ASHRAE Journal - September 2014 - 61

TECHNICAL FEATURE

a presentation by the Industrial Control Systems Cyber
Emergency Response Team (ICS-CERT), a government
agency dedicated to protecting critical infrastructure, it
was noted that having systems publicly exposed was one
of the leading causes of exploited systems.
How do we prevent this from happening? We close
the front door! To prevent unauthorized system access,
the design engineer needs to ensure four phrases are in
their specification.

Spec it Out
1. The control system will reside on a private class IP
network and will only be accessible via the private network or a Virtual Private Network (VPN) connection.
2. The control system installer will delete default
accounts and change the default passwords.
3. The control system installer will work with the client IT department to ensure that their system utilizes
Simple Network Management Protocol V.3 (SNMP) integration or equivalent for user account monitoring.
4. The control system will not use single sign on (SSO)
for user account management.
Now wait a minute, you may be saying: what if the client wants the system publicly exposed? What if the control system they want doesn't support SNMP? All good questions.
Active Directory (AD) is how most IT groups manage user accounts. The difference between account monitoring and account management is slight but important. If you monitor an account, you can see who logs on and when, which is called event logging. However, when you manage an account, specifically if you use SSO, the user can log onto their computer and the BAS with the same account. Therefore, if someone penetrates your BAS they can sometimes access your whole network.
If a client wants a publicly exposed system or a system that doesn't support SNMP V.3, then you must get in writing that the client understands and accepts the risk and releases you from any and all liability if someone penetrates the system, causing property damage and/or loss of life.
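The first and third "Spec it Out" items can be checked mechanically. The following is an added Python example, not code from the article: it flags devices whose addresses fall outside the RFC 1918 private ranges and produces the "who logged on and when" view from logon records. The device names, addresses and log lines are constructed for illustration, and it assumes a VPN user appears with a private tunnel address.

```python
"""Audit a BAS inventory against spec item 1 (private network only) and
summarise logon events as account monitoring (event logging) would."""
import ipaddress
import re
from datetime import datetime

# RFC 1918 private blocks: the "private class IP network" of spec item 1.
PRIVATE_BLOCKS = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in PRIVATE_BLOCKS)

def exposed_devices(inventory):
    """Names of devices whose address is publicly routable."""
    return [name for name, addr in inventory if not is_private(addr)]

# Constructed inventory; 203.0.113.x (a documentation range) stands in for a public address.
INVENTORY = [
    ("chiller-plant-controller", "10.20.5.11"),
    ("ahu-3-controller", "192.168.40.7"),
    ("bas-frontend", "203.0.113.25"),
]

# Constructed logon records in a simple syslog-like layout.
LOG_LINES = """\
2014-09-02T07:58:12 bas-frontend logon user=jsmith src=10.20.5.200 result=success
2014-09-02T08:03:40 bas-frontend logon user=admin src=198.51.100.9 result=failure
2014-09-02T08:04:01 bas-frontend logon user=admin src=198.51.100.9 result=success
""".splitlines()
LOG_RE = re.compile(r"^(\S+) (\S+) logon user=(\S+) src=(\S+) result=(\S+)$")

def parse_logons(lines):
    """Parse matching lines into event dicts; non-matching lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            ts, host, user, src, result = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "host": host,
                           "user": user, "src": src, "result": result})
    return events

def who_logged_on(events):
    """The 'who logs on and when' view: (user, time, source) per success."""
    return [(e["user"], e["time"].isoformat(), e["src"])
            for e in events if e["result"] == "success"]

def public_source_logons(events):
    """Successful logons from outside the private network, which spec item 1
    forbids (assumes VPN users appear with a private tunnel address)."""
    return [(e["user"], e["src"]) for e in events
            if e["result"] == "success" and not is_private(e["src"])]
```

A non-empty result from either `exposed_devices` or `public_source_logons` means the front door is open.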

Most, if not all, of these issues can be solved via proper
patching.
There is one phrase that I hate to see in proposals and
specifications. "Patching and software updates for the
XYZ system will be the responsibility of the controls
vendor."
Really? When is the last time any controls vendor patched a blade server? Half of the BASs on the market run at least two patches behind the latest Java, Windows Service Pack, or .NET Framework, because that is what the programmers used to design the system.
So what is a patch? A patch is where a software provider delivers "fixes" to its software. When software is created, it is often rushed to meet a completion date, which often leaves errors. A good analogy is value engineering: you design a great specification for an art gallery, and the customer removes the dehumidification sequence to save money. Only when the art becomes damaged does the customer decide to add back in the dehumidification.

Spec it Out
1. The controls provider will be required to patch the
control system and associated servers to the latest version, revision, or update every quarter. If any security
vulnerabilities are discovered by the vendor, the controls provider will be responsible for notifying the client
within five business days.
2. The controls provider will provide quarterly documentation in the form of a physical and soft logbook
ensuring that the updates and patches have been
performed.
This may seem a little extreme, but let's consider the loss in profit and reputation for both you and your customer. If a user or non-user exploits a Java 5.0 installation, logs into your client's hospital and proceeds to shut down all the chillers, what is the cost of that? What if they pivot and grab patient data off the electronic medical records (EMR)? Remember, simple steps can avoid large damages.
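The quarterly patch clause and the five-business-day notification window can be checked mechanically. The following is an added Python example, not code from the article, with a constructed server inventory and constructed dates; it treats anything last patched more than 92 days ago as overdue and counts business days as Monday to Friday, ignoring public holidays.

```python
"""Check servers against the quarterly patch clause and compute the
five-business-day vulnerability notification deadline. Inventory and
dates are constructed for illustration."""
from datetime import date, timedelta

QUARTER_DAYS = 92          # longest calendar quarter; older than this is overdue
NOTIFY_BUSINESS_DAYS = 5   # notification window from the spec clause

def overdue_servers(inventory, today):
    """(name, days since last patch) for every server patched over a quarter ago."""
    late = []
    for name, last_patched in inventory:
        age = (today - last_patched).days
        if age > QUARTER_DAYS:
            late.append((name, age))
    return late

def add_business_days(start, n):
    """Advance n business days (Mon-Fri). Public holidays are not modelled."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:      # 0..4 are Monday..Friday
            n -= 1
    return d

def notification_deadline(discovered):
    """Last day the client must be told of a vulnerability found on `discovered`."""
    return add_business_days(discovered, NOTIFY_BUSINESS_DAYS)

def notification_late(discovered, notified):
    """True if the client was told after the deadline."""
    return notified > notification_deadline(discovered)

def logbook_entry(name, patched_on, version):
    """One line for the quarterly patch logbook the clause requires."""
    return f"{patched_on.isoformat()} {name} patched to {version}"

# Constructed inventory: (server, date of last patch), and constructed dates
INVENTORY = [
    ("bas-frontend", date(2014, 6, 30)),
    ("historian-db", date(2014, 3, 14)),
    ("web-reports", date(2014, 8, 20)),
]
TODAY = date(2014, 9, 1)        # a Monday
DISCOVERED = date(2014, 9, 2)   # vendor learns of a vulnerability

if __name__ == "__main__":
    print("overdue:", overdue_servers(INVENTORY, TODAY))
    print("notify client by:", notification_deadline(DISCOVERED))
    print(logbook_entry("web-reports", date(2014, 8, 20), "hypothetical-v2.3.1"))
```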

Patch Up Your Holes

Don't Let "Oops" Become "You're Fired!"

The good news is the system is behind the firewall; the bad news is the
wall is on fire.

Did you need that database for the compliance survey?

What do Java exploits, unsecured operating systems,
and improperly designed platforms have in common?

Have you ever experienced that sinking feeling in
your gut as you watch the database you just spent
months developing melting away into deletion land? I