How best to protect building automation systems from cyberattacks
From specialised buildings such as data centres and hospitals to hotels, office buildings and even homes, building automation can improve the energy efficiency, security, and comfort of public and private properties. Whatever the purpose of the building, its occupants always expect good air quality, comfortable temperatures, adequate lighting, and the necessary security. Modern building automation systems (BAS) can fulfil these expectations. However, because these systems are connected to the internet and to each other in networks, they are vulnerable to cyber-attacks. In its latest white paper, OT (Operational Technology) cybersecurity specialist TXOne Networks summarises four cornerstones for securing building automation systems – based on its own OTZeroTrust approach and true to its motto: “never trust, always verify”.
Dangers in building automation
BAS attacks resemble attacks on industrial control systems (ICS), but there are some important differences. Like ICS components, building automation devices are vulnerable to malware injection and memory corruption if their code is not adequately secured. Attackers can, for example, build a fake temperature sensor from a Raspberry Pi and deploy it loaded with malware, or find an exposed UDP service (BACnet/IP listens on UDP port 47808 by default) on a device that still uses its default password. Most attacks on ICS start with an employee bringing the threat into the workplace themselves, or with a failure of the IT defences. Attackers can, in theory, penetrate a BAS network without composing a single phishing e-mail: searches on IoT search engines such as Shodan or Censys reveal hundreds of thousands of internet-exposed devices with known vulnerabilities, and a capable attacker could script the delivery of malware to every device on the result list. Another difference is that the physical processes that keep a building running are far simpler than those that control an industrial plant, which makes them easier to disrupt: to cause lasting damage to industrial production, malware must account for the process's safety measures, its timing and the surrounding IT environment, which is usually more regulated and better protected than in a BAS.
Four main components for securing building automation systems
The main role of building automation systems is to create a comfortable living and working environment. Without security controls, however, an attacker could compromise and damage the home, hotel, hospital, data centre, sports arena or even the cloud-based systems used there. TXOne Networks' OTZeroTrust approach rests on four cornerstones for building automation system cybersecurity: Audit, Lock, Segment and Strengthen. The overarching principle is "never trust, always verify".
The first cornerstone is Audit: every digital device that becomes part of the building automation system should go through an audit before it is connected. The most common way malware gets into a company's BAS is that trusted individuals bring it in, intentionally or accidentally. Organisations also need a process for identifying and addressing security risks in all externally acquired components, for example with automated vulnerability monitoring and tracking tools. With a portable security scanner, for instance, a company can detect and remove malware before an infected endpoint is put into service in the BAS.
The second cornerstone is Lock: trust lists regulate which end devices and which network traffic are permitted, and everything else is blocked. These lists are adapted to the current circumstances or threat situation and assess the trustworthiness of end devices and network connections case by case. They can be a simple trust list, as used by permanently installed end devices, or a so-called trust library of common OT, BAS or ICS applications and certificates. Shielding exposed BAS assets works even better with a further layer of protection in the form of machine-learning functions that detect suspicious activity without interrupting the processes the trust list already permits. At the network level, control commands and other messages are then forwarded between security zones on a need-to-know basis, and all other communication is blocked. Blocking specific control commands requires an OT-native application that understands BAS protocols such as BACnet and prevents attackers from sending malicious commands, both by strictly limiting privileges and by blocking suspicious or unusual control commands by default.
Such privileges are best defined in the context of network segmentation, the third cornerstone, where they can be tailored to the specific requirements of each BAS. It is critical that the requirements of each endpoint are taken into account: legacy systems that perform routine tasks as well as modern assets that perform a variety of different tasks.
Dividing the network into individual zones makes cyber-attacks easier to defend against. To take segmentation further, it is advisable to adopt the concepts of "zones" and "conduits" described in the IEC 62443 series of standards on security for industrial automation and control systems. A security zone is a group of physical or logical assets that share common security requirements and has defined boundaries. The connections between zones, the conduits, are where the security measures belong: they control access, resist denial-of-service attacks, shield vulnerable systems and protect the integrity and confidentiality of communications. OT-native protocol policies define which protocol commands are permitted on a conduit, and IP-based policies define which assets may communicate with each other at all.

The basic tools for segmentation are the OT intrusion prevention system (IPS) and the OT firewall. A next-generation OT IPS can split critical BAS assets into micro-segments, down to single assets that need one-to-one protection, while a next-generation firewall provides transparent segmentation under a broader set of network security policies. OT-native IPS and firewalls can be deployed transparently, without changes to the existing BAS architecture, and trust lists can be defined at both the network and the protocol level. Segmentation isolates vulnerable assets in a protected zone that can more easily be kept free of zero-day exploits and other threats. Some assets are so central to the system design that they can never be taken off the network; segmentation with OTZeroTrust-based policies prevents an attacker who has a foothold elsewhere from moving laterally to reach them.
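The two preceding cornerstones, Lock (block unusual control commands by default) and Segment (a conduit between zones that enforces a protocol-level trust list), come down to one mechanism: decode the BAS protocol far enough to name the command, then allow only the commands and senders the zone needs. The following is an added example written for this article, not code from TXOne Networks or from the white paper. It decodes the BACnet/IP headers of a datagram and applies a conduit policy for a controller zone. The zone addresses, the host roles and the sample datagrams are constructed for the example; the BACnet encoding (BVLC, NPDU, APDU layout and the service numbers) follows the standard.

```python
"""Protocol-aware conduit policy for BACnet/IP (added example, not TXOne code).

Decodes the BVLC, NPDU and APDU headers of a BACnet/IP datagram, names the
service being requested and checks it against a trust list for the conduit
into the controller zone. Any service or sender not on the list is blocked,
so commands that reboot or silence a controller are denied by default.
"""
import ipaddress

# BACnet/IP encoding constants (from the BACnet standard).
BVLC_TYPE = 0x81
BVLC_ORIGINAL_UNICAST, BVLC_ORIGINAL_BROADCAST = 0x0A, 0x0B
PDU_CONFIRMED, PDU_UNCONFIRMED = 0, 1
CONFIRMED_SERVICES = {
    12: "readProperty", 14: "readPropertyMultiple", 15: "writeProperty",
    16: "writePropertyMultiple", 17: "deviceCommunicationControl",
    20: "reinitializeDevice",
}
UNCONFIRMED_SERVICES = {0: "i-Am", 6: "timeSynchronization", 8: "who-Is"}


def parse_bacnet_ip(pkt: bytes):
    """Return (kind, service) for a datagram; raise ValueError if malformed."""
    try:
        if pkt[0] != BVLC_TYPE:
            raise ValueError("not a BACnet/IP frame")
        if pkt[1] not in (BVLC_ORIGINAL_UNICAST, BVLC_ORIGINAL_BROADCAST):
            raise ValueError(f"unsupported BVLC function 0x{pkt[1]:02x}")
        if int.from_bytes(pkt[2:4], "big") != len(pkt):
            raise ValueError("BVLC length does not match datagram length")
        npdu = pkt[4:]
        if npdu[0] != 0x01:
            raise ValueError("unknown NPDU version")
        control, i = npdu[1], 2
        if control & 0x20:              # DNET, DLEN, DADR present
            i += 3 + npdu[i + 2]
        if control & 0x08:              # SNET, SLEN, SADR present
            i += 3 + npdu[i + 2]
        if control & 0x20:              # hop count follows the addresses
            i += 1
        if control & 0x80:              # network-layer message, no APDU
            return ("network-layer", None)
        apdu = npdu[i:]
        pdu_type = apdu[0] >> 4
        if pdu_type == PDU_CONFIRMED:
            # byte 1: max segments/APDU size, byte 2: invoke ID; a segmented
            # request inserts sequence number and window size before the service
            idx = 5 if apdu[0] & 0x08 else 3
            svc = apdu[idx]
            return ("confirmed", CONFIRMED_SERVICES.get(svc, f"confirmed-{svc}"))
        if pdu_type == PDU_UNCONFIRMED:
            svc = apdu[1]
            return ("unconfirmed", UNCONFIRMED_SERVICES.get(svc, f"unconfirmed-{svc}"))
        return ("response", None)       # Simple/Complex-ACK, Error, Reject, Abort
    except IndexError:
        raise ValueError("truncated datagram") from None


# Assumed zone model for the example (addresses constructed, not from the paper).
CONTROLLER_ZONE = ipaddress.ip_network("10.20.0.0/24")   # field controllers
BMS_SERVER = ipaddress.ip_address("10.10.1.10")          # supervisory BMS server
ENGINEERING_WS = ipaddress.ip_address("10.10.1.20")      # engineering workstation

# Conduit trust list: service -> hosts allowed to send it into the zone
# (None = any host). Services missing here are blocked by default;
# reinitializeDevice and deviceCommunicationControl are left out on purpose.
TRUST_LIST = {
    "who-Is": None,
    "i-Am": None,
    "timeSynchronization": {BMS_SERVER},
    "readProperty": {BMS_SERVER, ENGINEERING_WS},
    "readPropertyMultiple": {BMS_SERVER, ENGINEERING_WS},
    "writeProperty": {BMS_SERVER},
    "writePropertyMultiple": {BMS_SERVER},
}


def conduit_decision(src_ip: str, dst_ip: str, pkt: bytes):
    """Decide whether a datagram may cross the conduit into the controller zone."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if dst not in CONTROLLER_ZONE or src in CONTROLLER_ZONE:
        return ("allow", "traffic does not cross the conduit")
    try:
        kind, service = parse_bacnet_ip(pkt)
    except ValueError as exc:
        return ("block", f"malformed BACnet/IP: {exc}")
    if kind == "response":
        # Stateless example: a real OT IPS would match the invoke ID against
        # a request it already forwarded out of the zone.
        return ("allow", "reply to a request from inside the zone")
    if kind == "network-layer":
        return ("block", "network-layer routing messages are blocked by default")
    if service not in TRUST_LIST:
        return ("block", f"{service} is not on the conduit trust list")
    senders = TRUST_LIST[service]
    if senders is not None and src not in senders:
        return ("block", f"{src} is not trusted to send {service}")
    return ("allow", f"{service} from {src}")


# Constructed sample datagrams, hand-encoded per the BACnet/IP frame format.
WHO_IS = bytes.fromhex("81 0b 000c 01 20 ffff 00 ff 10 08")      # broadcast Who-Is
READ_PROP = bytes.fromhex("81 0a 0011 01 04 00 05 01 0c 0c 02000008 19 4d")  # ReadProperty device,8 object-name
WRITE_PROP = bytes.fromhex(                                       # WriteProperty analog-output,1
    "81 0a 001a 01 04 00 05 02 0f 0c 00400001 19 55 3e 44 42480000 3f 49 08")  # present-value = 50.0, priority 8
REINIT = bytes.fromhex("81 0a 000c 01 04 00 05 03 14 09 00")     # ReinitializeDevice coldstart
DCC = bytes.fromhex("81 0a 000c 01 04 00 05 04 11 19 01")        # DeviceCommunicationControl disable
TRUNCATED = bytes.fromhex("81 0a 0011 01 04 00 05")              # cut off mid-APDU

if __name__ == "__main__":
    for src, dst, pkt in [("10.10.1.20", "10.20.0.255", WHO_IS),
                          ("10.10.1.20", "10.20.0.7", READ_PROP),
                          ("10.10.1.20", "10.20.0.7", WRITE_PROP),
                          ("10.10.1.10", "10.20.0.7", WRITE_PROP),
                          ("10.10.1.10", "10.20.0.7", REINIT),
                          ("10.10.1.10", "10.20.0.7", DCC),
                          ("10.10.1.10", "10.20.0.7", TRUNCATED)]:
        print(src, "->", dst, *conduit_decision(src, dst, pkt))
```

Run stand-alone, the script prints the decision for each sample. The instructive cases are the WriteProperty from the engineering workstation and the ReinitializeDevice from the BMS server: both senders are otherwise trusted, yet both datagrams are blocked, the first because writes are reserved for the BMS server and the second because a reboot command is not on the list at all. Note the limit of this check: BACnet/IP carries no authentication of its own, so the source address is the only identity the conduit can verify, and a spoofed address from a host already inside the controller zone is not stopped by this rule. That is the gap the endpoint-side trust lists of the Lock cornerstone are meant to close.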
The fourth cornerstone is Strengthen. Hardening depends on many factors: Is a security patch available, and is it compatible? Does the OT environment allow the asset to be patched at all? The state of the asset and its patch status are constant factors in the maintenance process. With virtual patches, assets are protected without changes to their configuration, regardless of whether the manufacturer has released a security update. Technicians use virtual patches to mitigate risk until the right time for an update and a vendor-provided patch. The OT-native IPS and firewalls that enable this kind of asset-centric defence carry standardised rule sets designed to block attacks without requiring the endpoint itself to be updated, which avoids reboots and production downtime. A virtual patch only covers traffic that passes through the IPS, however: an attacker already inside the same segment, or with physical access to the device, bypasses it, so the underlying vulnerability still has to be tracked until the vendor patch is applied.
Securing building automation systems with the OTZeroTrust approach keeps buildings comfortable and energy-efficient while making them secure. The first step is a secure supply chain: companies should require partners throughout the supply chain to maintain an appropriate level of security, write their security requirements into their terms and conditions, and screen IT providers for gaps in protection. They also need a process to identify and manage security risks in all externally purchased components, for example with automated tools that monitor and track threats and vulnerabilities.
In a second step, an OTZeroTrust architecture should be deployed. More and more IoT devices will be used in smart buildings in future, and the four cornerstones, Audit, Lock, Segment and Strengthen, guide companies in securing them. OTZeroTrust acts as the "cyber security ghost buster" for building automation systems, saving building technicians development time and the cost of acquiring expensive security expertise.
The third step is lifelong protection of OT endpoints. OT endpoints in smart buildings remain in service for 20 years or more, so managing old endpoints and systems becomes the norm for the cybersecurity team. If long-term protection of assets is not planned for, serious security issues will follow. Supporting lifelong protection of endpoints requires an asset-centric approach that protects endpoint applications, monitors legitimate processes and prevents unauthorised programs from running.
Author: Dmitri Belotchkine, Technical Director Europe at TXOne Networks