BAS Security for Tridium Equipment

April 30, 2019 By Mid-Atlantic Controls

As technology continues to improve, we are finding more reasons to integrate related systems such as BAS, lighting and shade systems, security/card access, video, and fire alarm. With these integrations, remote access to those systems is moving from desirable to essential.

But many users have not secured their systems in even the most obvious ways, much less in the ways required and recommended for these systems. The reasons range from laziness to not knowing how, being too trusting, or perhaps even a deliberate choice.

Handling a BAS Security Breach

Whatever the reason, BAS systems are becoming less and less accessible remotely because simple and effective security is not employed. Tridium is to BAS systems what Microsoft is to computer operating systems. Tridium is becoming the most utilized BAS “operating system” in the industry. It is available from Tridium, Siemens, JCI, Honeywell, Siebe, Distech, and probably hundreds of other distributors. So when a security breach is found, “Tridium” is immediately blamed, and sometimes the solution is to stop using Tridium altogether. Really? That is the solution?

Well, it makes sense to a certain extent. If BAS systems used another manufacturer, the security access credentials and methods would be more difficult to find. The reason hackers and malware target Microsoft systems and software (Microsoft Outlook) so often is that they can affect so many more potential users. Tridium suffers from the same “popularity” effect, even though the truth is that Tridium systems have more security options than most other competitive systems available today.

It is easy to blame Tridium for your security issues, but you should really consider how easy some BAS users make it to access their BAS system both internally and externally. So consider the following security enhancements to reduce the possibility of someone gaining access to your network or your Tridium (and other) BAS systems.


Security Enhancements for Tridium or BAS Systems:

1.  Change the Platform Credentials! We can’t tell you how many Tridium systems still contain the stock platform credentials that shipped with the original Tridium system. Those credentials are so easy to find that a simple Google search for “Tridium Platform Credentials” will turn up the correct credentials on the first page. This is not unique to Tridium. Do the same search for any popular network router and you will get the same result. So if your IT department set up their super secure network with firewalls, IP restrictions, port blocking, etc., left the stock access credentials in the router, and your system got hacked, would you think that was the fault of the router manufacturer or of your IT department? Buying a lock and leaving the key in the door is your fault…not the lock manufacturer’s. And once someone has the Tridium platform credentials, the station “user credentials” are child’s play.

2.  Remove stock User Credentials! For the same reason as above. Access to the Tridium “Station” is gained through “User Credentials” and the default credentials will only take a few tries to figure out even without a Google search.

3.  Only utilize “Strong” username and password credentials: If your username is anything close to your email address, you are giving the hackers an easy place to start. Even if your password is strong, why give them the first half so that all they need to do is hack the password? Strong usernames and passwords contain a minimum number of characters, special characters, upper and lowercase letters, and numbers, but you should still be diligent even with these. Avoid obvious birthdays, initials, addresses, street names, building names, etc. Make it difficult if not impossible. Once this feature is switched on within Tridium, all users will be required to use a “strong” password and it will no longer be optional. Tridium provides the tools and we can choose to use them or not.

4.  Expire all users on a regular basis: If you choose to “never expire” the users, then all of your ex-employees and contractors will retain access to your system after they leave if you forget to remove them. And many times these people do not leave voluntarily and might wish your system some harm.

5.  Never allow a general username/password to be shared among many users. There is no way to track responsibility this way. Internal audit logs track user activity and can point to problems and solutions very quickly.

6.  Link users/access to your corporate user database so they are created, managed, and deleted as employees are added and removed. (e.g. LDAP)

7.  Create a separate BAS network or a BAS “VLAN” on your internal network. These networks within your network have restricted inbound and outbound access. There is seldom any reason to allow access to the BAS and related systems by everyone who has access to the client’s internal network. This access should be restricted to only the people who need it and severely restricted for others who only need partial access. This is very easy to implement but very often overlooked. It is much easier to blame the Tridium system for letting you do this than your IT department for allowing it.

8.  The same applies to your wireless network. Would you really want the students in a university to have access to your internal system like the BAS system? However, the maintenance staff and some contractors might need and be granted this access. A “VLAN” can provide this solution or you could blame Tridium for not being secure enough.

9.  Don’t allow external access at all. This is a solution that works well but at the same time prevents the system from being all that it can be. External communications allow maintenance and facility staff to monitor and correct problems without having to be onsite at all times. It also allows access to experts who might be needed to help diagnose system problems, reduce energy use, increase building performance, reduce downtime, and a host of other positive results. Few facilities have these resources internally and even fewer on a 24/7 basis. Even this can be circumvented by the persistent hacker.
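Items 2 through 5 can be checked mechanically against a list of station users. The following audit is an added example, not code from this post or from Tridium; the CSV column layout, the `STOCK_USERNAMES` placeholder set, the `assigned_to` field and the one-year expiry limit are all assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample; the column layout is an assumption, not a Tridium export format.
SAMPLE_USERS = """username,email,expires,assigned_to
jsmith,jsmith@example.com,never,J. Smith
operator,,2019-12-31,A. Ortiz;B. Chen;C. Rao
q7lr-mech-04,dana.lee@example.com,2019-09-30,D. Lee
STOCK-USER-PLACEHOLDER,,never,
"""

# Placeholder only: fill in from your own vendor documentation.
STOCK_USERNAMES = {"stock-user-placeholder"}
MAX_VALID_DAYS = 365  # assumed policy: every account expires within a year


def audit_users(csv_text, today):
    """Return {username: [findings]} for accounts that break items 2-5."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row["username"].strip()
        lowered = name.lower()
        issues = []
        if lowered in STOCK_USERNAMES:  # item 2
            issues.append("stock account still present")
        local_part = row["email"].split("@")[0].lower()
        # item 3: username equal to, or contained in, the email local part
        if local_part and (lowered in local_part or local_part in lowered):
            issues.append("username resembles email address")
        expires = row["expires"].strip().lower()
        if expires == "never":  # item 4
            issues.append("account never expires")
        elif (date.fromisoformat(expires) - today).days > MAX_VALID_DAYS:
            issues.append("expiry too far in the future")
        people = [p for p in row["assigned_to"].split(";") if p.strip()]
        if len(people) > 1:  # item 5
            issues.append("shared by %d people" % len(people))
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for user, issues in audit_users(SAMPLE_USERS, date(2019, 4, 30)).items():
        print(user, "->", "; ".join(issues))
```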

Identifying BAS Security Issues


We can go on with more solutions to specific problems, but the point is that there are solutions to every problem as long as you want to recognize them. It is easy to blame Tridium for security issues but much harder to look inward and recognize that the security issues are not theirs. Tridium gives us the tools to create a very secure system without much effort at all. More often than not, it is the end users or their contractors who choose not to use those tools and leave the system open to unwanted access. Just recognize that this same problem exists on every system manufactured today. Tridium is just the easy target. Tridium is a technology leader and continues to develop and improve its product and security as technology improves.

MACC can help you solve all of your security issues and put you on a path that will allow the access and security you need but reduce or eliminate the possibility of unwanted access to your BAS and related access to your secure network through your BAS. Contact us and let us show you how to secure your BAS system.
