The connectivity that enables integrated, automated and centralised building management could be also used as a conduit for a cyberattack on buildings, but Maritz Cloete explains how to keep your BMS and data safe.
04 September 2018 | Maritz Cloete
IP networks enable a BMS to monitor and control key building systems such as HVAC, lighting, access controls, fire and safety systems, and energy monitors. They also provide internet connectivity so buildings can be managed remotely or from central locations.
The downside is that cybercriminals can also access these networks to hijack a vulnerable BMS, disrupting operations and stealing data.
There may be multiple actors behind such attacks:
- Activist groups wanting to break up organisations with which they take issue.
- Terrorists who want to disrupt national functions or government operations.
- Nation states wanting to harm organisations they consider a competitive risk or a threat to their security.
- Companies who wish to sabotage competitors.
- Aggrieved former employees.
- 'Bored teenagers' testing their hacking skills.
In 2017, attackers took control of an Austrian hotel's electronic key system and locked it out of its own computer system, leaving guests stranded in the lobby, causing panic. A ransom email demanding a large sum in Bitcoin followed and, against expert advice, the hotel paid up.
Attacks are not necessarily targeted, as 2017 's WannaCry ransomware strike showed by indiscriminately attacking any vulnerable system in its path, including BMSes, many of which are still running on unsupported operating systems such as Microsoft Windows XP.
A vulnerable BMS could also be used as a conduit for an attacker to access the corporate network where data theft and operational disruption may be the much more lucrative goal.
In 2013, US retailer Target fell victim to large-scale theft of credit card details. Attackers stole corporate network credentials from one of Target's HVAC suppliers, and used these to gain access to Target's servers.
Cybersecurity is high on BMS vendors' priorities and, while not perfect, modern systems provide capabilities to guard against attacks. Most vulnerabilities are a result of installers who do not follow the manufacturer's guidelines.
Here are five steps to protect your BMS:
Follow the manufacturer's security guidelines
Use only authorised BMS installers and review your BMS configuration regularly to ensure that the secure baseline is maintained. Train your FM staff in the secure configuration of the BMS and in cybersecurity awareness.
Keep your BMS patched
Monitor vulnerability and security patch notifications from the BMS vendor and apply updates promptly. If the BMS is installed on a computer with a standard operating system, such as Microsoft Windows or Linux, ensure it is still supported by the vendor.
Restrict access to the BMS
Issue unique accounts with strong passwords to users. If a user does not perform administrative duties, don't issue them administrator privileges. Monitor user activities to identify behaviour which might indicate that user credentials have been hijacked.
Avoid connecting your BMS directly to the internet
If there is a business need for remote access to the BMS, consider either using dedicated private network links, Virtual Private Network technology or a firewall with rules to secure the external connection and prevent unwanted access to the BMS from the general internet.
Isolate your BMS network from corporate networks
Do this either by not connecting the networks, or through a network firewall that restricts general access to and from the BMS network.
Maritz Cloete is director at CS Risk Management.