Securing Intelligent Building Management Systems (IBMS): Where to Start
Whether we’re depending upon the IoT or the networks that link them, our worlds are increasingly connected – and increasingly more vulnerable to cyberattacks. The SIA, in partnership with the ASIS FoundationTM and BOMA International, recently produced a report warning against security weaknesses in Intelligent Building Management Systems (IBMS), which rely on the IoT and the networks that connect them. The report also recommended measures to take to protect buildings now. Titled “Building Automation & Control Systems: An Investigation into Vulnerabilities, Current Practice & Security Management Best Practice,” it provides a smart roadmap for identifying and fixing IBMS vulnerabilities.
IBMS is a swiftly growing industry. By 2022, experts expect it to reach $104 billion. Right now, it’s moving at a rapid clip of 15 – 34 percent growth each year, fueled by demand for less maintenance, more control and operability and greater energy efficiency. As the IoT continues to explode, IBMS can potentially achieve even greater growth, especially in the residential market. Additionally, with increased pressure to build environmentally friendly buildings, IBMS has an important place at the table. Commensurately, the intelligent building security market is also exploding, with 31 percent growth per year. This will equate to $59B+ by 2023.
How Do IBMS Work?
The systems are known by various names, including Facilities Management System, Building Management System, Intelligent Building, Smart Buildings, Building Automation System and Intelligent Business Management Systems. Whatever their name, they all function the same way, as automated building systems that pull together the many building functions and information flow processes into one central decision point.
IBMS incorporate a widespread gamut of technologies and scopes. A home heating system is one small example. A more complex system like a high rise Smart Building would integrate several systems, including lighting, elevators, HVAC and life safety systems, along with administrative, business and maintenance functions. Of course, security is becoming an increasingly sought after component, in the form of surveillance cameras, access control and intruder detection.
An IBMS is a modular system that can be scaled up or down, and there are three levels of integration that control it:
- Management Level: This is where the human interface lives. The management level controls the system using workstations, servers and network switches that can manage one room or can operate a larger facility system, overseeing both the plant and its equipment with lighting control, energy management and maintenance.
- Automation Level: These are the primary control devices like routers and controllers that are networked through controllers and use open-source communication; they provide the interface between the user interface and the field devices.
- Field Devices Level: These are the sensors or activators that measure equipment, like temperature sensors, valves, light switches, fans and PIR detectors.
Since several systems must be integrated, proper connectivity is key. Although there’s no one protocol, many systems rely on LonWorks, Internet Protocol, BACnetTM and Hypertext Transfer Protocol (HTTP). This is where security vulnerabilities can creep in.
How Secure Are IBMS?
These systems have a number of upsides, namely decreased operating costs, increased control, monitoring and operability and government regulation; however, security professionals aren’t always prepared for their inherent security risks. In fact, the SIA report discovered a disconcerting disconnect between the perceptions of threats in this industry and the reality. Since it’s a new and burgeoning field, there aren’t standards in place and many strategies remain siloed, so they require a holistic approach. Like other security risks, IBMS vulnerabilities must be addressed by all stakeholders.
What do these vulnerabilities look like? The systems are designed to be automatic and responsive, so in a residential building, an IBMS will come to life when a resident uses his access card to enter his building. The system will open the doors and set the lighting to his predetermined levels, then turn them off as he enters another space, thereby saving energy. On the commercial side, an employee’s smart phone could serve as a credential to grant him access, thereby capturing information about the employee’s arrival time. His cashless interaction with the parking garage could be automatically deducted from his paycheck, which is linked directly to that system. You can start to see the serious security issues that might arise from these convenient connections, both on the physical and cyber sides.
How can you mitigate the risks associated with maintaining an IBMS? The SIA report recognizes five levels of severity, ranging from Low Level to Moderate Level to High Level to Extreme Level to Critical Level risks. The most effective way to determine your specific risk it to identify your criticality level, check off the items that you’ve already addressed, and use the rest of the items as a checklist to be assigned to the correct person/people in the future.
As with any networked system, constant vigilance is key. If you need more information on securing your networks or other systems, contact us here. We can help you identify and eradicate these growing threats.