Building Automation & Control Systems An Investigation into Vulnerabilities, Current Practice & Security Management Best Practice REPORT David J Brooks Michael Coole Paul Haskell-Dowland Melvyn Griffiths Nicola Lockhart ASIS Foundation Project No.: FDN-BMS-2017 This Report was made possible by funding, support, collaborative and membership participation from: ASIS Foundation Security Industry Association Building Owners and Managers Association The authors would like to acknowledge the contribution and hard work of the many security and facility professionals who participated in this research. Without their contributed and time out of their busy schedules, the research could not have been achieved. The Edith Cowan University’s research team and Report authors comprised of: David J Brooks, Principal Investigator Michael Coole, Subject Matter Expert Paul Haskell-Dowland, Subject Matter Expert Melvyn Griffiths, Research Analyst Nicola Lockhart, Research Analyst Executive Summary Building Automation and Control Systems (BACS) have become embedded into the contemporary built environment and its facilities. BACS technology and its connectivity extends across all types, sizes and functions of facilities for the purposes of not only automation, but the free flow of information. However, limited organizational awareness and understanding of BACS threats and vulnerabilities remain a concern, and their potentially impact to the organization. THE PROJECT The purpose of this project was three-fold. First, to review current and future BACS, including terminology, technical architecture and likely vulnerabilities. Second, to gain an evidence based understanding of security and facility professional’s awareness, criticalities and security practice in regard to BACS vulnerabilities; and third, provide guidance to support security and facility professionals in BACS security design and maintenance activities. The project applied a three-staged mixed methods research approach, to support evidence based findings and outcomes. The process commenced with a meta-literature review (Stage 1), followed by a survey (Stage 2) that was critiqued by focus groups (Stage 3) to garner deeper understanding. The survey (N=331) had responses from 38 different nations and diverse practice areas, with the majority from security (72 percent) and the remainder from facilities. The focus group participants (N=14) reviewed the survey findings and the draft BACS Guideline. WHAT IS BACS? Building Automation and Control Systems (BACS) is an automated system that converge, integrates and connects many different facility technologies through information flow to a monitoring point. BACS are modular, formed from the integration of devices, equipment and communication platform networks with open communication protocols. BACS are also known by many other terms, such as a Building Automation System, Building Management System, Intelligent Building, Smart Buildings and even, Smart Cities. With the Internet of Things, BACS will continue to expand into areas of the built environment and everyday life. Nevertheless, regardless of name, the core principles of BACS are the same; to facilitate free information flow and automated decision-making through connectivity. BACS technical architecture is based on three levels, namely Management, Automation and Field device levels. The Management level contains the human interface, generally on the organization’s enterprise network. The Automation level provides the primary control devices, connected via networked Controllers. The Field device level are the physical input sensors and output activators, connected to plant and equipment to monitor and control the environment. The BACS market is growing between 15 to 34 percent per year, due to the demand for energy and operational efficiency and sustainability, increasing government regulation, and greater monitoring, control and operability. By 2022, the BACS industry will be worth an estimated US$104 billion. With global rises in energy costs and greater government sanctions, BACS is likely to be at the forefront of future facility projects. PROJECT FINDINGS Facility professionals manage and operate BACS, with 36 percent of participating building owners and operators indicating they have such a responsibility. Security professionals predominately manage and operate the security systems. Whereas, Information Technology professionals manage and operate the technical elements of networked systems, including the broader BACS i | Page architecture. Nevertheless, each professional generally focused only on their areas of practice and responsibility, resulting in silos of responsibilities. Vulnerabilities in the BACS architecture are diverse, all which can be exploited for nefarious gains. Due to their physical location across all parts of a facility and connectivity with open protocols, BACS are prone to technical and physical attacks at all architectural levels; however, the Automation level is considered the most vulnerable. Generic BACS vulnerabilities were extracted and tabulated (Appendix A). Failure to appreciate such vulnerabilities results in the organization being exposed to security risks unknowingly. Nevertheless, BACS vulnerabilities are diverse and at most times abstract, presented without context or situation and resulting in difficulty for practitioners to understand and mitigate. There is a significant disconnect between expressed security and facility professionals’ perceived understanding of BACS threats and risks, and their actual understanding. Although 75 percent of security and facility professionals had an awareness of BACS architecture and half featured BACS risks in their risk management documentation, the majority of security and facility professionals displayed a limited understanding of BACS technical elements and there resulting critical vulnerabilities. Security and facility professionals rated BACS criticality of vulnerabilities, at all architectural levels, relatively equal and with limited distinction. Such findings supported the assumption that security and facility professional lack robust understanding of BACS vulnerabilities. In contrast, Integrators (Vender, Installers) and cybersecurity professionals displayed a divergent and more accurate understanding of BACS vulnerabilities and their organizational significance. This group rated higher criticality of attacks against the Automation equipment and its network, demonstrating that they hold a higher level of BACS technical understanding that can be drawn on by organizations to achieve BACS security. Therefore, to manage the security of BACS requires information technology or cybersecurity professionals within, or integrated with, the facilities and security departments. Such professionals may be in-house information technology or cybersecurity professionals, or “third party” contractors, such as Integrators. Half of the project participants reported BACS had integrated security systems, which is likely to significantly increase in the future. Nevertheless, findings indicate diverse views on the types of integrated security systems, directed by the professional being asked. The understanding of integration between security and facility professionals lacks definition or common understanding, leading to misunderstanding and therefore, further siloed view of associated security risks. Integration remains technically and functionally broad and undefined, with diverse views on meaning depending on one’s occupational role. There is a lack of common understanding and clarity of language with BACS terms and practices. BACS risks are contextual, aligned with the facility’s threat and their functional criticality. Nevertheless, as with all security vulnerabilities, there are generic mitigation strategies that can be taken to protect these systems. Furthermore, BACS vulnerabilities are abstract and without context, making it difficult for practitioners to understand and mitigate. Therefore, the BACS Guideline (see Appendix I) was developed as a tool to aid professional decision-making. Security and facility professionals can address security related BACS questions to gain a level of assurance in protecting their organization or make informed decisions to accept risk without treatment. Finally, the security and facility professional’s lack of understanding and application of security zones was identified. The BACS Guideline has to be applied across many different built environments, with different threats and organizational criticalities and therefore, uses security ii | Page zones in its security questions. However, many of the professionals had a limited understanding and practice of designing and applying security zones as a defense in depth method. RECOMMENDATIONS Across the security and facility professions, the project identified a number of key recommendations: • Promote greater awareness of BACS and its threats and risks posed to the organization. However, such awareness has to be sound, easy to read and understandable to non- technical people. • Improve cross-department liaison, using strategies such as a BACS working group chaired by facilities and with membership from security, cybersecurity and other relevant stakeholders. • Build partnership with BACS experts, namely Information Technology and cybersecurity professionals, and Integrators. These professionals may be in-house or “third party” contractors. • Provide a guideline that is simple to read and apply as an aid to security and facility professionals
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages220 Page
-
File Size-