Fixing the cybersecurity blind spot in building management


Almost every large building has systems to control and monitor power and lighting, temperature and ventilation, elevators and more, known collectively as Building Management Systems, Claroty ANZ Regional Director Lani Refiti says.

Historically, Building Management Systems (BMS) were siloed with their own control facilities, connected over separate dedicated networks. Increasingly, BMS are being integrated and connected to the IT systems used for business management and administration.

Furthermore, with the Internet of Things (IoT) gathering strong momentum over the last decade, the number of ‘smart buildings’, which require far more monitoring and control devices than their older, simpler counterparts, has grown significantly. The number of IoT devices installed globally for building monitoring and management was estimated at 1.7 billion at the end of 2020 and is forecast to exceed three billion by 2025.

The interconnection of BMS with IT systems is just one aspect of the digital transformation journey that almost all organisations are going through. While digital transformation enables organisations to increase efficiency, gain insights into their operations and leverage these gains for competitive advantage, it also brings some challenges.

When any BMS is connected to the internet, it becomes potentially accessible to a host of cyber criminals who seek to cause disruption or steal data for commercial gain. Unfortunately, BMS can often be an easy target for bad actors: thanks to their long history of isolation, many BMS do not incorporate the security features that are common in modern IT systems and devices.

In one high-profile example, US retail chain Target was hacked through its air conditioning monitoring system that was connected to the IT network. The attacker was able to gain access to the credit and debit card information of 40 million customers by exploiting a weakness in the security of the aircon system, which then provided a gateway to the rest of the IT network.

Researchers subsequently estimated there were tens of thousands of similar aircon systems around the world that were vulnerable. The list included systems installed for the 2014 Sochi Winter Olympics arena, among other notable names.

In 2017, thousands of critical systems and services worldwide were shut down by the notorious WannaCry ransomware, which exploited a vulnerability in the Windows 7 operating system widely used in many legacy BMS.

Compromising a BMS offers bad actors more opportunities than just data exfiltration for ransom. An unscrupulous player could seek to disrupt a competitor’s production by tampering with environmental controls in their factory or other production facility. A nation-state attacker could disrupt another nation’s healthcare system by tampering with environmental controls in hospitals.

In short, BMS require robust security measures that protect the critical functions they serve and prevent an organisation’s wider IT systems from being compromised.

Why is protecting BMS more difficult than IT systems?

There are several reasons why today’s BMS are more vulnerable to cyber attacks than IT systems:

  • Once upon a time, BMS were function-specific and isolated: the system controlling air conditioning, for example, was separated from the one used for access management. In today’s smart buildings, each BMS function is part of an integrated system that is connected to the internet. This makes the potential impact of any compromise much greater.
  • Many BMS rely on legacy software that is rarely, if ever, patched to remove security vulnerabilities. This means it is often relatively easy for an attacker to gain access by performing a simple action, such as resetting a password.
  • The secure-by-isolation nature of legacy BMS has created a culture of complacency among technical staff who routinely share passwords (or create very weak passwords).
  • The typical BMS for a large facility today is often very complex, with many devices from different vendors. It is quite challenging to keep a comprehensive inventory of all of these devices and the software versions they run. It’s even harder to ensure every one of these devices is secure and free from vulnerabilities. Furthermore, vendors generally require remote access to their products for ongoing management purposes, meaning every one of these access channels is another potential attack vector.

Thankfully, there are solutions to each of these challenges, which can ensure a very high level of security for any BMS.

Four-step guide to securing your BMS

Step 1 – Create a map of the network and all connected devices. It is essential to have a comprehensive inventory of any BMS in order to secure it. This involves knowing exactly how many connected devices sit on the network and the communication paths between them. There are a number of network mapping and asset discovery solutions on the market, which can automatically gather and analyse details of every device within the BMS, no matter their make or model, and maintain an updated list.

Step 2 – Know your risk level. Knowing what devices are on the network is only the first stage of securing a BMS; the next step is assessing the security risk each one presents. Fortunately, software is available that can automate this task. Some more sophisticated tools will also offer guidance on how to remediate any of the security weaknesses detected.

Step 3 – Provide secure remote access. The multitude of tools used to remotely access BMS creates a tempting invitation for attackers. Today, it’s possible to implement a single comprehensive remote access solution tailored for BMS, which can serve the needs of both building management and device vendors for regular monitoring, management and updating.

Step 4 – Detect and respond to threats. Sooner or later an attacker is likely to get through even the best BMS defences. It’s imperative to detect a breach as early as possible and take appropriate action to minimise damage. This requires tools that can constantly monitor the entire BMS for any suspicious activity and issue the appropriate alerts to technical staff and management. There are many tools available to do this, and some suppliers also supplement these with human services: threat investigation, risk assessment, and incident response.
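As an added illustration of how Steps 1 and 4 fit together (example code written for this article, not a Claroty product or anything from the original text), the script below takes a constructed device inventory and communication map of the kind Step 1 produces and checks observed flow records against it, alerting on unknown devices, unsanctioned zone-to-zone paths, and any BMS device reaching into the business IT segment. All addresses, device names, zones and flow lines are constructed for the example.

```python
"""Added example: check observed BMS network flows against the device
inventory and communication map from Step 1, raising the kind of alert
Step 4 calls for. Every address, device and zone here is constructed."""
import ipaddress

# Constructed inventory as an asset-discovery tool might report it: address -> (description, zone).
INVENTORY = {
    "10.20.1.10": ("HVAC controller (vendor A)", "bms-hvac"),
    "10.20.2.10": ("Lighting controller (vendor B)", "bms-lighting"),
    "10.20.9.5": ("BMS supervisory server", "bms-mgmt"),
}
# Constructed business IT segment; under this policy no BMS device initiates connections into it.
IT_SEGMENT = ipaddress.ip_network("10.50.0.0/16")
# Zone-to-zone paths the Step 1 map documented as expected.
ALLOWED_PATHS = {
    ("bms-hvac", "bms-mgmt"), ("bms-mgmt", "bms-hvac"),
    ("bms-lighting", "bms-mgmt"), ("bms-mgmt", "bms-lighting"),
}

def zone_of(ip):
    """Inventory zone for an address, or None if the device is unknown."""
    entry = INVENTORY.get(ip)
    return entry[1] if entry else None

def audit_flows(flow_lines):
    """Parse constructed 'src=<ip> dst=<ip> dport=<port>' flow records and
    return one alert string per flow that deviates from the map."""
    alerts = []
    for line in flow_lines:
        fields = dict(kv.split("=", 1) for kv in line.split())
        src, dst = fields["src"], fields["dst"]
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone is None:
            alerts.append(f"unknown device {src} active on BMS network")
        elif ipaddress.ip_address(dst) in IT_SEGMENT:
            alerts.append(f"{INVENTORY[src][0]} ({src}) reaching IT segment host {dst}")
        elif dst_zone is None:
            alerts.append(f"{src} talking to uninventoried host {dst}")
        elif (src_zone, dst_zone) not in ALLOWED_PATHS:
            alerts.append(f"unsanctioned path {src_zone}->{dst_zone} ({src}->{dst})")
    return alerts

if __name__ == "__main__":
    sample = [  # constructed flow records
        "src=10.20.1.10 dst=10.20.9.5 dport=47808",  # expected HVAC -> supervisory server
        "src=10.20.1.10 dst=10.50.3.7 dport=445",    # HVAC controller into the IT segment
        "src=10.20.7.77 dst=10.20.9.5 dport=47808",  # device missing from the inventory
    ]
    print("\n".join(audit_flows(sample)))
```

In practice the inventory and allowed paths would be exported from the discovery tooling rather than hard-coded, and the alerts fed to whatever alerting channel the technical staff already watch.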

The transformation of old-world BMS into smart building systems and their integration with IT networks is ongoing and inevitable. It is therefore essential that facility managers pay greater attention, and devote appropriate resources, to BMS security.