ASHB Podcast - Building Cybersecurity 101

Introduction

In this episode of the ASHB Smarter Homes & Buildings Podcast, host Greg Walker, ASHB CEO, sits down with Louis Parks, CEO and Chairman of Veridify Security, for the first installment of a three-part series on Building Cybersecurity. This conversation, titled Cybersecurity 101, introduces the fundamentals of protecting building systems and connected devices, highlighting how operational technology (OT) networks differ from traditional IT systems, the vulnerabilities common to BACnet and Modbus, and why cybersecurity has become an essential part of modern building operations. It’s a practical and insightful discussion for anyone looking to understand the evolving risks and defenses shaping today’s smart buildings.



Key Insights

  • Buildings operate on OT networks that are fundamentally different from IT networks, with a focus on reliability and safety rather than confidentiality.
  • Most building automation protocols and devices were not designed with security in mind, creating systemic vulnerabilities.
  • Credential management, remote access, patching, and network segmentation are major weak points in current building cyber defenses.
  • Traditional IT security tools like firewalls provide incomplete protection in OT environments due to network complexity and operational constraints.
  • Zero Trust is a framework emphasizing continuous verification and authentication, highly relevant but rarely fully implemented in building systems.
  • Proactive encryption and authentication at the device level represent the next frontier in securing building automation systems.
  • Building owners have strong incentives to invest in cybersecurity: protecting assets, ensuring safety, minimizing operational disruption, reducing insurance costs, and maintaining reputation.

Transcript Summary

[00:00 → 02:56] Introduction and Guest Background

  • This episode is the first in a three-part series on building cybersecurity, hosted by ASHB CEO Greg Walker with guest Louis Parks, CEO and Chairman of Veridify Security.
  • The focus is on Cybersecurity 101, covering fundamentals, tools, and challenges related to protecting building systems. Future episodes will address applying these methods and the state of the market.
  • Louis Parks brings extensive experience, including roles in homeland security, electronic passports, RFID standards, and cybersecurity for low-resource processors—a critical challenge in building automation systems.

[02:56 → 05:45] What is Building Cyber Security? IT vs OT Networks

  • Networks are categorized into two types: IT (Information Technology) and OT (Operational Technology).
  • Buildings operate primarily on OT networks, which connect edge devices like HVAC, lighting, and security controls. These networks have existed for decades but were historically not designed with cybersecurity in mind.
  • IT networks focus on data confidentiality (patient data, financial data), while OT networks prioritize operational reliability, safety, and uptime.
  • OT networks are typically heterogeneous with multiple vendors and varying protocol implementations (e.g., BACnet, Modbus), making cybersecurity more complex than in IT environments.

[05:45 → 09:08] Common Vulnerabilities in Building Systems

  • Many building automation protocols were designed without any security features, leaving them exposed.
  • Credential management is poor: passwords are often stored insecurely (e.g., found under keyboards) or left at their defaults.
  • Remote access is another vulnerability; while tools have improved recently, universal adoption is lacking.
  • Network segmentation and firewalls, standard in IT, are challenging to implement in OT without disrupting operations.
  • Patch and update management is severely lacking—many devices run outdated software installed years ago, making them vulnerable to newer attack techniques.
  • These factors combine to create a significant attack surface for hackers.

[09:08 → 12:01] Basic Cybersecurity Tools and Methods for Building Automation Systems (BAS)

  • Standard IT tools like firewalls, encryption, authentication, and network segmentation are useful and should be adopted where possible.
  • MDR (Monitor, Detect, Respond) tools exist to detect anomalies and respond to attacks, though response capabilities can be limited in OT environments.
  • Secure remote access solutions are increasingly important as many buildings are accessed remotely via cloud or VPNs.
  • Veridify Security’s approach involves a VPN-like platform that authenticates and encrypts data packets at the device level.
  • BACnet Secure Connect, a newer protocol iteration, incorporates TLS encryption and endpoint authentication, but requires new equipment and investment.

[12:01 → 14:26] Limitations of Traditional Perimeter Defenses in OT Networks

  • Firewalls provide a perimeter defense but do not protect against insider threats or unauthorized access once inside the network.
  • Facility managers often lack the expertise to properly configure and manage firewalls, increasing risk.
  • Vendors may request open ports for maintenance, which, if not closed properly, create vulnerabilities.
  • OT networks often resemble a “flat” network structure inside the firewall, lacking device-level authentication; once inside, malicious actors can move freely.
  • Firewall management and configuration are ongoing challenges in OT environments.

[14:26 → 17:34] Understanding Zero Trust Security and Its Application to Building Automation

  • Zero Trust Security is a guideline/framework (not a certification or standard) that emphasizes “never trust, always verify.”
  • Key components include:
    • Identity verification and mutual authentication between devices and controllers.
    • Authorization to ensure only authorized changes are allowed.
    • Network and application protection through permissions.
    • Continuous monitoring and visibility into network activity.
  • Zero Trust principles are applicable to building automation systems but rarely fully implemented; many products only partially address these pillars.

[17:34 → 19:47] Cybersecurity Challenges with BACnet and Modbus Protocols

  • Both BACnet and Modbus were designed before cybersecurity was a concern and transmit commands in plain text, making them vulnerable to interception and manipulation.
  • Tools like Wireshark can easily capture and display these commands, allowing attackers to issue harmful commands (e.g., turning off HVAC, disabling elevators).
  • BACnet exists in multiple versions:

    | Protocol Version | Characteristics | Security Features | Adoption Challenges |
    | --- | --- | --- | --- |
    | BACnet MSTP | Non-IP, serial, long wire runs | None | Still widely used for cost |
    | BACnet IP | Runs on TCP/IP networks | None originally, flat network | Vulnerable due to flatness |
    | BACnet Secure Connect | Newer, uses TLS encryption | Strong encryption/authentication | Requires new equipment, costly |

  • Mixed vendor environments, multiple protocols, and lack of standardization compound security challenges.
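
A defender's view of the plaintext problem described above, as an added example that is not from the podcast or from Veridify: it decodes Modbus/TCP request payloads, which carry no authentication or encryption fields, and flags state-changing write requests from sources outside an allowlist. The IP addresses, the allowlist and the sample payloads are constructed assumptions, and every payload is treated as a client-to-server request.

```python
import struct
from typing import Optional

# Modbus function codes that change device state (Modbus application protocol).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

# Hypothetical allowlist: the only station expected to issue writes.
AUTHORIZED_WRITERS = {"10.0.10.5"}

def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode the MBAP header and the start of the PDU of a Modbus/TCP request."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit, func = struct.unpack(">HHHBB", payload[:8])
    if proto != 0:
        raise ValueError("protocol identifier is not 0, not Modbus")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match payload size")
    frame = {"transaction": tid, "unit": unit, "function": func}
    # All four write requests start with a 16-bit address and a 16-bit value or count.
    if func in WRITE_FUNCTIONS and len(payload) >= 12:
        frame["address"], frame["value"] = struct.unpack(">HH", payload[8:12])
    return frame

def review(src_ip: str, payload: bytes) -> Optional[str]:
    """Return an alert for a malformed frame or a write from an unlisted source."""
    try:
        frame = parse_modbus_tcp(payload)
    except ValueError as exc:
        return f"ALERT malformed frame from {src_ip}: {exc}"
    name = WRITE_FUNCTIONS.get(frame["function"])
    if name and src_ip not in AUTHORIZED_WRITERS:
        return (f"ALERT {name} from unlisted source {src_ip}: unit={frame['unit']} "
                f"address={frame.get('address')} value={frame.get('value')}")
    return None

# Constructed sample payloads (not from a real capture).
READ_REQ = bytes.fromhex("000100000006" "01" "03" "00000002")   # Read Holding Registers
WRITE_REQ = bytes.fromhex("000200000006" "01" "05" "00130000")  # Write Single Coil 19 -> OFF

if __name__ == "__main__":
    for src, pkt in [("10.0.10.5", WRITE_REQ), ("10.0.20.77", READ_REQ), ("10.0.20.77", WRITE_REQ)]:
        print(src, review(src, pkt) or "ok")
```

Source-address allowlisting is only a monitoring aid: nothing in the frame proves who sent it, which is the gap device-level authentication is meant to close.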

[19:47 → 23:41] Why Building Owners Should Care About Cybersecurity

  • Cybersecurity protects the value of the building asset and ensures safe, reliable operation.
  • Disruptions to building systems (e.g., elevators out of service for weeks) can make buildings unusable and impact tenants.
  • Reputational risks exist; high-profile cyberattacks (e.g., MGM Grand Hotel shutdown) highlight potential consequences.
  • Rising cyber insurance premiums create financial incentives for improving cybersecurity; insurers may offer discounts for buildings with strong OT protections.
  • Buildings with documented cybersecurity measures may attract tenants seeking operational reliability and safety.

[23:41 → 28:27] Recommended Steps for Building Owners and Facility Managers to Improve Cybersecurity

  • For new buildings, integrate cybersecurity from the design phase using the latest tools.
  • For existing buildings, start by creating a cybersecurity plan with measurable goals. Reference standards like:

    | Standard / Guideline | Description | Applicability |
    | --- | --- | --- |
    | NIST Cybersecurity Framework | Comprehensive guidelines for IT and OT systems | Widely used, adaptable to buildings |
    | ISO/IEC 62443 | Security for industrial automation control systems | Relevant to building automation |
    | Department of Defense (DoD) Documentation | Hardened controls for facility systems | Military-grade, publicly available |

  • Conduct a complete inventory of devices and network connections; schematics are often outdated or incomplete.
  • Implement and document credential management, remote access policies, and network segmentation where possible.
  • Engage IT staff or cybersecurity consultants to develop and maintain the plan.
  • Studies indicate that over 25% of buildings acknowledge cyber incidents, though actual rates may be higher due to underreporting or lack of awareness.

[28:27 → 31:28] Closing Insights

  • Louis Parks advocates for moving beyond passive monitoring to proactive device-level encryption and authentication to prevent damage rather than just detect it.
  • He compares passive monitoring to a bank account where transactions are watched but no authentication is required before transfers, which is an insufficient defense.
  • Veridify Security offers solutions that implement zero trust principles by encrypting and authenticating all data packets within building networks.
  • The podcast series will continue to explore practical applications and market trends in building cybersecurity.