Security Issues with Integrated Smart Buildings

Transcription

1 Security Issues with Integrated Smart Buildings Jim Sinopoli, Managing Principal Smart Buildings, LLC The building automation industry is now at a point where we have legitimate and reasonable concern regarding the security of building control systems, especially in smart buildings where advanced technology is deployed. We see stories in the news regarding malicious cyber-attacks on private companies, government networks and internet sites and there are questions as to what such an attack would mean for building control systems, building operations, occupants and owners. The apprehension is amplified in newer buildings because there have been increased penetration of IT infrastructure in building control systems and greater integration and interconnection of building controls with other systems. The potential security vulnerability of a building can extend to the smart grid as we move to implement two-way communication between buildings and the grid, and of course could also impact corporate business systems. The overarching security concern is more about network security and less about physical security, although the two are certainly related. Network Attacks Interception Network Sniffing Fabrication Insert Malformed Messages Insert Correct Messages Replay Old Messages Modification Man-In-the-Middle Attacks Alteration Interruption Denial of Service Network Flooding Redirection BAS Security Attacks Device Attacks Software Code Injection Exploiting Algorithm Weakness Availability Attacks Configuration Mechanism Abuse Side-Channel Time Analysis Power Analysis Fault Behavior Analysis Physical Eavesdropping Microprobing Component Replacement The threat simply is that someone can penetrate a building s systems via an unsecured network to cause damage, disruption, theft or possibly even loss of life. For traditional IT systems, the threat may be loss of communications, unauthorized access to sensitive data, theft of intellectual property, disruption of equipment which may include physical security systems such as access control and video surveillance, loss of data, and impediments to business continuity. For the other building systems such as HVAC control, electrical distribution, lighting, elevators, etc., the threat is disruption of critical 1

2 building infrastructure which also impedes or can halt normal operations. Depending on the building use and building control system, a security threat may be related to life safety, for example disrupting emergency power, lighting and HVAC in a critical healthcare space. The threat to building systems is not hypothetical; the infamous Stuxnet cyber-attack in 2010 eventually affected programmable logic controllers (PLC), a controller that is often used in industry, commonly in buildings elevators, pumps, drives, and lighting equipment. In general the building automation industry and facility management have treated the security of building control networks as a secondary or tertiary issue, if at all. The most popular security approach for a building management system (BMS) is to isolate the BMS; not letting it connect to any other networks. But that alone is a false sense of security; the BMS at a minimum will have fire systems, HVAC, access control, elevators and possibly lighting connected into it, potentially allowing access from one of those networks or one of the devices on those networks. Minimal or partial security measures may be in place for some buildings but not the comprehensive security measures required to minimize network vulnerability. It s fair to say that most traditional building management systems are not secured. In fact, many legacy BMS systems have back doors allowing the BMS manufacturer or local control contractor to monitor, manage or update the systems. It is interesting that while oftentimes the recent security concern is about newer buildings, it is older buildings with legacy BMS systems that are probably much more vulnerable to attack. The legacy systems are likely to be running older operating systems, databases, and web browsers, some of which may no longer be updated with security patches. In addition, the vulnerabilities of older systems are public knowledge and well known to hackers, thus minimizing the effort and time for an attack. The automation industry has rightfully strived for standards for systems, moving from proprietary implementations by manufacturers to open and transparent communication protocols. There are many benefits to open standards: compatibility of products, customization, avoiding being locked-in to one manufacturer, interoperability, competitive costs, more support options, etc. At the same time open and transparent standards would seem to increase 2

3 the vulnerability of BAS networks, basically providing all the information hackers would need to assess vulnerabilities and potential approaches for an attack; this may look like something akin to giving the car thief the keys to the car. It is important to note that having a proprietary protocol does not inherently make a system secure. If the attack is performed on the BAS server or workstation rather than directly on a controller then the protocol is irrelevant. There are also tools such as gateways which are used for integration to such systems and which can also provide an avenue for attack. However, one of the upsides of the open standards movement is that it allows those communication protocols to incorporate network security related attributes. Most major BAS standards have incorporated some security mechanisms. The security aspects of BACnet are probably the most advanced, at the other end of the spectrum is Modbus, which has no inherent security capabilities. There are two main attack scenarios to consider: a remote attack originating from outside the building LAN and a local attack from inside the LAN. The first is much more likely but also much easier to mitigate, while the second is potentially much more dangerous and difficult to deal with. A cyber-attack on a BAS network is either going to go after the network, trying to access or disrupt the communication or exchange of data, or the BAS devices, namely the controllers, actuators and sensors. The BAS network could be accessed physically, possible via wireless communication, but also through a network device, such as a compromised controller. The attacks on the devices are likely to emanate from the network or physical manipulation of the device. Tips on Preventing a Security Breach Developing, testing and deploying security measures in buildings needs to be an ongoing process actively built into the operation of the building. Here are some suggestions for the first steps: 3

4 Assign a dedicated network administrator for building control systems with responsibility for ongoing network security. The network administrator should coordinate security efforts and responses, as well as internal and external assistance. In the event that Facility Management is spearheading the effort coordinate with the IT department early on. Take a comprehensive approach assess every building system, its vulnerabilities and what the loss or disruption of the systems will mean to building operations and occupants as well as the financial impact. Identify probably avenues of attack and monitor for telltale signs of an ongoing attack. Start with the use of IT security measures on the building automation networks. Typical IT Security Measures Strong firewalls User authentication Secured wireless Awareness about physical security Use VPNs in enterprise situations Back-up policy Strong encryption of BAS data communication Network hardware is in secured data center Intrusion detection systems Devices that can capture IP packets Understand that while the IT security measures are valuable they may not apply to all systems or portions of building control systems. For example, at the field or application control level you may find controllers with limited processing power and memory, and utilizing a limited bandwidth network. Not likely candidates for IT-type security. Provide physical security in areas or spaces where BAS equipment is located and BAS network cable runs. Encrypt your network traffic. Secure any wireless network Take into consideration the human aspects of security; the greatest threat is from the inside ; disgruntled employees, those taking shortcuts or bringing in their own laptop, etc. Develop policies regarding passwords, configurations, settings, and a comprehensive training program. 4

5 Make sure you have secure backups of all databases that cannot be accessed or deleted from the network. In most cases an attacker will start with the easiest targets, so consider creating honeypot systems that are purposely insecure and monitor them for signs of attack in order to let you know when someone is targeting your systems. Perhaps even more importantly, you should also make plans for what to do in case prevention fails and an attack is underway. Develop strategies for identifying ongoing attacks and shutting off web access, VPNs, servers, even ports on network switches that are used by BAS network controllers in response to an attack. In most cases controllers will continue operating on schedules and sensor inputs when disconnected from a management server, which may be a better option than letting the attack continue. There is no point in deploying a security program that only addresses a limited portion of the vulnerabilities; that s simply an admission that some systems are not safe. Comprehensively securing a building not only involves access control and video surveillance or an IT security program, it must also include the building control and automation systems. The control systems are different types of networks and have never had any comprehensive security measures. But the new and changing technology as well as system integration requires the control systems be brought under a security umbrella. If you have comments or feedback about this article, we would like to hear from you at [email protected]. 5

6 6