Security essentials for BAS

Engineers should understand the three-legged stool of cybersecurity for building automation systems.

By Kevin Callahan, Alerton, and Daniel Heine, Honeywell Automation & Control November 6, 2014

Learning objectives:

  1. Understand the three crucial players in ensuring online security for building automation systems (BAS).
  2. Discuss the role building owners and facility managers play in BAS security.
  3. Learn the BAS features that isolate the system from outside networks.

Following media reports this year of several massive data breaches, building owners and specifying engineers are increasingly focused on keeping their Internet-facing systems secure. For building automation systems (BAS), cybersecurity relies on the integrated work of three parties:

  1. Building owners and end users
  2. BAS integrators
  3. BAS manufacturers and software vendors. 

Building owners, end users, and BAS integrators should engage with the information technology (IT) professionals early on and adopt a comprehensive cybersecurity and risk management program that addresses the people, processes, and technology aspects of managing risks throughout the building’s lifecycle. A good cybersecurity program will also include sustainable training at all levels.

Building owners and end users

Building owners and facility managers make up the first leg of the BAS cybersecurity stool. Their role includes creating and maintaining a sustainable cybersecurity and risk management program and a culture of security within their organizations that ensures that staff using the BAS follow cybersecurity best practices.

End users must also keep in mind that while a BAS investment should last for many years, cybersecurity threats change frequently, and therefore need constant vigilance. Anyone who interacts with the BAS should at a minimum be trained in cybersecurity awareness, and ideally should be trained and certified to properly deploy vendor systems securely. Facility professionals should also remember that the BAS will require maintenance, which might include patches to the operating system, and anti-virus software updates and management. Ultimately, end users are responsible for ensuring they have a cybersecurity and risk management program in place for their BAS, which includes keeping it up to date with the most current software version and installing security updates when they are released by the vendor.

BAS integrators

The professionals who design and install the BAS (often consulting specifying engineers) have the critical role of ensuring that the system’s security features-such as those discussed in the "BAS manufacturers and software vendors" section that follows-are fully deployed.

Because BAS by their nature are connected to numerous systems throughout buildings, and often to the Internet to enable facility managers to remotely access the building controls, it is crucial to isolate the BAS from other internal networks, such as financial management or credit card processing. Ways to accomplish this include deploying the BAS behind a firewall or on a virtual private network (VPN). As this typically requires acquiring and installing additional hardware dedicated to protecting the building networks from both external and internal attacks, the BAS integrator should involve the client’s IT experts early in the BAS selection process. For further discussion on "dealing with the enterprise IT department," see section 4.3.4 of Addendum a to ASHRAE Guideline 13-2014, Specifying Building Automation Systems (advisory public review draft as of June 2014).

BAS integrators also should document the processes and procedures they followed for designing and implementing the BAS, which will be a crucial reference for the building owner. Ideally, they will provide this information in a BAS security manual that instructs the installation contractor and end users on how best to secure the system. This will include fundamental security practices applicable to any Internet-facing system, such as disabling guest user accounts and using strong password protection protocols.

BAS manufacturers and software vendors

The companies that develop BAS hardware and software have the crucial responsibility to continually evaluate and improve their products’ security. As BAS have evolved, some of the latest features to look for are discussed below.

One of the security features some manufacturers offer is BAS control modules with multiple Ethernet ports. These units physically separate the building systems from connections to outside networks to provide "defense in depth" and reduce the vulnerability of sensitive internal systems to external attacks. "Defense in depth" means that there must also be additional layers of protection such as segmented networks using firewalls and/or VPNs.

Another important security feature available with some BAS is the ability to configure the system to use public key infrastructure (PKI) certificates for web connections. This provides the ability to encrypt the Web connection and can help to prevent "man-in-the-middle" cyber attacks whenever an authorized user logs into the server.

Vendors also have the obligation to deploy and use best practices when it comes to the security of their products. This includes:

  • If the product is not already secure by default, to continuously evaluate their products to improve their security and to address known vulnerabilities transparently and quickly·
  • Make cybersecurity a priority in all aspects and stages of their software design, including the principle of least privilege access, meaning users are granted only the level of access to the system that they need, and not more
  • Minimize the effort required of integrators and end users to configure the security of the system
  • Document the risks that can’t be mitigated in the system itself, as well as the compensating countermeasures necessary if the owner/operator deems that risk to be unacceptable (requires mitigation). 

Although some building professionals tend to think of BAS security as primarily an Internet security issue, it is also important to consider physical access to the system. Aside from the obvious issue of needing to limit access to computer systems by unauthorized personnel, some manufacturers offer BAS control modules that do not automatically execute code from USB thumb drives. While this feature would not stop someone bent on corrupting a system from gaining physical access to the BAS, it does prevent a BAS user from inadvertently introducing a virus or worm into the system when plugging in a thumb drive that has picked up malware from somewhere else.Cybersecurity can be thought of as a three-legged stool; the legs are the end users, integrators, and manufacturers. Each plays a critical role in the security of the automation system. Ultimately, the BAS is only as secure as each of the legs of that stool.

Kevin Callahan is a product owner and evangelist for Alerton, a Honeywell business. He has 38 years of experience in the building control technologies field, including control systems design and commissioning, facilities management, and user training. Daniel Heine is the chief security architect for Honeywell Automation & Control Solutions’ Environmental and Combustion Controls division. He has 39 years of experience in control systems, software development, secure communications, system engineering, and engineering management. In his current assignment he focuses on cybersecurity and product development.