Don’t let a BEMS become a gateway to hackers
In the battle to thwart the growing threat posed by hacking, it is vital to ensure that a building energy management system (BEMS) is as secure as possible. Graeme Rees of Trend Control Systems explains why.
All businesses are potential targets for hackers, and IT security breaches are making the news headlines on an almost daily basis. If the experts are to be believed, this current level of activity is just the tip of the iceberg; to highlight the scale of the issue, in 2014 the USA-based Center for Strategic & International Studies claimed that hackers stole roughly 81.5 million records worldwide, while The World Economic Forum has estimated a $3 trillion cost to the global economy if the problem is not taken seriously.
Although it tends to be the attacks made on companies such as Sony and Microsoft that grab the public’s attention, organisations of all types and sizes are vulnerable, and the PricewaterhouseCoopers (PwC) 2014 Global Economic Crime Survey found that one in four of those questioned had been hacked. One of the reasons that this nefarious activity has become so widespread is that the chances of getting caught are close to zero. Prosecutions are disconcertingly rare, and by the time the alarm is raised the culprit has usually covered their tracks to evade detection.
Horror stories about what can happen as a result of such an event are in no short supply, and the level and type of threats are constantly evolving. While some are carried out for financial gain, others are designed to cause as much disruption to business operations as possible.
Managing risk should always be about what you can do, not what you can’t. Organisations have to be more aware than ever of how to protect themselves. Although the IT network infrastructure is the focus of attention in terms of preventing such attacks, a comprehensive evaluation of risk requires a meticulous approach to mapping all of an organisation’s IT-related assets and processes — including a BEMS.
Although a hacker might wish to cause disruption by, for example, shutting down plant, altering setpoints or turning lights off, it is far more likely that any security-based vulnerability in a BEMS would be used as a gateway or point of access to obtain confidential data. Preventing the latter should be a priority for every organisation. There are a number of UK and European laws that govern corporate liability for data breaches, and fines can be as high as £500 000. This is in addition to the cost in terms of operational downtime and business continuity, while not forgetting reputational damage.
Ensuring that a BEMS does not become a weak link in the security chain means being aware of, and applying, best practice. As well as restricting physical access to the BEMS, making sure that it is not directly accessible from the Internet is a prerequisite. Similarly, only designated personnel should be able to use it, and organisations should adopt a strict username, password and PIN policy. We are always told that it is wise to regularly change our passwords and make them as strong as possible, and this applies equally to a BEMS.
Security must be designed into the operation of the BEMS from the outset — it must never be considered an optional extra. This technology is not ‘fit and forget’, so all relevant equipment should have the latest software and firmware versions applied, and all PCs that are connected over the network should run virus protection software with up-to-date virus definitions as a matter of course.
It is advisable to isolate the BEMS from the corporate IT network infrastructure through the use of a virtual local-area network (VLAN). A VLAN places the BEMS devices on a separate logical network, so that they behave as if they were not connected to the same cabling as corporate equipment, even though they may physically share the corporate switches and wiring. For additional security, remote access to the BEMS should be routed through a virtual private network (VPN) configured to prevent unauthorised access.
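The three rules above (BEMS on its own VLAN, no direct Internet exposure, access only via a VPN) can be written down as a firewall policy. The following nftables ruleset is an added illustration and is not from the article or from Trend Control Systems; the interface names, address ranges and management ports are constructed assumptions and would be replaced with a site's own values.

```nftables
# Added example, not from the article: nftables policy segmenting a BEMS VLAN.
# Assumptions (constructed, not site values): BEMS VLAN is 10.50.0.0/24,
# operators reach it only through the VPN concentrator at 10.10.0.5,
# the corporate LAN is 10.20.0.0/16, and eth0 is the Internet-facing interface.
define BEMS_NET = 10.50.0.0/24
define VPN_GW   = 10.10.0.5
define CORP_NET = 10.20.0.0/16
define WAN_IF   = "eth0"

table inet bems_segmentation {
    chain forward {
        # Default deny: anything not explicitly allowed below is dropped
        type filter hook forward priority 0; policy drop;

        # Keep replies to already-permitted sessions flowing
        ct state established,related accept

        # Operators reach BEMS controllers only from the VPN gateway,
        # and only on the controllers' management ports (assumed 80/443)
        ip saddr $VPN_GW ip daddr $BEMS_NET tcp dport { 80, 443 } accept

        # No path from the general corporate LAN straight into the BEMS VLAN
        ip saddr $CORP_NET ip daddr $BEMS_NET drop

        # Controllers never initiate traffic to the Internet; log attempts,
        # since an outbound connection from a controller is worth investigating
        ip saddr $BEMS_NET oifname $WAN_IF log prefix "bems-egress-blocked " drop

        # Nothing arriving from the Internet reaches the BEMS VLAN
        iifname $WAN_IF ip daddr $BEMS_NET drop
    }
}
```

The logged egress attempts give the BEMS team a simple detection signal: a controller that suddenly tries to reach the Internet is behaving outside its expected role.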
Security awareness must also form a part of any BEMS-related training for employees, and it should be treated as a priority in building effective prevention, detection and response. It should also be remembered that effective processes are entirely dependent upon implementation of policy; strict adherence is therefore required to mitigate the possibility of a security breach.
Furthermore, the most effective preventative strategy can only be achieved through working with an expert BEMS provider. This ensures that each stage of the installation and maintenance process meets pre-defined standards. Although it is incumbent upon manufacturers to issue regular firmware and software updates, their availability should be immediately communicated to systems integrators, which should then carry out the necessary work.
Finally, like most other aspects of successful BEMS operation, its security should be reviewed and tested on a regular basis. Assessing performance to determine its strengths and weaknesses is a key part of organisational preparedness — something that no organisation can afford to ignore.
Graeme Rees is marketing director with Trend Control Systems