Seven Ways to Help Secure Your Building Automation System

Cybersecurity Image

By: Jason D. Mills, Director of Marketing and Communications

As building automation systems advance, operation technology and information technology converge. While this integration of OT with IT creates more efficient and modern ways to control your building automation system (BAS), it brings new challenges, particularly regarding cybersecurity. Let’s look at seven ways to increase cybersecurity for your BAS.

  1. Change Default Passwords
    While this may seem obvious, it is often overlooked. This is the top way to stop someone from accessing equipment or a system. Taking the time to change default settings can save a lot of headaches.
  2. Don’t share passwords or leave them exposed
    If you share passwords openly, leave them on sticky notes, or reuse a shared password, multiple networks could be compromised at the click of a button.
  3. Keep your computers up-to-date
    You are only as secure as your most out-of-date software. This introduces critical patches that keep your network secure against the latest cyber-attacks. However, many BAS software and services are written for specific versions of the operating system or components, so you will need to fully understand your BAS before updating.
  4. Create a separate BAS network
    While we do not recommend this as a first option, there may be concerns with your IT department allowing you to use their networks. You can create another separate one, with a separate system of cables and routers. This secondary network still needs to be managed.
  5. Whitelisting and Blacklisting IP addresses, Ports and URLS
    Whitelisting is the process of allowing IP addresses, ports, and URLS access to your network. If someone is asking to enter your network from a whitelisted IP, they will be granted access. Blacklisting is the opposite; IP addresses, ports and URLS that will never be allowed in. Some BAS products allow you to configure such lists. For ones that do not, consider setting up whitelists at one or more of the firewalls between the BAS and the outside world.
  6. Only allow outbound traffic and ignore inbound traffic
    This is dependent on the site’s BAS software or services. If it is designed to be “outbound only,” it initiates all communications with the outside world, and firewall rules can be put in place that block unsolicited inbound messages. IP routers and gateways are typically configured to allow inbound messages only when a computer on the inside first sends out a message to an outside server. This allows the BAS to communicate with the outside world even with inbound messages blocked. Some IT departments also make outbound rules, meaning that their firewalls may block your BAS from sending out messages. In this case you must have IT configure the firewalls to allow outbound messages to the services your BAS uses.
  7. Encrypting information
    Imagine sending a letter via regular mail containing all of your passwords without an envelope. Everyone who touches it can read your letter. The same is possible if you do not encrypt your connections and data. For digital information, there are two basic encryption ways: the messages carrying your data, or the data itself. Encrypting messages is done by VPNs and encryption protocols, such as TLS. This type of encryption is supported by system firewalls and routers. Data encryption can be done so the stored data is not human or machine-readable, unless one has the proper codes to decrypt it. This type of encryption is usually done by the BAS or database services.

KMC Controls understands the risks and concerns with building automation security. Our IoT building automation platform, KMC Commander™, uses leading technology and best practices to ensure your system is secure. The platform has more than a dozen cybersecurity features built-in, including:

  • Ubuntu Snappy OS: From limited user and program permissions to the ability to secure boot, Ubuntu provides a secure foundation.
  • Whitelisting: If you haven’t explicitly authorized an IP connection, a physical port, or a process, the hardware and software will not allow it.
  • Outbound Communications: To servers or devices, KMC Commander initiates all communication links.
  • Data Encryption: Data is encrypted at the box and cloud levels and communicated over SSL/TLS.
  • Cloud-Only Interface: Remote user interaction with KMC Commander is limited at the cloud level, isolating the physical layer.
  • Custom User Permissions: Easily customize the levels and groups of users for your platform, limiting the most sensitive interactions to the appropriate people.
  • No Back Doors: There are no back doors built into KMC Commander installations, eliminating the threat of compromise-by-design.
  • Trusted Platform Module: Encryption keys are stored on a separate chip in the gateway, apart from the primary storage and memory.
  • No Data Masking or Obfuscation: By using best security practices, we choose not to use “security through obscurity.”

This layering of security features and practices helps prevent damage and exposure from a cyber-attack.

In addition to these best practices, one key thing you can do to keep your system secure is to be aware of threats and security measures. Creating a cyber-culture is not only useful for building automation networking, but all facets of your digital life.

intel IoT Solutions Alliance