Network Security in Building Automation
Most discussions on the topic of Network Security in Building Automation focus solely on cryptography, cybersecurity standards and other technical security topics. Concepts like TLS communications, TLS certificate distribution and registration authorities are all important for anyone involved in large office networks. However, such discussions only address modern TCP/IP networks, computers and devices. They often ignore the numerous smaller devices, legacy networks and physical security measures required in a real-world Building Automation System (BAS). Unlike office networks, the typical modern BAS is a mixture of inexpensive wiring connecting smaller controllers and sensors, and larger network devices like equipment controllers and computers.
In this article, we’ll review network security topics, but focus primarily on those issues that are specific to building automation systems. We’ll cover TLS communications for large networks, security categories for smaller networks and devices, and tools for managing security in a BAS. We begin with the most basic concept in network security: Physical Security.
Physical Security in Communication Endpoints
There is a basic assumption for network security in building automation:
Strong Physical Security must exist at Communication Endpoints.
This principle is so fundamental that it is rarely discussed, as it is often assumed that everyone knows this. However, those new to network security may not be aware of this requirement. As we begin to analyze Network Security in Building Automation Systems in large buildings, physical security of controllers, networks and equipment becomes extremely important. So let’s begin with this basic concept as it pertains to the BAS network.
Cybersecurity techniques were developed based on the assumption that the miles of wire and equipment between the communicating endpoints could never be physically secured. You don’t believe this to be true? Imagine you would have to physically secure a communication network stretching from the east coast to the west. Would you deploy armed security officers to guard the thousands of miles of wires in your network, 24 hours a day? Even well-funded border patrols are insufficient to eliminate every possible intruder. Physical security on this scale is impractical. If the physical security of such a network were practical, we would have no need for cybersecurity techniques (or this article).
So cybersecurity techniques were designed to secure the long and vulnerable communication pathways that connect people and computers. To begin, however, one must assume that those computers, people, and equipment at the endpoints of communication are safe from physical attack. The computer in your office must be locked at night. This basic assumption of physical network security is shown in the diagram below:
Note: physical security is one of the many advantages of large and professionally run data centers. Computers in the typical home or small office are actually more susceptible to physical attack than those in large data centers.
If you’re not convinced of the need for physical security at communication endpoints, let’s consider a simple example of how a physical attack on an endpoint might be effective.
Imagine an attacker has gained physical access to a user’s home. He proceeds to mount a camera where an unsuspecting person will be using a computer. To be clear, there are more effective attacks for those who gain physical access to an endpoint. We use this example for illustrative purposes only.
In this example, an attacker could record and transmit the user credentials as the user logs into an account. Even if the password was not displayed on the screen, the camera could record his fingers physically hitting the keyboard. Once the user’s password has been compromised, attackers could use it to log in and gain access to his accounts. The example highlights that physical security (in addition to cybersecurity) is required at the endpoints of secure communication.
Note: This would be ineffective if the user’s account enforced 2-factor authentication, like sending a verification code as a text message. The physical attacker would also have to steal the user’s phone.
Physical Security in Large Buildings
In our diagram above, we show a simple and clear delineation between single endpoints inside small physically secured spaces, and long vulnerable communications networks outside of these secure spaces. However, in large building networks, especially building automation systems, this delineation is not so clear. Unlike our simple diagram above, BAS wiring inside of large buildings can be vast and complex. Each part of the BAS network has its own level of vulnerability and risk. Each of these parts should be scrutinized separately before assessing the overall risk. In a future article, we’ll formally break the BAS up according to five Cybersecurity Levels (CSL). For now, we’ll just highlight physical security considerations for different portions of the network. Consider the BAS network architecture diagram below:
Large Standard Networks
Let’s start with large standard networks, shown in the diagram above the dotted blue line. The devices included here are the larger BAS controllers and computers, as well as the devices throughout the building’s shared network. These networks and devices would typically be managed by IT security staff and would leverage the best in modern security, such as TLS communications. IT staff in large buildings typically treat the network wires leaving one office suite and traveling through the building as vulnerable and insecure. This is true even though the communications have not yet left the building and traveled onto the Internet. Large buildings accommodate thousands of people. Although in-building networks are not as vulnerable as the entire Internet, trust among all occupants cannot be assumed. Typically, cybersecurity techniques would be employed inside the building network infrastructure to protect the communications of the occupants.
You should note that the larger components of a modern BAS often reside on the building’s network infrastructure using standard connections like Ethernet or Wi-Fi. Accommodating the BAS on a building’s existing network infrastructure has many advantages:
- It is less expensive than installing a dedicated BAS network.
- It allows for consolidated network management and security.
- It allows for easy sharing of data between different building systems.
Especially when using a shared building-wide network, it is generally not assumed that these networks enforce physical security throughout the building. The good news is that they can take advantage of the same modern security techniques that are used on the Internet.
Our diagram shows two such techniques in use:
- VLAN (Virtual Local Area Network), shown on the left BAS Server with orange and blue wiring.
- Native TLS Communications, shown on the right BAS Server with green and blue wiring.
VLAN
Most older BAS components don’t natively communicate using cryptography. For example, the secure version of BACnet (BACnet Secure Connect) was first released in 2016, and work on it continues. For this reason, many IT departments will create a Virtual Local Area Network (VLAN). VLANs use various protocols and switching techniques to isolate the BAS devices from the rest of the network. This VLAN protects the BAS against attacks that originate from within the building.
In the diagram above, even though the large BAS devices are not natively secure, they can be secured by network managers through a VLAN.
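A VLAN only isolates the BAS if every legacy BAS device is actually on it and nothing else is. The following is an added example (not code from the article) that reads a switch port inventory and reports both failure classes: BAS devices left outside the VLAN, and non-BAS devices placed inside it. The inventory, the VLAN id 120 and the device names are constructed placeholders.

```python
import csv
import io
from typing import Dict, List

# Assumed id of the IT-managed BAS VLAN (placeholder value).
BAS_VLAN = 120

# Constructed sample inventory: one row per access port. "role" is whatever
# the asset register says the connected device is.
SAMPLE_INVENTORY = """\
port,vlan,device,role
Gi1/0/1,120,bas-server-1,bas
Gi1/0/2,120,ahu-ctrl-1,bas
Gi1/0/3,120,ahu-ctrl-2,bas
Gi1/0/4,10,recep-pc-1,office
Gi1/0/5,10,ahu-ctrl-3,bas
Gi1/0/6,120,printer-2f,office
Gi1/0/7,120,visitor-ap,guest
"""


def parse_inventory(text: str) -> List[Dict[str, object]]:
    """Parse the CSV inventory into rows with an integer VLAN id."""
    rows: List[Dict[str, object]] = []
    for raw in csv.DictReader(io.StringIO(text)):
        rows.append({
            "port": raw["port"],
            "vlan": int(raw["vlan"]),
            "device": raw["device"],
            "role": raw["role"],
        })
    return rows


def check_isolation(rows: List[Dict[str, object]],
                    bas_vlan: int = BAS_VLAN) -> Dict[str, List[str]]:
    """Return the devices that break the VLAN's isolation guarantee.

    bas_outside_vlan: BAS devices reachable from the general building network.
    non_bas_inside_vlan: office/guest devices that now share a broadcast
    domain with controllers that have no cryptographic protection.
    """
    outside = [str(r["device"]) for r in rows
               if r["role"] == "bas" and r["vlan"] != bas_vlan]
    intruders = [str(r["device"]) for r in rows
                 if r["role"] != "bas" and r["vlan"] == bas_vlan]
    return {"bas_outside_vlan": outside, "non_bas_inside_vlan": intruders}


if __name__ == "__main__":
    report = check_isolation(parse_inventory(SAMPLE_INVENTORY))
    for problem, devices in report.items():
        print(f"{problem}: {devices or 'none'}")
```

Run against a real export of the access-port configuration on a schedule; a clean report means the VLAN still matches the asset register, which is the assumption the rest of this section relies on.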
TLS Communication
TLS stands for Transport Layer Security and represents the best security for modern networks. When connecting to your bank account from your home computer, you are using TLS communications (knowingly or not). TLS is common among internet-connected computers, and many newer BAS controllers are beginning to use it natively.
In our diagram, we show the BAS Server computer and the associated larger AHU controllers connected through TLS. This represents the most secure implementation for BAS systems today. With such communication built into BAS products, there is no need for building IT staff to create VLANs, physically secure the wiring, or do anything else. Other than endpoint physical security, the building network is secure.
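The protection described above holds only when the TLS session is configured to authenticate the peer; a context that encrypts but accepts any certificate would let anyone on the building network impersonate a controller. The following is an added example (not code from the article or any BAS vendor) showing, with Python’s standard `ssl` module, the client context a BAS server would use toward its controllers, the weak variant that often appears in quick integrations, and an audit function that flags the weak settings. File paths for the building CA and client certificate are assumed placeholders.

```python
import ssl
from typing import List, Optional


def build_bas_client_context(ca_file: Optional[str] = None,
                             client_cert: Optional[str] = None,
                             client_key: Optional[str] = None) -> ssl.SSLContext:
    """Hardened client context: TLS 1.2 or newer, peer certificate required,
    hostname checked against that certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_file:
        # Private building PKI (assumed path): trust only the building's CA,
        # not the operating system's public CA store.
        ctx.load_verify_locations(cafile=ca_file)
    else:
        ctx.load_default_certs()
    if client_cert:
        # Mutual TLS (assumed paths): the controller can verify the server too.
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def build_weak_context() -> ssl.SSLContext:
    """Encrypts the session but does not authenticate the controller, and
    accepts whatever protocol versions the library still supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the settings that undo TLS's authentication or downgrade
    protection; an empty list means the context is acceptable."""
    findings: List[str] = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required (verify_mode != CERT_REQUIRED)")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate (check_hostname is False)")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 allowed (minimum_version too low)")
    return findings


if __name__ == "__main__":
    for label, ctx in (("hardened", build_bas_client_context()),
                       ("weak", build_weak_context())):
        print(label, audit_context(ctx) or "no findings")
```

The audit function is the part worth keeping: run it against every context a BAS server or integration script creates, since a single `CERT_NONE` turns the "most secure implementation" back into a network that depends on VLANs or physical security.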
Smaller BAS Networks
Moving down in our diagram, you’ll see all of the smaller wire networks and their associated controllers and sensors. Although not shown here, these devices can number in the thousands and often make up most of the devices on the network. Even if the microprocessors on such devices could implement TLS security, the physical layer protocols on which they rely (like RS-485 wiring) do not support it. However, just because these devices can’t take advantage of high-security techniques like TLS or VLANs doesn’t necessarily mean that their networks are insecure. The good news is that at least one of the following is typically true:
- Physical security is already provided. The equipment is physically secure, therefore so are the embedded wires and controllers.
- The narrow scope of the communications reduces the risk and value of an attack. For example, an attacker can tamper with only a single piece of equipment or sensor value.
- Controls are dedicated and largely isolated from the rest of the network. That is, attacks on the smaller network will not propagate onto the larger network.