Prior to reading this article I HIGHLY RECOMMEND you view the video below. This video will give you foundational knowledge of the building automation security topics I will discuss below.
After seeing so many systems penetrated over the years, it brings one question to mind: How many systems are being accessed that no one knows about? Having worked in the BAS field for many years now, I have had the privilege to work on a lot of different control systems. While the old adage, "Your installation is only as good as the installer," still rings true, more recently, I would have to say - with some of the systems I have seen - that there should be a new saying: "Your security is only as good as the IT knowledge of your installer".
Installers are known for having a grasp of mechanical systems equal to that of most PEs, as well as intimate knowledge of their controls platform and integration strategies. Unfortunately, most of the installers who are any good today cut their teeth during the era of client-server architecture when, right, wrong, or indifferent, security was not a big issue.
This article seeks to provide fundamental knowledge to bridge the gap between BAS knowledge and fundamental IT security.
- Local or Remote Access
- Public or Private Access
- Access Lists
- Port Forwarding/ Blocking
- VLAN Segmentation
- Password and Username Practices
- LDAP Integration
- Network Monitoring
- Risk management / analysis
- Patch management
- Incident information management
Local or Remote Access
When determining how to access your building automation system you must begin with the end in mind. If you have a single building with no thoughts of expansion then you will most likely be able to survive with only local access. However, if you have a multi-building environment or have a distributed maintenance staff then you will most likely want to have remote access to your system. This then brings us to the next topic.
Public or Private Access
There are some specific benefits to having a system with a public IP address. These are as follows:
- Ease of access
- Ease of sharing access
- Not having to deal with the IT department
The drawbacks of a public IP address are the mirror image:
- Ease of access (for everyone, including people you never intended to let in)
- Lack of or weak security
- System is visible (anyone scanning the internet will find it)
- Lack of IT knowledge
Now on the flip side you have private access. Private access can include, but is not limited to, private addressing with address translation, VPN access to a protected LAN, stand-alone systems, and local network access only. The benefits:
- Secure, regulated access
- Reduced security risk
- In-house IT can manage it
The drawbacks:
- In-house IT will most likely manage it (so you go through them for every change)
- Difficulty gaining remote access
- Local access only in some cases
With that being said, based on your vertical market, security needs, and IT department, you will determine what kind of architecture to pursue. I have had customers who literally had me use separate network supervisors for a BAS system because they were worried that someone would be able to use the MS/TP trunk to pick up radio frequencies and voices (not sure how), as the cable ran from their office to their production labs in the same building.
So decide who needs access, how they will access the BAS, how often they will access it, and from where. This will help you determine which logical and physical topology to use.
Access Lists
As briefly summarized in the video, access lists allow you to determine which devices, communicating over a specific protocol, at a specific time, are permitted or denied access to the system. This is an IT-centric topic, but in highly secure buildings it can be important to use dynamic, time-sensitive access lists to add another layer of security. Two things matter more than the vendor syntax: the list should end in an implicit deny (anything you did not explicitly permit is dropped), and it should be applied at the boundary of the automation network, not on the BAS devices themselves.
Port Forwarding/ Blocking
Port forwarding is when a gateway takes traffic arriving on one of its ports and hands it to a specific port on a specific internal host; port blocking (filtering) is the opposite, dropping traffic to or from ports you have not approved. For example, you can set up a VLAN for your automation system and then allow traffic to enter that network only if it is destined for TCP port 443 (HTTPS, the supervisor's web interface) or UDP port 47808 (0xBAC0, the default BACnet/IP port). Keep in mind that BACnet/IP carries no authentication in the base protocol: a Who-Is, a ReadProperty or a WriteProperty looks the same whether it comes from your supervisor or from a stranger, so 47808 should only ever be reachable from other trusted BAS devices and never forwarded from a public address. On the flip side, you can block access from non-approved ports. Leaving ports open is one of the flaws attackers exploit to enter or perform reconnaissance on your network.
VLAN Segmentation
VLANs, or Virtual LANs, let you carve one switch (or several switches) into separate logical networks, each its own broadcast domain, think back to the IP Basics video. This essentially puts the BAS devices on their own network: devices outside the VLAN cannot reach devices inside it unless a router (or layer-3 switch) is configured to route between the two, and that router is exactly where you apply the access lists and port filtering described above to add further layers of protection. An additional note: you can apply different IT policies to the devices in the BAS VLAN so that they do not receive updates that would cause the BAS software to stop functioning.
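The access-list, port-filtering and VLAN sections above describe one mechanism from three angles: a rule set on the router at the BAS VLAN boundary. The script below is an added example (not code from the original article) that models such a rule set in plain Python so the behaviour can be checked on a desk: first match wins, a rule may carry a time-of-day window (the dynamic, time-sensitive list mentioned under Access Lists, including a window that wraps past midnight), and anything no rule permits falls through to the implicit deny. The subnets, the port numbers other than 443 and 47808, and the flow records are constructed for the example.

```python
"""Deny-by-default access list at the BAS VLAN boundary (added example, not the
article's own code). Subnets, vendor VPN pool and the sample flows are constructed."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional, Tuple

BACNET_IP_PORT = 47808  # 0xBAC0, default BACnet/IP UDP port; the base protocol has no authentication


@dataclass(frozen=True)
class Rule:
    action: str                                  # "permit" or "deny"
    src: str                                     # source subnet, CIDR notation
    proto: str                                   # "tcp" or "udp"
    dports: FrozenSet[int]                       # destination ports this rule covers
    window: Optional[Tuple[time, time]] = None   # (start, end) time of day; None = always

    def matches(self, src_ip: str, proto: str, dport: int, at: time) -> bool:
        if proto != self.proto or dport not in self.dports:
            return False
        if ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.window is None:
            return True
        start, end = self.window
        if start <= end:
            return start <= at <= end
        return at >= start or at <= end      # window wraps past midnight (e.g. 22:00-06:00)


def evaluate(rules: List[Rule], src_ip: str, proto: str, dport: int, at: time) -> str:
    """First matching rule wins; no match at all is the implicit deny."""
    for rule in rules:
        if rule.matches(src_ip, proto, dport, at):
            return rule.action
    return "deny"


# Constructed rule set. 10.20.0.0/24: facilities workstations; 10.30.5.0/24: the
# peer site's supervisor VLAN (BBMD partner); 10.99.0.0/24: vendor VPN address pool.
RULES = [
    Rule("permit", "10.20.0.0/24", "tcp", frozenset({443}), (time(6, 0), time(18, 0))),
    Rule("permit", "10.30.5.0/24", "udp", frozenset({BACNET_IP_PORT})),
    Rule("permit", "10.99.0.0/24", "tcp", frozenset({443}), (time(22, 0), time(6, 0))),
    # Nothing permits 47808 from outside the BAS subnets, and nothing permits SSH/RDP.
]

# Constructed flows: (src_ip, proto, dport, time of day)
FLOWS = [
    ("10.20.0.15", "tcp", 443, time(9, 30)),      # operator, business hours
    ("10.20.0.15", "tcp", 443, time(22, 0)),      # operator, after hours
    ("10.30.5.2", "udp", 47808, time(3, 0)),      # peer supervisor, any time
    ("203.0.113.7", "udp", 47808, time(12, 0)),   # public address probing BACnet/IP
    ("10.20.0.15", "tcp", 22, time(9, 30)),       # SSH to a controller: never approved
    ("10.99.0.8", "tcp", 443, time(23, 30)),      # vendor inside the maintenance window
    ("10.99.0.8", "tcp", 443, time(14, 0)),       # vendor outside the maintenance window
]


def decide_all(rules=RULES, flows=FLOWS) -> List[str]:
    """Decision for every sample flow, in order."""
    return [evaluate(rules, *flow) for flow in flows]


if __name__ == "__main__":
    for flow, decision in zip(FLOWS, decide_all()):
        print(f"{decision:6s} {flow[0]:>12s} {flow[1]}/{flow[2]:<5d} at {flow[3]:%H:%M}")
```

Running it prints permit/deny for each sample flow; the two lines worth staring at are the public address hitting 47808 (denied because no rule ever mentions it, not because a rule names it) and the vendor VPN flow at 14:00 (denied by the wrapped 22:00-06:00 window). Translating the rules into your router's syntax is mechanical; getting the implicit deny and the windows right is the part people miss.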
Password and Username Practices
Pass/pass, yournamehere/12345, the list goes on and on. People use some really bad passwords. Ideally the BAS should require an uppercase character, a lowercase character, a number, a symbol, and no common words in your password. However, some systems do not require this, and some enterprises choose to create one username and password and share it with everyone. These are educational issues; if you are reading this article then I now dub you a Password Protector! Ok, just a little cheesy, but seriously, you should be just as protective of your BAS login as you are of the password to your email. You do not want to be the person who used pass/pass when a disgruntled employee decides to shut off an air handler serving the data center, or closes all the boxes in the OR during open heart surgery... Last note on passwords: require your staff, at a minimum, to change their passwords every 90 days. Most BAS systems on the market have this option, it is a simple check box for you, and the BAS handles the rest. One caveat worth knowing: current NIST guidance (SP 800-63B) no longer recommends forced periodic rotation or composition rules on their own, favouring length, screening against known-breached and common passwords, and a forced change when there is evidence of compromise. Use whatever checkboxes your platform gives you, but the bigger wins are one account per person, no shared credentials, and lockout after repeated failed logins.
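The habits this section warns about (pass/pass, a shared password for the whole crew, a credential nobody has changed in a year) show up plainly in a user export, so here is an added example, not code from the original article, of the audit a BAS provider or IT department can run over one. It flags a password equal to the username, a password from a small denylist of common choices (built from the article's own examples plus a few obvious ones), one password shared by several accounts, and a password older than the site's rotation policy. The user list is constructed; the export is hashed with plain SHA-256 only so the sample is self-contained (a real system should store salted, slow hashes, and you would compare against its hash format instead).

```python
"""Credential hygiene audit of a BAS user export (added example, not the article's
own code). Users, hashes and dates below are constructed for the example."""
import hashlib
from collections import defaultdict
from datetime import date
from typing import Dict, List, Tuple

# Denylist: the article's examples plus common choices. Extend from a breached-password list in practice.
COMMON_PASSWORDS = {"pass", "password", "12345", "123456", "admin", "welcome"}


def sha256(s: str) -> str:
    return hashlib.sha256(s.encode("utf-8")).hexdigest()


# Constructed export: (username, stored hash, date the password was last changed)
USERS: List[Tuple[str, str, date]] = [
    ("jsmith",   sha256("Tr0ub4dor&3!purple"), date(2024, 5, 20)),
    ("pass",     sha256("pass"),               date(2023, 11, 1)),
    ("operator", sha256("12345"),              date(2024, 5, 1)),
    ("bob",      sha256("S3ason#Summer"),      date(2024, 5, 15)),
    ("alice",    sha256("S3ason#Summer"),      date(2024, 5, 15)),
]


def audit(users, today: date, max_age_days: int = 90) -> Dict[str, List[str]]:
    """Return {username: [finding, ...]} for every account with at least one problem."""
    findings: Dict[str, List[str]] = defaultdict(list)
    common_by_hash = {sha256(p): p for p in COMMON_PASSWORDS}
    users_by_hash: Dict[str, List[str]] = defaultdict(list)
    for name, pw_hash, _ in users:
        users_by_hash[pw_hash].append(name)           # same hash => same password
    for name, pw_hash, changed in users:
        if pw_hash == sha256(name):
            findings[name].append("password equals username")
        if pw_hash in common_by_hash:
            findings[name].append("common password '%s'" % common_by_hash[pw_hash])
        others = sorted(set(users_by_hash[pw_hash]) - {name})
        if others:
            findings[name].append("password shared with " + ", ".join(others))
        age = (today - changed).days
        if age > max_age_days:                        # the article's 90-day policy
            findings[name].append("not changed in %d days" % age)
    return dict(findings)


if __name__ == "__main__":
    for user, issues in audit(USERS, date(2024, 6, 1)).items():
        print(user, "->", "; ".join(issues))
```

The shared-password check works on hashes alone, which is the interesting one: two operators who "each have their own login" but typed the same password are, for accountability purposes, one account. If your platform cannot give you an export with hashes, the same questions can be asked of its login audit log (same account from several workstations at once is the usual tell).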
LDAP Integration
LDAP (Lightweight Directory Access Protocol) allows you to link your devices, groups, and users to a central directory such as Active Directory instead of maintaining a separate user list inside each BAS. This is a BIG DEAL. If done right you can set up groups that are allowed access to certain devices at certain times, you can log all access and usage, you can push password requirements from the directory, and you can stop multiple people from sharing one username and password, because disabling someone in the directory disables them everywhere at once. Two checks when you turn it on: use LDAPS (LDAP over TLS), since a plain LDAP bind sends the password across the network in clear text, and make sure the BAS rejects an empty password before it ever talks to the directory, because many directories treat an empty-password bind as an anonymous bind that "succeeds". If your device supports LDAP and you're not using it, then shame on you!
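To make the LDAP integration concrete, here is an added example, not code from the original article or from any BAS vendor, of the login flow a BAS front end should run against a directory: look the user up with a properly escaped search filter, refuse an empty password, bind as the user to prove the password, then authorize by group membership and time of day. The ldap3 library, the server name, the base DN, the service account, the group DNs and the site policy are all assumptions for the example; the network part is only sketched in one function, while the filter escaping and the authorization decision are pure functions you can exercise offline.

```python
"""Directory-backed login for a BAS web front end (added example, not the article's
own code). Server, DNs, groups, sites and the ldap3 dependency are assumed."""
from datetime import time
from typing import Iterable, List, Optional, Set

# Constructed policy: group DN -> (sites the group may operate, (start, end) time of day)
POLICY = {
    "CN=BAS-Operators,OU=Groups,DC=example,DC=com": ({"HQ", "Lab"}, (time(0, 0), time(23, 59, 59))),
    "CN=BAS-Vendor,OU=Groups,DC=example,DC=com":    ({"HQ"},        (time(8, 0), time(17, 0))),
}


def escape_filter(value: str) -> str:
    """RFC 4515 escaping: a username such as '*)(objectClass=*' must not rewrite the filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def user_filter(username: str) -> str:
    return "(&(objectClass=person)(sAMAccountName=%s))" % escape_filter(username)


def authorize(member_of: Iterable[str], now: time, policy=POLICY) -> Set[str]:
    """Sites the user may touch right now, given the groups the directory returned."""
    allowed: Set[str] = set()
    for group in member_of:
        if group not in policy:
            continue                        # unrelated groups (Domain Users etc.) grant nothing
        sites, (start, end) = policy[group]
        if start <= now <= end:
            allowed |= sites
    return allowed


def authenticate(username: str, password: str,
                 server: str = "ldap.example.com",             # assumed
                 base_dn: str = "DC=example,DC=com",           # assumed
                 service_dn: str = "CN=bas-svc,OU=Service,DC=example,DC=com",  # assumed
                 service_pw: str = "") -> Optional[List[str]]:
    """Look the user up, bind as them, return their group DNs; None on any failure.
    Uses the ldap3 library (assumed installed); imported here so the rest of the
    module works offline."""
    if not password:
        return None    # never send an empty password: an anonymous bind would "succeed"
    from ldap3 import Server, Connection, SUBTREE
    from ldap3.core.exceptions import LDAPBindError
    srv = Server(server, use_ssl=True)     # LDAPS; a plain bind sends the password in clear text
    try:
        svc = Connection(srv, user=service_dn, password=service_pw, auto_bind=True)
        if not svc.search(base_dn, user_filter(username), SUBTREE, attributes=["memberOf"]):
            return None                    # no such user: same answer as a bad password
        entry = svc.entries[0]
        groups = list(entry.memberOf.values) if "memberOf" in entry.entry_attributes else []
        Connection(srv, user=entry.entry_dn, password=password, auto_bind=True)  # proves the password
    except LDAPBindError:
        return None
    return groups


def login(username: str, password: str, now: time) -> Set[str]:
    """Sites this login may operate; empty set means refuse the session."""
    groups = authenticate(username, password)
    return authorize(groups, now) if groups else set()
```

The order matters: the search is done with a low-privilege service account and an escaped filter, the user's own bind is what proves the password, and group membership is read from the directory rather than from a list the BAS keeps locally, so removing someone from the group in the directory removes their access at the next login.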
Network Monitoring
Ok, we are going a bit deeper here, but it's good stuff nonetheless. There are multiple methods to monitor the network; while this is not a network management article, I will lay out the basics for you. Network monitoring software falls into three categories:
- Standalone tools (freeware or paid): in this bucket you have my personal favorite, Wireshark, for packet capture and analysis, and protocols like SNMP that let you poll data from devices (use version 3 with authentication and encryption; v1 and v2c send the community string in clear text).
- Server software: depending on the server OS, you can track group and user access, device utilization, and service (email, FTP, etc.) utilization.
- Network software: this falls into a couple of categories. You have inline prevention devices such as firewalls, proxy servers and IPS (intrusion prevention systems) that block traffic, and you have flow monitoring (NetFlow on Cisco gear; sFlow or IPFIX elsewhere) that records who talked to whom, over which port, and how much. Flow monitoring typically sees OSI layer 4 and below, so it can tell you that a new host started talking BACnet/IP to a controller, but not what that host asked the controller to do.
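Flow records are the cheapest monitoring signal most sites already have, and the three alerts a BAS owner most wants from them are "who is new", "who is new and talking BACnet", and "who is poking at many ports". The script below is an added example, not code from the original article, that runs those checks over a few constructed NetFlow-style records against a baseline of known-good conversations. Addresses, the baseline, and the records are all constructed; the only real constant is UDP port 47808 for BACnet/IP.

```python
"""Baseline-and-deviation detection over flow records from the BAS VLAN (added
example, not the article's own code). Baseline, addresses and records are constructed."""
import csv
import io
from collections import defaultdict
from typing import Dict, List, Set, Tuple

BACNET_IP_PORT = 47808  # 0xBAC0, default BACnet/IP UDP port

# Constructed baseline: (src, dst, proto, dport) conversations seen during a known-good week.
BASELINE: Set[Tuple[str, str, str, int]] = {
    ("10.30.5.2", "10.30.5.10", "udp", BACNET_IP_PORT),   # peer supervisor -> supervisor (BBMD)
    ("10.20.0.15", "10.30.5.10", "tcp", 443),             # operator workstation -> web UI
}

# Constructed flow export, one record per conversation, as a flow collector might CSV it.
FLOWS_CSV = """ts,src,dst,proto,dport,bytes
2024-06-01T09:00:01,10.20.0.15,10.30.5.10,tcp,443,5120
2024-06-01T09:00:05,10.30.5.2,10.30.5.10,udp,47808,312
2024-06-01T09:01:10,10.20.0.77,10.30.5.10,tcp,22,60
2024-06-01T09:01:11,10.20.0.77,10.30.5.10,tcp,23,60
2024-06-01T09:01:12,10.20.0.77,10.30.5.10,tcp,80,60
2024-06-01T09:01:13,10.20.0.77,10.30.5.10,tcp,443,60
2024-06-01T09:01:14,10.20.0.77,10.30.5.10,tcp,8080,60
2024-06-01T09:03:00,10.20.0.77,10.30.5.10,udp,47808,120
"""


def parse_flows(text: str) -> List[Dict]:
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def detect(flows: List[Dict], baseline=BASELINE, scan_threshold: int = 5) -> List[Tuple]:
    """Alerts for every conversation that is not in the baseline, plus a port-scan alert
    for any (src, dst) pair that touched scan_threshold or more distinct ports."""
    alerts: List[Tuple] = []
    ports_touched: Dict[Tuple[str, str], Set[int]] = defaultdict(set)
    for f in flows:
        key = (f["src"], f["dst"], f["proto"], f["dport"])
        if key in baseline:
            continue                                   # known-good conversation, stay quiet
        ports_touched[(f["src"], f["dst"])].add(f["dport"])
        if f["proto"] == "udp" and f["dport"] == BACNET_IP_PORT:
            alerts.append(("unexpected_bacnet_talker", f["src"], f["dst"]))
        else:
            alerts.append(("new_conversation", f["src"], f["dst"], f["proto"], f["dport"]))
    for (src, dst), ports in ports_touched.items():
        if len(ports) >= scan_threshold:
            alerts.append(("port_scan", src, dst, len(ports)))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_flows(FLOWS_CSV)):
        print(*alert)
```

On the sample data the two baseline conversations produce nothing, while 10.20.0.77 trips all three alerts: five new conversations, a port sweep of the supervisor, and then a first BACnet/IP packet from a host that has never spoken BACnet before. That last one is the alert to page someone for, because by the time an unknown host is on 47808 it can already read and write points.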
The last three topics really fall under one big category called organizational policies. The items below are not necessarily technical in nature but rather procedural.
- Risk management / analysis
- Patch management
- Incident information management
Your team, at least at a high level, needs to be aware of what we have discussed up until now. They need to know the impact of installing software on a server ("Well Bob, it was just this free poker software I got on the internet..."). They also need to know the impact of sharing passwords, or of leaving their session logged in when they check a VAV box from the school library. It comes down to laying out clear expectations for the end user, and these need to be driven by the organization. Users need to be held accountable for misuse.
Risk management / analysis
This is more of an auditing function. Ideally it will be done by your IT department, but if it is not, you or your BAS provider should have a clear set of IT standards that are followed on every project. I will say that to date the number of specifications and scopes I have read which included IT requirements for a BAS system is fewer than 10.
Patch management
We briefly covered this under LDAP and VLANs. If you are going to ride the local IT network then you MUST communicate with your IT department about the impact patching will have on your production environment. Let IT know, and make it a defined step in their update policy to check with you on compatibility for whatever patches they plan to push. At a minimum, require that they provide 5 business days' notice prior to patching.
Incident information management
Stuff happens (well, it's usually said a little differently than that), but even if you follow all the items I have laid out so far, there is still a chance that someone can damage your BAS network. In case of a network penetration, or simply a mistake by an employee, you need your network resources mapped out: a network map of how your devices communicate, what their addresses are, and what they serve. If you have followed the recommendations above, your monitoring should have flagged the threat before it turned into a complete network failure. Now it is up to you to work through what happened, and how it happened, in order to take precautions against future failures.
No system is 100% secure but after the previous recommendations you can definitely make your network more secure.
In an ideal world you would have:
- Your BAS server protected on a virtual machine with strict access requirements
- Each user will have their own password integrated with the LDAP platform requiring strong passwords that reset every 90 days
- Your network will not be exposed to the public and will have a strictly defined process for permitting remote access. That remote access will be time-limited, will expire after a set period, and will lock itself immediately if multiple IP addresses try to log in with the same account at the same time.
You have been primed with the foundational knowledge for IT security, now it is up to you to take what you learned and apply it to your platform. But I realize you may still have questions, that is what this blog is here for.
Let me know your thoughts and questions below!