Cybersecurity of Building Automation Systems


Report on a Private Round Table Discussion

On August 31, 2016, Optigo Networks hosted an online round table for a peer exchange on trends in the cybersecurity of Building Automation Systems (BAS). Participants included building operations security officials from a major North American government agency, bank, university, and municipality, as well as two volunteers with BACnet International. “Cybersecurity is a hot topic in the building automation systems industry right now,” said Optigo Networks CEO Pook-Ping Yao, who moderated the forum. “Our round table discussion was very informative and provided some interesting insights that we’d like to share with the larger BAS security community. While respecting the privacy of the participants who wish to remain anonymous, we believe the entire sector can benefit from our exchange and we are pleased to provide the following highlights.”

Changes to the BACnet Protocol

BACnet recently released additions to its standard for advisory public review. Dave Robin and Carl Neilson of BACnet’s Network Security Working Group commented on some of the challenges the communications protocol is trying to address. “We’re trying to make it so BACnet vendors can simply flip a switch at both ends and the security aspects are built in as a point of commissioning,” said Robin. “It’s not something you have to learn to navigate through Linux manuals and figure out how to turn on some obscure feature.”

Robin also commented on the protocol’s proposal regarding tunneling between sites. “You see raw BACnet traffic that is running across the internet unprotected… the users know it and they know it’s bad. This aspect of protecting the tunnel from point A to point B is a deployment scenario I can see being quickly adopted. There’s a strong demand for solutions when information has to go across the public internet.”

“The solution that’s currently out for public review rides on IT technologies,” added Neilson. “That was one of our fundamental goals. We’re not security experts, so let’s focus on what we’re good at and let the security aspects be dealt with by the people who are good at that. Our industry has to become more responsive and provide those types of updates.”

“We need a new version of PTP [point-to-point] – a secure route between routers. Something BACnet people can turn on without needing to understand the IT stuff.”

Enforcing security in an insecure world

Written into the BACnet services standard specification is the requirement that users change the default username and password after their product is set up. However, this condition is not enforceable and is beyond the capability of the protocol. Too many times, companies deploy their products with default passwords and never change them. This is exacerbated when organizations hire other companies to install equipment for them. There is currently no mechanism to audit sites or the product implementation to ensure these vendors are doing the work properly. “Customers need to specify all the way down that things need to be properly secured in VLAN or VPNs or whatever. You don’t want someone to walk off the job and have something out on the public internet and not realize they’ve left behind a security risk,” said Robin.

“BACnet products can’t be tested to what the user does with it once they get their hands on it.”

BAS vulnerability

The building automation system industry is used to a long lifetime for its communicating devices. However, once these systems have IP addresses, security becomes an issue. One round table participant identified BASs as the next targets for attackers, particularly large runs of devices that are manufactured with the same embedded version of Linux and the same SSL stack: one flaw in that shared image is a flaw in every unit in the field. “They need to be patchable. We’re entering a new era where everything we put on the network uses secure technology. Everything that claims to be secure must be upgradable… must be patchable,” he said.

“Just as printers were once the favourite attack vector, building automation systems are going to be the next targets.”

The segmentation solution

Segmentation was advocated for organizations with many distinct sites. The round table’s banking representative’s company, for instance, has thousands of locations across the United States. “While we’d like some of our building technology devices to be able to share some information, we’re looking at segmentation relative to our corporate network and even further segmentation between our corporate security devices and our building technology devices,” he said.

Diverse portfolios rely on integrators and VARs. Boilerplate contract language is needed so integrators take ownership of how the systems are configured. Otherwise, organizations are left with open systems that are vulnerable to anyone with a browser who can discover them. “We’re having to change an industry here,” said one round table participant. “This is not an IT industry where these security components have been built into these systems from the start. We have to address the security risk of the highest profile areas initially. We can’t get to everything and we may even have to disconnect some things and go back to manually operating these systems until we can get controls in place.”

Specification control is another challenge. The banking participant’s company has created a comprehensive inventory of every asset that has an IP address. The question of who does this work arises: should it be your real estate people, the people in the field, or maintenance teams? Often these people do not understand the difference between an IP address and a DNS name. Yet IT staff typically do not understand the myriad building controls and would never think to look at a boiler, for example, to see if it has an IP address. “When we look at this industry and the changes that are occurring, it may be that the building technology or property manager/maintenance manager of the future comes out of networking engineering school,” suggested Neilson.

“If your security team has its eyes on your datacenter where your building technology device is and they notice an alarm or an alert, how do they know whether to send someone with a gun or someone with a wrench?”
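The two concerns above, raw BACnet crossing the public internet and BAS traffic leaking across the corporate/OT boundary, can be checked from flow records. The following is an added example, not code from Optigo Networks or the round table participants; the address plan (`OT_SEGMENTS`, `INTERNAL`) and the sample flows are constructed, and the only protocol facts it relies on are the well-known BACnet/IP port 47808 and the 0x81 type octet that starts every BVLC frame.

```python
import ipaddress
from dataclasses import dataclass

BACNET_PORT = 47808          # 0xBAC0, the well-known BACnet/IP UDP port
BVLC_TYPE_BACNET_IP = 0x81   # first octet of every BACnet/IP (BVLC) frame

# Hypothetical address plan: where the BAS lives and what counts as "inside".
OT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    payload: bytes      # leading bytes of the UDP payload, if available

def _member(addr: str, nets) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets)

def is_bacnet_ip(flow: Flow) -> bool:
    """Match on the standard port or on the BVLC type octet, so a device
    moved to a non-standard port is still recognised."""
    if flow.proto != "udp":
        return False
    return flow.dport == BACNET_PORT or (
        len(flow.payload) >= 4 and flow.payload[0] == BVLC_TYPE_BACNET_IP)

def classify(flow: Flow) -> str:
    if not is_bacnet_ip(flow):
        return "not-bacnet"
    if not (_member(flow.src, INTERNAL) and _member(flow.dst, INTERNAL)):
        return "exposed"        # raw BACnet to or from an outside address
    if _member(flow.src, OT_SEGMENTS) != _member(flow.dst, OT_SEGMENTS):
        return "crossing"       # BACnet between the OT and corporate ranges
    return "ok"

def audit(flows):
    """Return (src, dst, verdict) for every BACnet flow needing attention."""
    return [(f.src, f.dst, v) for f in flows
            if (v := classify(f)) in ("exposed", "crossing")]

# Constructed sample flows, not captured traffic.
SAMPLE = [
    Flow("10.50.1.20", "10.50.1.21", "udp", 47808, b"\x81\x0a\x00\x0c"),
    Flow("10.50.1.20", "203.0.113.7", "udp", 47808, b"\x81\x0a\x00\x0c"),
    Flow("10.20.3.4", "10.50.1.20", "udp", 47809, b"\x81\x0b\x00\x0c"),
    Flow("10.20.3.4", "10.50.1.20", "tcp", 443, b"\x16\x03\x01"),
]
```

An "exposed" verdict is exactly the situation Robin describes, BACnet leaving the site without a protected tunnel; a "crossing" verdict is a candidate for the VLAN or VPN boundary the segmentation discussion calls for.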

National Institute of Standards and Technology (NIST) Cybersecurity Framework

Adding to your BAS inventory

Another participant remarked that everything added to his organization’s network has to be part of its documentation process. The system inventory is updated and every addition must be certified to conform to the organization’s standards. “It’s important that organizations go through the process of defining the rituals they undertake when they bring a new device online,” he said. “Before a contractor can even put it on our network, they have to coordinate with us and our employees actually document that. It’s not left to the contractor.” This is the perspective that more organizations need to take. Many people running buildings think they have security, but do not have staff who are technical enough, the time, or the money necessary to actually put in place the types of controls that are needed.

“This is all pretty well established in the NIST guidelines.”

Keep Devices Up-to-date

Getting security staff to understand that BACnet devices are not general purpose computers is another challenge. Updates are typically infrequent, and rolling them out to devices that control a building can be problematic. “You’re not just going to reboot it; there’s a repercussion to that,” said one participant. “There’s also the cost, the staffing, and the planning to roll out the updates. Verification is needed that everything is functional. It’s a very complicated issue. Our mindset right now is that it’s just better to build a bigger wall around the garden… wall it off as best as you can and try to use those IT technologies to segregate ourselves from the outside world.”

“Our mindset right now is that it’s just better to build a bigger wall.”
