Building Management System Cyber Security

July 6, 2022 By Mid-Atlantic Controls 5 minute read


Hackers, cybercriminals, and other malicious actors are increasingly targeting building systems to access companies’ critical enterprise systems. Keep reading to learn why building management system cyber security is the new front line in protecting companies from online attacks.

Mind the Door: BMS Building Management System Cyber Security

Smart building technology is meant to open the door to increased safety and energy efficiency. At the same time, increasingly complex interconnected systems offer new pathways for criminals, terrorists, and state-sponsored hackers to access information or even hijack control of systems. Here’s why upgrading your building management system’s (BMS) cyber security is critical.

Front and Center

Savvy facilities managers have long known that connecting more of their building’s systems to the Internet comes with a higher risk of malicious intrusions. Until now, however, that risk has been seen as a threat mainly to the building itself. Operators worried that hackers would be able to set off alarms, open doors, turn off lighting or ventilation, or even access surveillance systems.

While that is serious enough, an even greater risk is that hackers gain access to your occupants’ corporate networks, making it possible to:

  • Steal assets or data
  • Seize control of systems and demand ransoms, or
  • Disrupt essential operations and services.

A study by the Harvard Business Review found that 60% of cybersecurity breaches at publicly traded companies in 2017 were through computer systems belonging to suppliers and contractors of the companies, up from 25% in 2010. Many of those systems are by definition tied directly to BMS infrastructure.

Separately, a study by Kaspersky Labs of 40,000 servers used for building automation operations found that 37.8% of these computers had been targeted by malware, phishing, or ransomware attacks. These findings put you, as a building owner or facilities manager, front and center in the cybersecurity war, with increased responsibilities and added liabilities.

Hackers’ Paradise

This increased exposure is being driven by a number of trends, including:

  • The Internet of Things (IoT)—more individual devices, often with inadequate security or known vulnerabilities, are directly connected to the Internet.
  • Increased automation—BMS systems are connecting previously siloed functions to allow control of multiple systems through a single interface.
  • Open-source systems—Devices from different vendors can increasingly be accessed and controlled using open system standards such as OpenADR.
  • Cloud computing—More and more companies’ critical systems and data are being stored and operated remotely by third-party contractors.
  • Higher safety and efficiency standards—Ironically, increased security concerns, as well as the climate crisis, are driving increased integration of smart building technology, increasing touchpoints between BMS infrastructure and corporate enterprise systems.

Playing With a Full Stack

A recent paper by the Department of Energy’s Pacific Northwest National Laboratory (PNNL) has highlighted the risk posed by the increased integration of operational technology and information technology. The paper also laid out a reference architecture showing how systems interrelate. This “stacked” architecture model includes:

  • Levels 0-1: Basic control and automation equipment such as smoke or temperature sensors, thermostats, elevator motors, and sprinklers.
  • Levels 2-3: Local and building-wide controllers and subnets automating large parts of a building’s processes.
  • Levels 4-5: Company-specific IT systems holding sensitive data as well as the routers, VPN portals, and mail servers connecting these with remote and cloud-based resources.

The paper suggests that level 3.5, where high-level building OT processes interface with external and enterprise IT systems, is critical and should be treated as a cybersecurity “demilitarized zone” (DMZ), meaning that it is shielded from both internal and external systems by firewalls and contains only servers that provide services to both layers.

Points of Entry

The PNNL paper also identifies several points in this architecture that are at particular risk and that should be hardened or secured against unauthorized access. These include:

  • Any device with a routable IP address
  • Serial-to-Ethernet connections that bypass enterprise firewalls
  • Cellular gateway services that bypass hardwired cybersecurity requirements, and
  • Servers that share OT and IT data.

In fact, any system that shares information that was previously siloed poses a potential threat. 
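As an added example (not code from Mid-Atlantic Controls or from the PNNL paper), the following Python script applies the stacked-level model and the entry-point list above to a constructed asset inventory. It flags flows that cross between OT (levels 0-3) and IT (levels 4-5) without passing through the level 3.5 DMZ, DMZ hosts that do not serve both layers, and the four entry-point classes named above. The asset names, addresses, field names and the inventory itself are assumptions made for illustration.

```python
"""Segmentation and entry-point audit over a BMS asset inventory.

Added example, not code from the article or the PNNL paper. The stacked
levels (0-3 OT, 3.5 DMZ, 4-5 IT), the Asset fields and the sample
inventory are assumptions for illustration.
"""

from dataclasses import dataclass
from typing import List, Optional, Tuple

OT_LEVELS = {0, 1, 2, 3}      # field devices and building controllers
DMZ_LEVEL = 3.5               # OT/IT demilitarized zone
IT_LEVELS = {4, 5}            # enterprise IT and its edge services


@dataclass
class Asset:
    name: str
    level: float                       # 0..5; 3.5 = DMZ
    kind: str                          # sensor, controller, serial-gateway, cellular-gateway, server
    ip: Optional[str] = None           # None for fieldbus-only devices (e.g. BACnet MS/TP)
    serves_ot: bool = False            # offers a service to the OT side
    serves_it: bool = False            # offers a service to the IT side
    behind_enterprise_fw: bool = True  # its network path traverses the enterprise firewall


def side(level: float) -> str:
    """Map a level to the zone it belongs to."""
    if level in OT_LEVELS:
        return "OT"
    if level == DMZ_LEVEL:
        return "DMZ"
    if level in IT_LEVELS:
        return "IT"
    raise ValueError(f"unknown level {level}")


def check_flows(assets: List[Asset], flows: List[Tuple[str, str]]) -> List[str]:
    """Flag any flow that crosses between OT and IT without passing through the DMZ."""
    zone = {a.name: side(a.level) for a in assets}
    return [
        f"{src} -> {dst}: direct {zone[src]}/{zone[dst]} flow bypasses the level 3.5 DMZ"
        for src, dst in flows
        if {zone[src], zone[dst]} == {"OT", "IT"}
    ]


def check_dmz_members(assets: List[Asset]) -> List[str]:
    """The DMZ should hold only servers that provide services to both layers."""
    return [
        f"{a.name}: in DMZ but does not serve both OT and IT; relocate it"
        for a in assets
        if a.level == DMZ_LEVEL and not (a.serves_ot and a.serves_it)
    ]


def check_entry_points(assets: List[Asset]) -> List[str]:
    """The four entry-point classes named in the article."""
    findings = []
    for a in assets:
        if a.ip is not None:
            findings.append(f"{a.name}: routable IP {a.ip}; harden and restrict access")
        if a.kind == "serial-gateway" and not a.behind_enterprise_fw:
            findings.append(f"{a.name}: serial-to-Ethernet path bypasses the enterprise firewall")
        if a.kind == "cellular-gateway":
            findings.append(f"{a.name}: cellular gateway sidesteps hardwired controls")
        if a.serves_ot and a.serves_it:
            findings.append(f"{a.name}: server shares OT and IT data; review and monitor")
    return findings


# Constructed inventory and flow list (sample data, not a real site).
INVENTORY = [
    Asset("zone-thermostat-07", 1, "sensor"),                      # MS/TP device, no IP
    Asset("ahu-controller-01", 2, "controller", ip="10.20.1.10"),
    Asset("modbus-serial-gw", 2, "serial-gateway", ip="10.20.1.50", behind_enterprise_fw=False),
    Asset("vendor-lte-gw", 3, "cellular-gateway", ip="10.20.3.5"),
    Asset("historian", 3.5, "server", ip="10.30.0.10", serves_ot=True, serves_it=True),
    Asset("ot-jump-host", 3.5, "server", ip="10.30.0.11", serves_it=True),
    Asset("energy-dashboard", 4, "server", ip="10.40.0.20"),
    Asset("mail-server", 5, "server", ip="10.50.0.25"),
]
FLOWS = [
    ("ahu-controller-01", "historian"),          # OT -> DMZ: acceptable
    ("historian", "energy-dashboard"),           # DMZ -> IT: acceptable
    ("energy-dashboard", "ahu-controller-01"),   # IT -> OT directly: finding
]


def audit(assets: List[Asset] = INVENTORY, flows: List[Tuple[str, str]] = FLOWS) -> List[str]:
    """Run all three checks and return the combined findings."""
    return check_flows(assets, flows) + check_dmz_members(assets) + check_entry_points(assets)


if __name__ == "__main__":
    for line in audit():
        print(line)
```

The flow check treats any OT-to-IT or IT-to-OT pair as a finding, so a site that really does route such traffic through the DMZ will record it as two flows (OT to DMZ host, DMZ host to IT) rather than one; feeding the script a flow list exported from firewall rules or a switch ACL is the natural next step.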

For example, sophisticated HVAC or access control systems that use video surveillance to optimize climate control or deploy elevators could also be used to track the movement of key employees, providing valuable information for targeted “spear-phishing” scams.

Welcome to the Front Line

Consider the example of a typical connected process-management unit. This unit alone could use remote connections to allow it to:

  • Send and receive utility grid signals such as OpenADR to optimize energy use
  • Integrate with cloud-based regulatory and energy monitoring services
  • Provide access, comfort, and location services through occupants’ cellular devices, and
  • Provide vendor monitoring and fault detection, sometimes through their own cellular or cloud-based networks.

Each of these separate integrations is an access point through which malicious actors could hijack control of parts of your building management system and potentially reach sensitive corporate data or operations systems. Your building’s systems must be integrated, up-to-date, and secure.

MACC Supports BMS Integration to Improve Cyber Security

Legacy BMS components that have been connected to the cloud without updating security protocols pose a particular cybersecurity risk. MACC can help you upgrade existing systems to fully secure and integrated infrastructure that is both safe and future-ready.

Despite the risks, increased BMS integration, standardization and interoperability are not going away. In fact, using these tools right is the best way to guarantee your building’s security.
