Building Management System Vulnerabilities - Term Paper Example

Summary
The paper "Building Management System Vulnerabilities" is an outstanding example of a term paper on management. A Building Management System (BMS) is fundamentally an installed computer-supported control system in buildings…

Extract of sample "Building Management System Vulnerabilities"

Building Management System Vulnerabilities

Name: Tutor: Course: Date:

Executive Summary

Building Management Systems (BMS), also called Intelligent Buildings (IB), are building-wide control systems that connect, control, and monitor a facility's systems, associated subsystems, and equipment and plant. These systems support the flow of information across the building and provide more advanced business telecommunications and automation services. In doing so, they allow maintenance, automatic control, and monitoring of the building's services or subsystems to be managed in an integrated and optimal way, remotely and/or locally, with enough flexibility to let future systems be added simply and economically.

The scope of vulnerability testing ranges from basic to sophisticated technological and physical attacks, which together build an understanding of BMS vulnerabilities (Schneider & Rode, 2010). The manager works through a list of discrete steps within an evaluation methodology. The most significant validated vulnerabilities are attacks on the automation level networks, physical access at the management level, and attacks against Controllers. Another is the BMS's dependency on power to maintain capability. Wiretapping the network offers valuable insight into what is occurring in the system (CIBSE, 2000). Access to the network is facilitated by access to Controllers, through local programming of their inputs and outputs. Mitigation strategies involve understanding the threat and BMS criticalities, network isolation, a sound security risk management process, access control, staff vetting, and increasing awareness of BMS vulnerabilities.
Table of Contents

Building Management System Vulnerabilities
Understanding Building Management System
Hardware Architecture
Software Architecture
Building Management System Vulnerabilities
Trouble Shooting BMS systems
Evaluating a BMS system
Mitigating BMS Vulnerabilities
Future of BMS Risk and Threats
References

Building Management System

Introduction

A Building Management System (BMS) is fundamentally a computer-supported control system installed in a building that monitors and controls the building's electrical and mechanical equipment, such as fire systems, power systems, ventilation, security systems, and lighting. A BMS consists of hardware and software. The software is configured hierarchically, often in proprietary ways, using protocols such as Profibus and C-bus, among others. More recently, new vendors have been producing BMSs that can integrate open standards and Internet protocols such as LonWorks, XML, Modbus, DeviceNet, BACnet, and SOAP.

Building Management Systems (BMS), also called Intelligent Buildings (IB), are building-wide control systems that connect, control, and monitor a facility's systems, associated subsystems, and equipment and plant (Honeywell Building solutions, 2008). These systems support the flow of information across the building and provide more advanced business telecommunications and automation services. In doing so, they allow maintenance, automatic control, and monitoring of the building's services or subsystems to be managed in an integrated and optimal way, remotely and/or locally, with enough flexibility to let future systems be added simply and economically. According to Lafontaine (1999), building management systems enable and integrate connectivity across the greater part of a building's equipment and plant systems, including security systems.
Over the last decade, building management systems have become a principal factor in the design, build, operation, and maintenance of commercial buildings. These systems are increasingly popular, driven by the desire to provide safer and more reactive facilities, the need to save energy, and the reduction of operational costs (Gadzheva, 2008). Intelligent Building technology is embedded in a variety of facilities, many of which hold premises, classified material, and other assets. Where classified protected areas are present, they involve a variety of systems such as life safety and fire. These systems are widely integrated and incorporated into traditional electrical, electronic, pneumatic, and mechanical systems.

Nonetheless, building management systems are still in their initial phases, and the feasibility of these technological solutions ought to be considered from the outset because information control, privacy, and security have been neglected (Gadzheva, 2008, p. 6). These systems are integrated in various ways through open and common data communication protocols and hardware, and this integration should not render facilities vulnerable to internal and external risks and threats.

Most building management systems are designed as low-profile, integrated, and user-friendly security systems that use camouflaged hardware with state-of-the-art technology. Combined with a near-optimum mix of human resources, this provides a cost-effective system that delivers vital security cover and protection for all the assets inside the premises (Schneider Electric TAC, 2004). The design of the system is discreet enough to blend with the ambience while being effective enough to attain the fundamental objective of protection (Lafontaine, 1999). The Security System consists of perimeter protection to detect intruders, electronic surveillance, and an access control system. The outer perimeter of a building is protected from unwanted intruders by a Perimeter Protection System.
This system operates as a deterrent at any point where an individual attempts to intrude across the perimeter facing the system installation (Jones & Smith, 2005). A variety of alternatives are available, such as electric fences, IR sensors, and sensor cabling unique to the system. Physical control of the movement of people is provided by customized Access Control in the premises, which restricts entry to authorized areas. Indoor and outdoor cameras are used for Electronic Surveillance and are situated at strategic points according to the required design and the challenge of maintaining discreet positioning (Jones & Smith, 2005). These cameras are linked to a server-based system or a DVR.

Understanding Building Management System

To understand building management system vulnerabilities, it is important to become acquainted with the hardware and software architecture of the system.

Hardware Architecture

A building management system or intelligent building system is divided into three levels of architecture. The management level comprises the workstations (human interface), server, and routing devices, all linked through LAN/WAN Ethernet communication using TCP/BACnet/IP. The automation level provides primary control and various secondary room automation functions, and is linked through networked Controllers running KNX, BACnet, LonWorks, and similar protocols over twisted-pair cables, among others (Lafontaine, 1999). The automation level Controllers provide the interface between the lower and upper levels of the BMS and contain some shared intelligence. Controllers are ordinarily made to offer either generic functionality or application-specific functionality. However, most now have some degree of multi-functionality. Lastly, field level devices are connected to, and operate, particular equipment and plant sensors or actuators, running protocols such as Modbus or the vendor's own proprietary protocol.
Field devices are the components that link the BMS to the physical environment, generating system information and providing the means to constantly change the building's safety and environmental conditions (Schneider Electric TAC, 2004). There is no single approach to applying BMS hardware, so the integration of BMS devices depends on the complexity and requirements of the facility.

Figure 1: Typical BMS System (Source: Buildings.com)

Software Architecture

The management level essentially consists of a software package that allows integration with the human operator. Generally, it operates on standard software, such as WAN/LAN communication on Ethernet, based on Microsoft Windows 2000/XP/2003. Other supporting equipment is standard network equipment using TCP/IP. The software essentially gives the operator a human interface to adjust, monitor, and control the facility (Lafontaine, 1999). Most designers provide the software packages as separate modules, which lets users identify what best suits their building and future upgrades.

The automation level is the second level of an integrated BMS system. The functioning of the BMS depends on some form of network that integrates and connects the various discrete elements (Schneider Electric TAC, 2004). The network has to have simple device interfaces and be real-time, and it must be comparable in cost with inexpensive present-day building devices like light switches (Callaghan, Sharples, & Clarke, 1999, p. 136). These needs have given rise to a number of BMS network protocols and standards.

Protocols or Standards: C-Bus, Energy star, oBIX, BACnet, Dynet, Modbus, CIBSE, OpenTherm, EnOcean, Midac, OpenWebNet, DSI, LonTalk, DALI, ZigBee, KNX

There is no single standard for all BMS devices in use today, though the two protocols LonWorks and BACnet have been broadly accepted and applied as global de facto standards.
In addition, the industry has applied Ethernet connectivity to all BMS devices, whether they are sub-network or primary network devices (Honeywell Building solutions, 2008). Connectivity involves Direct Digital Controllers (DDC) together with open protocols like Modbus, BACnet, and LonWorks. Current control equipment connects all these protocols, giving universal input/output links to damper actuators, temperature sensors, lighting devices, and life safety systems (Schneider Electric TAC, 2004).

Figure 2: BMS software architecture (Source: Automated buildings.com)

Building Management System Vulnerabilities

Building management systems are susceptible to a range of vulnerabilities. For instance, a facility may have open data and shared communication hardware and protocols, with limited consideration or awareness of security issues. These conditions render the BMS vulnerable to both internal and external threats. The security manager begins the building security assessment with a suggested list of vulnerabilities assessed at the desk-top (Schneider Electric TAC, 2004). This list guides the planning of the defeat evaluation.

The purpose of the BMS is to integrate and link equipment and plant, permitting remote and/or local control and monitoring. However, service engineers design, install, and operate many of these systems with limited consideration of security. The service focus is on maintaining the facility's operational capability and environment rather than on safeguarding the various BMS components beyond locking plant enclosures or rooms. For instance, a Chiller can nowadays host functionality that interfaces with both the proprietary HVAC system and the generic BMS system. BMS extend to information technology networks that are needed across and into every section of the facility, such as ceiling spaces, plant rooms, and service areas (Gadzheva, 2008). Furthermore, the majority of BMS use the primary data network within the information technology network.
Every device location has a Controller with all the functionality of a desktop computer except the user interface. One of the functions permitted is plugging programming devices into the Controller, which provides access to the wider BMS system and, in some cases, the larger information technology network. Consideration of the vulnerability of BMS systems has been limited (Gadzheva, 2008), owing to institutions such as the BMS manufacturers, the International Organization for Standardization (ISO), maintainers, and integrators. Their focus is on ensuring that the various parts of a facility's equipment and plant communicate and integrate effectively with little additional interfacing. Basic program interface and coding hardware is freely accessible (Schneider & Rode, 2010). BMS share generic vulnerabilities that differ only in their contextual application, and these are a threat to the BMS and the larger facility. The security manager's initial review of probable vulnerabilities can range from physical access to devices through to the absence of any constant power supply to ensure capability.
Desktop Evaluation Vulnerabilities

Physical device access: Compromise and access of the automation level; compromise and access of management software
Physical network access: Compromise and access of the automation level; compromise and access of the Ethernet; loss of integrity due to unauthorized key
EM attack: Compromise and wiretap of the Ethernet; compromise and wiretap of the automation level
Wiretapping: Compromise and access of the automation level; compromise and access of the Ethernet
Workstation: Compromise and access of management software
Foreign device: Insertion of an alien controller to the automation level
Remote workstation: Use of foreign computer to access Ethernet
External and internal memory: System memory insertion and past extraction
Device program: External programmer utility within the controller
Enclosures: Current enclosures comprise dust covers only
Embedded function: Embedded functions illegally used
Power supplies: Entire system shuts down due to power loss
Anti-tamper: Absence of anti-tamper capability

The scope of vulnerability testing ranges from basic to sophisticated technological and physical attacks, which together build an understanding of BMS vulnerabilities (Schneider & Rode, 2010). The manager works through a list of discrete steps within an evaluation methodology. This starts with documenting a clear approach to evaluating a priori testing criteria.

Figure 3: Defeat Evaluation Method

For the purposes of vulnerability evaluation, a BMS system is selected against a list of parameters: it is provided by an international manufacturer in the BMS market, and it covers a wide range of BMS products from the device level to the management level (Schneider & Rode, 2010). The BMS system is applied extensively in major facilities and is supported by many sponsoring agencies.
Trouble Shooting BMS systems

The procured system consists of a range of discrete devices, integrated to conform with what is considered a typical facility BMS, but on a smaller scale. The security manager can use a management level computer to check system vulnerabilities (Jones & Smith, 2005). The computer can be an IBM laptop running Microsoft Windows XP Professional V2002 on a 1.7GHz Pentium with 1GB RAM. The BMS devices can then be mounted onto a desk-top board and linked (Jones & Smith, 2005). The other connections are the data network Ethernet, the automation level RS-485 BACnet, and the 240VAC primary supply. Furthermore, a custom-manufactured Test Module can be connected to increase the number of outputs (x4) and inputs (x4).

Figure 4: Evaluated BMS system connections

Figure 5: Evaluated BMS system (i) and evaluated I/O expansion module (ii)

The Management level computer is programmed to identify all items in the network. A plain Graphical User Interface (GUI) is also programmed in the Management software to control and monitor the different components. The GUI can display items such as temperature readings from duct sensors, on-screen control of the VAV duct actuator, and switch status, among others (Jones & Smith, 2005).

Evaluating a BMS system

Applying the evaluation method to the emulated BMS identifies some essential vulnerabilities. These comprise attacks on automation level networks, physical access at the management level, attacks on the Controllers, and the system's dependency on power. Physical access to the workstation running the management level software is where major threats against the BMS are seen. With that degree of access, an attacker can easily alter the BMS program with their own code. For instance, writing to a Controller to permit a protracted time delay prior to detector alarms enables undetected access.
Furthermore, the intruder can install malicious code on the system, such as a key logger (Honeywell Building solutions, 2008). Moreover, physical access to any part of the Ethernet cable permits wiretapping, for example with insulation-displacement connectors. The freeware BACnet4Linux, once linked to the automation level network, allows complete monitoring capability. In its existing form, this software may not be able to write back to control the BMS system. However, professional automation level software is capable of not only monitoring but also writing back to the BMS system. At the Ethernet management level, freeware such as Wireshark can read the MS/TP protocol.

Figure 6: Wiretap concealed with single pair insulation-displacement connectors

The majority of BMS Controllers include a service port to which the readily available local Service Tool connects. The Service Tool permits local access to the Controller and changes to its automation level programming (Schneider Electric TAC, 2004). For instance, these program changes can easily switch outputs and inputs off or on at a determined time, turning off a detector or a series of detectors and so permitting undetected access into a facility. Other possibilities are disabling alarms, or turning off HVAC so that server rooms overheat and ultimately shut down.

Figure 7: Service port on an ordinary Air Handling Controller (Source: Lonix Building Connectivity, n.d.)

Controllers come in a light-weight cover designed to protect the internal circuitry, not to safeguard against an attacker. With no form of anti-tamper fitted, the cover clips on and off with a simple depression of its sides (Langston & Lauge-Kristensen, 2002). An additional enclosure, or a redesign with anti-tamper, is needed to safeguard the Controller. A variety of Controllers offer additional functionality such as add-on wireless.
A wireless adaptor that plugs directly into the service port was obtained, and the device was inserted covertly within the Controller's enclosure. The system depends on the principal power supply to sustain functionality, since all the devices need power to maintain their operating, monitoring, and control capabilities. Generally, device power needs range from 240VAC to 12VAC/DC. Loss of utility power can be localized, or it can affect the whole system when building equipment and plant fail, for example non-emergency lighting, elevators, and HVAC. Partial or total loss of BMS power led to the loss of network communication and of monitoring and control capability.

Mitigating BMS Vulnerabilities

Building Management System risks are relative; in other words, they are directly associated with the threat exposure of the facility. For a facility containing sensitive or otherwise heavily safeguarded information, the BMS threat should be treated as critical (Honeywell Building solutions, 2008). There is a range of generic mitigation strategies that the security manager can use:

Security risk management: A robust security risk management strategy that takes into account system criticalities, the situational threat assessment, and identified vulnerabilities.
Communication protection and Information system: Provide some degree of partitioning and network isolation between the BMS and wider networks and operating systems, both external and internal.
Environmental and Physical security: Validate and control access to the various and critical parts of the BMS, with protection measures layered where feasible.
Personnel security: Personnel and third parties operating and maintaining the IB system must be vetted.
Operational Continuity: Provide a degree of emergency power to the more essential BMS parts and functions.
Security awareness: Provide training to raise awareness of the BMS and its vulnerabilities throughout the organization.
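The partitioning and access-control measures above can be checked from the network side. The following Python sketch is an added example, not part of the original paper: it parses BACnet/IP payloads taken from a passive capture and flags state-changing requests from hosts outside an allowlist, plus I-Am announcements from devices missing from the inventory (the "foreign device" case in the desktop evaluation). The addresses, allowlist, and sample packets are constructed for illustration.

```python
import struct

# BACnet confirmed-service choices that change controller state (ASHRAE 135).
STATE_CHANGING = {15: "WriteProperty", 16: "WritePropertyMultiple",
                  17: "DeviceCommunicationControl", 20: "ReinitializeDevice"}
I_AM = 0  # unconfirmed-service choice: a device announcing itself


def parse_bacnet_ip(payload):
    """Return (pdu_kind, service_choice) for a BACnet/IP UDP payload, else None."""
    if len(payload) < 6 or payload[0] != 0x81:        # 0x81 = BVLC type for BACnet/IP
        return None
    if struct.unpack(">H", payload[2:4])[0] != len(payload):
        return None                                   # truncated or padded frame
    if payload[1] not in (0x0A, 0x0B):                # original unicast/broadcast NPDU only;
        return None                                   # BBMD-forwarded frames are ignored here
    if payload[4] != 0x01:                            # NPDU protocol version
        return None
    control, pos = payload[5], 6
    if control & 0x80:                                # network-layer message, no APDU
        return None
    try:
        if control & 0x20:                            # DNET(2) DLEN(1) DADR(DLEN)
            pos += 3 + payload[pos + 2]
        if control & 0x08:                            # SNET(2) SLEN(1) SADR(SLEN)
            pos += 3 + payload[pos + 2]
        if control & 0x20:
            pos += 1                                  # hop count follows the addresses
        apdu = payload[pos:]
        kind = apdu[0] >> 4
        if kind == 0:                                 # Confirmed-Request
            # Segmented requests carry sequence number and window size first.
            return ("confirmed", apdu[5 if apdu[0] & 0x08 else 3])
        if kind == 1:                                 # Unconfirmed-Request
            return ("unconfirmed", apdu[1])
    except IndexError:
        pass                                          # malformed frame: treat as unparsed
    return None


def audit(packets, write_allowlist, known_devices):
    """packets: iterable of (source_ip, udp_payload). Returns a list of alert strings."""
    alerts = []
    for src, payload in packets:
        parsed = parse_bacnet_ip(payload)
        if parsed is None:
            continue
        kind, service = parsed
        if kind == "confirmed" and service in STATE_CHANGING and src not in write_allowlist:
            alerts.append(f"{src}: {STATE_CHANGING[service]} from host outside write allowlist")
        elif kind == "unconfirmed" and service == I_AM and src not in known_devices:
            alerts.append(f"{src}: I-Am from device not in inventory")
    return alerts


def frame(npdu, apdu, function=0x0A):
    """Wrap an NPDU + APDU in a BVLC header (used only to build the sample data)."""
    body = npdu + apdu
    return bytes([0x81, function]) + struct.pack(">H", 4 + len(body)) + body


# Constructed sample traffic: a read and a write from the workstation (10.20.0.5),
# then a write and a broadcast I-Am from an unlisted host, then a truncated frame.
WRITE = bytes.fromhex("0005010f0c0080000119553e44422000003f")
READ = bytes.fromhex("0005020c0c008000011955")
IAM = bytes.fromhex("1000c4020004d22205c491032107")
SAMPLE = [
    ("10.20.0.5", frame(b"\x01\x04", READ)),
    ("10.20.0.5", frame(b"\x01\x04", WRITE)),
    ("10.20.0.77", frame(b"\x01\x04", WRITE)),
    ("10.20.0.77", frame(b"\x01\x20\xff\xff\x00\xff", IAM, 0x0B)),
    ("10.20.0.9", b"\x81\x0a\x00"),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE, write_allowlist={"10.20.0.5"}, known_devices={"10.20.0.5"}):
        print(alert)
```
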
Furthermore, ensure strong integration of the different stove-piped divisions such as Personnel Security, Facility Management functions, Information Technology and Computing, and Physical Security.

Future of BMS Risk and Threats

The security manager needs to give some consideration to the future of Building Management Systems (BMS), in order to offer some level of comment on the changing and developing technologies likely to be applied in the coming decade (Langston & Lauge-Kristensen, 2002). Such a review gives a degree of understanding of the future and emerging vulnerabilities and threats of BMS technologies. The issues to consider include the wide application of telecommunications and wireless devices to ease connectivity, expanded system communications, wide and growing open architecture (Honeywell Building solutions, 2008), connectivity that facilitates plug and play, artificial intelligence, a single design approach for devices such as Controllers, and ultimately smart, multi-functional sensors that perform multiple functions.

Future risk or threat: Descriptor

Wireless: Scaling up the use of wireless to simplify and lower connectivity costs
Plug and play: Ease of device installation through plug and play, in which devices are connected to a network with restricted authentication acceptance
Extended interconnectivity: Multiple connectivity for large systems, both external and internal, extending to cloud computing and other networks
Artificial Intelligence: More complex systems as they become smarter, making it difficult to point out the vulnerabilities
Single design approach: Multiple application functions and uses from a single controller. Presence of software-disabled functions such as various inputs, outputs, and wireless
Smart sensor: Multiple functions performed by sensors, such as HVAC, light, and security detection, making them vulnerable to masking or spoofing

Building management systems (BMS) are becoming more popular in commercial buildings, with distinct merits such as a more reactive building and lowered operating costs, giving owners, users, and operators a great experience (Brooks, 2010). However, BMS are susceptible to vulnerabilities throughout their software, network, and hardware devices. The degree of vulnerability is highly contextual, driven largely by the threats to the facility. A security manager can use a defeat evaluation method with an emulated BMS system to validate a list of suggested vulnerabilities. The most significant validated vulnerabilities are attacks on the automation level networks, physical access at the management level, and attacks against Controllers. Another is the BMS's dependency on power to maintain capability. Wiretapping the network offers valuable insight into what is occurring in the system (CIBSE, 2000). Access to the network is facilitated by access to Controllers, through local programming of their inputs and outputs. Mitigation strategies involve understanding the threat and BMS criticalities, network isolation, a sound security risk management process, access control, staff vetting, and increasing awareness of BMS vulnerabilities (Honeywell Building solutions, 2008). Ultimately, future risks and threats are likely to increase with wireless devices, extended system communications and open architecture, smarter multi-functional sensors, and a single design approach that attains multiple functions.

References

Automated Buildings.com. (n.d.). Networks.
Brooks, D. J. (2010). Assessing vulnerabilities of biometric readers using an applied defeat evaluation methodology. Paper presented at the Proceedings of the 3rd Australian Security and Intelligence Conference, Perth.
CIBSE. (2000). Building control systems: CIBSE Guide H. Oxford: Butterworth-Heinemann.
Gadzheva, M. (2008). Legal issues in wireless building automation: an EU perspective. International Journal of Law and Information Technology, 1-17.
Honeywell Building solutions. (2008). Integrated Building Management Systems: Today's secret to increased building and workplace performance. Honeywell International Inc.
Jones, D. E. L., & Smith, C. L. (2005). The development of a model for testing and evaluation of security equipment within Australian Standard / New Zealand Standard AS/NZS 4360:2004 - Risk Management.
Lafontaine, J. (1999). Intelligent building concept. Ontario: EMCS Engineering Inc.
Langston, C., & Lauge-Kristensen, R. (2002). Strategic management of built facilities. Boston: Butterworth-Heinemann.
Lonix Building Connectivity. (n.d.). System overview.
Schneider, D., & Rode, P. (2010). Energy renaissance. High Performance Building Magazine, 13-16.
Schneider Electric TAC. (2004). Product catalogue: Schneider Electric.