Cybersecurity is a moving target. What is safe and secure today may not be tomorrow. This is especially true for building technologies. Not so long ago, building devices and the systems that manage them were isolated and faced minimal security risks. At the time, physical or virtual segmentation and segregation from the information technology (IT) network was adequate to provide the necessary security for building management systems. That began to change with the introduction of the Internet of Things (IoT), which has had a profound impact on building technologies.
Thanks to IoT, building devices can now connect to the Internet and building management systems are no longer isolated. In fact, Internet-connected devices can be accessed and controlled from anywhere in the world. They can communicate with each other and with an organization’s IT systems, making them part of the larger enterprise-wide network. This drives powerful functionality but creates additional challenges.
In response, IT departments have grown increasingly concerned. With building devices communicating over the Internet, many IT leaders fear that hackers will attack an organization through its building management systems. And the fear has been justified. In the 2014 attack against a major retail chain, the HVAC system was hacked and used to infiltrate the financial system. Credit card information for over 40 million customers was stolen. Three years later, cybercriminals stole a database of high-roller gamblers from a North American casino. They gained access through an Internet-connected thermostat in an aquarium located in the lobby.
Today, building owners and operators share the concerns of their IT counterparts. During the first half of 2019, data breaches exposed over 4.1 billion records. As happened in the past, spam phishing was leveraged to gain access to building management systems, with hackers using HVAC systems as entry points into corporate IT networks and data centers.
33-Year Success Story Continues
In 1987, long before cybersecurity was in our vernacular, The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) began developing a communication protocol called Building Automation and Control Networks (BACnet). BACnet was revolutionary because it enabled equipment from different vendors to talk to each other, which led to the seamless interoperability of devices. Today it is the leading building automation protocol, with a 60% share of the commercial building market. More than 1,000 manufacturers incorporate BACnet communication rules into a broad range of building-related products and systems, including HVAC, lighting, access control, elevators and security systems. The latest development of BACnet – BACnet Secure Connect (BACnet/SC) – is an important cybersecurity update. It is intelligently designed to be both backward compatible to the installed BACnet base and IT friendly.
The Impact of IoT Adoption
The growth of BACnet paralleled the growth of the World Wide Web and the birth of the IoT. As the demand for IoT functionality multiplied, interconnectivity and Internet access became significant features of building devices and systems. In fact, the widespread adoption of IoT across building enterprises was a game changer. It accelerated convergence of IT, which manages the flow of digital information – or data – and Operational Technology (OT), which includes building systems such as HVAC, surveillance and access control. Together, IT and OT capture key operational data that end users such as building owners and managers employ to make their facilities more comfortable, safe and secure. With IoT, systems and devices have become more intelligent and connected, creating new opportunities for manufacturers and service organizations to enhance their value.
The Need to Improve OT Security
As the industry and connectivity change, the risks associated with breaches rise, which drives the need for improved OT security. Today, BACnet/IP devices can be easily added to any Internet Protocol (IP) network. This is good for flexible, easy data exchange but can introduce risk. When these devices share the same network with the enterprise, they can expose the entire enterprise system to data mining, tampering or unsanctioned reconfiguration. With the threat of potential damage to building equipment, system security is a necessity and, in more and more cases, a customer requirement.
What does OT security look like today? It’s a system that coordinates with IT to ensure network segmentation and segregation. It can use measures such as a Virtual Local Area Network (VLAN), firewall or Virtual Private Network (VPN) to protect its devices. But such security efforts can be complex and costly. From a building automation perspective, security needs to be at the device and building network level, providing authentication and encryption. Building better security directly into the BACnet protocol stack is a logical solution that is both standardized and powerful. If hackers attack an organization through its OT systems, a solid BACnet security solution will be the last line of defense.
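The exposure described above (BACnet/IP devices sharing an enterprise network, open to enumeration and unsanctioned reconfiguration) is something a defender can at least observe while segmentation is being put in place. The following is an added example, not code from the original article or from ASHRAE: a small decoder for the BACnet/IP headers (BVLC, NPDU and APDU, as laid out in the BACnet standard) that classifies each frame by service and raises a finding when a host outside an allow-list of sanctioned management servers sends a device-discovery broadcast or a state-changing request. The sample frames, IP addresses and the allow-list are constructed for the example; the `classify`/`audit` helpers and the severity names are this example's own conventions.

```python
import struct

# BVLC (BACnet Virtual Link Control) function codes used by BACnet/IP (Annex J).
BVLC_TYPE = 0x81
BVLC_FORWARDED_NPDU = 0x04
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B

# Service choices for the APDU types this decoder understands.
CONFIRMED_SERVICES = {
    12: "readProperty", 14: "readPropertyMultiple", 15: "writeProperty",
    16: "writePropertyMultiple", 17: "deviceCommunicationControl",
    20: "reinitializeDevice",
}
UNCONFIRMED_SERVICES = {0: "i-Am", 1: "i-Have", 7: "who-Has", 8: "who-Is"}

# Services that change device state: only sanctioned management hosts should send them.
WRITE_CLASS = {"writeProperty", "writePropertyMultiple",
               "deviceCommunicationControl", "reinitializeDevice"}
DISCOVERY = {"who-Is", "who-Has"}


def decode_bacnet_ip(frame):
    """Decode the BVLC + NPDU + APDU headers of one BACnet/IP UDP payload."""
    if len(frame) < 4 or frame[0] != BVLC_TYPE:
        raise ValueError("not a BACnet/IP (BVLC) frame")
    func, length = frame[1], struct.unpack("!H", frame[2:4])[0]
    if length != len(frame):
        raise ValueError("BVLC length field does not match frame size")
    info = {"bvlc_function": func, "broadcast": func == BVLC_ORIGINAL_BROADCAST,
            "service": None, "invoke_id": None}
    offset = 4
    if func == BVLC_FORWARDED_NPDU:
        offset += 6          # originating B/IP address (4-byte IP + 2-byte port)
    elif func not in (BVLC_ORIGINAL_UNICAST, BVLC_ORIGINAL_BROADCAST):
        return info          # register-foreign-device etc. carry no NPDU
    # NPDU: version, control, optional DNET/DLEN/DADR, SNET/SLEN/SADR, hop count
    version, control = frame[offset], frame[offset + 1]
    if version != 1:
        raise ValueError("unsupported NPDU version %d" % version)
    offset += 2
    if control & 0x20:                       # destination specifier present
        offset += 3 + frame[offset + 2]      # DNET(2) + DLEN(1) + DADR(DLEN)
    if control & 0x08:                       # source specifier present
        offset += 3 + frame[offset + 2]      # SNET(2) + SLEN(1) + SADR(SLEN)
    if control & 0x20:
        offset += 1                          # hop count follows the specifiers
    if control & 0x80:
        info["service"] = "network-layer-message"
        return info
    # APDU: the high nibble of the first byte is the PDU type
    pdu_type = frame[offset] >> 4
    if pdu_type == 0:                        # Confirmed-Request
        segmented = frame[offset] & 0x08
        info["invoke_id"] = frame[offset + 2]
        choice = frame[offset + (5 if segmented else 3)]
        info["service"] = CONFIRMED_SERVICES.get(choice, "confirmed-%d" % choice)
    elif pdu_type == 1:                      # Unconfirmed-Request
        choice = frame[offset + 1]
        info["service"] = UNCONFIRMED_SERVICES.get(choice, "unconfirmed-%d" % choice)
    else:
        info["service"] = "pdu-type-%d" % pdu_type
    return info


def classify(src_ip, frame, authorized_hosts):
    """Return (severity, message) for one frame, given the hosts allowed to manage devices."""
    svc = decode_bacnet_ip(frame)["service"]
    if svc in WRITE_CLASS and src_ip not in authorized_hosts:
        return ("ALERT", "%s sent %s: unsanctioned reconfiguration attempt" % (src_ip, svc))
    if svc in DISCOVERY and src_ip not in authorized_hosts:
        return ("NOTICE", "%s sent %s: device enumeration from an unexpected host" % (src_ip, svc))
    return ("INFO", "%s sent %s" % (src_ip, svc))


def audit(samples, authorized_hosts):
    """Run classify() over (src_ip, frame) pairs and return the list of findings."""
    return [classify(src, frame, authorized_hosts) for src, frame in samples]


# Constructed sample frames (not captured traffic); each is a well-formed BACnet/IP payload.
WHO_IS_GLOBAL = bytes.fromhex("810B000C 0120FFFF00FF 1008")              # global Who-Is broadcast
READ_PROPERTY = bytes.fromhex("810A0011 0104 0005020C 0C00800001 1955")  # read present-value
WRITE_PROPERTY = bytes.fromhex("810A0018 0104 0005010F 0C00800001 1955 3E4442C800003F")  # write 100.0
REINIT_DEVICE = bytes.fromhex("810A000C 0104 00050314 0900")             # reinitialize (coldstart)

SAMPLES = [
    ("10.20.0.5", READ_PROPERTY),    # the sanctioned BMS server reading a value
    ("10.20.0.5", WRITE_PROPERTY),   # the same server writing a setpoint
    ("10.20.30.7", WHO_IS_GLOBAL),   # an unknown host enumerating devices
    ("10.20.30.7", WRITE_PROPERTY),  # an unknown host writing a setpoint
    ("10.20.30.7", REINIT_DEVICE),   # an unknown host rebooting a controller
]
AUTHORIZED = {"10.20.0.5"}

if __name__ == "__main__":
    for severity, message in audit(SAMPLES, AUTHORIZED):
        print(severity, message)
```

The point of the allow-list is that plain BACnet/IP carries no authentication: the decoder can tell a write from a read, but only the source address says who sent it, and that address is trivially forged. Monitoring of this kind narrows the blind spot; it does not replace the device-level authentication that the rest of the article argues for.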
The Strength of BACnet/SC
BACnet/SC is a formidable defense. Incorporating the same technology used to secure online banking, BACnet/SC makes communications over a building automation network as secure as financial transactions. Instead of inventing new standalone security measures, ASHRAE employed proven cybersecurity technologies from the IT world. BACnet/SC integrates easily with IT infrastructure because it is inherently IT friendly and doesn’t call for extra VPN equipment or software. But what makes BACnet/SC most significant is its ability to provide security at the equipment level, so that communication between devices, both across the cloud and within facilities, is protected using Transport Layer Security (TLS) and X.509 certificates, the same technology used for online banking connections and other critical applications.
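To make concrete what "TLS and X.509 certificates at the equipment level" means in practice, here is an added example written for this page; it is not BACnet/SC's own implementation or any vendor's code. It uses Python's standard `ssl` module to contrast a weak TLS configuration (encryption only, no peer authentication) with a mutually authenticated one, where each side must present a certificate issued by a private device CA and the handshake fails otherwise, and then shows a post-handshake policy check that the authenticated peer is actually one of the expected devices and its certificate is within its validity period. The file paths are placeholders, and the peer certificate dictionary is constructed in the layout `SSLSocket.getpeercert()` returns.

```python
import ssl

# Placeholder paths: in a deployment these would be the private device CA bundle
# and this device's own certificate and key. No such files are assumed to exist here.
DEVICE_CA_BUNDLE = "/path/to/device-ca.pem"
DEVICE_CERT = "/path/to/this-device.pem"
DEVICE_KEY = "/path/to/this-device.key"


def weak_context():
    """The setting to avoid: TLS for confidentiality only, with no peer authentication."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # any certificate, including an impostor's, is accepted
    return ctx


def hardened_context(server_side, ca_file=None, cert_file=None, key_file=None):
    """Mutual TLS: both ends present an X.509 certificate and verify the other's."""
    protocol = ssl.PROTOCOL_TLS_SERVER if server_side else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(protocol)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails unless the peer proves its identity
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)  # trust only the private device CA
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)   # this device's own identity
    return ctx


def describe(ctx):
    """Summarize the two settings that decide whether peers are authenticated."""
    return {"verify_mode": ctx.verify_mode.name,
            "minimum_version": ctx.minimum_version.name}


def peer_identity_ok(peer_cert, allowed_names, now):
    """Policy check on getpeercert() output after a successful mutual-TLS handshake.

    TLS proves the peer holds a key the device CA vouched for; this check adds
    that the certified name is one this system expects to talk to, and that the
    certificate is currently valid. `now` is seconds since the epoch.
    """
    common_name = None
    for rdn in peer_cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                common_name = value
    not_before = ssl.cert_time_to_seconds(peer_cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(peer_cert["notAfter"])
    return common_name in allowed_names and not_before <= now < not_after


# Constructed peer certificate summary in getpeercert() layout (not a real certificate).
SAMPLE_PEER_CERT = {
    "subject": ((("organizationName", "Example Facilities"),),
                (("commonName", "ahu-01.bms.example"),)),
    "issuer": ((("commonName", "Example BMS Device CA"),),),
    "notBefore": "Jan  1 00:00:00 2023 GMT",
    "notAfter": "Jan  1 00:00:00 2031 GMT",
    "serialNumber": "0A1B2C",
}

if __name__ == "__main__":
    print("weak:    ", describe(weak_context()))
    print("hardened:", describe(hardened_context(server_side=True)))
    print("peer ok: ", peer_identity_ok(SAMPLE_PEER_CERT, {"ahu-01.bms.example"}, now=1700000000))
```

The server side is the one that matters for "IT friendly": with `CERT_REQUIRED` on the server context, a device or workstation without a certificate from the device CA cannot complete the handshake at all, which is the property a VPN was previously being used to approximate.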
At this time, the standard for BACnet/SC has been defined but certification testing is not yet available. BACnet/SC is designed to be backward and forward compatible with all existing and future BACnet deployments and devices. The alignment of BACnet/SC with existing IT standards and best practices gives organizations a more robust security solution for their building automation infrastructure. It will also allow organizations to unlock new cloud-based applications and future-proof their investments in building automation as new security innovations become available.
Want to hear more? Listen to me discuss BACnet/SC on the Buildings of Tomorrow podcast – search for “Buildings of Tomorrow” on your favorite podcast platform or use the links below:
- Building communication protocols and cyber security (video, audio)
- BACnet, the master of building protocols (video, audio)
- The different features of BACnet Secure Connect (video, audio)
- How is the security of building protocols impacting the stakeholders? (video, audio)