Safeguarding Smart Buildings: Cybersecurity for Cybersecurity for Building Automation Systems (BAS)

The rapid digitization of our economy and society has sparked a boom in Operational Technology (OT) and Internet of Things (IoT) adoption. As more industries rely on OT/IoT to streamline processes and enhance connectivity, they reshape how we manage physical environments, making automation and control more efficient and accessible.

Building Automation Systems (BAS) are at the heart of this transformation. These systems are essential in optimizing energy efficiency and facilities management for commercial buildings, hospitals, schools, and residential buildings. However, this pivot has exposed BAS to myriad cyber threats, and it’s no longer just the physical security of a building that’s a concern but the integrity of the entire building automation network.

Cybersecurity for Building Automation Systems (BAS)

As modern buildings become increasingly “smart,” they rely on BAS to manage building functions that previously were not connected— HVAC, lighting, security, and access control. BAS uses IoT technology like smart sensors, thermostats, cameras, and lighting systems to collect real-time data on environmental conditions, energy usage, and occupancy patterns. For example, a smart HVAC system can monitor a building’s temperature and make adjustments based on room occupancy or external weather conditions.

While undoubtedly convenient, the pivot toward IOT can expose BAS to myriad cyber threats that pose a risk to information and physical safety. A cyber attack on a BAS can result in unauthorized access to sensitive information or building functions, potentially causing disruptions to occupant safety.

Securing BAS against cyber threats is a collaborative effort. Building owners and facility managers must understand and mitigate cybersecurity risks against BAS. Effective protection requires continuous monitoring of the BAS, a comprehensive understanding of potential vulnerabilities, and robust security controls appropriately layered together to ensure system safety and availability.

The Emergence of Cyber Threats in BAS

BAS have evolved into fully networked entities, subject to the same cyber risks as any IT environment. While these systems can (and do) manage many occupant conveniences like air temperature and lighting they may also be connected with other buildings or campuses, creating a highly interconnected infrastructure. While IoT connectivity improves the efficiency and control of modern BA, it also increases their attack surface.

A successful cyber attack on a BAS could have severe consequences, such as data breaches exposing sensitive information like access control codes and detailed floor plans. Notably, in 2014, the Department of Homeland Security (DHS) issued a warning about increased cyber risks to BAS, calling it an “emerging issue.” Given the wide breadth of environmental systems BAS control, threat actors could damage critical equipment, disrupt essential operations, or even turn off safety systems like fire alarms and security cameras.

What puts BAS at risk of Cyberattacks?

Realistically, any connected device that’s accessible over the open internet is a target for threat actors seeking a way into a network, and BAS are no different. Some of the most common cyber risks for BAS include:

1. Legacy systems: Many buildings use outdated BAS that lack modern security features, leaving them vulnerable to new threats.
2. Third-party risk: External vendors and applications can create gaps in even the best security posture, providing attackers with an entry point.
3. Lack of IT oversight: BAS typically falls outside the oversight of traditional security or IT teams, creating gaps in security protocols. Instead, facility or building managers are often responsible for managing a BAS.
4. Device management challenges: IoT technology can easily create device sprawl, leading facility and building management teams to struggle to locate and secure all connected devices, increasing the attack surface.

When cybersecurity in BAS is neglected, it can open the door to unauthorized access. In addition to gaining control over essential business functions, once an attacker has access to a network, they can move laterally within the network and access other information, potentially resulting in data breaches or even ransomware attacks.

Some high-profile examples of cyber attacks related to BAS include:

• Discovered in June 2010, the Stuxnet worm primarily targeted industrial control systems (ICS), but BAS often integrate with ICS, which exposes them to similar risks.
• In 2013, Target suffered a data breach when attackers exploited a third-party HVAC vendor connected to their network.
• In 2021, threat actors used the KNXlock vulnerability to compromise a German engineering company’s BAS over the internet and lock the owners out of the system. New exploits were discovered in 2023.

Best Practices for Enhancing BAS Cybersecurity

When BAS are discoverable on the public internet, they are at risk, as evidenced by the KNX attack. Facility and building managers can adopt several key best practices to safeguard BAS from cyber attacks.

1. Device visibility and monitoring: Step one of any security program is always an inventory of all network-accessible devices. This foundational step provides insight into which OT/IoT devices or systems are discoverable and identifies software or hardware vulnerabilities.
2. Monitor for anomalous traffic or behavior: A BAS should only communicate with well-known IP addresses in well-understood ways. Implementing continuous monitoring enables the detection and response to emerging threats in real-time.
3. Network segmentation: Once a threat actor gains access to a network, they typically try to move laterally and gain access to other systems or sensitive information. Isolating BAS networks limits exposure to potential threats.
4. Control access to the system: Access to the BAS should be limited to only authorized personnel. Additionally, all BAS accounts should use authentication controls such as multifactor authentication (MFA) for an added layer of security.
5. Vulnerability management. An effective BAS security program includes monitoring for critical vulnerabilities and resolving those that require immediate attention to minimize the greatest threats to your environment.

Building and facility managers should also develop and maintain an incident response plans to ensure teams are ready to act swiftly and effectively when a security breach occurs.

How Asimily Helps Defend Building Automation Systems

As the world continues to digitize and technology continues to evolve, modern buildings will face new cybersecurity challenges. Building owners, operators, and facility managers must understand the critical importance of securing BAS to protect their assets and ensure the safety and well-being of occupants.

The Asimily platform is designed expressly with IoT devices in mind. Asimily’s inventory and vulnerability detection capabilities are built to monitor traffic to and from IoT equipment and proactively identify security fixes. Those fixes are often simple and quick, reducing the load on facility management teams.

In the event of a cyberattack, our platform, with its rapid response features, quickly captures packets to aid incident responders. With Asimily, teams can keep a handle on their IoT attack surface and ensure they are as safe as possible, providing a sense of reassurance and security.

To learn more about Asimily, download our whitepaper, IoT Device Security in 2024: The High Cost of Doing Nothing, or contact us today.