Cyber Security of Building Automation Control Systems
The 21st century has seen an increasing emphasis on better control of physical access to buildings and of the environment inside them. This has led to increasing deployment of Building Automation Control Systems (BACS). Vendors like Siemens, Johnson Controls and Honeywell provide products that automate the monitoring and control of the different spaces in a building. For example, such controls facilitate the real-time optimization of energy usage and air quality in response to changing space occupancy. Often, and increasingly so, these systems are connected to other systems like HVAC control and electrical power management, and to external systems like corporate networks and payment processing systems. In general, BACS change slowly and, like many control systems, are not included in regular management monitoring and oversight. Thus, once an intruder gets into the BACS, they could stay in the network for months or even years. Besides manipulating HVAC elements such as building temperature, humidity and air quality, intruders can also use the BACS as a gateway to navigate to other corporate systems and cause even more damage. Clearly, there is a need to cyber-protect your BACS and connected systems.
The above figure provides a typical BACS architecture, showing some of the interconnectivity between BACS and corporate networks. Buildings such as data centers and pharmaceutical production facilities rely heavily on automated environmental controls and optimal energy consumption. The increased need for efficient and economical regulation of environmental parameters makes the deployment of BACS vital to these facilities. We have noted that many BACS are managed by facilities managers who do not have cyber security skills. Further, these systems change slowly, which makes monitoring them a low priority for the cyber security team. The vulnerability of Building Automation Control Systems to hacking, manipulation and reduced effectiveness can be reduced using SCIT's rotation-based approach.
Examples of environments where SCIT is particularly effective include:
- BACS that are connected to other critical systems, such as Payroll Processing, and can serve as an entry point for intruders.
- Systems that control critical processes, such as those in pharmaceutical production facilities, where compliance with FDA regulations and financial exposure are major concerns. An attack on a Merck facility, for example, resulted in production being halted for more than a month.
- In a similar vein, SCIT can protect electric utilities, which need to ensure grid control systems are compliant with NERC regulations. This is in addition to protecting systems that control facilities providing other functions such as power production.
Return to government service
6 years ago: These are very important concepts well stated. This is an area where infrastructure architects and "structure" architects must cooperate and collaborate to provide cyber physical resiliency in the face of insidious threats or the cascading effects of lesser, indirect threats. The healthcare industry needs these types of capabilities, for a life or death example.
Revolutionizing Clinical Trials with AI Powered Patient-Centric Software Solutions | #BridgingRare
6 years ago: Very thoughtful and informative article. How does the SCIT solution work here? Is it a software installation on a BACS server? Or is it some kind of a network crawler?
Chief Information Officer Consultant
7 years ago: Setup for schools?