A Summit to advance BAS cybersecurity
For the second year, the New Deal for Buildings is organizing a Cybersecurity Summit at AHR Expo. The event is designed to gather BAS leaders and facility practitioners to discuss and chart the way forward for the adoption of comprehensive cybersecurity policies, practices, and technologies in the BAS industry. Sponsors of this event are made up of the leading companies and organizations advocating for better cybersecurity in building automation systems.
The Summit comes at the heels of the release of BACnet/SC, a critical component to securing BAS networks.
10. Historical Timeline for Building Automation Security
[Timeline figure; only the labels survive extraction. Years on the axis: 1820, 1926, 1973, 1983, 1995, 1999, 2002, 2004, 2009, 2019, 2020. Milestones shown: Mechanical & Pneumatic Controls; Central Heating; Air Conditioning; Arab Oil Embargo; Mini Computer Control; Direct Digital Control; BACnet Started; BACnet IP Annex J; BACnet Manufacturer's Association; BTL Listing Begins; BACnet International Founded; BACnet Addendum G; Security Through VPNs & VLANs; CISCO/Cimetrics Begin IT Friendly Security Initiative; BACnet IT Working Group Founded; BACnet SC Released; BACnet International BACnet Secure Connect Interoperability Acceleration Program; Secured by Cimetrics; Early Access Consensus Process.]
11. More: Cybersecurity Threats
NIST Interagency Report 7621, revision 1 | Small Business Information Security: The Fundamentals, section 2.1
● Phishing attacks
● Ransomware
● Imposter scams
● Environmental events
● Lateral attacks
Credit: NIST
12. The framework is divided into three parts: "Core", "Profile" and "Tiers"
• "Core" contains an array of activities, outcomes and references about aspects and approaches to cybersecurity.
• "Framework Implementation Tiers" are used by an organization to clarify for itself and its partners how it views cybersecurity risk and the degree of sophistication of its management approach.
• "Framework Profile" is a list of outcomes that an organization has chosen from the categories and subcategories, based on its needs and risk assessments.
NIST Cybersecurity Framework ("Framework for Improving Critical Infrastructure Cybersecurity"):
• Provides a continuous process for cybersecurity risk management
• For organizations of any size, in any sector, whether they have a cyber risk management program already or not
• Has proven useful to a variety of audiences
Credit: NIST
14. Cybersecurity Framework Functions
IDENTIFY: "Develop the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities."
PROTECT: "Develop and implement the appropriate safeguards to ensure delivery of critical infrastructure services."
DETECT: "Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event."
15. Cybersecurity Framework Functions
RESPOND: "Develop and implement the appropriate activities to take action regarding a detected cybersecurity event."
RECOVER: "Develop and implement the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event."
SUMMARY
Call to Action!
16. ISA Secure/IEC 62443
Image: Gilsinnj, own work, previously published by the ISA99 Standards Committee, CC BY-SA 3.0
ISA/IEC 62443 is a series of Cybersecurity Standards for Industrial Automation
18. What does Cybersecurity Cost and Who is going to pay?
● Buildings and equipment are capital assets
○ Capital is only allocated for buildings when they are built or sold
○ The lifetime of buildings and mechanical systems is at least 30 years
● Information technology is an ongoing operating expense.
○ The lifetime of IT equipment is 3 years
19. What is the cost of NOT having Cybersecurity?
Credit: IBM Security
20. IT/IS Versus OT/CS Budgets and Devices
DoD Budget ($): IT / IS 30,000,000,000; OT / CS 2,000,000,000
DoD # of Devices: IT / IS 8,000,000; OT / CS 150,000,000
Credit: Michael Chipley / ESTCP Bootcamp / DoD
Who will pay?
21. The path forward: NOT business as usual
● BACnet International
○ Support rapid implementation of BACnet/SC by OEMs
■ Reference code and test devices
○ Accelerate BTL testing of BACnet/SC compliant products
● Secured by Cimetrics - Holistic Cybersecurity
○ One-Step Device Onboarding
○ Device & Cert Management
○ Interoperable Configuration
○ Secure Backup/Restore
○ Secure Firmware Updates
○ Enable IT monitoring
25. Overall Objectives
● Know what systems you have
● Understand the risks to the organization
● Establish policies and procedures to manage risk
● Assess risks and identify business impact
● Move from assessment to risk management
26. Asset Management
● What are the systems?
○ Building Automation
○ Lighting Control
○ Elevators
○ Access Control
○ Video Surveillance
○ … and many other possibilities
● High level attributes for each system type
○ Manufacturer
○ Model
○ Installing contractor / service provider
○ Network
○ Software Revision
27. Business Environment
● How dependent is the organization on the functioning of its control systems?
● Understand what services and functions must be in place in order to respond to a cybersecurity attack / incident
● Define the organization’s role relative to the supply chain (i.e. who owns the problem and the response)
28. Governance
● Define and communicate the organization’s cybersecurity policy
● Establish roles and responsibilities both internally and externally
● Understand legal and regulatory requirements
● Cybersecurity processes align with the potential risks
• “…80% of breaches are because of lack of basic processes, policies and procedures and employee/vendor mistakes.” (www.itgovernance.co.uk)
29. Risk Assessment
● Identify Control System Vulnerabilities
○ Out-of-date Software
○ Physical Location
○ Users improperly configured
○ Non-application software running on servers
● Identify Internal and External Threats
○ Malware
○ Hackers
○ Rogue Employees
● Identify business impacts and likelihoods
○ Downtime
○ Equipment damage
○ Compromised building access
30. Risk Management
● Risk Management Processes are Defined and in Place
○ Monitoring Systems (both manual and automated)
○ System and Supplier Audits
○ Life Cycle Management
○ Security Release Awareness
○ IT and OT Coordination
● Risk Tolerance and its Impact by System Type
31. Supply Chain Management
● Cybersecurity processes are defined and stakeholders identified
● Suppliers undergo risk assessment, with criteria incorporated into contracts
● Suppliers are routinely audited to ensure compliance
The cybersecurity supply chain management challenge is fundamentally more complicated in the building controls industry:
○ Highly fragmented
○ Follows the construction value chain
○ Day-to-day operations largely depend on contractor involvement
35. Why do we need to protect BAS systems?
● They are mission-critical systems in many buildings.
Therefore they are potential targets of cyber criminals.
● A compromised BAS can also be used to attack interconnected systems.
36. What should we protect?
● From the Identify function activities the building owner should determine:
○ What are the assets that make up the BAS?
○ Physically where are those assets?
○ How are the assets connected to networks?
● Use a risk assessment to prioritize protection activities.
37. Protect - from the NIST Cybersecurity Framework
● Identity Management and Access Control
● Awareness and Training
● Data Security
● Information Protection Processes and Procedures
● Maintenance
● Protective Technology
44. How does BACnet/SC help protect BAS systems?
● A device must have a properly signed digital certificate to join a BACnet/SC
network.
● All BACnet/SC network traffic is encrypted.
45. Discussion
● Identity Management and Access Control
● Awareness and Training
● Data Security
● Information Protection Processes and Procedures
● Maintenance
● Protective Technology
49. Detect: Three Main Functions
Per the Framework:
● Detect Anomalies and Events (in a timely fashion)
● Continuous Monitoring (threats are always there)
● Maintain Processes and Procedures (exploits are always changing)
These need to be done at different levels:
● Different types of attacks and detection methods are needed at different levels
● Requires a cross-functional team approach
Defense in Depth
50. Detect: What to Detect?
Similarities with IT/OT Systems:
● Malware installed or being executed
● Multiple failed attempts to login
● Unusual traffic patterns or user activity
● Attempts to cross segmented network boundaries
Differences for OT Systems:
● Attacks use much less data
● Attacks use small commands to do big (and BAD) things
Need to know the system's specifications and requirements
51. Detect: Continuous Monitoring
Automated Tools:
● Keep everything up to date
● Ensure configuration is correct
● Use the right tool for the right job
Manual Tools:
● Audit log inspection
● Verification of Process Results
Security Detection Also Helps to Verify Operations
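The three behaviours slide 50 lists (repeated failed logins, flows crossing the IT/OT segmentation boundary, and small commands with large physical effect) and the audit log inspection of slide 51, worked as an added example that is not from the presentation: a small detector run over constructed audit lines. The log format, the network segments, the operator allowlist and the thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Segments, allowlist and thresholds are assumptions for this example, not from the slides.
IT_SEGMENT = ip_network("10.20.0.0/16")               # office / IT network
OT_SEGMENT = ip_network("192.168.50.0/24")            # BAS controller network
OPERATOR_WORKSTATIONS = {ip_address("192.168.50.2")}  # hosts allowed to write setpoints
FAIL_THRESHOLD, FAIL_WINDOW = 3, timedelta(seconds=60)

# Constructed sample audit lines in an assumed "timestamp key=value ..." export format.
SAMPLE_LOG = """\
2020-02-04T09:00:01 src=10.20.5.14 dst=192.168.50.10 event=login result=fail user=admin
2020-02-04T09:00:03 src=10.20.5.14 dst=192.168.50.10 event=login result=fail user=admin
2020-02-04T09:00:05 src=10.20.5.14 dst=192.168.50.10 event=login result=fail user=admin
2020-02-04T09:00:07 src=10.20.5.14 dst=192.168.50.10 event=login result=fail user=admin
2020-02-04T09:00:09 src=10.20.5.14 dst=192.168.50.10 event=login result=success user=admin
2020-02-04T09:01:00 src=10.20.5.14 dst=192.168.50.21 event=write object=AV:3 value=35.0
2020-02-04T09:05:00 src=192.168.50.2 dst=192.168.50.21 event=write object=AV:3 value=21.5
"""

def parse(line):
    """Turn one audit line into a dict; the parsed timestamp goes under 'ts'."""
    ts, rest = line.split(" ", 1)
    rec = dict(kv.split("=", 1) for kv in rest.split())
    rec["ts"] = datetime.fromisoformat(ts)
    return rec

def detect(log_text):
    """Return (rule, src, detail) alerts for the behaviours slide 50 lists."""
    alerts, fails, seen_pairs = [], defaultdict(list), set()
    for line in filter(None, log_text.splitlines()):
        rec = parse(line)
        src, dst = ip_address(rec["src"]), ip_address(rec["dst"])
        # Rule 1: repeated failed logins from one source inside a short window.
        if rec["event"] == "login" and rec["result"] == "fail":
            fails[src] = [t for t in fails[src] if rec["ts"] - t < FAIL_WINDOW] + [rec["ts"]]
            if len(fails[src]) == FAIL_THRESHOLD:   # fire once, when the threshold is hit
                alerts.append(("failed-login-burst", str(src), rec["user"]))
        # Rule 2: a flow crossing the IT/OT segmentation boundary (reported once per pair).
        if src in IT_SEGMENT and dst in OT_SEGMENT and (src, dst) not in seen_pairs:
            seen_pairs.add((src, dst))
            alerts.append(("cross-segment", str(src), str(dst)))
        # Rule 3: a tiny write command from an unexpected source: few bytes, big effect.
        if rec["event"] == "write" and src not in OPERATOR_WORKSTATIONS:
            alerts.append(("unexpected-write", str(src), f"{rec['object']}={rec['value']}"))
    return alerts
```

On the constructed sample, detect(SAMPLE_LOG) returns four alerts: the IT host reaching two OT controllers, its burst of failed logins, and its setpoint write; the write from the allowlisted operator workstation is not flagged.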
52. Detect: Maintaining Security
● On-going Commissioning
● Additions & Changes to the System Require Security Reviews
● Continual Training
53. Detect: Questions
● Experience involving IT & OT together?
● Experience with other types of attacks/exploits?
● Experience with on-going commissioning or analytics?
● What logged items are helpful?
● Aware of Automated Tools?
57. Respond
● NIST defines respond as "Develop and implement appropriate activities to take action regarding a detected cybersecurity incident".
1/8/2020 New Deal - AHR Show Orlando, FL Tuesday Feb 4, 2020 57
58. ● "The Respond Function supports the ability to contain the impact of a potential cybersecurity incident. Examples of outcome Categories within this Function include: Response Planning; Communications; Analysis; Mitigation; and Improvements".
59. ● Here are the parts of the Respond function and their importance:
● Response Planning: Response processes and procedures are executed and maintained, to ensure timely response to detected cybersecurity events.
● Analysis: Analysis is conducted to ensure adequate response and support recovery activities.
● Mitigation: Activities are performed to prevent expansion of an event, mitigate its effects, and eradicate the incident.
● Communications: Response activities are coordinated with internal and external stakeholders, as appropriate, to include external support from law enforcement agencies.
60. ● Improvements: Organizational response activities are improved by incorporating lessons learned from current and previous detection/response activities.
● When breaches occur in companies, an incident response plan is critical to manage the immediate aftermath. Surprisingly, lots of organizations don't have an incident response plan, or just haven't tested the plan that they have in place.
● Your Response Plan: Make sure that you're reporting breaches if they occur.
● Mitigate: Make sure you have a plan to mitigate any event that could occur, in house and with third parties.
● Analyze: Go over your plan with experts inside and outside of your team.
64. A Scenario
● Alert - Your Building (or Campus of Buildings) is Acting Strangely!
○ Temperature Controls unresponsive
○ Security badging systems not working
○ Cooling systems for data center inoperative, shutting down data center
○ Elevators not working - people trapped
● After analysis, malware has affected your IT and OT networks!
○ Initial malware weaponized infrastructure (AD instances) that spread infections to systems at login time
○ Secondary malware attacked connected BAS systems
○ Malware had been dormant for months before being activated
● People want answers!!
○ Customers, tenants & stakeholders angry
○ Local media is here and “want to ask you a few questions.”
○ And... your communication systems are also down: email systems, VoIP systems
65. What’s Involved in the Recover function?
● Recovery Planning
○ You need to have a plan & you probably haven’t thought out how complex this plan needs to be
○ Your plan must have enough detail so that members of your team can execute it for various scenarios
○ People typically don’t make complex decisions on-the-spot very well during stressful conditions; they need to be prepared in advance
● Communications
○ How do you communicate to your internal stakeholders? Your customers? The media?
○ Who will need to be involved in crafting communication?
○ What communication can you pre-plan NOW vs. in the heat of the moment?
● Improvements
○ Identifying Lessons Learned & Adapting your process, not just for recovery, but in the functions of identify, protect, detect, and respond.
66. How Do You Recover Technical Functionality?
● How do you begin the process?
○ What takes priority?
○ Have you done a prior dependency analysis and criticality analysis, and do you understand your SLAs, so you can determine which systems to bring online first?
○ Are there interim approaches that you can apply to restore partial services?
● Is the threat over, or is it still active?
○ Too many times, we jump to recovery without addressing the issue, which can then repeat itself (e.g. not eliminating the threat or not mitigating how it came in)
● In recovering individual systems, have you planned for:
○ Recovering from hardware failure?
○ Restoring from backups of individual systems and their components?
■ Not just backups of your logic, but operating systems, filesystems, the works!
○ Restoring your communication systems so that you can respond?
● What people will be involved & what groups will you need to coordinate with?
○ Management? Who from OT? Who from IT?
67. Communication - It’s Complex!
● Communication often has legal, regulatory, and reputation impacts
● Who will you need to work with & coordinate with?
○ You most likely need to work closely with Marketing Communications, Legal, and Executive before you communicate with your customers
■ What communications can you plan in advance of an attack?
● What’s Your Message?
○ To customers? To stakeholders? To shareholders? The media?
○ What’s the plan?
○ What systems will be restored, and when?
● How will your organization technically communicate?
○ Do you have alternative channels of communication?
● Who will do the communication?
68. How To Prepare, Test & Execute Your Plan
● CISA US-CERT Cyber Resilience Review (CRR): https://www.us-cert.gov/resources/assessments
● NIST CSF (& References!): https://www.nist.gov/cyberframework/recover
● Using these references as a guide, gather stakeholders and draft a plan.
● Think through scenarios and see if your plan addresses them
● Do tabletop exercises with those who will be involved, walking through scenarios
● Best practice: Red team/Blue team exercises
● Finally, when you do execute the plan, apply lessons learned to your entire process.