Cybersecurity Basics for Building Automation

The summary below is a set of highlights from a podcast video about cybersecurity basics for building automation systems. This is a good overall video and contains valuable information on BAS cybersecurity. The podcast does not address the implementation or benefits of zero trust, and that is one area that should be explored further.

[00:00:00]

Introduction and Episode Overview

  • This podcast focuses on cybersecurity basics specifically tailored for building automation professionals.


[00:01:08]

Context and Importance of Cybersecurity in Building Automation Systems (BAS)

  • Increasing use of remote connectivity to access BAS due to global circumstances.
  • Raises the question of how tightly BAS need to be secured: too tight, too loose, or balanced.
  • To answer this, the host begins by defining what cybersecurity means and what a reasonable cybersecurity level is, and introduces the CIA triad (Confidentiality, Integrity, Availability).
  • The episode aims to clarify how to protect BAS effectively, regardless of one’s cybersecurity background.


[00:02:21]

Defining Cybersecurity and Its Scope

  • Cybersecurity is securing information systems from both intentional (malicious) and unintentional threats.
  • Includes considerations like disaster recovery and redundancy, which ensure system availability.
  • External threats may not always be malicious but can still disrupt BAS operations (e.g., server relocation, IP changes).
  • Keeping systems available is a critical component of cybersecurity in BAS.


[00:03:30]

Reasonable Cybersecurity: Risk Assessment Approach

  • Industries like finance and healthcare assess cybersecurity by evaluating:
    • Likelihood of threat occurrence
    • Potential financial impact
  • This risk-based approach helps determine cost-effective cybersecurity controls.
  • In BAS, this approach is complicated by the lack of regulatory reporting requirements for breaches or compromises, unlike in healthcare or finance.
  • BAS attacks often remain unreported publicly unless they are very high profile or disclosed by ethical hackers (white hats).
  • Agencies like ICS-CERT and US-CERT track incidents, but many remain unknown to the public.
  • This often creates a false impression that BAS are not targeted, which is inaccurate.


[00:06:04]

Impact of BAS Cybersecurity Incidents: Varying Levels of Criticality

  • Not all BAS compromises are equally severe:
    • Low-level nuisance: Altering set points in a small commercial office building causes inconvenience but no major harm.
    • Moderate risk: Manipulating stairwell pressurization can jeopardize occupant safety during emergencies.
    • High risk: Shutting down chillers in data centers or hospitals can have serious, potentially life-threatening consequences.
  • The cybersecurity response level should be proportional to the criticality of the facility.


[00:07:10]

The CIA Triad in BAS Cybersecurity

  • The CIA triad stands for:
    • Confidentiality: Keeping data private and secure from unauthorized access.
    • Integrity: Ensuring data and commands are not altered or tampered with.
    • Availability: Ensuring systems and data are accessible and operational when needed.
  • In BAS, the main focus is on integrity and availability; confidentiality is often a lesser concern.
  • Common BAS protocols like BACnet and HTTP are not inherently secure, and much BAS data (e.g., space temperature, chiller set points) is not sensitive or confidential.
  • Exceptions exist in industrial or manufacturing plants where environmental data can be proprietary.
  • Integrity example: A controller should receive the intended set point (e.g., 72°F) without interference changing it to an incorrect value.
  • Availability example: Controllers and servers must remain accessible and functional.


[00:09:35]

Cybersecurity Controls: Definitions and Approach

  • Controls are mechanisms to mitigate or neutralize cybersecurity threats.
  • They can be:
    • Hardware devices (firewalls, physical locks)
    • Software tools (encryption, access controls)
    • Administrative policies (password policies, user account management)
  • Controls are implemented based on the risk assessment of threat likelihood multiplied by impact, balancing cost and effectiveness.
  • Sometimes controls exceed the assessed risk due to potential long-term impacts.


[00:10:51]

Three Primary BAS Protection Points: Network, Application, Physical

  1. Network Security
  2. Application Security
  3. Physical Security


[00:11:23]

Network Security: External vs Internal Networks

  • Focus initially on securing external network access, as it is the most likely entry point for attackers.
  • Internal network security is important but considered a secondary line of defense.
  • The concept of defense in depth (layered security): attackers must penetrate multiple layers (external network, physical access, device access) to reach critical systems.
  • Internal attacks often stem from administrative policy failures rather than purely technical vulnerabilities.
  • Example: A fired hospital security guard retained unauthorized access to BAS due to poor account and authentication policies.
  • Use of protocols like LDAP and Active Directory for centralized authentication is recommended.


[00:13:32]

Critique of “Hard Shell, Soft Interior” Network Security Model

  • Some criticize the practice of heavily protecting the external network but leaving internal networks less secure (like a turtle with a hard shell but soft inside).
  • For most commercial buildings (low-risk), this approach is usually sufficient. [Editorial note: The disruption of any building system, especially life-safety systems (e.g. fire alarms), can have serious consequences or disruption.]
  • High-criticality facilities (government, skyscrapers, hospitals, campuses) need more comprehensive internal network security.


[00:14:04]

Network Access Control Recommendations

  • Assess whether remote access to BAS is necessary; if not, avoid it.
  • For remote access, use routers or appliances with:
    • VPN capabilities for endpoint encryption
    • Access control lists (ACLs)
    • Encryption standards to protect data integrity and availability
  • Many consumer-grade cable or DSL modems have these features built-in.
  • Lack of basic IT knowledge in BAS professionals leads to underutilization of available security features.


[00:16:04]

Segmentation and Logical Separation of Networks

  • BAS networks should ideally be air-gapped (physically separate) from business networks.
  • If physical separation is impossible, logical separation can be achieved using:
    • Virtual LANs (VLANs)
    • Access control lists (ACLs)
    • Boundary firewalls
    • Intrusion detection and prevention systems (IDS/IPS)
  • Allows granular control, e.g., only allowing HTTPS traffic from specific hosts to specific devices.
  • Collaboration with the enterprise IT group is crucial to implement these properly.
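The granular control described above (HTTPS only from specific hosts to specific devices, BACnet kept inside the BAS segment) modelled as a first-match, default-deny ACL. This is an added example, not code from the podcast; the address plan and host names are constructed, and UDP 47808 is the standard BACnet/IP port.

```python
"""Default-deny segmentation policy check for a BAS network (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    src: str      # source IPv4 address
    dst: str      # destination IPv4 address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port


@dataclass(frozen=True)
class Rule:
    src_net: str  # CIDR the source must fall inside
    dst_net: str  # CIDR the destination must fall inside
    proto: str
    dport: int
    action: str   # "allow" or "deny"

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src_net)
                and ip_address(f.dst) in ip_network(self.dst_net)
                and f.proto == self.proto and f.dport == self.dport)


# Constructed address plan (assumption, not from the podcast):
#   10.10.0.0/24 business LAN   10.20.0.0/24 BAS VLAN (controllers)
#   10.20.0.10   BAS server     10.30.0.5    operator workstation
BAS_VLAN, BAS_SERVER, OPERATOR_WS = "10.20.0.0/24", "10.20.0.10/32", "10.30.0.5/32"
BACNET_PORT = 47808  # BACnet/IP standard port (0xBAC0)

# First match wins; anything unmatched is dropped (default deny).
RULES = [
    Rule(OPERATOR_WS, BAS_SERVER, "tcp", 443, "allow"),     # HTTPS from one named host only
    Rule(BAS_VLAN, BAS_VLAN, "udp", BACNET_PORT, "allow"),  # BACnet/IP never leaves the BAS VLAN
]


def decide(flow: Flow, rules=RULES) -> str:
    """Return 'allow' or 'deny' for a flow under first-match, default-deny semantics."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return "deny"


def audit(flows, rules=RULES) -> dict:
    """Evaluate a batch of observed flows and return {flow: decision} for review."""
    return {f: decide(f, rules) for f in flows}
```

Running observed flows from a capture through audit() shows which business-side connections a boundary firewall built to this policy would drop.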


[00:17:57]

Summary of Network Security Best Practices

  • Secure external access using VPNs, firewalls, encrypted tunnels, and packet logging.
  • Prioritize external network protection before extensive internal network hardening.
  • Work with IT teams for enterprise-level security.
  • Consumer-grade equipment often suffices if configured correctly.


[00:18:31]

Application Security Measures

  • Use server virtualization to:
    • Facilitate redundancy
    • Enable quick failover and rollback to previous working states
  • Maintain software patching for both BAS software and underlying operating systems to mitigate vulnerabilities.
  • Limit access by:
    • Avoiding direct use of servers as user interface devices
    • Using encrypted communication protocols such as HTTPS, TLS 1.2+, and certificates to validate server identity
  • These measures protect system integrity and help prevent man-in-the-middle attacks.
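The TLS 1.2+ and certificate-validation point above, shown as the weak client settings beside the hardened ones, with an audit function that flags a context falling short of that bar. This is an added example using Python's standard ssl module, not code from the podcast; the CA bundle path is an assumption.

```python
"""Client TLS settings for reaching a BAS web front end (added example)."""
import ssl
from typing import List, Optional


def weak_context() -> ssl.SSLContext:
    """Accepts any protocol version and any certificate: open to man-in-the-middle."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_context(ca_bundle: Optional[str] = None) -> ssl.SSLContext:
    """TLS 1.2 or newer; the server must present a certificate chaining to a trusted CA.

    ca_bundle is an assumed path to the organisation's CA file; None uses the system store.
    """
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True           # server name must match the certificate
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings; an empty list means TLS 1.2+ with verified server identity."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum TLS version below 1.2")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not required")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings
```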


[00:20:12]

Administrative Security Policies

  • Implement policies for:
    • Password management
    • Patching schedules
    • User account lifecycle management (e.g., maximum account duration, timely account closure upon employee dismissal)
    • Temporary access protocols
  • These administrative controls are relatively easy to enforce and critical for overall cybersecurity hygiene.


[00:20:48]

Physical Security Controls

  • No cybersecurity measures are effective if physical access is uncontrolled.
  • Examples of physical risks:
    • Unauthorized individuals plugging devices into network ports (e.g., UDP ports)
    • Accessing BAS panels or controllers in ceilings or plenums without detection
  • Physical security best practices include:
    • Locks on panels with varied keys (not universal keys)
    • Security cameras and monitoring
    • Access control policies for restricted areas
  • Physical security is often the overlooked weakest link.


[00:21:50]

Recap and Risk Management Approach

  • Cybersecurity efforts aim to control and mitigate threats based on risk.
  • Likelihood of BAS being compromised is hard to quantify due to limited public data.
  • The impact of a compromise varies significantly based on facility type and operational criticality.
  • The CIA triad framework guides prioritization, with emphasis on integrity and availability in BAS.
  • Employ encryption for external communications (VPNs, TLS 1.2+, certificates) while acknowledging some protocols like BACnet or Modbus TCP may be exposed.
  • Keep systems patched and virtualized for availability and integrity.
  • Establish strong administrative and physical security policies.


[00:24:37]

Closing and Further Resources

  • This episode provides a basic primer on BAS cybersecurity, terminology, and best practices.
  • The host thanks listeners and invites them to return for future episodes.

Terminology Glossary

  • VPN – Virtual Private Network; encrypts network traffic
  • TLS – Transport Layer Security; protocol for secure communications
  • LDAP – Lightweight Directory Access Protocol; used for authentication
  • VLAN – Virtual LAN; network segmentation technique
  • ICS-CERT / US-CERT – Cybersecurity incident response teams for industrial control systems and US government
  • Man-in-the-middle – Attack where communication between two parties is intercepted
  • Failover – Automatic switching to backup system if primary fails

Final Recommendations

  • Evaluate necessity of remote BAS access before enabling it.
  • Implement VPNs and strong encryption for all external network connections.
  • Segment BAS networks logically or physically away from business networks.
  • Regularly patch BAS and server software; virtualize BAS servers when possible.
  • Establish and enforce administrative policies related to account and password management.
  • Secure physical access to BAS equipment with varied locks and surveillance.
  • Collaborate with IT professionals to align BAS cybersecurity with overall enterprise security.
  • Educate yourself continuously on cybersecurity concepts relevant to BAS.

This comprehensive overview equips building automation professionals to understand and begin addressing cybersecurity risks within their facilities.