ASHRAE Journal - May 2023 - 20
FEATURE
Ultimately, the facility owner is the responsible party for many of the elements of BAS cyber/physical security. The owner must be part of the discussion to ensure a full site risk assessment and security plan are part of the project. The owner is typically made up of a team of professionals with different responsibilities. Depending on the size and scope of the project/owner, that team can include:
Facility management;
IT manager;
Human resources;
Legal counsel;
Security/risk officer; and
Executive management.
This team sets the facility high-level owner project requirements (OPRs), which are then used by others to create specifications, standards, playbooks and design frameworks. If the owner has multiple buildings in their portfolio, these OPRs typically are consistent from project to project. In many cases, these roles are performed by third-party consultants, contractors or advisors.
Assembling a Cybersecurity Plan
ASHRAE Guideline 13-2023, Specifying Building Automation Systems, defines a BAS/BMS four-tier model. The model defines the physical and logical tiers of a building controls system segmented to roughly follow how projects are contracted. Figure 1 shows the four-tier model overlaid with the potential cybersecurity attack vectors for each tier.
FIGURE 1 ASHRAE four-tier model with cybersecurity vectors. Tiers: Tier 1, Enterprise IP Network; Tier 2, Building Level Network; Tier 3, Subsystem Equipment; Tier 4, Field Devices. Vector labels shown: External Hacked BMS; Cloud Service Corruption; Data Center Breach; Internal Access BAS Network; External Access via VPN, VLAN, Wi-Fi, Cellular Modems, DSL Lines; Internal Access to Cabinets, Devices, Equipment, User Interfaces; Physical Access to Sensors, IoT Hacks, Bypassing Network Security, Back Door Access by Contractors.
One well-understood cybersecurity model is the risk management framework (RMF) initially developed by the U.S. Government's National Institute for Standards and Technology (NIST), which is now being adopted by many in the public and private sectors. The RMF provides an extensive assessment and engagement model to identify the strategic and tactical areas to address. For military facilities, the list of criteria is extensive. It's less so for schools and much less so for a gas station. The RMF follows three basic principles:
Developing the risk assessment model;
Identifying the level of paranoia; and
Assigning responsibility.
The U.S. Army Corps of Engineers uses the Defense in Depth approach (Online Figure A; see this and Online Figure B at https://tinyurl.com/JournalExtras). It is the practice of arranging defensive lines so they can defend each other, especially in the case of an enemy incursion.
BAS system specifications that define cybersecurity requirements typically will address both the physical and logical aspects of the system. Segmenting the specification into the physical and logical components helps define the responsible party. One way of doing this is by defining the information technology (IT) and operational technology (OT) requirements.
IT Best Practices
The following is a short list of some of the technical
tools IT professionals have at their disposal to manage
cybersecurity risks:
VLAN setup;
Port lock downs;
Encryption;
Bandwidth monitoring;
Firewalls;
Password/passphrase changes;
Network monitoring and restricted access;
Two factor/level authentication;
Isolated IP address access and management; and
Proper VPN setup.
Building Data Abstraction