As building automation systems (BAS) become more connected and complex, they also become more vulnerable to cybersecurity threats. The convergence of operational technology (OT) and information technology (IT) in modern buildings has unlocked tremendous potential for efficiency and control, but it has also opened new avenues for cyberattacks. As we head into 2024, cybersecurity in building automation is not just a technical necessity; it’s a critical component of operational continuity, data protection, and overall safety.
The Growing Threat Landscape
The modern BAS controls a building’s HVAC, lighting, security systems, elevators, and even energy management systems. Traditionally, these systems were isolated and operated independently. However, with the advent of IoT and cloud-based platforms, they are now interconnected, often accessible remotely via the internet.
This increased connectivity brings significant risks. Cybercriminals see these systems as lucrative targets for several reasons:
Data Theft: Building management systems handle sensitive data, from employee personal information to confidential business operations. A breach could expose this data, leading to severe financial and reputational damage.
Disruption of Services: A compromised BAS can lead to operational disruptions, such as shutting down HVAC systems in the middle of a heatwave or disabling access control systems, which could result in chaos or even physical harm.
Ransomware Attacks: Hackers can take control of building systems and demand a ransom to restore functionality. Given the critical nature of these systems, building owners may feel pressured to pay the ransom, making this a highly attractive target for attackers.
Espionage and Sabotage: In more severe cases, particularly for government or critical infrastructure buildings, cyberattacks can be motivated by espionage or sabotage, with the goal of causing long-term damage or stealing highly sensitive information.
Recent Incidents Highlighting the Risks
Several high-profile incidents have underscored the vulnerabilities in building automation systems. For instance, in 2021, a ransomware attack targeted a water treatment plant in Florida, attempting to alter the chemical levels in the water supply. While this was not a building automation system per se, it highlights the broader risks associated with connected infrastructure.
In another incident, a European energy company suffered a cyberattack that disrupted its building management systems, leading to significant downtime and financial loss. These examples illustrate that as BAS become more integrated and interconnected, the risks of cyberattacks increase, making cybersecurity a top priority.
Best Practices for Cybersecurity in Building Automation
As the threat landscape continues to evolve, building owners and managers must adopt a proactive approach to cybersecurity. Here are some best practices to safeguard your building automation systems in 2024 and beyond:
1. Implement a Layered Security Approach
A layered security strategy, often referred to as “defense in depth,” involves multiple levels of security measures to protect against different types of attacks. This approach includes:
Perimeter Defense: Firewalls and intrusion detection systems (IDS) to protect the network’s entry points.
Internal Segmentation: Separating the BAS network from the corporate IT network to limit lateral movement in case of a breach.
Access Controls: Implementing strict access controls with multi-factor authentication (MFA) for anyone accessing the BAS, whether on-site or remotely.
Encryption: Encrypting data both at rest and in transit to protect it from unauthorized access or tampering.
2. Regular Software and Firmware Updates
Outdated software and firmware are among the most common vulnerabilities exploited by cybercriminals. Manufacturers regularly release updates to patch security flaws, and it is crucial that these updates are applied promptly. Establishing a routine schedule for updates, and using automated tools where possible, can significantly reduce the risk of vulnerabilities being exploited.
3. Monitor and Audit System Activity
Continuous monitoring of network traffic and system activity is essential to detect potential threats early. Advanced threat detection tools can identify unusual patterns or behaviors that may indicate a security breach. Regular audits of system logs and access records also help in identifying suspicious activities and ensuring compliance with security protocols.
4. Conduct Regular Security Assessments and Penetration Testing
Proactively identifying vulnerabilities before attackers can exploit them is a key component of a robust cybersecurity strategy. Regular security assessments and penetration testing by third-party experts can help uncover weaknesses in the system. These assessments should cover all aspects of the BAS, including hardware, software, and network configurations.
5. Train Staff on Cybersecurity Awareness
Human error remains one of the leading causes of cybersecurity incidents. Building staff, including facilities managers and IT personnel, should receive regular training on cybersecurity best practices. This includes recognizing phishing attempts, understanding the importance of strong passwords, and knowing how to respond in the event of a suspected breach.
6. Establish a Cybersecurity Incident Response Plan
Despite best efforts, breaches can still occur. Having a well-defined incident response plan (IRP) in place is critical to mitigating damage. This plan should include steps for containing the breach, assessing the impact, notifying relevant stakeholders, and restoring normal operations. Regular drills and simulations can help ensure that all team members are prepared to execute the plan effectively.
Integrating Security into Building Management Systems
For building automation systems, cybersecurity should not be an afterthought but an integral part of the design and implementation process. When selecting a BAS or working with vendors, building owners should prioritize systems that offer robust security features.
Key considerations include:
Security by Design: Systems that are built with security in mind from the ground up, rather than as an add-on feature.
Vendor Transparency: Working with vendors who are transparent about their security practices and provide regular updates and support.
Interoperability: Ensuring that security measures can integrate smoothly with other systems within the building, creating a cohesive security architecture.
Aligning Cybersecurity with Operational Continuity
In the context of building automation, cybersecurity is closely tied to operational continuity. A breach can do more than just expose data—it can disrupt critical systems that affect the safety and comfort of building occupants. For example, if a cyberattack disables the fire alarm system or emergency lighting during an evacuation, the consequences could be catastrophic.
Building owners must, therefore, view cybersecurity not just as a technical issue but as a core component of their operational strategy. This involves collaboration between IT and facilities management teams to ensure that all aspects of the building’s operations are protected against potential threats.
The Role of Regulation and Compliance
As cybersecurity becomes increasingly critical, regulatory bodies are starting to introduce standards and guidelines specifically for building automation systems. For example, the NIST Cybersecurity Framework provides a comprehensive set of guidelines that can be adapted for BAS environments. Compliance with such standards not only enhances security but can also provide a competitive advantage by demonstrating a commitment to best practices.
The Future of Cybersecurity in Building Automation
Looking ahead, the integration of AI and machine learning into cybersecurity will likely play a significant role in defending against increasingly sophisticated threats. Predictive analytics can help identify potential vulnerabilities before they are exploited, while automated response systems can contain and mitigate attacks in real time.
As building automation systems become more advanced, the need for robust cybersecurity measures will only grow. By adopting best practices and staying ahead of the evolving threat landscape, building owners and managers can protect their systems, data, and, most importantly, the safety and well-being of their occupants.
In 2024 and beyond, cybersecurity in building automation will be a defining factor in the success and resilience of modern buildings. With the right strategies in place, we can create secure, efficient, and reliable environments that stand the test of time.
Building automation systems (BAS), or “smart buildings”, are increasingly popular in commercial and industrial buildings. Why? Because they improve energy efficiency and reduce costs by integrating and automating systems such as lighting, HVAC, and security. While these systems of systems are often associated with larger commercial or industrial facilities, advances in technology are lowering price points enough for smaller building owners to access the benefits. But before you invest, consider the pros and cons of a building automation system.
What is a Building Automation System?
Building automation systems use a combination of sensors, controls, and algorithms to monitor and manage building systems. These systems can be integrated with a building’s existing infrastructure, such as HVAC and lighting systems, to create a centralized control system that can adjust and optimize building operations in real time. For example, a BAS can automatically adjust the temperature and ventilation in a building based on occupancy levels and outside weather conditions or turn off lights in unoccupied areas to reduce energy waste.
Building Automation System Pros
Automated building systems have the potential to significantly improve energy efficiency, reduce costs, and improve building comfort and productivity.
Greater Energy Efficiency
A BAS can use occupancy sensors and time schedules to control lighting and HVAC systems, ensuring that they are only running when needed and at optimal levels. By reducing energy usage during periods of low occupancy, such as nights and weekends, a BAS can help to significantly reduce energy costs.
Better Occupant Experiences
By optimizing building systems for comfort, such as temperature and lighting, BAS can help to create a more comfortable and productive work environment. This can lead to improved employee satisfaction, reduced absenteeism, and increased productivity.
Reduced Maintenance and Repair Costs
By continuously monitoring and optimizing building systems, a BAS can identify and diagnose issues before they become major problems, allowing for timely maintenance and repairs. This can help to extend the lifespan of building systems, reduce repair costs, and minimize downtime.
Real-time Analytics
One key feature of a BAS is its ability to provide real-time monitoring and data analytics. By collecting and analyzing data from building systems, such as energy usage and occupancy levels, a BAS can help building owners and managers identify areas of inefficiency and opportunities for improvement. This can help to inform future decisions around building upgrades, retrofits, and maintenance, allowing building owners and managers to optimize their operations and save money over the long term.
Energy Regulation Compliance
With energy codes and regulations becoming increasingly stringent, it is becoming more important for building owners and managers to optimize their energy usage and reduce waste. By implementing a BAS, building owners and managers can demonstrate their commitment to sustainability and energy efficiency, and potentially qualify for tax credits and other incentives.
Building Automation System Cons
Despite the many benefits of automated building systems, there are some potential drawbacks to consider.
Upfront Costs
Building owners may need to invest a significant amount of money to purchase and install the necessary hardware and software to create a fully integrated BAS. This cost can be a barrier for some building owners, particularly for smaller facilities with limited budgets.
Complex Installation
Building owners may need to work with a team of engineers and technicians to design, install, and configure the system, which can be time-consuming and require specialized expertise.
Technical Issues
While BAS systems are designed to be reliable, there is always a risk of technical issues and system failures. These issues can cause downtime and disrupt building operations, which can be costly and frustrating for building owners and occupants.
Staff Training
Adopting a BAS may require building owners to train their staff on how to use the new system. This can be time-consuming and may require additional resources to ensure that staff members are properly trained and understand how to use the system.
Security Concerns
As with any technology, there are potential security concerns with adopting a BAS. Building owners need to ensure that the system is properly secured and protected against cyber threats, as a security breach could have serious consequences for building operations and occupant safety.
While there are pros and cons to adopting an automated building system, building owners and managers should also consider the effects their decisions have on broader issues like climate change. Buildings account for an enormous share of the world’s energy use and greenhouse gas emissions. Reducing emissions takes collective action. Lowering your building’s carbon footprint is doing your part.
Information Technology (IT) and Operations Technology (OT) are two distinct yet interconnected fields that play critical roles in modern organizations. IT deals with the use of technology to support business processes, while OT focuses on the use of technology to control and monitor industrial and commercial processes in facilities. By looking at IT vs OT systems, it’s easy to identify their major differences.
What are IT Systems?
IT systems are primarily used to support business processes, such as data storage, processing, and communication. These systems include things like enterprise resource planning (ERP) systems, customer relationship management (CRM) systems, and enterprise-wide networks. They are responsible for maintaining the flow of data within an organization, and provide important services such as email, file storage, and data analysis. IT systems are also responsible for maintaining the security of an organization’s data, including firewalls, intrusion detection systems, and encryption.
What are OT Systems?
OT systems, on the other hand, are used to control and monitor industrial processes. These systems include things like programmable logic controllers (PLCs), distributed control systems (DCSs), and supervisory control and data acquisition (SCADA) systems. They are responsible for controlling and monitoring the physical processes within an organization, such as manufacturing processes, power generation, and water treatment. OT systems are designed to operate in real-time and are often required to operate 24/7.
When we look at IT vs OT systems, trends show they are increasingly being integrated to improve the overall efficiency of companies and facilities. For example, a building owner might use data from an OT system to optimize their HVAC systems, or an energy company might use data from an IT system to identify and respond to potential power outages.
Network Security
One of the major differences between IT and OT is in the level of security required. IT systems are typically more connected to the internet; hence they are more exposed to cyber threats. These systems need to comply with industry-specific standards like the Payment Card Industry Data Security Standard (PCI-DSS), HIPAA and SOC2. Organizations need to maintain regular backups, have intrusion detection and prevention systems, as well as have strong and regularly updated access controls in place.
OT systems, on the other hand, are typically more isolated from the internet and have fewer connections to external networks. These systems need to comply with standards like IEC 62443, which are specific to industrial environments. Because of the real-time nature of their operations, organizations need to have redundancy in place and maintain backups that can be restored within minutes, have detailed incident response plans, and maintain the physical security of the systems.
Conclusion
IT and OT systems play critical roles in modern organizations, with IT systems primarily focused on supporting business processes and OT systems focused on controlling and monitoring industrial processes. The two fields are becoming increasingly integrated, with organizations leveraging data from both types of systems to improve overall efficiency. However, they are also vastly different in terms of the level of security required, with IT systems being more exposed to cyber threats, and OT systems being more isolated and needing to comply with industry-specific standards.
Properties need effective cybersecurity measures. Cybercriminals don’t just attack high profile companies and governments; they target small to medium businesses too. Computer viruses range from annoying adware infiltrating your browser to costly ransomware attacks. In 2021 the world saw a 105% jump in ransomware attacks. Healthcare alone saw a 755% increase! Businesses are paying out billions each year to save their proprietary and/or customer data—and paying only makes things worse.
The sharp rise in ransomware has forced building owners to take a serious look at their IT infrastructure. This is alongside adapting to the challenges of the pandemic and managing a remote workforce. Interestingly, some security experts point to remote work as one cause for the increase in ransomware. Since employees are no longer behind corporate firewalls, their home-based laptops and mobile devices become “attack vectors” for gaining entry to company networks.
Remote entry points are also an issue for building control systems. As buildings become more connected and “smart”, the threat of data breaches increases. That’s because system integration, IoT devices, and building automation systems (BAS) increase connectivity and wireless operation. It’s a problem the U.S. government has known about since 2015 after the GAO warned of a 74% jump in cyber incidents involving government-owned industrial control systems.
Building control systems like BAS/BMS connect hundreds of devices and sensors that make up systems like fire, access, HVAC, electrical, and lift. Connectivity makes it easier for cybercriminals to make their way to more sensitive data because there are more paths to follow. Wireless and IoT devices make networks vulnerable to remote Wi-Fi exploits and password hacks. These potential data breaches and financial losses from malware are why property teams need to practice effective cybersecurity habits.
Set Up Multiple User Accounts
One good security habit to adopt is proper account creation and assignment for your team. To save time and hassle, some building managers create and share one master admin account among their team members. It’s tempting, when someone needs to make a few quick changes, to simply email your login and password. However, this puts your BAS at risk of cyberattack if those credentials are misplaced or abused. To be cyber safe, create both admin and user level accounts and assign them to each employee.
Almost all BAS software lets you create multiple accounts and at various levels of access. Individual account creation does three key things:
It ensures inexperienced members aren’t given access to critical controls.
It makes sure user actions are recorded by the system.
It helps users work more effectively.
Modern BAS systems track what users do, which is helpful when things in the system are improperly changed. If everyone signs into the system with the same account, then you can’t tell who did what and when. This can slow down repairs and troubleshooting because you must rely on faulty human memory instead of an accurate digital record. Also, when inexperienced or new users sign into an admin account, they may spend an inordinate amount of time searching for the tool or feature they need. User-level account interfaces are simplified for this reason. Too many options can tank productivity by forcing workers to waste time navigating a complex interface looking for a single item.
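The following is an added example, not code from the original article or from any BAS vendor: a toy model of per-user accounts with admin and user roles and an audit trail. It shows the two points made above in working code: a user-level account cannot touch a critical point, and every change is attributable to a person, whereas a shared “admin” login records the change but not who made it. The point names, roles and the CRITICAL_POINTS set are hypothetical.

```python
# Added example (not from the original article): a toy model of per-user BAS
# accounts with admin/user roles and an audit trail, showing why a shared
# master login loses attribution. Point names and roles are hypothetical.
from dataclasses import dataclass
from datetime import datetime, timezone

# Points only an admin-level account may change (assumed for this example)
CRITICAL_POINTS = {"chiller_enable", "fire_damper_override", "ahu1_setpoint"}


@dataclass
class Account:
    username: str
    role: str  # "admin" or "user"


@dataclass
class AuditEntry:
    when: str
    username: str
    point: str
    old_value: object
    new_value: object
    allowed: bool


class BASController:
    """Holds point values and records every write attempt with the account that made it."""

    def __init__(self, points):
        self.points = dict(points)
        self.audit_log = []

    def write_point(self, account, point, value):
        """Apply the change only if the role permits it; log the attempt either way."""
        allowed = account.role == "admin" or point not in CRITICAL_POINTS
        old = self.points.get(point)
        if allowed:
            self.points[point] = value
        self.audit_log.append(AuditEntry(
            when=datetime.now(timezone.utc).isoformat(timespec="seconds"),
            username=account.username, point=point,
            old_value=old, new_value=value, allowed=allowed))
        return allowed

    def who_changed(self, point):
        """Accounts that successfully changed a point, oldest first."""
        return [e.username for e in self.audit_log if e.point == point and e.allowed]


def individual_accounts_demo():
    """Each person has their own account: denied writes are blocked and every change is attributable."""
    bas = BASController({"ahu1_setpoint": 21.0, "lobby_lights": "auto"})
    alice = Account("alice", "admin")
    bob = Account("bob", "user")
    return {
        "bob_lights": bas.write_point(bob, "lobby_lights", "on"),
        "bob_setpoint": bas.write_point(bob, "ahu1_setpoint", 18.0),
        "alice_setpoint": bas.write_point(alice, "ahu1_setpoint", 19.5),
        "setpoint": bas.points["ahu1_setpoint"],
        "changed_by": bas.who_changed("ahu1_setpoint"),
    }


def shared_account_demo():
    """Everyone signs in as 'admin': the log records the changes, but not who made them."""
    bas = BASController({"ahu1_setpoint": 21.0})
    shared = Account("admin", "admin")
    bas.write_point(shared, "ahu1_setpoint", 18.0)   # actually Bob
    bas.write_point(shared, "ahu1_setpoint", 19.5)   # actually Alice
    return bas.who_changed("ahu1_setpoint")


if __name__ == "__main__":
    print(individual_accounts_demo())
    print("shared account attribution:", shared_account_demo())
```

In the shared-account run the audit log answers “what changed” but not “who”, which is exactly the gap the text describes; in the per-user run the denied write by the user-level account is still logged, so a repeated attempt on a critical point is itself visible to whoever audits the log.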
Password Creation
Creating strong passwords is one of the most impactful cybersecurity habits you can adopt. Too often folks continue to use highly predictable pass codes (e.g., “123455” or “Qwerty”) to secure their most sensitive data. What’s worse, most of us also use these same flimsy passwords for all our accounts. It’s behavior that’s too predictable, and predictability is the Achilles’ heel of security.
Make sure your team knows password best practices. When it comes to password creation, length and complexity matter. Passwords should be at least 8 characters long and include special characters (e.g., @!&) and numbers. The longer the password the better; however, there’s a limit to how many characters a person can hold in long-term memory. To combat the memorization problem, use passcodes instead.
Passcodes are acronyms made from random words or long sentences. To create a passcode, use the first letter of each word to form your password. For example: “My cat whiskers is 3 years old and likes to have her belly rubbed.” This sentence (which is personal and easy to remember) becomes the password: “mcwi3yoalthhbr”. Then, swap out a few special characters, and you’re good to go.
If passcodes seem too complex, make your life 100% easier by simply using a password manager. These cloud-based apps create and store complex passwords in the cloud for you. They will even fill in the form fields for you, saving you valuable time. Most apps have free or inexpensive annual plans, so investment is minimized, while time savings and security are maximized.
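As an added example (not code from the original article), the sentence-to-passcode method described above in Python, together with a checker for the rules the text gives (at least 8 characters, a number, a special character, and not one of the predictable choices). The character substitution map and the small blocklist of predictable passwords are assumptions made for the example; the sentence is the one from the text.

```python
# Added example (not from the original article): the sentence-to-passcode
# method described above, plus a checker for the length/character rules the
# text gives. The substitution map and the small blocklist are assumptions.
import re

SPECIAL_CHARS = set("@!&#$%^*()-_=+[]{};:,.?/")
# A handful of the predictable choices the text warns about (constructed list)
PREDICTABLE = {"123456", "123455", "qwerty", "password", "letmein"}


def passcode_from_sentence(sentence):
    """Build a passcode from the first character of each word; digits are kept as words."""
    words = re.findall(r"[A-Za-z0-9']+", sentence)
    return "".join(w[0].lower() for w in words)


def swap_characters(passcode, substitutions):
    """Swap selected letters for special characters, e.g. {'a': '@', 'i': '!'}."""
    return "".join(substitutions.get(ch, ch) for ch in passcode)


def password_report(password):
    """Check the rules from the text: length >= 8, a digit, a special character, not predictable."""
    return {
        "long_enough": len(password) >= 8,
        "has_digit": any(ch.isdigit() for ch in password),
        "has_special": any(ch in SPECIAL_CHARS for ch in password),
        "not_predictable": password.lower() not in PREDICTABLE,
    }


def is_strong(password):
    """True only when every rule in password_report passes."""
    return all(password_report(password).values())


if __name__ == "__main__":
    raw = passcode_from_sentence(
        "My cat whiskers is 3 years old and likes to have her belly rubbed.")
    final = swap_characters(raw, {"a": "@", "i": "!"})
    print(raw, password_report(raw))      # fails: no special character yet
    print(final, password_report(final))  # passes after the swap
```

Note that the raw passcode fails the checker until the swap step is applied, which is the reason the text tells you to “swap out a few special characters” rather than stop at the acronym.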
Suspicious Link Detection
A building’s devices aren’t its only weak spots. In fact, occupants are often the major sources of malware. Cybercriminals can use social engineering to trick employees into opening phishing emails and navigating to fake websites. The tactic is called a “pharming attack” and is a common way for hackers to steal an employee’s username and password. The fake website looks and feels like the authentic one, but it’s a duplicate. Employees unwittingly enter their username and password, which is recorded and used to gain entry to the account.
Hackers design phishing emails and fake websites to look like official corporate digital assets, often using the same branding, logos, language, etc. Most are convincing enough to fool an employee who’s under a bit of stress and/or not paying attention. However, there are a few tell-tale signs to look for:
Salesy Language. Cybercriminals often employ high-pressure sales language or scare tactics. Phishing emails may claim “suspicious activity” or fake “charges” to user accounts to entice holders to hastily move to fix “issues” without first confirming the source of the emails.
Grammar mistakes. Often cybercriminals don’t speak your native language, so look for any grammar mistakes or misspellings. These are extremely rare in authentic corporate emails and are a sure sign of a fake.
Pixelated logos. Hackers use official logos to trick email recipients, but often these logos are hastily copied and pasted from websites and may be incorrectly sized resulting in pixelated or strange looking images.
Strange URLs. URLs have two parts: the hypertext (e.g., “Contact Us”) and the address (e.g., https://7nox.com/). Never trust the hypertext to tell you where the link goes. Always check the URL address. To do this, hover your cursor over the text without clicking and read the URL displayed in the bottom left corner of your browser. The URL should contain the company’s address. If it’s simply a long string of strange characters, it may be a pharming attack.
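An added example (not code from the original article): a small Python checker that does what the “Strange URLs” item tells a reader to do by hand, comparing a link’s displayed text with its real destination. 7nox.com is the company address from the text; every other hostname is a constructed sample value. The checks are simple heuristics to support a human review, not a phishing detector, and the subdomain rule deliberately rejects look-alikes such as a host that merely contains the company name.

```python
# Added example (not from the original article): compare a link's displayed
# text with its real destination, as the text tells the reader to do by
# hovering. 7nox.com comes from the text; other hosts are constructed samples.
import ipaddress
import re
from urllib.parse import urlparse

URL_IN_TEXT = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)


def belongs_to(host, company_domain):
    """True for the company domain itself or any of its subdomains (not look-alikes)."""
    return host == company_domain or host.endswith("." + company_domain)


def check_link(display_text, href, company_domain="7nox.com"):
    """Return the reasons a link looks wrong; an empty list means nothing was flagged."""
    reasons = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()

    if parsed.scheme != "https":
        reasons.append(f"scheme is {parsed.scheme or 'missing'}, not https")
    try:
        ipaddress.ip_address(host)
        reasons.append("destination is a raw IP address, not a company hostname")
    except ValueError:
        pass  # a normal hostname, not an IP literal
    if not belongs_to(host, company_domain):
        reasons.append(f"destination host {host!r} is not {company_domain} or a subdomain of it")
    if any(len(label) > 24 for label in host.split(".")):
        reasons.append("hostname contains an unusually long label")
    # The hypertext itself may show a URL that differs from where the link really goes
    shown = URL_IN_TEXT.search(display_text)
    if shown and shown.group(1).lower() != host:
        reasons.append(f"displayed URL host {shown.group(1)!r} differs from real host {host!r}")
    return reasons


if __name__ == "__main__":
    samples = [  # constructed (display text, href) pairs
        ("Contact Us", "https://7nox.com/"),
        ("Portal", "https://portal.7nox.com/"),
        ("Click here", "http://7nox.com.account-verify.example/login"),
        ("https://7nox.com/login", "https://7nox-secure-login.example/"),
        ("Login", "https://203.0.113.5/"),
    ]
    for text, href in samples:
        print(f"{text!r} -> {href}: {check_link(text, href) or 'no issues found'}")
```

The third sample is the common trick of putting the company name at the front of a host that actually belongs to someone else; the string check `host.endswith("." + company_domain)` is what catches it, because the company domain must be the end of the host, not merely appear somewhere in it.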
BAS Backups
Make sure your BMS provider backs up your BAS/BMS system on a regular basis. Backups keep your system secure against ransomware attacks, which rely on businesses not having copies of their data. Plus, system backups ensure redundancies when your system goes down or when you shut your building down for changes. If controller settings aren’t “persistent” they may not be saved during a reboot of your BMS. It’s critical that you have backups to ensure these changes are saved.
Conclusion
While building automation and connectivity bring many wonderful things to the built environment, they do require owners and managers to make their IT and OT more resilient. However, without proper training of staff, these technical efforts may prove fruitless. In cybersecurity, humans are often the weakest link. That’s why cybersecurity shouldn’t be simply a training box to tick at the end of the year. It should be an ongoing attitude and effort by all employees. Focus your training on seasoned staff, who may be laxer in their habits, and on newcomers who may have few habits at all.
Ransomware attacks are now a global threat. Between 2019 and 2020, attacks rose by 62% worldwide according to the 2020 Internet Crime Report. Attacks like the Colonial Pipeline in May 2021 are high profile cases that garner media attention, but SMBs and facilities of every size are now targets of cyber thieves.
Hospitals and medical facilities are favored targets because they house sensitive medical records. Facilities like these are in no position to bargain with cyberthieves, and they end up paying hefty ransoms to recover sensitive information. And the financial fallout from ransomware attacks is significant, with security experts estimating global ransomware losses to hit $20 billion in 2021, which is 57 times the cost just five years ago.
There’s a lesson to be learned for facilities managers: letting your properties become vulnerable to a ransomware attack is costly. Instead of paying cyberthieves, invest resources into mitigating your risks: shoring up your IT services, educating staff and creating response plans.
What is Ransomware?
Ransomware is a type of malware that enters your computer system and/or network and encrypts your data. Users lose access to files, applications and/or their databases. To decrypt the data, cyberthieves demand a ransom, and if the ransom isn’t paid, the data is destroyed.
Ransomware finds its way into most systems through direct attacks on software weaknesses or by exploiting human error through phishing emails. Once it infects your system, ransomware is programmed to spread to connected devices, encrypting more documents, spreadsheets and photos as it grows.
Train Staff on Cybersecurity Best Practices
Cyberthieves exploit human weakness to gain access to your data. It only takes one staff member clicking on the wrong email link to put your building data and tenant info at risk. That’s why beefing up your team’s cybersecurity skills is a top priority. Cybersecurity habits like these help you avoid many types of computer viruses and malware.
Updating Operating Systems
Operating system (OS) updates include the latest virus signatures and definitions. Older versions don’t, which makes them more vulnerable to cyber attack. Have your team set up auto updates for their Windows and Mac OS and installed programs. That way, forgetting isn’t an issue.
Identifying Phishing Emails
Email is a common entry point or “attack vector” for cyber criminals to deploy malware, and humans are notoriously susceptible to their exploits. Train your staff how to identify a phishing email to keep your network free of ransomware.
Creating Strong Passwords
Weak passwords let cyberthieves walk right into your facility network. Unfortunately, too many employees opt for weak, yet popular, passwords like “123456” because they’re easy to remember. Teach your team the simple steps of creating a strong password or consider investing in a password manager, which automates the process of creating and remembering strong passwords.
Turn on Two-Factor Authentication
Remind your team to implement two-factor authentication when possible. Turning this feature on adds an extra layer of security by requiring users to identify themselves with a mobile device or an authentication app. Each user typically authenticates their sign-in through a PIN or a biometric scan such as a fingerprint.
Backup Your Data
Since ransomware targets your data, backing it up can help mitigate losses from encryption. Still, data backup has its limitations and can’t protect you the way anti-malware software does, for example, but it does offer the insurance of data replication. In other words, it’s an after-the-fact solution rather than real-time protection.
Data Assessment
The first step in building effective backup is making sure you are backing up ALL your data. Some FMs may manage multiple facilities, each having separate databases and devices. Do you know where your critical info is stored? What about your team members? Are those with assigned devices backing up their data correctly? Critical data can easily be overlooked, which is why experts suggest conducting a data audit.
3-2-1 Rule
Data storage experts often advise businesses to follow the 3-2-1 Rule:
Make 3 copies of your facility data (a production copy and two backups).
Store your copies on 2 different media types (e.g., USB Drive, CDs, magnetic tape).
Keep 1 copy offsite from your facility.
Ransomware moves throughout your system, and any connected devices are susceptible. The intention of the offsite rule is to “air gap” your data, removing it from the network completely. Cloud storage is considered “off site” but is also susceptible to the same attack if backups are updated too quickly. In other words, your cloud storage could begin backing up already encrypted data before you became aware of the attack. This is a risk for most backup systems, which is why physically disconnected storage is essential.
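An added example (not code from the original article) that checks a backup inventory against the 3-2-1 rule above and against the caveat in the last paragraph: a copy that syncs continuously may already contain encrypted files by the time the attack is noticed, so at least one disconnected copy should predate any undetected infection. The inventory, the media names and the one-day “known-good” age threshold are constructed assumptions for the example.

```python
# Added example (not from the original article): check a backup inventory
# against the 3-2-1 rule and the "synced too quickly" caveat. The inventory,
# media names and the one-day known-good threshold are constructed assumptions.
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Fixed "now" so the sample inventory is reproducible (constructed)
SAMPLE_NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)


@dataclass
class BackupCopy:
    label: str
    media: str            # e.g. "disk", "cloud", "tape", "usb"
    offsite: bool
    disconnected: bool    # unplugged / air-gapped between backup runs
    last_written: datetime


def check_321(copies, now, min_known_good_age=timedelta(days=1)):
    """Return the rule violations found; an empty list means the inventory passes."""
    problems = []
    if len(copies) < 3:
        problems.append(f"only {len(copies)} copies, need 3 (production plus two backups)")
    if len({c.media for c in copies}) < 2:
        problems.append("all copies are on one media type, need 2")
    if not any(c.offsite for c in copies):
        problems.append("no copy is stored offsite")
    offline = [c for c in copies if c.disconnected]
    if not offline:
        problems.append("no disconnected copy: ransomware on the network could reach every copy")
    elif not any(now - c.last_written >= min_known_good_age for c in offline):
        # A disconnected copy written minutes ago may already hold encrypted files
        problems.append("every disconnected copy was written recently; keep an older one "
                        "that predates any undetected infection")
    return problems


def sample_inventory(now):
    """Constructed inventory: production disk, continuously synced cloud copy, weekly offsite tape."""
    return [
        BackupCopy("production", "disk", offsite=False, disconnected=False,
                   last_written=now),
        BackupCopy("cloud-sync", "cloud", offsite=True, disconnected=False,
                   last_written=now - timedelta(minutes=5)),
        BackupCopy("weekly-tape", "tape", offsite=True, disconnected=True,
                   last_written=now - timedelta(days=3)),
    ]


def recently_synced_inventory(now):
    """Same inventory, but the only disconnected copy was written an hour ago."""
    copies = sample_inventory(now)
    copies[2].last_written = now - timedelta(hours=1)
    return copies


if __name__ == "__main__":
    full = sample_inventory(SAMPLE_NOW)
    print("full inventory:", check_321(full, SAMPLE_NOW) or "passes 3-2-1")
    print("cloud only:", check_321(full[:2], SAMPLE_NOW))
    print("fresh tape only:", check_321(recently_synced_inventory(SAMPLE_NOW), SAMPLE_NOW))
```

The “cloud only” run shows the situation the text warns about: two copies on two media, one of them offsite, and still nothing an attacker on the network cannot reach. The “fresh tape” run passes the literal 3-2-1 count and fails only on the age check, which is the check that protects against the offsite copy having already absorbed encrypted data.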
Get Ransomware Detection Software
Cloud-based companies like Microsoft build ransomware detection into their online storage platforms (i.e., OneDrive), but if you’re not using cloud-based storage, this doesn’t help. For an added layer of protection against malware, invest in cybersecurity software that meets your needs and budget. Most major cybersecurity software brands include ransomware protection and decryption tools within their plans. While anti-malware software isn’t a replacement for good cybersecurity habits and data backups, it does add redundancy to your system.
Include Ransomware in Your IRP
Ransomware attacks are high-pressure situations. Time is critical, and decisions have to be made on the fly. So preparation is key. Ensure your incident response plan (IRP) includes ransomware mitigation strategies. There are several basic steps most experts agree businesses should take when attacked by ransomware:
Don’t pay the ransom. Experts say paying only puts you at risk of being targeted again. Plus, acquiescing only makes the problem worse for everyone else by financially incentivising the criminals.
Disconnect devices. Your first move is to stop the malware infection. Disconnect your devices from your network and the internet. Unplug ethernet cables. Remove storage devices like thumb drives. Disable wireless connection (Wi-Fi) on your mobile devices.
Get evidence. Take photos (with an uninfected phone) of the ransom notes and any correspondence with the thieves.
Run a malware scan. Use the Task Manager on your Windows 10 devices to run a scan for ransomware. Shut down any Apple devices.
Reset passwords. Change your passwords for your admin accounts.
Get help. Solicit professional IT services for advice or help. You will likely need their services to ensure your network and devices are free of malware before reconnecting.
Report the incident. Government cybersecurity agencies like CERT (NZ) can help you navigate the incident, record the attack and notify other businesses of the threat. Other reporting agencies include IC3 (US) and ActionFraud (UK).
At some point, you may want (or be legally required) to notify your tenants of the data breach. If there is a potential for the malware to spread to your tenants’ networks, early notification will help their office managers execute their own IRPs. If cross-contamination is a low risk, you might move notification to a lower priority. Consult legal experts around your specific reporting requirements and adjust your IRP accordingly.
When protecting your facilities from malware attack, think in terms of “layers” of protection. You and your team members are the first layer of defense. Your virus software is another. The more stopgaps you have, the better your chances of avoiding infection. It pays to invest a little time and money up front rather than deal with the fallout from a successful hack. And remember, when it comes to ransomware, you’re not an island. Successful criminals go on to rip off other businesses, so your action or inaction directly affects the profitability of others.