The recent CIBSE conference led with the issue of cyber security and the potential vulnerability of building services to criminal activity. Hywel Davies considers the problem for owners and operators.
June 17th was an important date for building owners and operators.
On that day in 2010, the Stuxnet malware (malicious software) was identified.
Unlike conventional malware, which wreaks damage in the virtual world, Stuxnet targeted the software controlling pumps, valves, lifts, lighting and machinery. It was the first computer virus with the potential to cause real-world damage.
Stuxnet was designed to specifically target programmable logic controllers running Siemens software through a vulnerability in the Windows operating platform.
The internet is awash with theories as to where the virus originated. The most popular is that the US government introduced the virus to target the centrifuges used by Iran in its Natanz nuclear enrichment facility, the output of which was ostensibly for the country’s nuclear power stations but which could also be used for nuclear weapons.
The malware, which now supposedly has been fixed, shows how building systems can be compromised and highlights the damage that can be done by viruses infecting process controllers and even building management systems.
It is a threat that is likely to increase with the greater integration and interconnection of building controls and other systems because the BMS is often networked with data centres, remote access servers and even utility providers through open protocols.
Imagine the impact on an organisation if hackers were to take over control of the lifts in its HQ building, or simply did something malicious such as turning up the heating or turning off the AC. The building would soon be unusable and normal business operations would have to halt.
In the past, the issue of cyber attacks on building systems was less of a risk because each building service had its own dedicated cabling system and controls protocol.
Over time, however, these systems have migrated onto a common IP-based cabling system. A single IP communications cable (such as a Cat 6) might now carry everything from business systems such as voice, data and video to security, energy management, access control, lighting, lift controls, HVAC and fire and life safety systems.
There are many advantages to this convergence from a building operation point of view, in that it enables increased interaction between systems to maximise efficiency and to provide real-time information on how buildings are being used, often with the ability to access and manage multiple buildings remotely.
The downside of having such an external access facility is that it can be exploited by cyber criminals.
This was the case with the Target chain of retail stores in the US. In November 2013, attackers gained admittance to Target’s IT network by stealing access details from the company’s HVAC contractor, which was authorised to access the system to enable it to monitor energy consumption and temperatures in the firm’s stores.
Once in the system, the attackers then went on to steal payment card details for the retailer’s customers.
The Target attack demonstrates not only the potential cyber-vulnerabilities but also the vital importance of managing personnel security, both within the directly employed team and across the wider supply chain. It also shows the importance of maintaining total separation between building-related systems and business-related systems.
According to BSRIA research, more than 90 per cent of all larger buildings (those above 50,000 sq m) in the US have some kind of building automation and control system (BACS) “and many are to some degree at risk”.
While the attack on Target was confined to a single business, the UK government is concerned that vulnerability to cyber attacks can extend outside of buildings and into the electricity network or other key infrastructure.
Its Science and Technology Committee, in its report Resilience of the Electricity System, describes this threat as “significant”. It is a threat that is likely to increase as the grid becomes smarter and ever more dependent on IT and two-way communication between buildings, their management systems and the grid.
Until the Stuxnet attack, the security of building management systems was not considered a high priority. While security protection of computers and servers was considered, much less attention was given to the protection of HVAC equipment and lighting controls, for example.
This is no longer the case; experts now warn that if a device is on a building’s network it can be discovered and used as a launch pad to infiltrate other devices and systems.
It is not simply newer buildings with fully integrated building systems that are under threat – older buildings running legacy BMSs, which are based on older operating software, are perhaps even more susceptible to attack.
This is because the system’s vulnerabilities are well known to hackers and the software provider may have stopped updating the system with security patches, providing an open back door for malicious attacks on a building.
For businesses, developing, testing and deploying security measures in their buildings should be an ongoing and even continuous process.
To help prevent cyber attacks, building operators should assess the vulnerabilities of every building system and determine: what its loss will mean to the ongoing operation of the building; its impact on the occupants; and its impact on the business.
This will allow measures appropriate to the threat to be implemented, addressing both the systems and the people with access to them.
Even with comprehensive security measures in place, experts are warning that building occupiers should still assume that all the preventative measures will fail. As a consequence, they should design the building services to operate for this worst-case scenario.
This is far from straightforward: if there were a power failure in a building and the standby generators’ control protocols had been hacked, so that the control system failed to recognise the power failure, how easy would it be for a business to override these controls and start the generators manually?
David Fisk, professor of systems engineering and innovation at Imperial College London and a past president of CIBSE, says it is critical for building services to have some basic hardwired ‘black-start’ functionality to allow manual operation as a fall-back.
“An identified minimum level of service and hardware hardwired that can provide it is thus essential,” he says in his paper Cyber Security and Building Services. “The very existence of such a plan may not make the reward of a targeted attack worthwhile”.