Manage the Cybersecurity Risks of your BMS
Building management systems (BMS) and building automation systems (BAS) are great innovations, but they present latent cybersecurity and operational risks to organizations. A cyberattack on a BMS or BAS can cause operational disruption by denying the use of the building.
Over the past decade, there have been several examples of attacks on BMS and their components. Weaponization of BMS vulnerabilities by threat actors, for example through ransomware, is likely to occur within the next three years. BMS owners and managers can act today to reduce those risks, building on established cybersecurity frameworks to protect their assets and operations.
There are unique considerations involved in assessing the cybersecurity of operational technology (OT) like BMS and BAS. Therefore, it is imperative to work with experts and firms with considerable experience in assessing OT systems and the security of your BMS supply chain.
Background
BMS and BAS offer great promise in improved efficiency, comfort, security, and occupant experience. However, these complex cyberphysical systems also expose the building and occupants to new risks and threats, with negative consequences that in the past required physical access to realize. Today it’s possible for a building manager or staff to control these systems from a mobile application or a cloud-hosted application.
Key Concepts and Terminology
Staff responsible for a BMS or BAS may have extensive engineering or facilities experience, but no exposure to cybersecurity beyond general user awareness training. Unfortunately, in today's threat landscape, that leaves the BMS posing a latent risk: a risk that is present but unknown and unmanaged.
A BMS is one type of Operational Technology (OT), digital control systems that manage physical processes. These systems typically consist of the same types of components that you would find in a traditional information technology (IT) or information and communication technology (ICT) environment, such as servers, switches, routers, firewalls, databases, communication protocols, and applications. Generally, these are specialized variants of the components, but over the past decade we have observed a strong trend of convergence between IT and OT components.
Often these types of systems will be referred to as cyberphysical systems and may be abbreviated as CPS. Simply, a cyberphysical system is one in which a digital computer or microcontroller manages equipment that can produce a physical effect. Cyberphysical systems are vulnerable to the same types of cyberattacks and exploitation of vulnerabilities as IT systems.
Cybersecurity vulnerabilities are defects in the environment, such as in software or hardware, which a threat actor (attacker) can exploit to produce a cybersecurity impact. For IT systems, this generally means an impact on administration or the business through systems like email, web servers, customer billing, or enterprise resource planning (ERP). For OT systems, the impact can be more consequential, since it can shut down the core operations of a business. For example, in the case of a pipeline company, a ransomware attack can halt pipeline operations, with cascading effects on customers and others downstream who rely on timely delivery of product through the pipeline. The 2021 DarkSide ransomware attack on Colonial Pipeline is the canonical case: the ransomware hit the company's IT network, and Colonial shut down pipeline operations as a precaution, producing exactly these downstream effects.
Consequences
A compromised BMS would allow the attacker to control the BMS and cause effects that are only limited by the physical constraints on the building management systems. These types of effects could render a building unoccupiable for short- or long-term periods, due to the intentional manipulation of building environments like temperature, air quality, and humidity. Power, fire suppression, and other high-impact building services could be made inoperable or used to cause physical damage to a building. These risks are especially high in facilities that have very tight environmental requirements necessary to support the intended use, such as precision manufacturing.
In the case of an office building, reasonable business and operational continuity can be maintained by having staff work from home. In the case of a precision manufacturing plant, however, production would cease and goods in process may be damaged or spoiled by the disruption. Likewise, a hotel or hospital would experience significant operational disruption and considerable cost in reaccommodating guests or patients at other facilities.
Threat Intelligence
Cybersecurity threat intelligence informs stakeholders about the extent to which threat actors are actively researching, developing, or exploiting cybersecurity vulnerabilities, and seeks to attribute that activity to a category of actor. For example, as a defender, it is often helpful to know whether the threat actor is a malicious individual, an organized crime group, or a nation-state.
The following are examples of real-world attacks on BMS devices:
- In 2015, a cybersecurity expert disclosed to me that a nation state had compromised the home thermostat in the expert’s residence. In this case, the threat actor’s objective was to use the thermostat to ensure they retained a presence or persistence in the target’s home network for surveillance purposes rather than to produce a cyberphysical effect.[1]
- In 2021, unknown attackers took control of many of the BAS devices that controlled the lighting, motion detection system, and other operations in an office park in Germany. The intruders were able to gain control of the devices and set a password that prevented anyone else from accessing them. They also bricked many of the affected devices and it took third-party security consultants quite a while to remedy the situation, and they were only able to do so after managing to retrieve the key that locked the systems down from the memory of one of the devices.
- In April 2023, Schneider Electric proactively issued a security advisory disclosing that it had become aware of a publicly available exploit targeting the KNX product. This exploit would have enabled an attacker to access admin functionality without a password through a directory traversal attack, or to use a brute-force attack to access the administration panel.
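The two weakness classes named in that advisory, path traversal and unthrottled password guessing, are common in BMS web panels generally. The following is an added example on a hypothetical admin panel, written for this page and not code from Schneider Electric or any other vendor; the web root, file names, and the `AdminLogin` class are assumptions. It shows the vulnerable file handler beside a hardened one, and a password check with a per-source lockout.

```python
"""Added example: path traversal and brute-force defenses on a toy admin panel.

Hypothetical code, not from any vendor's product. The web root and files are
created in a temporary directory so the example runs stand-alone.
"""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

# Constructed sandbox: a web root with one static file, and a config file
# one level above it that a panel must never serve.
WEB_ROOT = Path(tempfile.mkdtemp()) / "www"
(WEB_ROOT / "static").mkdir(parents=True)
(WEB_ROOT / "static" / "logo.txt").write_text("logo")
(WEB_ROOT.parent / "admin.conf").write_text("admin_password=hunter2")


def serve_vulnerable(requested: str) -> bytes:
    """Joins the user-controlled path onto the web root with no check.

    '../admin.conf' walks out of the root; an absolute path such as
    '/etc/passwd' replaces the root entirely under pathlib's '/' operator.
    """
    return (WEB_ROOT / requested).read_bytes()


def serve_hardened(requested: str) -> bytes:
    """Resolves symlinks and '..' first, then refuses anything outside the root."""
    root = WEB_ROOT.resolve()
    target = (root / requested).resolve()
    if target != root and root not in target.parents:
        raise PermissionError(f"path escapes web root: {requested!r}")
    if not target.is_file():
        raise FileNotFoundError(requested)
    return target.read_bytes()


class AdminLogin:
    """Salted PBKDF2 hash, constant-time compare, lockout after repeated failures."""

    MAX_FAILURES = 5

    def __init__(self, password: str):
        self._salt = os.urandom(16)
        self._hash = self._digest(password)
        self._failures: dict[str, int] = {}   # failed attempts per source address

    def _digest(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)

    def login(self, source: str, password: str) -> str:
        """Returns 'ok', 'denied', or 'locked' (no further guesses accepted)."""
        if self._failures.get(source, 0) >= self.MAX_FAILURES:
            return "locked"
        if hmac.compare_digest(self._digest(password), self._hash):
            self._failures.pop(source, None)
            return "ok"
        self._failures[source] = self._failures.get(source, 0) + 1
        return "denied"


if __name__ == "__main__":
    print(serve_vulnerable("../admin.conf"))      # leaks the config
    try:
        serve_hardened("../admin.conf")
    except PermissionError as exc:
        print("blocked:", exc)
    panel = AdminLogin("correct horse battery staple")
    for _ in range(6):
        print(panel.login("10.0.0.9", "password123"))
```

The lockout is keyed on the requesting address, which is enough to stop a naive scanner; a production panel would also rate-limit globally, since a distributed guesser can rotate sources.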
We assess that within the next three years, threat actors will develop ransomware payloads specific to BMS and BAS deployments. Threat actors have already developed ransomware to specifically target medical devices, another type of OT, in hospitals.
Suggested Course of Action for BMS Managers
Following a mature cybersecurity management framework like the US National Institute of Standards and Technology's Cybersecurity Framework (NIST CSF) is a good place to start. Its implementation tiers accommodate organizations at any level of cybersecurity maturity.
The following is advice contained in most frameworks, distilled to eight high-level recommendations:
- Know your suppliers and look upstream. Select BMS suppliers with established product security programs who do not build hardware or develop software in hostile countries like the People's Republic of China (PRC).
- Conduct a risk assessment. Once you have identified partners and suppliers, properly assess each product's cybersecurity posture so that you know the risks it may pose to your organization. Consider where each device or component was manufactured and who exactly did so. Is there a possible backdoor or counterfeit part, or could more common software quality issues result in a breach?
- Utilize third-party testing. Hire a third-party firm to test your system and those of your key suppliers, to provide actionable results on what you need to fix first. Ideally this should be performed in multiple steps through the design and build process, with the final security assessment completed as part of the site acceptance test.
- Regularly scan and patch all vulnerable systems. Here it is important to have chosen vendors who provide regular security patches. Be careful with older systems, which may suffer a denial of service when automated scanners are run against them carelessly.
- Use strong passwords and credentials. Teach your employees the importance of using strong passwords and credentials and not reusing them across accounts.
- Use multi-factor authentication (MFA). Ensure that your staff has set up secure MFA everywhere possible. SMS-based MFA is not adequately secure.
- Conduct regular security awareness training. Teach employees how to identify phishing scams, update software, and become more security conscious. This training should focus on those who have privileged access to the BMS.
- Harden the security of the devices connected to your networks. Ideally, your suppliers and partners will provide recommendations for device configuration and security best practices.
Key Assessment Considerations
Third-party cybersecurity testing comes with specific risks of production impacts, outages, and other unintended consequences. It is therefore critical to choose experienced team members or third-party assessor organizations: any assessor or penetration tester working in an OT environment must have extensive experience in those environments. OT environments with older programmable logic controllers (PLCs) can experience outages when those devices are pinged or scanned by a tool, due to limited resources or poor TCP/IP stack implementations. Experienced assessors and OT-aware cybersecurity tools achieve the same testing goals using passive methods, such as analysis of network packet captures, rather than active probing.
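As an added example of the passive approach recommended above and in the scanning recommendation earlier, here is a small BACnet/IP decoder that builds a device inventory purely from captured UDP payloads: it reads the I-Am announcements devices emit on their own (and notes which hosts are sending Who-Is broadcasts, which is what an active scanner does), and never sends a packet. This is not code from any assessment tool or vendor; the sample payloads, addresses, device instances and vendor IDs are constructed for the example, and the decoder handles only the unconfirmed I-Am and Who-Is services.

```python
"""Added example: passive BACnet/IP inventory from captured UDP payloads.

Decodes BVLC + NPDU + APDU just far enough to pull device instance, max
APDU size and vendor ID out of I-Am messages. Nothing is transmitted, so
fragile controllers are never poked.
"""
import struct
from typing import Optional

BVLC_TYPE = 0x81          # BACnet/IP
APDU_UNCONFIRMED = 0x1    # APDU type nibble for unconfirmed requests
SERVICE_I_AM = 0x00
SERVICE_WHO_IS = 0x08
APP_TAG_UNSIGNED = 2
APP_TAG_OBJECT_ID = 12
OBJECT_TYPE_DEVICE = 8


def _read_app_tag(buf: bytes, pos: int):
    """Return (tag_number, value_bytes, next_pos) for one application-class tag."""
    tag = buf[pos]
    if tag & 0x08:                       # context-class tag: not expected in I-Am
        raise ValueError("context tag where application tag expected")
    number, length, pos = tag >> 4, tag & 0x07, pos + 1
    if length == 5:                      # extended length lives in the next byte
        length, pos = buf[pos], pos + 1
    return number, buf[pos:pos + length], pos + length


def parse_bacnet(payload: bytes) -> Optional[dict]:
    """Decode one datagram; return a dict for I-Am / Who-Is, None for anything else."""
    if len(payload) < 6 or payload[0] != BVLC_TYPE:
        return None
    if struct.unpack(">H", payload[2:4])[0] != len(payload):
        return None                      # truncated or padded: ignore rather than guess
    pos = 4
    if payload[pos] != 1:                # NPDU protocol version
        return None
    control, pos = payload[pos + 1], pos + 2
    if control & 0x80:                   # network-layer message carries no APDU
        return None
    try:
        if control & 0x20:               # DNET(2) DLEN(1) DADR(DLEN)
            pos += 3 + payload[pos + 2]
        if control & 0x08:               # SNET(2) SLEN(1) SADR(SLEN)
            pos += 3 + payload[pos + 2]
        if control & 0x20:               # hop count follows the source fields
            pos += 1
        apdu_type, service = payload[pos] >> 4, payload[pos + 1]
        pos += 2
        if apdu_type != APDU_UNCONFIRMED:
            return None
        if service == SERVICE_WHO_IS:
            return {"service": "Who-Is"}
        if service != SERVICE_I_AM:
            return None
        tag, obj, pos = _read_app_tag(payload, pos)
        if tag != APP_TAG_OBJECT_ID or len(obj) != 4:
            return None
        obj_id = struct.unpack(">I", obj)[0]
        obj_type, instance = obj_id >> 22, obj_id & 0x3FFFFF
        tag_apdu, max_apdu, pos = _read_app_tag(payload, pos)
        _, _segmentation, pos = _read_app_tag(payload, pos)
        tag_vendor, vendor, pos = _read_app_tag(payload, pos)
    except (IndexError, ValueError):
        return None
    if obj_type != OBJECT_TYPE_DEVICE or APP_TAG_UNSIGNED not in (tag_apdu, tag_vendor):
        return None
    return {"service": "I-Am", "device_instance": instance,
            "max_apdu": int.from_bytes(max_apdu, "big"),
            "vendor_id": int.from_bytes(vendor, "big")}


def passive_inventory(packets):
    """packets: iterable of (src_ip, udp_payload). Returns (devices, probers)."""
    devices, probers = {}, set()
    for src, payload in packets:
        msg = parse_bacnet(payload)
        if msg is None:
            continue
        if msg["service"] == "Who-Is":
            probers.add(src)             # someone is actively scanning the segment
        else:
            devices[src] = {k: v for k, v in msg.items() if k != "service"}
    return devices, probers


# Constructed sample capture (addresses and devices are invented).
SAMPLE_PACKETS = [
    # Local device 26, max APDU 1476, vendor 15
    ("192.168.10.21", bytes.fromhex("810b001401001000c40200001a2205c49103210f")),
    # Device 2001 behind a router (SNET present), max APDU 480, vendor 259
    ("192.168.10.22", bytes.fromhex("810b00190108000501071000c4020007d12201e09103220103")),
    # Who-Is broadcast: the signature of an active scanner
    ("192.168.10.99", bytes.fromhex("810b000c0120ffff00ff1008")),
    # Non-BACnet traffic and a truncated I-Am are ignored
    ("10.0.0.5", b"GET / HTTP/1.0\r\n\r\n"),
    ("192.168.10.23", bytes.fromhex("810b001401001000c40200001a2205")),
]

if __name__ == "__main__":
    devices, probers = passive_inventory(SAMPLE_PACKETS)
    for ip, info in devices.items():
        print(ip, info)
    print("hosts sending Who-Is:", sorted(probers))
```

In practice the `(src_ip, payload)` pairs come from a SPAN port or tap capture filtered to UDP 47808; the same decoder also gives a detection signal, since a host appearing in `probers` that is not the site's known BMS head-end is worth an alert.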
Unique OT Considerations
Given the very long useful life of many OT assets, including BMS and BAS deployments, frequently one may find several non-patchable vulnerabilities in that type of environment. Consequently, you should focus on a layered security approach, which makes it very difficult for a threat actor to get to the vulnerable, unpatchable components before they are detected and evicted from the environment. As such, heavy emphasis should be placed on assessing the segmentation, access controls, sensors, and detection capabilities between IT and OT environments.
Supply Chain Considerations
The recent supply chain attacks targeting Hezbollah operatives demonstrate how even organizations with mature counterintelligence capabilities can still fall victim to a supply chain interdiction. This demonstrates the high likelihood of successful attacks against companies and organizations with less defensive capabilities, including BMS users and suppliers. It is critical to buy BMS from trusted suppliers and countries.
Since it is uneconomical to assess every product an organization integrates into its operations, take a risk-centric approach and use the limited resources available to assess the highest-risk and highest-consequence products and suppliers. Specifically for OT, focus on those suppliers and products whose compromise could bring operations to a complete halt.
Ask a key supplier for a summary of its secure development policies, together with a summary of the results of an independent cybersecurity validation and verification by a qualified third-party assessor. Whether the supplier can produce these is a good indication of whether it takes product cybersecurity seriously and has assessed the risk exposure its products bring to its customers' organizations.
[1] Proprietary intelligence. Additional details are withheld to protect those involved and are not necessary for the example.