Preventing physical damage from cyberattacks
The term “cybersecurity” typically conjures up images of digital warfare between implacable hackers bent on world domination and stalwart IT defenders determined to protect critical national defense and financial systems. Of course, there is some truth to this. All too often, though, security vulnerabilities are much closer to home, much simpler, and in some ways more concerning precisely because they can affect our everyday lives.
Energy management and control systems (EMCS) are seldom top-of-mind for the general public. More than 99 percent of the population will have never heard the term. An EMCS is in some ways a glorified thermostat that ensures the conditions within a building remain comfortable. Normally, there is no cause to worry about it. But EMCS, and similar systems called supervisory control and data acquisition (SCADA), actively control equipment whose proper operation is fundamentally critical to functional buildings.
Any modern office building, school, hospital, data center, university or military facility is served by large, complicated mechanical systems that provide heating, cooling, and ventilation. Shutting down any of these mechanical systems threatens the function of the facility. A data center, for example, cannot operate without air conditioning for more than a few minutes. Sabotaging a building does not necessarily require attacking it directly; it can be as simple as shutting down a fan or a boiler at the right moment.
How we got here
Historically, EMCS security was never an issue. These systems existed out-of-sight, tucked away deep in boiler rooms, isolated from most other operations. Most of them had limited or no connections to the outside world and operated on their own proprietary networks, separate even from the standard Ethernet networks of the IT world. This anonymity was in some ways their best defense, since the level of security designed into the systems themselves was often low, and little attention was given to the issue by system users.
In today’s Internet-of-Things environment, where every device has an IP address and all systems could be connected to any laptop, the security of EMCS, SCADA and similar systems takes on much greater importance. Cyberattacks on industrial systems that control processes like electricity generation, refineries, data centers and gas pipelines are commonplace. In 2015, 295 attacks on such systems were reported to US authorities. By 2017, that number exceeded 1,000. Despite this, all major communication protocols for facility and industrial control systems are vulnerable. Some of them have no data security protocols whatsoever.
The problem is exacerbated by the fact that building and industrial engineers are not IT professionals or cybersecurity experts. Their focus is on ensuring the systems perform their intended tasks, with security as a secondary concern. In many cases, specifying engineers, installers and building operators lack the awareness or training needed to ensure the security of these systems.
Ways to increase system security
Broadly speaking, the attacks these systems must be defended against fall into two categories: external and internal. External attacks will most likely originate from the Internet. For this reason, all Internet connections should be treated as potentially hostile and secured against intrusion. Several options can be explored:
- No connection – while obviously secure, this severely limits the functionality of modern systems, which need to exchange data with a host of other applications or need to be monitored / controlled from remote locations.
- Remote desktop application – this requires a dedicated software package running on a remote computer. While effective, this in turn creates another point of vulnerability at the remote computer itself, which must likewise be protected.
- Virtual Private Network (VPN) Firewall – similar to a remote desktop but with a more secure connection. The remote computer itself still requires protection.
- Dedicated EMCS / SCADA Web Server – rather than connecting an EMCS directly to the Internet, a separate server is placed behind a firewall and access to the server itself is restricted.
Any of these, or some combination of them, will improve a system’s security. But all of them will prove useless if a hacker obtains authentication credentials from an end user. Guarding against this requires the same policies commonly found in IT departments that mandate strong, frequently changed passwords and active protection against probes such as phishing emails that try to lure users into disclosing their passwords. In addition, physically protecting the system components behind locked access is a must.
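The dedicated EMCS / SCADA web server option can be checked mechanically against a firewall rule set. The sketch below is an added example, not part of the original article: the addresses, ports, rule names and the approved remote-client range are all constructed assumptions, and "restricted access" is modelled as an approved source range plus an HTTPS-only port list.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan (assumptions, not taken from the article).
CONTROLLER_NET = ipaddress.ip_network("10.20.0.0/24")  # EMCS controllers
WEB_SERVER = ipaddress.ip_network("10.30.0.10/32")     # dedicated EMCS web server
WEB_CLIENTS = ipaddress.ip_network("203.0.113.0/24")   # approved remote users
WEB_PORTS = {443}                                      # assumed: HTTPS only

@dataclass
class Rule:
    name: str
    src: str     # source CIDR
    dst: str     # destination CIDR
    port: int
    action: str  # "allow" or "deny"

def audit(rules):
    """Return (rule name, reason) for every allow rule that breaks the design.

    Each rule is judged on its own; rule order and shadowing are not modelled.
    """
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        src = ipaddress.ip_network(r.src)
        dst = ipaddress.ip_network(r.dst)
        if dst.overlaps(CONTROLLER_NET) and not src.subnet_of(WEB_SERVER):
            findings.append((r.name, "controllers reachable without the web server"))
        elif dst.overlaps(WEB_SERVER) and (
                r.port not in WEB_PORTS or not src.subnet_of(WEB_CLIENTS)):
            findings.append((r.name, "web server open to unapproved source or port"))
    return findings

# Constructed sample rule set; the controller port number is arbitrary.
SAMPLE_RULES = [
    Rule("ops-to-web", "203.0.113.0/24", "10.30.0.10/32", 443, "allow"),
    Rule("web-to-ctrl", "10.30.0.10/32", "10.20.0.0/24", 47808, "allow"),
    Rule("vendor-remote", "0.0.0.0/0", "10.20.0.5/32", 47808, "allow"),
    Rule("any-to-web-rdp", "0.0.0.0/0", "10.30.0.10/32", 3389, "allow"),
    Rule("block-rest", "0.0.0.0/0", "10.20.0.0/24", 0, "deny"),
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"{name}: {reason}")
```

Run against the sample rules, it flags the rule that exposes a controller directly to the Internet and the rule that opens the web server on an unapproved port to any source.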