By Ronald Kovach, managing editor Building Automation
The advent of building controls that are out on the Internet is a reminder that even the best of intentions can also produce potentially bad side effects. Facility managers have grown accustomed to the power of networked building automation systems (BAS) and are exploring the rapidly expanding Building Internet of Things (IoT).
Networked controls have provided convenience, connectivity, better operational efficiency, occupant comfort, and remote control ability. But they have also introduced a new world of vulnerability to computer hackers, whose job, at least right now, is usually a cakewalk, according to cybersecurity experts.
Ask some of these experts how easy or difficult it is to penetrate building control systems at present and you hear laughter — not to make light of the situation, but to indicate how easy it is. Billy Rios, whose Silicon Valley-based company WhiteScope works on embedded security problems, says the general state of building control protection and readiness is very poor. Fred Gordy, director of cybersecurity for the consulting firm Intelligent Buildings, estimates only about 15 to 20 percent of BAS are “fairly substantial and resistant” to intrusion. “Some of the guys I respect through the industry — we’re all basically waiting for ‘Cyber 9-11,’ ” he says. “We know it’s coming.”
Rios also sees a growing brazenness in hackers, with ransomware and denial of service.
“They want you to know that they’re there, because they’re telling you to pay a ransom or fee,” he says. “Gone are the days when you could just kind of silently ignore this and your business continues to function. Now these attackers are disrupting your business, taking away your communications, your IT assets, your patient data. What’s different is the way they’re now trying to monetize this.”
While some facility managers might take comfort in thinking a hacker would have little interest in playing around with their lighting, elevator, or HVAC systems, there’s a bigger potential problem — that the BAS is simply a fairly easy entry point and that, once the BAS has been breached, the hacker can “pivot” into the corporate network, and do far greater damage there.
Another tricky part of the challenge is that a single weak link in the long chain of protection — which ranges from integrators and other vendors to facility managers and building occupants — can expose the system to an intruder. For that reason, it is crucial that every link follows best practices, and stays up to date as these evolve, says Ronald Zimmer, president and CEO of the Continental Automated Buildings Association (CABA). “There are so many parts to it,” he says, “that it’s staggering to know the potential vulnerabilities of systems.” He expects many more intrusions to occur.
“The reality is that the majority of buildings do have vulnerability that can be hacked.”
The picture is not all bleak, though. The means of better protecting building control systems from intrusion are, for the most part, not terribly expensive or sophisticated, the experts say. And while building owners and operators need to be more aware of the dangers, the number of attacks their building may be receiving, and the consequences of a successful attack, Zimmer says that, overall, the level of knowledge, company protections, and BAS quality are improving rapidly. The growing involvement of the insurance industry in cyber damage policy-writing could, in effect, enforce best practices. And it is conceivable that the spate of major computer hacks in the last few years — such as Target, Operation Stuxnet, and a German steel mill, which did not involve building controls — has thrown enough of a spotlight on vulnerabilities that it is beginning to raise the cyber consciousness of many facility managers.
© Copyright Building Automation Magazine 2017