Originally posted Tuesday, 15 January 2013

Written by Scott Saier and Chris Towery

With the explosive growth of computer technology in recent years, intelligent buildings are becoming increasingly common. Unlike traditional buildings that contain multiple disparate systems (HVAC, lighting, IT, security, etc.), each with its own set of controls, intelligent buildings integrate many—if not all—building systems into one centralized control interface. The integration of these systems provides building Owners with huge benefits in terms of simplified operations, increased energy efficiency, and lowered costs. And as technology continues to evolve, intelligent buildings are likely to become the norm rather than the exception.

However, because modern intelligent buildings use IP-based networks and computerized building management systems (BMS) to monitor and control their systems, experts warn these structures are highly susceptible to cyber threats, such as hacking and viruses. Because cyber threats haven’t affected any intelligent buildings thus far, this type of cyber security has been largely ignored by most Owners. In fact, because many Owners consider their buildings to be highly unlikely targets for cyber attack, some structures lack even the most basic security measures. In the wake of 9/11 and recent instances of cyber terrorism, it’s vital that Owners of intelligent buildings understand the nature of the threats they’re facing and what they can do to mitigate those risks.

Getting Smart

Intelligent buildings (IB), also called smart buildings, may seem like a fairly recent phenomenon, but primitive versions of the technology have been around for years. BMS technology from the 1960s and ‘70s, for example, used pneumatics to control elements of a building’s HVAC system. Analog electronic control systems replaced pneumatics in the ‘80s, providing building control systems a faster, more precise method of operation. But it wasn’t until direct digital control (DDC) systems were introduced in the ‘90s that BMS became truly automated. However, since these systems had no established standards for digital communication and each manufacturer used its own proprietary communication methods, DDC systems from different vendors couldn’t be integrated into a single system. But by the 2000s, BMSs were developed that used standardized “open” communication protocols, allowing for real interoperability.

Today, many core components of intelligent buildings, such as routers and Wi-Fi transmitters, come from the world of information and computing technology (ICT). And just as with most other networked computer systems, malicious software programs have the potential to wreak havoc on intelligent buildings and other infrastructure like smart grids that have ICT-based control systems.

“There is a huge Damocles sword hanging over the intelligent building and utility industry—the sword of cyber attack,” write Anton Hofland and Bruce DeGrazia in the article “New Data Security Guidelines for Smart Buildings” posted on www.2024Sight.com. Hofland and DeGrazia contend that “the construction of control systems for buildings and utilities and their thoughtless connection to the internet” provide “a huge target for hackers.”

Cyber attacks would most likely take the form of viruses, which a few decades ago were easily identified and eradicated due to early BMS’ relatively slow download speeds and limited storage space. But with the ultra-high speed and near limitless storage capabilities of today’s broadband IP-based networks, modern BMS technology is potentially as easy to infect as most desktop PCs. Of course, anti-virus software and other cyber security measures are widely available, but since IBs feature a far larger and more complex system than your average home computer, simply installing a decent anti-virus program probably won’t be enough to ensure security. Yet despite this apparent risk, little attention has been paid to cyber security for IBs until now.

“Although overt security in the form of ‘intelligent’ entry control and fire evacuation systems have been an intrinsic part of the modern services design, the integrity of the control system itself has not until recently been discussed,” writes David Fisk, professor of Systems Engineering at Imperial College London, in his article “Cyber Security, Building Automation, and the Intelligent Building” which appeared in the July 2012 issue of Intelligent Buildings International.

Fisk notes that although there hasn’t been a successful cyber attack on intelligent buildings during the 40 years since the technology has been in use, this doesn’t mean such an attack isn’t possible—or probable.

“This is not a case of a perfect safety record being able to engender confidence that no such attack will happen,” writes Fisk. “The risk landscape for this technology has been changing by stealth from almost non-existent in the 1960’s, to the rewriting of major procurement guidance and security alerts about BMS software this decade.”

The reason for this step up in security is that with the leaps and bounds being made in BMS development—and computer technology in general—so goes the innovation and capability of malicious software development. Early BMS models were universally hard-wired, limiting would-be aggressors to a prehistoric level—a disgruntled engineer smashing the equipment with a hammer was the biggest threat. During the ‘80s, when communication protocols enabled machines from different manufacturers to interact with each other through a communications bus, BMS technology had the ability to load and execute programs in real-time, as well as update software over an extended period of time. During this era, it was conceivable that hackers could pose some threat, but because most commercial machine code was proprietary and used by stand-alone PCs on batch mainframes, the systems were still quite difficult to tamper with, and points of unwanted entry were easily identified.

However, the advent of the vaunted Microsoft Windows platform in the ‘90s helped incorporate server and network technology into the BMS repertoire, which in turn extended BMS capabilities beyond locally contained networks and into the World Wide Web. Windows allowed similar improvements to be made in the realm of hacking. Characteristics of the technological improvements made possible and encouraged by expanded networks and the Windows platform were exploited by both sides. One example is the use of ‘back doors’ in host systems. A back door is a means of bypassing a system or network’s authentication protocol. It allows vendors of commercial software to enter a system, perhaps to install patches on a program’s code or fix some other bug. These back doors are sometimes left open after the software is released to the public, with the idea that the entry point is known only to the vendor. Unfortunately, hackers quickly uncover these “secret” entryways.

Outside of back doors, networked BMS technology has other weaknesses, such as inadequate password protection, the use of old software that’s easily hacked, and various unmonitored access points within the network. Given this, BMS systems should always be considered vulnerable to hacking.

“Large systems will always have entry points, so that the rate of aggression is limited only by the number of aggressors, much as the number of burglaries is limited only by the number of burglars, not the number of burglar alarms,” Fisk writes.

A False Sense of Security

Of course, many IB Owners may wonder why a hacker would bother attacking their thermostats, lighting units, and sprinkler controls, when they could just as easily go after high-profile targets, like banks or government offices, which offer a much more tangible payoff. According to Fisk, however, that kind of thinking has made IBs even more vulnerable. When Owners believe their system to be of little value, they often fail to establish even the most basic security measures.

“Indeed, it is because risk assessments fail to find an answer to ‘why would they?’ that actual system commissioning or maintenance may even fail to deliver elementary security… increasing the probability of being the focus of a successful malicious attack,” notes Fisk.

Another cause for concern is the ramped-up nature of cyber attacks. Following the horror of 9/11, we’re all too aware that terrorists are willing to go to great lengths and use extremely innovative methods to achieve their goals, and cyber attacks on buildings and other infrastructure are now considered a realistic threat. Fisk notes that risk assessments made since 9/11 have shown that cyber terrorism attacks on BMS technology are a risk that needs to be taken seriously. And because cyber terrorism can be carried out from remote locations in an anonymous manner, such attacks become even more probable.

“The anonymity of cyber aggression weighs heavily in favor of its use,” Fisk writes. “A small group could risk a large attack because their identity would remain undisclosed and so be able to attack again (albeit by a different strategy).”

As evidence of the imminent nature of cyber terrorism against IBs, look no further than the Stuxnet virus that was used to attack computer systems running Iran’s nuclear power program in 2010. While the origins of this virus have since been linked to intelligence operatives from the US and Israel, it’s certainly possible that a similar type of attack could be employed by terrorists against our own infrastructure. And the US has already seen the level of damage that can be done if a virus were unleashed on our infrastructure. Though it was not caused by a terrorist attack, when control software for a power grid malfunctioned in 2003, much of the Midwest and Northeast US suffered a major blackout for several days.

While the initial grid failure in Ohio that preceded the massive blackout was nothing unusual or malicious, the power outage was able to spread across multiple states and into Canada due to a software bug in the IT system that supported the inter-regional control system. This bug, known as a race condition, caused the power company’s control-room alarm system to go down, which, in turn, set a chain of events in motion that caused the power outage to quickly spread to all of the other areas. Fisk notes that this failure of the smart grid should be of particular concern to those involved with IBs.

“One area where this threat is fully recognized, that is especially relevant to the intelligent building, is the ‘smart grid,’” Fisk writes. “Whereas the intelligent buildings research community might require some convincing that they face a cyber threat, power engineers are much more aware because they have already experienced on a massive scale the impact of malfunctioning control software.”

Whether it was introduced through a connection to the smart grid or by a direct attack on the IB itself, it’s not hard to imagine how a bug like the one that caused the blackout could be used to damage a BMS. If a BMS is successfully infected, this could lead to a whole host of problems—some potentially catastrophic—for the building and its occupants. For example, a crashed BMS could cause the building’s sprinklers and smoke alarms to fail, or it could disable elevators in a high-rise—all of which could have potentially fatal consequences if fire breaks out. Failure of a building’s access controls or security system could allow unauthorized entry by malcontents intent on theft, vandalism, or worse. Even the failure of something as mundane as the HVAC system could have detrimental consequences.

According to the Institution of Engineering and Technology’s white paper “Intelligent Buildings: Understanding and Managing the Security Risks”: “Where a BMS became inoperable and allowed the temperature to stray outside acceptable limits, the building could become inhospitable for the occupants, damage equipment through excessive temperatures, or result in damage to stored materials.”

Effective Defense

So what can be done to protect intelligent buildings from cyber terrorism? Although Fisk’s article is primarily focused on identifying why IBs are so vulnerable, he does offer some basic advice on security. He argues that relying on antivirus programs and other cyber security measures will never be enough to provide total protection, because even the most highly secure facilities have proven vulnerable in the past.

Moreover, employing “patches” and other malware defense mechanisms merely protects against viruses that are known, not those that have yet to be created and/or released.

“The correct strategy is to draw up a ‘plan for the worst’ rather than rely on assertions by software and hardware providers,” writes Fisk. “They will no doubt do their best, but cannot offer comfort on ‘unknown unknowns.’”

Fisk’s suggestion is to consider that all cyber-security defenses are potentially breachable, especially if the attack is specifically directed at an IB. For protection, Fisk advocates the development of a back-up plan that involves identifying a building’s minimal level of functionality and then adding hardwired, back-up equipment with hands-on controls to provide basic service. He asserts that such a strategy may be enough of a deterrent to ward off potential aggressors before an attack is even launched.

“An identified minimum level of service and hardware hardwired that can provide it is thus essential,” Fisk writes. “The very existence of such a plan may not make the reward of a targeted attack worthwhile.”

However, it’s likely that most Owners will want to institute more than just a back-up plan and employ some combination of front-line security as well as an emergency option. In 2011, the IT Security division at Schneider Electric published the white paper “Best Practices for Securing an Intelligent Building Management System,” outlining how IB Owners can create and implement a comprehensive cyber security plan. The paper made it clear that the most important factor in BMS security is for the plan to address the entire life cycle of the system, including design, installation, and operation. Creating and implementing such a plan should also feature the coordination and cooperation of a wide range of personnel, not just the primary BMS operators.

“Only by creating and executing a plan to address security throughout the entire lifecycle of the system, can an organization effectively manage risk,” the paper states in its introduction. “The creation of such a plan requires the coordinated efforts of all parties responsible for the system throughout its lifecycle; such as system integrators, network administrators, and facilities personnel.”

The paper goes on to detail an extensive number of steps that should be taken to address BMS security, including network infrastructure protection, threat detection and mitigation, device hardening, and more. While it’s not possible to list all of the actions described by the paper, a few general guidelines from each stage of the BMS lifecycle have been excerpted below:

Design for Security: The primary focus of the design phase is to establish a boundary around the iBMS and provide ways to control and monitor access. The decisions made during this phase determine many of the security options available in later phases. Therefore, it is essential to solicit input from the people who will be responsible for the installation and operation of the system. Physical security, network infrastructure, and device selection are important elements of the design process.

Install with Security: The goal in this phase of the process is to properly configure the security features of each system component. Configuring firewalls, hardening system devices, configuring user accounts, and enabling threat detection are all tasks that contribute to secure system installation.

Operate with Security: The need to address security does not end once a system has been installed. System monitoring, account management, patch management, and firewall maintenance are all important to operating a system securely.
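The boundary and firewall guidance in these lifecycle stages (control access into the iBMS segment, and monitor it) can be checked mechanically. The following is an added example, not taken from the Schneider Electric paper; the subnets, rule names and rule format are assumptions constructed for illustration.

```python
import ipaddress

# Assumed addressing plan (constructed for this example).
BMS_NET = ipaddress.ip_network("10.20.0.0/24")   # iBMS controllers and servers
MGMT_NET = ipaddress.ip_network("10.10.5.0/28")  # facilities workstations

# Constructed rule set: (name, action, source, destination, port, logged)
RULES = [
    ("ops-to-bms",    "allow", "10.10.5.0/28", "10.20.0.0/24",  443,  True),
    ("vendor-remote", "allow", "0.0.0.0/0",    "10.20.0.15/32", 3389, False),
    ("office-to-bms", "allow", "10.0.0.0/8",   "10.20.0.0/24",  80,   True),
    ("ops-ssh",       "allow", "10.10.5.0/28", "10.20.0.0/24",  22,   False),
    ("default-deny",  "deny",  "0.0.0.0/0",    "10.20.0.0/24",  None, True),
]

def audit_boundary(rules, bms_net=BMS_NET, mgmt_net=MGMT_NET):
    """Return {rule name: [findings]} for allow rules reaching the iBMS segment."""
    findings = {}
    for name, action, src, dst, _port, logged in rules:
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        # Only allow rules whose destination touches the iBMS segment matter here.
        if action != "allow" or not dst_net.overlaps(bms_net):
            continue
        issues = []
        if not src_net.subnet_of(mgmt_net):
            issues.append("source wider than management network")
        if not logged:
            issues.append("access not logged")
        if issues:
            findings[name] = issues
    return findings

def has_default_deny(rules, bms_net=BMS_NET):
    """True if the last rule denies all remaining traffic to the whole segment."""
    _name, action, src, dst, _port, _logged = rules[-1]
    return (action == "deny"
            and ipaddress.ip_network(src).prefixlen == 0
            and bms_net.subnet_of(ipaddress.ip_network(dst)))

if __name__ == "__main__":
    for rule, issues in audit_boundary(RULES).items():
        print(f"{rule}: {', '.join(issues)}")
    print("default deny in place:", has_default_deny(RULES))
```

Run during installation and again as part of routine firewall maintenance, a check like this shows when a rule added for convenience has widened the boundary or bypassed logging.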

To read the entire text, visit www.schneider-electric.com

High Alert

The risk of cyber attacks on our country’s infrastructure is such a pressing concern that even the federal government is trying to raise red flags. A bi-partisan group of legislators introduced the Cyber Security Act 2012 in the Senate, which would create a working partnership between government agencies and private industry groups to identify infrastructure categories most at risk from cyber attacks and then develop voluntary security practices to protect against the threats. Those Owners who implement the practices would receive major incentives, such as preferential treatment in the award of federal contracts and liability protection from lawsuits arising from cyber attacks.

Unfortunately, because of the toxic political climate surrounding this year’s elections, the Act failed to pass. But since the bill wasn’t killed—merely shelved—there’s hope it could still pass in future sessions of Congress. But regardless of federal action, it’s vital that Owners understand and act on these warnings. Technology is truly a double-edged sword—for every amazing benefit it provides in terms of building intelligence, it also creates new methods of destruction.

“If intelligent buildings are the future,” Fisk writes, “then so too are cyber threats to building services.”

To access Fisk’s article, visit www.tandfonline.com.