Why building management system cybersecurity is critical [Q&A]

Building management systems (BMS) are responsible for controlling and monitoring various building services such as HVAC, energy, elevators, escalators, surveillance and access control.

They're crucial for service delivery across industries, including critical infrastructure such as energy, utilities, and healthcare. But they're also a significant of an organization's cyber risk due to their integration with IT networks and the internet.

As cyberattacks continue to evolve in complexity and frequency, understanding the significance of BMS cybersecurity issues is vital to safeguarding the integrity, safety, and privacy of both occupants and overall infrastructure. We talked to Mohammad Waqas, CTO of healthcare at Armis, to learn more about critical BMS cybersecurity issues and find out how teams can address them.

BN: Why has building management system cybersecurity become increasingly important?

MW: Building management system cybersecurity has become increasingly crucial for several reasons. Nowadays, buildings are highly interconnected and 'smart,' integrating with IT networks and actively connecting with internet resources. While this connectivity brings numerous benefits, it also exposes the systems to cyber threats. Without proper cybersecurity measures in place, attackers can exploit vulnerabilities to gain unauthorized access or disrupt critical building operations. From here, they can also potentially move laterally throughout the network to gain access to other connected assets.

Buildings and their associated systems play a vital role in critical infrastructure industries, such as healthcare, transportation, and utilities. Consider the Mirai malware botnet that continues to exploit vulnerabilities in office WiFi routers or vulnerabilities that allow hackers to take control of building security systems. A BMS cyberattack could have far-reaching consequences–from operations disruptions to individual safety risks.

BN: What are the challenges of BMS cybersecurity?

MW: There are myriad challenges when it comes to securing building management systems. Most BMSs lack built-in security controls and can't host security agents. Software patches are often incredibly difficult to apply, if patches are even available. Plus, new smart devices are continuously coming to market -- creating new attack vectors and an ever expanding attack surface.

To compound the issue, IT and security teams are not always aware that a new BMS has been installed, as the teams that maintain these systems -- like HVAC technicians and building managers -- do not know to make them aware. With that, it's not uncommon to find several building systems go undetected and unmonitored. Until you walk around and point out everything you see on a wall -- which by the way doesn't even account for what may be within the walls or ceiling ducts -- you wouldn't realize how much risk there actually may be. Given all of the security blind spots, it's no surprise that ransomware targeting physical infrastructure is on the rise.

Because of this combination of a lack of visibility, difficulty in vulnerability mitigation and threat management, BMS devices have created a unique challenge for security teams faced with understanding and securing devices that are not the traditional enterprise devices which have been their focus for the past few decades. This becomes multiplied greatly when there are hundreds of types of legacy and new innovative devices that account for tens of thousands, if not hundreds of thousands, of unsecured and unmanaged assets in an organization.

BN: What are the risks of not having adequate cybersecurity measures in place for building management systems?

MW: First, unauthorized access becomes a concern. Hackers may attempt to gain entry into the system, compromising controls and operations. If the BMS is connected to the corporate network, it can create vulnerabilities for attackers to gain access to other IT systems. These lateral intrusions represent a growing risk in increasingly connected building networks. Moreover, BMSs can be targeted by malware or ransomware attacks, where hackers cause costly disruptions in operations or demand ransom payments for system restoration. Data breaches may also jeopardize sensitive information stored or transmitted by the system, such as user credentials or building system configurations. Moreover, there's a potential for physical safety threats to occupants as cyberattacks can compromise critical systems like fire alarms or access control.

BN: What can be done to protect BMS from cyber threats?

MW: The first key step is gaining full visibility into the potential attack surface. This involves conducting a real-time, full asset inventory, inclusive of hardware, software, peripheral devices, owner and context of each device. Remember: You can't protect what you can't see.

Next, a holistic risk assessment of devices is critical in formulating a prioritized risk reduction effort. Understanding what vulnerabilities exist, identifying insecure configurations, which devices may be end-of-life, and overlaying that with business impact are all needed to be understood for an effective remediation plan.

It's also important to assess the controls that can be deployed. Collaboration with vendors is a good starting point, in understanding whether there are any patches available that can be applied - whether at the operating system level, the application level, or updated firmwares.

If devices do not have applicable patches, and cannot leverage other means of securing configuration, then the next best effort involves segmenting the network. Devices should be grouped into subsystems according to their functions and prioritized by risk. Connections across subsystems should be monitored closely, especially internet connections. Segmenting a network can prevent unauthorized access, reduce cyber attacks, and help minimize disruptions by allowing devices to only communicate with the assets that are required to maintain functionality.

Deploying intrusion detection and prevention systems can also help monitor network traffic, detect suspicious activities, and block unauthorized access attempts. Encryption should be used to secure data transmitted between assets.

A common mistake is relying on default device and system credentials. Ensuring these are updated soon after installation can prevent unnecessary risks. Secure authentication and access control mechanisms should also be implemented to prevent unauthorized access.

Lastly, IT and OT should work collaboratively together to address BMS cybersecurity risks. The traditional barriers that exist between IT and OT teams only hamper success. Organizations should plan, execute, and invest in information-sharing platforms.

BN: Are there any industry standards or guidelines to follow for securing building management systems?

MW: Yes, these include:

• The ISA/IEC 62443 standard offers a framework for implementing cybersecurity in industrial automation and control systems, including building management systems.
• The NIST Cybersecurity Framework developed by the National Institute of Standards and Technology (NIST) provides guidelines for improving cybersecurity risk management across various industries, including building automation.
• The BACnet Secure Connect (BACnet/SC) protocol is specifically designed to enhance cybersecurity in Building Automation and Control Networks (BACnet).
• The ASHRAE Guideline 13 focuses on managing the cybersecurity of building automation and control systems throughout their lifecycle.

Adhering to these standards and guidelines can help organizations establish effective BMS cybersecurity measures.

Image credit: aa-w/depositphotos.com