ASHRAE Journal - May 2023 - 23
FEATURE
breaches can come from physical access to the system
like plugging in a USB stick or attaching a computer to
the building network. This requires physical access to
the BAS. Other breaches can come from external sources
who have gained access to the BAS via the control network
or data network using cyber hacking means.
Physical security (i.e., intrusion detection) and cybersecurity
(i.e., a fi rewall penetration) should have the
same level of event response associated with them. Just
because a penetration of the cybersecurity system is
typically not as visible does not mean it should not be
treated as a signifi cant event and managed with a high
level of urgency. System cybersecurity issues should be
part of the overall monitoring and alarming structure.
A signifi cant risk to a facility is also not knowing that a
breach has occurred or that a hack is in process.
BAS equipment and the associated network controllers
are ultimately the fi nal gate to ensure minimized
negative effects of a breach. Equipment suppliers must
ensure that their equipment cannot be put into a mode
that will cause a safety or security issue. This requires
the equipment controls programmer ensure appropriate
fail-safe operations. If, for example, a hacker tries
to change a value of a compressor to something out of
range to compromise the equipment, it is up to the compressor
controller programmer to validate any network
data point changes to ensure it is within safe limits and
to implement all necessary internal fail-safes, safety
checks and alarms.
BAS Intrusions
Security intrusion can be defi ned in two major categories,
internal sources and external sources. Each has a
wide variety of threat vectors or points of entry into the
system where negative effects can be implemented.
Internal threats are typically security breaches
implemented by employees, contractors, occupants,
tenants and others who have been given certain
access privileges that have been abused. Overcoming
these risks requires strong physical access privilege
monitoring and maintenance and ensuring that physical
access restrictions to systems are managed according to
the potential threat level.
External threats typically originate from outside the
facility's physical environment from sources that do
not have access privileges or have stolen privileges from
authorized entities. As more BASs become internet
enabled, the more vectors for accessing building equipment
are opened. Once equipment is exposed, it
becomes a target. Proper fi rewalls and protections are
required to limit these threat vectors.
Design Principles
When designing building automation systems' cybersecurity
requirements, it is critical to understand not
only the initial design of the system, but also its ongoing
monitoring and management. As mentioned, good system
alarming and alerting is crucial. Real-time monitoring
and alerting of anomalies can be specifi ed as a
requirement of the BMS front end and of each controller
and piece of equipment on the network. Many sources
of good design information are available. Notably, work
is currently underway by a team of volunteers with the
Coalition for Smarter Buildings and the Smarter Stack
effort using the CSI Division 25.25 structure. It provides
a framework for interoperability of building controls
data (digital twin), API application integration and a
framework for cybersecurity design.
Internal Threats
These are threats that emanate from internal sources,
typically from personnel who do something either
knowingly or unknowingly that causes a breach.
Internal threats are best managed through proper
access privilege restrictions both physically and logically.
Only personnel with specifi c needs should be allowed
to physically access critical equipment. Keep sensitive
equipment behind locked cabinets and locked doors and
manage access privileges through an ongoing credentialing
program. Access credentials should be reviewed
and become an active part of any BAS/BMS system.
Access to the BAS network should include two-factor
authentication, just like banking systems. If that's not
possible, consider enforcing a more robust password.
Making it harder for intrusion is part of the process. A
balance exists between managing the process and the
incumbrance to the facility staff.
External Threats
These are threats that emanate from outside of the
physical location and typically gain access through
unprotected open communication ports-primarily
the internet. Many building automation systems and
building management systems are directly connected to
M AY 2 0 2 3 ashrae.o rg ASHRAE JOURNAL
23
http://www.ashrae.org
ASHRAE Journal - May 2023
Table of Contents for the Digital Edition of ASHRAE Journal - May 2023
Contents
ASHRAE Journal - May 2023 - Intro
ASHRAE Journal - May 2023 - Cover1
ASHRAE Journal - May 2023 - Cover2
ASHRAE Journal - May 2023 - 1
ASHRAE Journal - May 2023 - Contents
ASHRAE Journal - May 2023 - 3
ASHRAE Journal - May 2023 - 4
ASHRAE Journal - May 2023 - 5
ASHRAE Journal - May 2023 - 6
ASHRAE Journal - May 2023 - 7
ASHRAE Journal - May 2023 - 8
ASHRAE Journal - May 2023 - 9
ASHRAE Journal - May 2023 - 10
ASHRAE Journal - May 2023 - 11
ASHRAE Journal - May 2023 - 12
ASHRAE Journal - May 2023 - 13
ASHRAE Journal - May 2023 - 14
ASHRAE Journal - May 2023 - 15
ASHRAE Journal - May 2023 - 16
ASHRAE Journal - May 2023 - 17
ASHRAE Journal - May 2023 - 18
ASHRAE Journal - May 2023 - 19
ASHRAE Journal - May 2023 - 20
ASHRAE Journal - May 2023 - 21
ASHRAE Journal - May 2023 - 22
ASHRAE Journal - May 2023 - 23
ASHRAE Journal - May 2023 - 24
ASHRAE Journal - May 2023 - 25
ASHRAE Journal - May 2023 - 26
ASHRAE Journal - May 2023 - 27
ASHRAE Journal - May 2023 - 28
ASHRAE Journal - May 2023 - 29
ASHRAE Journal - May 2023 - 30
ASHRAE Journal - May 2023 - 31
ASHRAE Journal - May 2023 - 32
ASHRAE Journal - May 2023 - 33
ASHRAE Journal - May 2023 - 34
ASHRAE Journal - May 2023 - 35
ASHRAE Journal - May 2023 - 36
ASHRAE Journal - May 2023 - 37
ASHRAE Journal - May 2023 - 38
ASHRAE Journal - May 2023 - 39
ASHRAE Journal - May 2023 - 40
ASHRAE Journal - May 2023 - 41
ASHRAE Journal - May 2023 - 42
ASHRAE Journal - May 2023 - 43
ASHRAE Journal - May 2023 - 44
ASHRAE Journal - May 2023 - 45
ASHRAE Journal - May 2023 - 46
ASHRAE Journal - May 2023 - 47
ASHRAE Journal - May 2023 - 48
ASHRAE Journal - May 2023 - 49
ASHRAE Journal - May 2023 - 50
ASHRAE Journal - May 2023 - 51
ASHRAE Journal - May 2023 - 52
ASHRAE Journal - May 2023 - 53
ASHRAE Journal - May 2023 - 54
ASHRAE Journal - May 2023 - 55
ASHRAE Journal - May 2023 - 56
ASHRAE Journal - May 2023 - 57
ASHRAE Journal - May 2023 - 58
ASHRAE Journal - May 2023 - 59
ASHRAE Journal - May 2023 - 60
ASHRAE Journal - May 2023 - 61
ASHRAE Journal - May 2023 - 62
ASHRAE Journal - May 2023 - 63
ASHRAE Journal - May 2023 - 64
ASHRAE Journal - May 2023 - 65
ASHRAE Journal - May 2023 - 66
ASHRAE Journal - May 2023 - 67
ASHRAE Journal - May 2023 - 68
ASHRAE Journal - May 2023 - 69
ASHRAE Journal - May 2023 - 70
ASHRAE Journal - May 2023 - 71
ASHRAE Journal - May 2023 - 72
ASHRAE Journal - May 2023 - 73
ASHRAE Journal - May 2023 - 74
ASHRAE Journal - May 2023 - 75
ASHRAE Journal - May 2023 - 76
ASHRAE Journal - May 2023 - 77
ASHRAE Journal - May 2023 - 78
ASHRAE Journal - May 2023 - 79
ASHRAE Journal - May 2023 - 80
ASHRAE Journal - May 2023 - Cover3
ASHRAE Journal - May 2023 - Cover4
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_FYONLJ
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2024november_v2
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2024november
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_BDMHLG
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_WJDGRY
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_ATMAHK
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_VHQRAW
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_XGMDXI
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_YELQLJ
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_QJLWMC
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_MCDEBX
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_WNYSQY
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_XATVOD
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_FJSHSS
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_CCBZDS
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_XDEFVG
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2023november_v2
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2023november
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_VHGNBL
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_WPKBNJ
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_UUVCDE
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_RTGDEW
https://www.nxtbook.com/nxtbooks/ashrae/ashraemexico_2023
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_LKRFXS
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_AZSOFG
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_ERCDBH
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_QWDFRV
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_JHGVDF
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_OPUYHG
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_SREIBM
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_LRTGLK
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_OKRFGH
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2022november_v2
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2022november
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_TZSERA
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_LVRUIX
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_RPTVYZ
https://www.nxtbook.com/nxtbooks/ashrae/mini_pub_catalog
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_XIYTGD
https://www.nxtbook.com/nxtbooks/ashrae/ashraemexico_2022
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_RFGDOB
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_PABXNU
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_REMKLS
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_PICVBT
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_AOYTVW
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_JQOPLS
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_IOYTBC
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_SGAJJF
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_IGHYER
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_PDRKLS
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2021november
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2021november_v2
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_XCODFR
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_QSLFGO
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_ILKVNM
https://www.nxtbook.com/nxtbooks/ashrae/ashraemexico_2021
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_OPDJKD
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_VJKSRY
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_SDHUTC
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_JPPKRR
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_SDLTTH
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_CKLLES
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_SLDOX
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_HJETUK
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_OLUHGE
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2020october
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2020october_v2
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_ZERDGH
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_QVMNEO
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_RTPOKE
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_BBATRE
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_STUBMW
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_TPEMPE
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_JNMKDS
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_FBTTPA
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_WQMMNE
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_TVBRYN
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_showguide2020
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_KTUZMA
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_ABEDGD
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_201910
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_201909
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2019septmeber_v2
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2019september
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_201908
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_201907
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_201906
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_201905
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_201904
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_2019april
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_201903
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_2019march
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_201902
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_201901
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_showguide2019
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_2018december
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_2018november
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2018fall_v2
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2018fall
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_2018october
https://www.nxtbook.com/nxtbooks/ashrae/ashraemexico_2018
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201810
https://www.nxtbook.com/nxtbooks/ashrae/ashraeinsights_201806
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201805
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201804
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201803
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201712
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201711
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201710
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2017fall_v2
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2017fall
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201709
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201705
https://www.nxtbook.com/nxtbooks/ashrae/ashrae_meetinginsert_201610
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2016fall_v2
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2016fall
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_acrexindia
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2015summer_v2
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_amca_2015summer
https://www.nxtbook.com/nxtbooks/amca/2014summer2
https://www.nxtbook.com/nxtbooks/amca/2014summer
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_acma_2014summer
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201311
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201309
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_acmasupp_2013fall
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201305
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201303
https://www.nxtbook.com/nxtbooks/ashrae/pubcatalog_2013winter
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201211
https://www.nxtbook.com/nxtbooks/ashrae/achr_expo_mexico2012
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201209
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_201208_v3
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_201208_v2
https://www.nxtbook.com/nxtbooks/ashrae/pubcatalog_2012summer
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201205
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201203
https://www.nxtbook.com/nxtbooks/ashrae/pubcatalog_2012winter
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_201111_v2
https://www.nxtbook.com/nxtbooks/ashrae/ashraejournal_201109_v2
https://www.nxtbook.com/nxtbooks/ashrae/pubcatalog_2011summer
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201105
https://www.nxtbook.com/nxtbooks/ashrae/meetingplanner_201103
https://www.nxtbookmedia.com