Three Core Points of BAS Cyber-security

By: Harrison Koll, Controls System Application Engineer

Cybersecurity is a topic that keeps executives up at night. Consumer data breaches and email hacking are constantly in the headlines. The truth is that any system connected to the internet is at risk – including your Building Automation System (BAS).

It is common for organizations to purchase (or create) a BAS, implement the solution, and then “forget about it” – leaving the entire network and its controllers alone for decades until there is a failure. This mentality can create an environment where network security needs are left unchecked.

When it comes to cybersecurity and your BAS, there are three core points that need to be acknowledged or addressed: 1) required levels of security needed; 2) engagement of IT personnel in making decisions; and 3) developing policies and procedures based upon proper network configuration, need for ongoing service of the BAS as well as using insight gained from past failures in BAS security. Evaluating these areas is absolutely crucial. An intrusion into your BAS system can lead to compromised building security and unplanned downtime of critical systems that can have rippling effects across your company’s (or your tenant’s) business processes.

1.       Required levels of security

In order to address the security needs of an organization’s BAS it is necessary to understand the required uptime of the equipment the BAS controls. For example, a plant which produces steam may require 100% uptime on the controller communicating with the boiler that is producing steam, while a heat-pump in an office building might only require 20-50% uptime in order to maintain a room’s temperature. All of this information is sitting on computers or on your organization’s network – and the more valuable a piece of equipment is, the more likely it is to be targeted in a cyber-attack. Once risk is known it becomes easier to distribute resources and protect the most critical devices.

Properly securing a network can be an expensive endeavor; knowing which devices if compromised, can cause harm tells you where to apply those resources.  Components such as a JACE should be seen as high risk because they are critical devices that can have a high amount of exposure (people placing them for access on the open web w/ static IP addresses), and a high level of threat (as they can appear on shodan.io, and if an attacker gains control of it they can control your BAS).  There are always methods to adequately mitigate risk as long as the risk is properly identified.

2.       Engaging IT personnel in BAS decisions

A network administrator knows the type of information traveling on their network, the protocols their network utilizes to communicate, which devices store valuable information, and the physical layout of the network.  Engaging IT personnel makes it easier to configure the BAS security and integrate it into an organization’s overall cybersecurity strategy.  For instance, some organizations will not want to utilize specific communications protocols as they are inherently insecure or allow certain features of a protocol.

Additionally, IT personnel’s knowledge of critical devices/information is very important when it comes to layering of network security and can help evaluate devices which may contain mission critical information. Through their evaluation they will be able to help those creating a BAS, impose network segmentation, and even help justify an entirely separate network for the BAS (highly recommended) if necessary.

Rolling out updates to a BAS can also be helped along by IT personnel.  They may be able to provide remote access in some instances for patches and updates.  Unfortunately patches and updates to most controllers are few and far between. As a result, security holes might go unnoticed for weeks or months before a patch.  The best way to help prevent a breach in between patches is to patch all devices on the BAS network incrementally as the patches come out.  It is crucial to have an IT professional engaged to coordinate patches and avoid issues with any other devices on the network.

3.       Policies and procedures

An organization needs to consider the extent of access to the BAS as well as when access will be granted. We recommend that there are independent accounts for each user or programmer and that logs should also be enabled for a BAS to keep track of access and any commands given. Logs are invaluable if and when a breach occurs and can help to prevent future intrusions.

Having a Cybersecurity strategy for your BAS is essential in today’s connected world. No more are BAS systems able to work in isolation from the rest of a company’s infrastructure. By evaluating these three areas, you have taken a giant step towards securing your system and minimizing risk.