be implemented.
This may include:
Policy and training for users
Implementation of network firewalls and isolation
Installing low-level redundant systems
Including security measures and reporting in regular maintenance and service
With building automation becoming more connected, it’s important to keep up to date with security measures. Putting a plan in place and regular auditing allows you to effectively manage BMS system security.