ASHRAE Journal - July 2019 - 29

SOLVING PROBLEMS

human health and safety, said Tully, a manager of application engineering for Reliable Controls Corporation.
Steven Bushby, Fellow ASHRAE, a previous chair of the
Standard 135 committee, said the building industry's legacy
of ignoring building automation system cybersecurity exists because closed, proprietary systems were not
connected to anything and thus were not seen as much of a risk.
That changed with the development of BACnet, the most
widely used building automation system protocol in the
world.
The most common BACnet system is a multi-level system with workstations and supervisory controllers connected to an Internet Protocol (IP) network. The supervisory controllers often serve as routers to a different,
lower-cost network technology that connects equipment-specific
controllers, according to Bushby, who works
for the National Institute of Standards and Technology
(NIST). He is the leader of NIST's Mechanical Systems
and Controls Group of the Energy and Environment
Division of the Engineering Laboratory.
He said it is common practice for building owners
to connect building controllers to the same networks
used for general business and IT purposes. Sometimes
facilities will have a standalone, separate network for
building control that is isolated from the Internet, but
the more common approach is sharing the network
because it is cheaper, according to Bushby. This creates
vulnerabilities to phishing attacks and compromised
login credentials. In this model, login credentials
intended to provide an operator or vendor with remote
access to the building automation system become a
vehicle to access or attack anything connected to the IP
network.
Putting BACnet devices and other operational technology (OT) devices on IT networks can lead to dangerous installation practices such as placing unprotected
devices on the IP backbone or across the Internet, said
David Robin, Member ASHRAE, a member and past
chair of the ASHRAE Standard 135-2016 committee.
Virtual LAN (VLAN) or Virtual Private Network (VPN)
configurations should be used to protect OT devices that
do not have their own security, but this requires coordination with IT, which may cause delays when setting up
or changing a facility's operational side.
The most common mistake people make regarding building automation system security, Tully said, is
the lack of awareness about inherent vulnerabilities
and the threats they pose to organizations and mission
capabilities.
"This poor judgment or awareness often results in negligent user account management, weak or vulnerable
passwords, poor system/server/application administration, use of standard openly published ports, preservation of default credentials, inbound firewall penetration, little to no auditing and no recovery/resilience plan
for when a breach occurs," he said.
Tully said it also is common for vendors and service providers to leave default passwords in place for
convenience. 
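
An added example, not from the article: a small Python audit that checks a constructed device inventory and first-match firewall rule set for three of the weaknesses described above (controllers outside a dedicated OT segment, BACnet/IP reachable from the business LAN or the Internet, and retained default credentials). All device names, addresses and rules are hypothetical; UDP 47808 is the registered default BACnet/IP port.

```python
import ipaddress

BACNET_IP_PORT = 47808  # 0xBAC0, the registered default UDP port for BACnet/IP

# Constructed sample data (not from the article); all names and addresses are hypothetical.
OT_NET = ipaddress.ip_network("10.20.0.0/24")  # dedicated building-control VLAN
PROBES = {"internet": "203.0.113.9", "business-lan": "10.10.5.20"}  # sources outside the OT VLAN
DEVICES = [
    {"name": "sup-ctrl-1", "ip": "10.20.0.10", "default_creds": False},
    {"name": "sup-ctrl-2", "ip": "10.10.5.77", "default_creds": True},
    {"name": "ahu-ctrl-3", "ip": "10.20.0.31", "default_creds": True},
]
# Ordered, first-match rules: (action, source, destination, UDP port or None for any).
RULES = [
    ("allow", "10.20.0.0/24", "10.20.0.0/24", None),
    ("allow", "0.0.0.0/0", "10.20.0.10/32", BACNET_IP_PORT),  # inbound hole for remote access
    ("deny", "0.0.0.0/0", "10.20.0.0/24", None),
    ("allow", "0.0.0.0/0", "0.0.0.0/0", None),  # flat, permissive business network
]


def first_match(src, dst, port):
    """Return the action of the first rule matching the flow; default deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, rule_src, rule_dst, rule_port in RULES:
        if (src in ipaddress.ip_network(rule_src)
                and dst in ipaddress.ip_network(rule_dst)
                and rule_port in (None, port)):
            return action
    return "deny"


def audit(devices=DEVICES):
    """Map each device name to the list of findings raised against it."""
    report = {}
    for dev in devices:
        findings = []
        if ipaddress.ip_address(dev["ip"]) not in OT_NET:
            findings.append("outside-ot-segment")
        for label, src in PROBES.items():
            if first_match(src, dev["ip"], BACNET_IP_PORT) == "allow":
                findings.append(f"bacnet-reachable-from:{label}")
        if dev["default_creds"]:
            findings.append("default-credentials")
        report[dev["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit().items():
        print(name, findings or ["ok"])
```

Only the controller that sits inside the OT VLAN behind the deny rule is unreachable from outside, and it still carries a default-credentials finding.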

Recommended Solutions
There is no single security solution that is appropriate
for every building automation system because of technology and the ever-changing threat environment, Tully
said.
One of the recommended strategies for protection schemes commensurate with security controls
already established in the IT domain is using NIST
Special Publication 800-27, Fundamental Engineering
Principles for Information Technology Security
(EP-ITS). Standards have implemented the use of
EP-ITS, and organizations have used EP-ITS for some
time, he said.
"Rather than ignoring or avoiding these standard
practices and security controls, BAS manufacturers and
vendors should embrace these techniques and engage in
proactive collaboration with cross-functional teams with
the organizations and IT teams whom they serve," Tully
said.
Another strategy is hardening: improving an information or computing system's security by reducing its
surface of vulnerability. Hardening trusts a minimum
number of system elements, which reduces exposure to
vulnerabilities that could be exploited for unauthorized
information access and manipulation.
Building automation system environments should be
secured appropriately to each organization's requirements and functional expectations, Tully said. The goal of
hardening is mitigating risk to an acceptable level.
"The most common solution today is to put the building automation part in a virtual private network (VPN),
which blocks access except for specifically designated
devices that can connect, and it encrypts the message
and it provides a pretty reasonable level of security,"