Building Cybersecurity for BAS

Steps to strengthen building automation cybersecurity

By: Harry Koujaian, Principal Engineer, Siemens Smart Infrastructure USA

Cyber threats against smart buildings are on the rise. A 2019 report from global cybersecurity company Kaspersky revealed that 38 percent of smart buildings had been impacted by a cyberattack. In most of these events, hackers gained access by taking advantage of vulnerabilities in the building automation system.


The adoption of smart building technology that connects building operational technology to IT systems and IoT devices has exponentially increased buildings’ exposure to cyber criminals. Security-conscious building designers, owners, and operators are taking a proactive, multilayered “Defense-in-Depth” approach that strengthens building automation system security to avoid being targeted. This holistic strategy considers every aspect of building security through a hacker’s eyes, with a key focus on closing gaps in building automation controls network protocols.


Network protection starts with a cybersecurity assessment

Building automation systems are only as secure as their weakest link. A cybersecurity assessment can provide insights and identify potential vulnerabilities that could invite hackers. Understanding the building automation system’s vulnerabilities is an effective first step to strengthening security. After an assessment, organizations are better positioned to protect their systems with new security technologies like BACnet Secure Connect (BACnet/SC), a cybersecurity update that encrypts communications between devices and the cloud.


Siemens regularly conducts cyber assessments for building automation customers and provides a thorough analysis of the building's system architecture; policies, plans and procedures; disaster recovery plans; training programs; and third-party systems and services. Although every building has unique vulnerabilities, here are some common action items for organizations that want to strengthen their building automation security.


Create a security culture. Everyone connected to an organization should be accountable for keeping it secure. Cyber criminals will find and exploit any potential attack point in a building system’s defenses. Companies that create a culture of security awareness, with strong policies that promote best practices and continual security training, can effectively reduce their risk of a cyberattack.  


Think like a hacker. The best defense against cyberattacks is a good offense. A threat and risk assessment that approaches security from a hacker’s perspective is a useful tool to identify and resolve vulnerabilities, and help organizations stay one step ahead of cyber criminals. Staging a “friendly” attack against the building security infrastructure will uncover and verify potential access paths, and provide proof points to justify additional security infrastructure investments.


Understand system configuration and usage. Properly designed building automation systems take a holistic approach that considers critical security controls like network segmentation and segregation, boundary protections, remote access, least privilege, accountability, and firewall rules. Owners and operators should make it a point to understand how these security features are applied. They should also require documentation from integrators and other third parties to show what they’ve done to ensure systems are configured appropriately to support an overall security strategy that is aligned with the enterprise architecture and information security policy framework.


Provide training. People are the first line of defense against cyberattacks. Continuous training will help keep security top of mind and prepare anyone who connects to the building network to follow best practices for preventing malicious access. Training is also essential to prevent unintentional damage caused by employees who are unaware of the proper use and operation of systems and equipment.


Implement a Disaster Recovery Plan. Organizations that have a strong backup process are able to mitigate damage and recover from cyberattacks faster. A solid plan should address roles and responsibilities, list assigned personnel and their contact information, and detail activities associated with responding to and restoring system operations after a disruption or failure. A recovery plan is only effective if it’s operational, so organizations should periodically exercise these plans to ensure the system can be recovered within the specified Recovery Time Objective and Recovery Point Objective.


Preparing for enhanced building automation security

A cybersecurity assessment provides a solid foundation for understanding the organization's current building management system communication protocol and determining how BACnet/SC fits into the security plan. Siemens experts can help organizations integrate BACnet/SC into a comprehensive defense-in-depth design.


Understanding a smart building's management systems and security features is an important step in preventing and mitigating the risks of cyberattacks.