Cybersecurity for Building Automation Systems (BAS)

Cyber attacks on the confidentiality, integrity and availability of business data and systems are on the rise. Consider some of the more well-known recent incidents:

• Colonial Pipeline - $4.4 million ransomware plus lost revenues
• JBS – this meat packer paid $11 million ransomware
• T-Mobile – 100 million customer records stolen
• Maine small public wastewater plants – ransomware request (thwarted)
• Target Stores - 40 million credit card records stolen via HVAC vendor hack

With their large databases of customer information and critical infrastructure, energy utilities themselves may be prime targets of such attacks. Nonetheless, utilities should inform customers of their need for cybersecurity, the common business vulnerabilities to cyber attacks, how to mitigate threats and how to recover after being hacked. Since smart technology and connected energy systems leave businesses vulnerable, customers would trust their utility's advice.

Need for Cybersecurity

So, who cares if someone hacks your customer’s building automation system (BAS) and learns their setpoints (temperature, airflow, pump speeds)? Realistically, there is little to lose if that normally confidential information gets out. But what if they are a hospital, data center, hotel, or even an office and setpoints are changed (integrity) or their HVAC is shut down (availability)? The consequences of those last two cybersecurity threat vectors can be very costly.

Some threats are unintentional, caused by their own employees. Accidently turning off your BAS server, for instance. But what are typically intentional information technology (IT) threats?  Here are just a few major ones:

• Ransomware – from scam emails, server vulnerabilities, infected websites, online ads
• Malicious code – in viruses, worms, trojan horses, data files
• Distributed denial-of-service – floods a business network making it unable to access information systems, devices, or other network resources
• Phishing - solicits personal information by posing as a trustworthy organization

A company’s cybersecurity need can be estimated by multiplying the likelihood of occurrence (risk) by the cost. There are tangible costs like data loss, idle employees, and lost revenues. There are also intangible costs such as lost opportunities and damage to your brand.

Need = Risk x Cost

Company Vulnerabilities

Where are the vulnerabilities found in most businesses? The biggest vulnerabilities are internal. Lack of data and password management, for instance. According to a Google survey of 3,000 adults in the US, at least 50% of people reuse passwords across multiple sites regularly. Not surprisingly, according to Verizon, over 60% of breaches are attributed to weak, default or stolen passwords.

External vulnerabilities include networks, applications and people. Publicly exposed network IP addresses allows someone to see and manipulate the BAS system or eavesdrop (man in the middle attack). Not implementing upgrades to applications or not using public key infrastructure (PKI) certificates exposes hardware applications.

Threat Mitigation

What can you do to mitigate the threat of cyber attacks? In 2014, NIST introduced the Cyber Security Framework (CSF) reference tool which helps an organization assess and manage cyber security risk across five functions:

1. Identify – what you have and its mission; risk profile (likelihood of attack)
2. Protect – access to assets and information; regular backups; employee training
3. Detect – unauthorized entities and actions; know your data flow levels
4. Respond - make sure each person knows their responsibilities in executing the mitigation plan
5. Recover – develop a disaster recovery plan; manage public relations and company reputation

There are several other tools your customers can use for threat mitigation. The Microsoft Threat Modeling Tool creates and analyzes threat models, analyzes security designs for potential security issues, and suggests and manages mitigations for security issues. The Forum of Incident Response and Security Teams (FIRST) has developed the Common Vulnerability Scoring System (CVSS). It provides a way to capture the principal characteristics of software vulnerability and produces a numerical score reflecting its severity.

Third-party certification for cybersecurity of connected energy-using devices is also critical. Several compliance standards are available for help in procurement:

• National Institute of Standards and Technology (NIST) SP 800-82 Rev 2: Guide to Industrial Control Systems Security
• Underwriters Laboratories' (UL) Cybersecurity Assurance Program
• American National Standard Institute (ANSI)/UL 2900 Standard for Software Cybersecurity
• International Society for Automation (ISA) ANSI/ISA 62443 Security for Industrial Automation and Control Systems
• Common Criteria for Information Technology Security Evaluation ISO/IEC 15408-1:2019

There are numerous additional cybersecurity resources available to utility customers including the NIST Small Business Cybersecurity Center and Homeland Security’s Cybersecurity Resources Roadmap.

Recovery

When you are hacked (not if), how should you recover? The Secretary of Defense Cyber Command has excellent tactics, techniques and procedures to follow.

1. Turn to previously developed mitigation procedures
2. Compare with normative operational conditions of network entry points
3. Preserve evidence of a cyber attack for forensic analysis

Summary

Building operations are a target rich environment, so anything your customers can do to take them further off a hackers radar is usually worthwhile. Cybersecurity is another area where energy utilities can be the “go-to” resource to protect their customer’s investment in Building Automation Systems. Don’t stand back. Attack the hack!