Fast accesses

11. – 15.3.2019 (Monday – Friday), Frankfurt am Main

IT security in building automation


The revelations of former NSA employee Edward Snowden have fundamentally changed public awareness in Germany of data security - and IT security in general. The issue has now also become relevant to building automation.

Modern building automation networks are frequently advertised as being 'open' and as having “easy-to-use remote control”.

But 'Stuxnet' has now provided the first example we have seen of malware, whereby a manufacturer's automation system has been the target of a cyber-attack via a dedicated application. Similar controllers are also used in the automation of building services. There exists, therefore, in this area too, a possibility, in principle, of these being attacked. The threats are many and varied as are the possibilities for combating them in current building automation systems (BAS).

Joint responsibility for the security of automated buildings is shared between:

  • The manufacturers, who must offer suitable – that means secure – automation products and services.
  • The planners and contractors who provide the demand for these technologies
  • The users / operators of buildings that employ them

With building services technology and IT, two different worlds meet one another. In a building, the average life cycle of the components and automated elements of the switching modules, room control units and operating devices is around fifteen years. In the IT world, it is generally accepted that components will already need replacing after about five years. The IT security standards of ten years ago are today considered, in the IT sector, to be inadequate. As a result, building automation components cannot always meet the current security standards. The question remains: do they really need to?

The fundamental concept behind an automated building is the responsibility of the contractor and the specialists who do the planning. It is in their tenders and specifications that the technical requirements are defined and interrogated. And it is at this point that the expected security standards are set out. A risk analysis of the specific project provides the basis for an estimate of the real threat to the automated building. If, for example, only the heating, air-conditioning and ventilation systems are connected, then there are bound to be fewer risks involved than, say, if access control, gate opening, invoicing of consumption or refrigeration control for stored products are included in the automated system. Judgements need to be made about the following:

  • Which groups of people need access to the central building automation control systems via which operating devices and dial-in equipment and from where?
  • What is required for fail-safe and secure operation of the equipment?
  • What effects are potential system failures likely to have on the safety and security of people and productivity in the building?

Requirements of building automation

For a long time now, automated units and SPS controllers have contained sector-specific mini computers with special, embedded operating systems. They represent cost-effective hardware that performs the requisite monitoring, regulatory and control functions locally in the system, using energy-efficient regulatory algorithms. For this, it is vital that information is exchanged, i.e. that all the components are networked together. The trend for intelligent field devices and modules, which can assume a process-controlled regulatory or communicative function, continues. Mobile end devices, such as smartphones, increase expectations of operational functionality and visualisation of building automation systems (BAS). And the desire for solutions that are independent of time and space also grows. Modern integrated BAS, already offer the possibility of accessing them through intuitive operating interfaces using standardised IT communications protocols and web-server technology. These web servers can be built into local automated units, gateways, pumps, management systems and sensors. Like the internet, they mostly use the HTTP protocol. As a result, they are well suited to use cross-platform standard browsers as their means of access. Such solutions can be employed in separate, independent BAS networks without internet access. But, depending on the BAS concept, it is not necessary for the system to have its own access to all individual components via individual web servers. They thus represent an unnecessary security risk. For field devices and gateways, the web servers often serve only as a convenient way of more easily assessing the whole system when it is commissioned, which is why they must be capable of being switched off.

Encrypting communications and limiting access

Once you leave your own BAS network or if internet access is available, then the HTTP protocol is no longer adequate, as all the network components that are used for the transmission of data such as switches, routers and communications servers could simply read and manipulate all the information that has been transmitted – including even login details and passwords. At this point the HTTPS protocol, also the one used by online shops, is to be preferred.

As well as using encryption technologies, it is also necessary to limit access to data communication (both physical and via dial-in) in such a way as to allow access to the BAS or its network only to an authorised group of people, with appropriate authority to gain such access. Scada (= supervisory control and data acquisition) and web servers of automated local units must, therefore, have at their disposal suitable authorisation profiles, adapted for a variety of individual user groups, ranging from guest access to administrator.

Access to the BAS must be possible only via a personalised login consisting of user name and password. With regard to the requirements of appropriate passwords, the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnologie – BSI) offer some useful guidance ( Under no circumstances must there be any immutable system passwords for service and maintenance access. Any standard passwords used by the manufacturers or installers should be changed immediately. Commissioning reports and training in the use of the BAS must also be completed and all guidelines for working in and around any areas covered by the BAS company must be observed.

Automation units and management software systems should be capable of recording personalised data of user activities. The aim of audit-trail functionality is to provide unbroken traceability as far as operation of the system is concerned. To this end, any manual changes to switching stages within the system, time programming or alterations to the regulatory parameters must be clearly documented in such a way as to be tamper-proof.

Limiting IT functions

Firewall protection constitutes another established standard for IT computer systems. All BAS products, which are, for example, connected directly to an ethernet network for BACnet/IP communications, must also have implemented these security functions. Any data transmission to or from a device in the automated systems using a standardised FTP data transmission protocol (File Transfer Protocol) will be consistently blocked by a firewall at the automated devices of most manufacturers. Programmes for BAS applications are mostly transmitted to automated units exclusively via proprietary, company-specific software. This transmission can, additionally, be protected by a dedicated password.

In the latest BAS networks, communication of individual components at the levels of management and automation is increasingly effected via sector-specific, open communications protocols. The use of such sector based standards provides the building's users and operators with a defined and tested range of functionality and an independence from any particular manufacturer when it comes to servicing and extension, as well as with regard to future modernisation of the system. Thus, for instance, the BACnet/lP protocol communicates via a standard ethernet infrastructure, whereby devices from different manufacturers can exchange data quickly and directly between themselves. These advantages are offset by the defined open structure of the communications. As in the case of the HTTP protocol, the data exchange which takes place in this situation is also unencrypted. If a variety of people, such as operators or various different manufacturers, have access to a network of this kind, then it inevitably involves risk. In principle, the communication can be read by network analysers and, with the right tools, addresses and settings in any or all of the controllers can be changed. The BACnet community is working on security standards for future generations of BAS. Meanwhile, there is a conceptual objection to manufacturer-specific BACnet/lP security solutions, as such individual solutions go against the idea of open protocols and, at the end of the day, may well not be in the interests of the users.

Deliberate manipulation can, if the situation arises, also be achieved via an installed level of emergency operation at the main control panel. To protect against this, access to the technical rooms or emergency operation facilities should be locked and thus physically blocked. In similar vein, possibility of access to BACnet / IT communciation should be restricted to only as many authorised persons as is necessary.

Separation of IT and BAS

In order to limit opportunities for access to BAS networks, it is recommendable to separate all standardised BACnet/lP communications from any general communications network. This separation can be achieved either logically, through the use of Virtual Local Area Network (VLANs) with managed switching, or through physically separate infrastructures (networks). In situations where a common network infrastructure is used for both BAS and office communications, interfaces, support services and reaction times should be unambiguously agreed with the network operator.

Together with the requisite services, the careful and responsible choice of additional hard and software IT components completes the picture for the modern BAS, and can thus also make it possible to access the entire installation at a distance for remote maintenance, remote optimisation or remote operation. For this, a system of secured access via a virtual private network (VPN) should be installed. Suitable concepts for the use of these VPN connections have been and are being worked on by BAS manufacturers.

Evaluating the risks, increasing knowledge and understanding of the installation

New IT technologies offer lots of interesting possibilities in the field of building services automation. These are very much in demand and should, indeed, be used for efficient, modern BAS installations. A careful assessment of the opportunities and risks described is absolutely necessary for each project on a case-by-case basis. There are a host of possible ways of securing the building automation system from unauthorised access. To complement the German Office for Information Security's (BSI) catalogue of basic protection measures, the German Mechanical Engineering Industry Association (VDMA) has described, in the VDMA Guidelines 24774, the major ways of increasing IT security in the automation of building services. The greatest danger lies in BACnet communications networks, but probably not from deliberate manipulation with criminal intent; the causes of faults are frequently to be found in a lack of understanding and knowledge of the installation or lack of compatibility / incorrect set-up.

  • off icon facebook

    2 Klicks für mehr Datenschutz:
    Erst wenn Sie hier klicken, wird der Button aktiv und Sie können Ihre Empfehlung an Facebook senden. Schon beim Aktivieren werden Daten an Facebook übertragen.

  • off icon twitter

    2 Klicks für mehr Datenschutz:
    Erst wenn Sie hier klicken, wird der Button aktiv und Sie können Ihre Empfehlung an Twitter senden. Schon beim Aktivieren werden Daten an Twitter übertragen.

  • off icon google plus

    2 Klicks für mehr Datenschutz:
    Erst wenn Sie hier klicken, wird der Button aktiv und Sie können Ihre Empfehlung an Google+ senden. Schon beim Aktivieren werden Daten an Google+ übertragen.