Cyber Protection for Building Automation and Energy Management Systems IT and Network Operations Managers Perspective
PROTECT YOUR INVESTMENT
Reinforcing the Integrity of Enterprise Networks

The intersection of Building Automation Systems (BAS) and IT over the past decade has revealed the exponential potential of networked building controls. The sophistication of building automation (BAS) and energy management (EMS) networks makes it possible not just to share data with the enterprise, but to interpret trends and introduce operational and building performance strategies that save money, resources and time: valuable benefits that impact all facets of an organization. However, the transition from standalone systems to the highly connected world of Ethernet and cloud-based computing has put these networks on equal footing with the IT network in their shared need for a vigilant cyber protection strategy.

When it comes to cyber security and threat protection, BAS, EMS and IT networks should not be treated differently. BAS networks are abundant in today's modern buildings, and security through obscurity is not a solution. If a device is on the network, then it can be discovered. Threats and breaches to building and energy management systems can be entry points into a company's network, becoming a pivot point that can bypass existing network defenses. A hacker or unauthorized person can use a simple thermostat, lighting controller or the HVAC system as a launching pad to infiltrate other devices and systems, introduce malware, viruses and worms, or engage in other detrimental activities.
The Moment a Malicious Hacker Exploits a BAS, the Countdown to Chaos Begins

From a business perspective, the negative consequences that BAS/EMS-initiated cyber incidents cause are potentially catastrophic. Such events may impact occupant productivity and personal safety, disrupt critical processes, and shut down business operations entirely. The potential theft and loss of intellectual property can be equally devastating, with negative publicity and loss of customer confidence, while the financial ramifications may be compounded by lawsuits and equipment replacement and repair.

Responsible & Efficient Network Citizenship

IT managers must continuously defend their domain from vulnerabilities, viruses and threats that mutate on a regular basis to outwit encryption methods. It is their responsibility to know exactly what systems and devices exist on the network, how they communicate, what type of data is shared, and who has access rights. Thus, the addition of new control networks and their devices to the enterprise's central nervous system creates further complexity, adding more layers and tangents that require the same level of watchful protection as their IT counterparts.

From an IT point of view, the management of these integrated control systems can require additional time, money and resources. Simply adding a device to the system without the knowledge of the IT department can be detrimental, introducing unsecured portals that can jeopardize the entire enterprise. Pervasive connectivity and integration of BAS networks necessitate a comprehensive cyber security solution that enables organizations to extend their corporate IT strategies so that these systems can exist and interoperate with traditional IT management tools. Such a solution must not drain the resources of the IT department; it should enable facility personnel to manage their own systems in a secure environment without continued involvement from IT.
Physical Repercussions
- Uninhabitable facilities
- Uncontrollable and locked-out systems
- Equipment damage and replacement
- Inefficient systems
- Sprinkler and smoke alarm failure
- Disabled elevator control systems
- Lighting failure
- Compromised building access and intrusion systems

Business Repercussions
- Interruption of business and operations
- Exposure and compromise of intellectual property and sensitive information
- Introduction of malicious files and viruses to the corporate IT network
- Negative publicity, loss of customer confidence
- Brand damage
- Litigation
- Occupant harm, loss of life

An effective BAS cyber security program will enforce responsible network citizenship with policies and procedures that are continually addressed and maintained to the highest standards.
LYNX CyberPRO
Real-time, Continuous Cyber Protection for Building Automation and Energy Management Systems

"Cyber-threats remain one of the most insidious issues within the building automation industry today; threats are becoming more frequent, becoming increasingly sophisticated and are now at a point where we have legitimate and reasonable concern."
Terry Swope, President and CEO of Lynxspring

Lynxspring's LYNX CyberPRO is a cyber-threat protection solution designed specifically for building automation and energy management networks. Lynxspring has partnered with Netop, the premier developer of secure remote access solutions for complex global IT environments, to create a simple, cost-effective and multi-layered security solution for the mechanical and electrical devices and systems that reside on the enterprise network, including HVAC, lighting and energy measuring systems.

LYNX CyberPRO establishes pre-emptive threat protection for the devices and systems across a building network by securing, managing, controlling, tracking and monitoring all account access and activities. LYNX CyberPRO creates shields of security, tailored protection for groups of devices and systems, in addition to layers of cyber protection that reinforce firewall authenticity by eliminating attack surfaces created by exposed devices on the Internet and within the network.

Comprised of a CyberPRO Key and an encrypted LYNX CyberPRO Secure Connect Cloud connection, LYNX CyberPRO is simple to install, configure and operate, and does not require any changes to a device's existing network settings. The CyberPRO Key is installed on the network behind the firewall and configured to the CyberPRO Cloud. This is the single access point into the network and becomes a forensic tool for the entire building control network with an auditable access trail.
The solution supports leading building automation protocols with TCP/IP networks, open and legacy systems and can be accessed anywhere without exposing building system devices to the public internet.
LYNX CyberPRO consists of a CyberPRO Key and an encrypted LYNX CyberPRO Secure Connect Cloud connection. It is simple to install, configure and operate and does not require any changes to a device's existing network settings. There are three simple steps to setting up a key:

1. The Key is plugged into the corporate network.
2. Devices needing secure remote access are added to the Key.
3. Users are added to the Key.

How it Works

[Figure: LYNX CyberPRO Ladder Diagram. Components shown: Internet; AX Supervisor; Firewall; Remote WorkPlaceAX or Browser; CyberPRO Key; Remote Applications; Building Automation LAN/WAN; Energy Management; Building Security DVR; HVAC Plant Control; OpenADR & Generation; Lighting; Asset Monitoring; Utility Metering; Card Access & Intrusion; CCTV.]
CyberPRO Addresses Multiple Areas of Cyber Protection

Reduces the Attack Surface

CyberPRO removes all devices from the public Internet, closes all ports on the corporate firewall, and eliminates the need to add and manage authorized users in the VPN access directory. It hardens and maintains the integrity of the corporate firewall and allows authorized users, including third-party contractors, secure remote access to the appropriate systems.
- Provides one single access point into the corporate IT network versus multiple points
- Restricts access to specific, authorized systems only
- Minimizes the number of devices on the Internet; avoids a proliferation of direct-to-Internet devices

LYNX CyberPRO Protects & Connects

Secures the Connection

Sophisticated encryption is used to protect the confidentiality and integrity of data transmitted between the user and the devices. To gain secure remote access to these systems, the user logs into the encrypted LYNX CyberPRO Cloud and is authenticated via distinct checkpoints. After positive verification, a list of available keys is presented.
- Consists of two layers of verification (device and cloud)
- Features SSL encryption and enterprise-grade administration capabilities

Manages User Access & Rights

Users must log into the selected key and, once authenticated, are presented with a list of devices and randomly generated ports to use during the session. At no time does the user use IP addresses for the devices, only the randomly generated ports the key provides.
- Ability to isolate remote users and their traffic, policies and administrative interfaces from all other users using the same platform
- All communication interactions require authentication and authorization
- Prevents automated Internet port scans

Documents Occurrences

An audit log is created for each session and records all user activity. When the session is over, the key closes all ports.
- Automated collection of events, stored for future analysis

[Figure: connection path. LYNXCyberPro Connect (Remote Client) - Encrypted Tunnel - LYNXCyberPro Cloud (Router) - LYNXCyberPro Key (Network Client).]
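The access model described above (two layers of authentication, a per-session list of randomly generated ports that stand in for device addresses, an audit log for every session, and all ports closed when the session ends) can be captured in a small simulation. The following is an added illustration written for this page, not Lynxspring or Netop code, and every name in it (Broker, Key, Session, the users, device names and addresses) is constructed; it shows why a user who only ever holds a session port never learns a device address, and how the audit trail and port teardown follow from the session lifecycle.

```python
"""Toy model of a session-brokered remote-access path (constructed example).

Not Lynxspring/Netop code. Shows the pattern: cloud login, key login, random
per-session ports in place of device addresses, an audit trail, and teardown.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field

EPHEMERAL_RANGE = range(49152, 65536)  # IANA dynamic/private port range


def _hash(secret: str) -> bytes:
    # Demo credential store only; a real one would use a salted password hash.
    return hashlib.sha256(secret.encode()).digest()


@dataclass
class Key:
    """A key sits behind the firewall and knows its devices and grants."""
    name: str
    secret_hash: bytes
    devices: dict = field(default_factory=dict)  # device name -> private address
    grants: dict = field(default_factory=dict)   # username -> set of device names


@dataclass
class Session:
    user: str
    key: str
    port_map: dict = field(default_factory=dict)  # session port -> device name
    open: bool = True


class Broker:
    def __init__(self, users: dict, keys: dict):
        self.users = users      # username -> password hash (cloud layer)
        self.keys = keys        # key name -> Key
        self.audit: list = []   # every event across every session

    def _log(self, **event):
        event["ts"] = time.time()
        self.audit.append(event)

    def cloud_login(self, user: str, password: str) -> list:
        """Layer 1: authenticate to the cloud; return the keys this user may see."""
        stored = self.users.get(user)
        ok = stored is not None and hmac.compare_digest(stored, _hash(password))
        self._log(event="cloud_login", user=user, ok=ok)
        if not ok:
            raise PermissionError("cloud authentication failed")
        return [name for name, key in self.keys.items() if user in key.grants]

    def open_session(self, user: str, key_name: str, key_secret: str) -> Session:
        """Layer 2: authenticate to the chosen key, then hand out random ports."""
        key = self.keys[key_name]
        ok = hmac.compare_digest(key.secret_hash, _hash(key_secret))
        self._log(event="key_login", user=user, key=key_name, ok=ok)
        if not ok or user not in key.grants:
            raise PermissionError("key authentication or authorization failed")
        sess = Session(user=user, key=key_name)
        for device in sorted(key.grants[user]):
            port = secrets.choice(EPHEMERAL_RANGE)
            while port in sess.port_map:          # avoid a collision within the session
                port = secrets.choice(EPHEMERAL_RANGE)
            sess.port_map[port] = device
        self._log(event="session_open", user=user, key=key_name,
                  ports=sorted(sess.port_map))
        return sess

    def connect(self, sess: Session, port: int) -> str:
        """Relay a connection on a session port; the private address stays in the key."""
        if not sess.open or port not in sess.port_map:
            self._log(event="connect_denied", user=sess.user, port=port)
            raise PermissionError("port not open for this session")
        device = sess.port_map[port]
        _private_addr = self.keys[sess.key].devices[device]  # used by the key only
        self._log(event="connect", user=sess.user, key=sess.key, device=device)
        return device

    def close_session(self, sess: Session) -> None:
        """End of session: every port is closed and the closure is recorded."""
        sess.port_map.clear()
        sess.open = False
        self._log(event="session_close", user=sess.user, key=sess.key)


def build_demo_broker() -> Broker:
    """Constructed sample data: one key, two devices, two users."""
    key = Key(name="bldg-a-key", secret_hash=_hash("key-secret"),
              devices={"ahu-1": "10.0.0.21", "lighting-1": "10.0.0.22"},
              grants={"alice": {"ahu-1", "lighting-1"}})
    return Broker(users={"alice": _hash("alice-pw"), "bob": _hash("bob-pw")},
                  keys={"bldg-a-key": key})


if __name__ == "__main__":
    broker = build_demo_broker()
    print(broker.cloud_login("alice", "alice-pw"))
    session = broker.open_session("alice", "bldg-a-key", "key-secret")
    print(session.port_map)
    broker.close_session(session)
    print(broker.audit)
```

The point worth noticing is that `connect` returns only a device name and the private address never appears in anything the remote side receives or in the audit log; a defender reviewing the log still sees who connected to which device and when, which is what "documents occurrences" requires.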
Benefits of CyberPRO for IT Professionals
- Single, unified access and view
- Secures connections through high encryption; authentication via distinct checkpoints
- Reduces the number of devices exposed to the public Internet; ports remain closed
- Creates secure remote access without firewall exceptions, proxies or special configurations
- Restricts device connectivity and authorizes devices on the network
- Enforces trusted change policies
- Meets compliance requirements
- Allows for patch management in a trusted, secure environment
- Frees up VPN licenses for concurrent users for corporate personnel use only
- Centralized accountability

"In combining efforts with Lynxspring on LYNX CyberPRO, we have created a single, secure, monitored and audited access point to building control systems. This will give authorized personnel timely and secure access to building data while reducing external threats to building automation systems."
Kurt Bager, CEO, Netop
About Lynxspring

Lynxspring is changing the way devices and systems communicate and collaborate across enterprises. Our technologies enable users to manage and operate their facilities and equipment smarter, safer, more efficiently and at peak performance levels within a secure IT environment. Embracing open framework platforms, Lynxspring designs, manufactures and distributes JENEsys brand Internet-based automation infrastructure technology and device-to-enterprise integration solutions for Building Automation, Energy Management, Cyber Security, Equipment Control and other specialty applications. www.lynxspring.com

About Netop

Netop develops and sells market-leading software solutions that enable swift, secure and seamless transfer of video, screens, sounds and data between two or more computers. Used by half of the Fortune 100, Netop's solutions help businesses provide better customer service, reduce support costs and meet security and compliance standards. Headquartered in Denmark, Netop has offices in the United States, China, Romania and Switzerland. The company sells its solutions to public and private clients in more than 80 countries. Netop Solutions A/S shares are listed on the Copenhagen Stock Exchange. www.netop.com

Lynxspring. GO FURTHER.
For more information on Lynxspring's National Account Services, please contact us at 816-347-3500 or at www.lynxspring.com.
LYNX CyberPRO is a trademark of Lynxspring.