Preventing physical damage from cyberattacks

All too often, security vulnerabilities are much closer to home, much simpler, and in some ways more concerning precisely because they can affect our everyday lives.


The term "cybersecurity" typically conjures up images of digital warfare between implacable hackers bent on world domination and stalwart IT defenders determined to protect critical national defense and financial systems. Of course, there is some truth to this. All too often, though, security vulnerabilities are much closer to home, much simpler, and in some ways more concerning precisely because they can affect our everyday lives.

The threat

Energy management and control systems (EMCS) are seldom top-of-mind for the general public. More than 99 percent of the population will have never heard the term. An EMCS is in some ways a glorified thermostat that ensures the conditions within a building remain comfortable. Normally, there is no cause to worry about it. But EMCS, and similar systems called supervisory control and data acquisition (SCADA), actively control equipment whose proper operation is fundamentally critical to functional buildings.

Any modern office building, school, hospital, data center, university or military facility is served by large, complicated mechanical systems that provide heating, cooling, and ventilation. Shutting down any of these mechanical systems threatens the function of the facility. A data center, for example, cannot operate without air conditioning for more than a few minutes. Sabotaging a building does not necessarily require attacking it directly; it can be as simple as shutting down a fan or a boiler at the right moment.

How we got here

Historically, EMCS security was never an issue. These systems existed out of sight, tucked away deep in boiler rooms, isolated from most other operations. Most of them had limited or no connections to the outside world and operated on their own proprietary networks, separate even from the standard Ethernet networks of the IT world. This anonymity was in some ways their best defense, since the level of security designed into the systems themselves was often low, and system users gave the issue little attention.

In today's Internet-of-Things environment, where every device has an IP address and all systems could be connected to any laptop, the security of EMCS, SCADA and similar systems takes on much greater importance. Cyberattacks on industrial systems that control processes like electricity generation, refineries, data centers and gas pipelines are commonplace. In 2015, 295 attacks on such systems were reported to US authorities. By 2017, that number exceeded 1,000. Despite this, all major communication protocols for facility and industrial control systems are vulnerable. Some of them have no data security protocols whatsoever.

The problem is exacerbated by the fact that building and industrial engineers are not IT professionals or cybersecurity experts. Their focus is on ensuring the systems perform their intended tasks, with security as a secondary concern. In many cases, specifying engineers, installers and building operators lack the awareness or training needed to ensure the security of these systems.

Ways to increase system security

Broadly speaking, attacks on these systems fall into two categories: external and internal. External attacks will most likely originate from the Internet. For this reason, all Internet connections should be treated as potentially hostile and secured against intrusion. Several options can be explored:

  1. No connection - while obviously secure, this severely limits the functionality of modern systems, which need to exchange data with a host of other applications or need to be monitored / controlled from remote locations.
  2. Remote desktop application - this requires a dedicated software package running on a remote computer. While effective, this in turn creates another point of vulnerability at the remote computer itself, which must likewise be protected.
  3. Virtual Private Network (VPN) Firewall - similar to a remote desktop but with a more secure connection. The remote computer itself still requires protection.
  4. Dedicated EMCS / SCADA Web Server - rather than connecting an EMCS directly to the Internet, a separate server is placed behind a firewall and access to the server itself is restricted.

Any of these, or some combination of them, will improve a system's security. But all of them will prove useless if a hacker obtains authentication credentials from an end user. Guarding against this requires the same policies commonly found in IT departments that mandate strong, frequently changed passwords and active protection against probes such as phishing emails that try to lure users into disclosing their passwords. In addition, physically protecting the system components behind locked access is a must.
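As an added illustration of options 3 and 4 above (not part of the original article), the following Python sketch audits a firewall's inbound allow rules and flags any rule that gives the Internet a path to the EMCS network other than through the dedicated web server or the VPN. The addressing plan, rule names and rule list are constructed for the example; port 47808 is the standard BACnet/IP port, a protocol the article does not name.

```python
import ipaddress

# Constructed addressing plan (assumptions for this example, not from the article).
EMCS_NET = ipaddress.ip_network("10.20.0.0/24")     # controllers and field devices
WEB_SERVER = ipaddress.ip_network("192.0.2.10/32")  # dedicated EMCS web server
VPN_POOL = ipaddress.ip_network("10.99.0.0/24")     # addresses given to VPN clients
TRUSTED = (WEB_SERVER, VPN_POOL)   # only these sources may reach the EMCS network
WEB_PORTS = {443}                  # only HTTPS is expected on the web server

# Constructed inbound allow rules: (name, source, destination, port).
RULES = [
    ("web-https",   "0.0.0.0/0",     "192.0.2.10/32", 443),
    ("web-admin",   "0.0.0.0/0",     "192.0.2.10/32", 8080),
    ("web-to-emcs", "192.0.2.10/32", "10.20.0.0/24",  47808),
    ("vpn-to-emcs", "10.99.0.0/24",  "10.20.0.0/24",  443),
    ("vendor-temp", "0.0.0.0/0",     "10.20.0.15/32", 47808),
    ("legacy-any",  "0.0.0.0/0",     "10.0.0.0/8",    80),
]

def audit(rules):
    """Return (rule name, reason) for every rule that breaks the design."""
    findings = []
    for name, src, dst, port in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if dst_net.overlaps(EMCS_NET):
            # The rule can reach controllers: the source must lie entirely
            # inside the web server address or the VPN pool.
            if not any(src_net.subnet_of(t) for t in TRUSTED):
                findings.append(
                    (name, f"{src} reaches EMCS network via {dst} port {port}"))
        elif dst_net.overlaps(WEB_SERVER) and port not in WEB_PORTS:
            # Access to the web server itself should also be restricted.
            findings.append((name, f"unexpected port {port} open on web server"))
    return findings

if __name__ == "__main__":
    for name, reason in audit(RULES):
        print(f"{name}: {reason}")
```

The overlap test catches broad rules such as `legacy-any`, whose destination range contains the EMCS subnet even though it never names it.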

Ken Robinson, director of operational excellence, Southland Industries. This article originally appeared on Southland's blog. Southland Industries is a CFE Media content partner.
