IT security in building automation - What contribution does BACnet make?

System disruptions can occur from both internal and external sources. Internally induced disruptions of availability, integrity, authenticity, and confidentiality affect the fundamental operational safety of the infrastructure. Externally induced disruptions typically involve sabotage, espionage, or unauthorized access.

The usual points of attack on automation systems are primarily at the automation and management levels of a building, rather than at the field level or the higher levels in technical building management. Therefore, there is a particular need for action here.

Regulations for IT security in building automation

In Germany, the basic regulations are the standards and the basic protection compendium of the Federal Office for Information Security (BSI). The basic protection modules Infrastructure for Building Management (INF.13) and Building Automation (INF.14) are mandatory for federal authorities and operators of critical infrastructures (information at www.bsi.de). The VDMA 24774 (2023-03) describes the current requirements for IT security in building automation (guidelines for building automation) and EU Regulation 2016/679 provides information on the General Data Protection Regulation for the protection of personal data in building automation).

However, there is no 100% IT security for building automation either. The precautions to be taken in the field of building automation must be derived from a risk analysis for the respective use. The BSI standards and basic protection compendium identify the following threat situations as particularly significant for building automation:

Inadequate planning of building automation, for example, due to lack of redundancies or high complexity of the collaboration of different trades. Faulty integration of TGA systems into building automation or faulty configuration of building automation. Use of insecure systems and protocols in building automation, such as the "old" BACnet protocol, as well as KNX or ModBus. Manipulation of interfaces of independent TGA systems to building automation (for example, via a manipulated fire alarm that opens all doors).

Deficiencies in Technical Building Management (TGM) as sources of risk

Lack of basic IT security for TGM planning, as, for example, the operators are often not yet determined during planning. Lack of documentation in TGM leads to uncertainties about the status quo of IT security. Conscious or unconscious compromise of interfaces with TGM, especially when protected areas are connected to TGM, such as intrusion or fire alarm systems. Inadequate monitoring of TGA, so that, for example, system-critical malfunctions are not recognized. Inadequate role and authorization management (e.g., several people share a user account). In addition, there are the long life cycles of building technology systems, which require a special degree of forward-looking planning of GA systems and a strategic approach. The following requirements should therefore always be taken into account when planning GA systems.

Specifications for the planning of GA systems

Encrypted data transmission/communication (BACnet/SC, KNX-Secure, etc.). Deactivation of all unnecessary services and accesses from the factory ("hardened" devices and software) including documentation of the used ports. Management software with functions for recording user activities (Audit Trail). Acceptance of the GA system only with the latest firmware (automation stations) or software version (BBE, MBE), at least all security-relevant updates, especially the current patches from Windows as well as the current versions of the software systems.

Specifications for the implementation and execution of building automation systems

Setting up physically or virtually separate IP networks for building automation, including securing particularly vulnerable network segments with firewalls. Secure access for remote maintenance. Establishment of a backup concept for automation stations and management level, including instructions for recovery. Physical securing of switch cabinets, technical rooms, etc., including deactivation of USB or Ethernet access. Malware protection and the latest security patches for engineering tools. Project-specific adjustment of access permissions and password changes (especially on automation stations, BBE, MBE), activation of auto-logoff functions. Further hardening of systems by deactivating or deleting all unused services, physical accesses, user accounts, processes, and programs (especially on automation stations, BBE, MBE), activation of auto-logoff functions. Creation of work instructions and behavioral instructions for the permanent maintenance of IT security by the installer (SOP = Standard Operating Procedure). Creation and handover of a GA network documentation with model designations of the components, MAC addresses, installation location, and firmware version levels. IT security training for operators.

Specifications for the operation of GA systems

Individual usernames and passwords. Regular security-relevant updates/upgrades (especially of PCs, servers, and routers), ensuring that updates are only downloaded unaltered from sources with a certificate. Regular backups of system programming, configuration, configuration changes of the MBE software, and stored operating data. Ensuring compliance with work instructions and behavioral instructions, including regular updating of the IT security concept as part of the maintenance of the GA system. Regular IT security training.

Summary

Even in building automation, there is no 100% security for availability, integrity, authenticity, and confidentiality of data. However, by specifying and observing simple technical and organizational measures, a good level of security can be achieved. The consistent use of BACnet is just one, albeit important, component for greater future security. In summary, the following 5 tips:

Determine the protection requirements for each building based on a risk analysis. This must be done jointly by specialist planners, clients, and operators. Be aware that GA systems are particularly vulnerable in terms of IT security, with the greatest risks currently arising from the connection of building automation to the Internet, e.g., due to cloud computing. Based on a security concept, make specific IT security specifications for planning, implementation, and operation based on VDMA 24774. Also, in view of the increasing use of cloud computing, encrypted protocols such as BACnet should be required for newly constructed GA systems and for the renovation of existing GA systems. Issue work instructions and behavioral instructions (policies) for damage prevention and damage mitigation. Agree on software maintenance and system maintenance to regularly close known security vulnerabilities. As part of regular maintenance, not only check compliance with policies but also the currency of the security concept."