Cybersecurity awareness has never been higher, but how can it be approached in a cost-effective manner in 2023? Building automation in HVAC has quickly become an IT profession, requiring technicians to work on things that previously would require some sort of network engineer to manage. Many technicians were not formally trained in how to do the things they do, but they’re curious learners, thinkers, and observers. With that in mind, here are some simple thoughts on how to approach network security from a realistic standpoint. In no way is this an exhaustive list of to-dos but rather an idea map to get engineers thinking about simple things they might have missed while trying to overcomplicate the inevitable.
Ockham’s Razor is a famous theory created by William Ockham, who studied logic in the 14th century. The rough translation of his idea was: “More things should not be used than necessary,” or, in layman’s terms, “keep it simple, stupid.” In cybersecurity, firms can dig as deep as they want, depending on their budgets, creating endlessly complicated ways of securing systems to keep the intruders out, but have administrators taken the time to assume hackers won’t win? Of course, all precautions should be taken, but the simplest way to think about network security is to assume it’s already been hacked.
One must put as much effort into preparing a system to be compromised as he or she does in securing it. A couple of years back, we had a string of car break-ins in my neighborhood, so I went online, bought the best wireless security cameras I could, got them set up, set the motion alerts, and awaited the results. I woke up the next day, checked the cameras, and saw a couple of clips of animals strolling through but no intruders. I got ready for work, went to get in my car, and realized I left it unlocked all night. I was so caught up in catching the neighborhood bad guys that I forgot to cover the basics.
Don’t forget to lock the doors! Building automation systems should be somewhat isolated from the web. Depending on the type of facility, there isn’t too much of a concern allowing the system to talk out and send email alerts, alarms, and possible updates, but nothing should be able to talk in. The network firewall, at the very least, should not allow incoming connections to be made. More critical systems should be implementing VPNs, and anything that needs more security than that should simply be physically disconnected from the web.
Assuming the system may inevitably get breached, security should be designed to slow down the people attempting to break in. Now, this is not necessarily because they can be caught in the act; it’s more so that the hobbyist hacker is filtered out and the person who legitimately is a threat to the system is not. With very limited googling, it’s quite easy to find insecure BAS networks across the country. The Shodan Search Engine is dedicated to finding exposed equipment across multiple industries that can be accessed by anyone. Web users can navigate to this site, choose industrial equipment, choose a location, and access a list of IP addresses. Typing these addresses into a browser will bring an individual instantly to an actual operating BAS system in any part of the world. It truly is that easy. Complex passwords, non-standard ports, and firewalls will prevent BASs from showing up in this search engine and start to filter out amateur intruders. Pairing those simple steps with a VPN will keep most customers’ sites fairly safe. It is not the iron padlock by any means, but it’s enough due diligence to be able to say action was taken in advance of an occurrence.
The final step is to assume the system is actually being attacked by a professional hacker, and the simplest way to think about that is to plan as though the system has already been compromised. If this was not prepared for ahead of time, operators may panic and find themselves scrambling to get the site operational again. For every site serviced, technicians should have an up-to-date contact list with the IT department, their roles and responsibilities, and who should be contacted in case of an emergency. Controller and database backups should be up to date, saved, and made available in a separate location. Do not just make a backup and leave it on the server, as technicians have to assume the computer is toast. Have Windows keys, product licenses, and BAS install files ready to go. Along with these, maintain good records of network diagrams, controller drawings, etc. If the building needs to be operating in hand while the BMS is not functional, those drawings will help tremendously. Any changes made to the building operation should always be documented so they can be verified when things return to normal. Maintain good audit logs on the server so they can be reviewed after the fact to determine what happened.
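One way to check the backup advice above, as an added example that is not part of the original article: the script compares the backups left on the BAS server with the copies kept in a separate location and reports any that are missing there or differ. The two directory arguments, the 7-day freshness window and the function names are assumptions made for illustration.

```python
import hashlib
import sys
import tempfile
import time
from pathlib import Path

MAX_AGE_DAYS = 7  # assumed policy, not a figure from the article


def sha256_of(path):
    """Hash in 1 MiB chunks so large database backups do not fill memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def audit_backups(server_dir, offsite_dir, now=None, max_age_days=MAX_AGE_DAYS):
    """Compare backups left on the BAS server with the copies kept elsewhere.

    Returns (statuses, fresh): statuses maps each server-side file name to
    "ok", "missing_offsite" or "mismatch"; fresh is True when at least one
    verified off-server copy is newer than max_age_days.
    """
    now = time.time() if now is None else now
    statuses, fresh = {}, False
    for local in sorted(p for p in Path(server_dir).iterdir() if p.is_file()):
        remote = Path(offsite_dir) / local.name
        if not remote.is_file():
            statuses[local.name] = "missing_offsite"  # exists only on the server
        elif sha256_of(remote) != sha256_of(local):
            statuses[local.name] = "mismatch"  # truncated or outdated copy
        else:
            statuses[local.name] = "ok"
            if now - remote.stat().st_mtime <= max_age_days * 86400:
                fresh = True
    return statuses, fresh


if __name__ == "__main__":
    if len(sys.argv) == 3:  # real run: <server_dir> <offsite_dir>
        server, offsite = Path(sys.argv[1]), Path(sys.argv[2])
    else:  # constructed demo data: one backup that was never copied off
        root = Path(tempfile.mkdtemp())
        server, offsite = root / "server", root / "offsite"
        server.mkdir()
        offsite.mkdir()
        (server / "site_db.bak").write_bytes(b"constructed sample")
    statuses, fresh = audit_backups(server, offsite)
    for name, status in statuses.items():
        print(f"{status:16} {name}")
    sys.exit(0 if fresh and set(statuses.values()) == {"ok"} else 1)
```

The non-zero exit code lets a scheduled task raise an alert when a backup exists only on the server or no verified off-server copy is recent.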
When setting up a site, be conscious of what other systems are on that same subnet. Request a VLAN from the IT department to help further isolate the unit. I was given an IP address range one time on a site that was also connected to every security camera in the building, so I politely called the IT department and suggested it was a bad idea. They agreed. Sometimes, just simple conversations and awareness can bring those extra levels of security. Keep track of any temporary on-site access points (e.g., during a new project, the IT department is not ready for equipment to be added to the network, and a wireless access point to manage the equipment was already installed). If this device is forgotten about, it’s an open door to the customer’s internal network. Document these types of things and be sure to make a checklist before leaving. Server certificates should also be up to date. Accessing webpages that display that friendly red X is a clear warning that the correct steps have not been taken. Keep server- and IP-based products updated to the latest versions as, many times, vulnerabilities are patched as they come along. Keep Windows up to date and not just the operating system but hardware and chipset drivers too. Lastly, put together a small list of the standards that were agreed to be implemented and hand that document over to the on-site IT department.
These are just a few reminders to get people thinking more about security in this new year. This article was not intended to downplay taking a more robust approach but to highlight there are simple, free, easy-to-implement ways to add security. I also think a holistic plan is necessary that focuses on recovery just as much as preventative measures because, inevitably, it will happen to businesses across the country this year.