ASHRAE Journal - May 2023 - 23

FEATURE
breaches can come from physical access to the system
like plugging in a USB stick or attaching a computer to
the building network. This requires physical access to
the BAS. Other breaches can come from external sources
who have gained access to the BAS via the control network
or data network using cyber hacking means.
Physical security (i.e., intrusion detection) and cybersecurity
(i.e., a firewall penetration) should have the
same level of event response associated with them. Just
because a penetration of the cybersecurity system is
typically not as visible does not mean it should not be
treated as a significant event and managed with a high
level of urgency. System cybersecurity issues should be
part of the overall monitoring and alarming structure.
A significant risk to a facility is also not knowing that a
breach has occurred or that a hack is in process.
BAS equipment and the associated network controllers
are ultimately the final gate to ensure minimized
negative effects of a breach. Equipment suppliers must
ensure that their equipment cannot be put into a mode
that will cause a safety or security issue. This requires
that the equipment controls programmer ensure appropriate
fail-safe operations. If, for example, a hacker tries
to change a value of a compressor to something out of
range to compromise the equipment, it is up to the compressor
controller programmer to validate any network
data point changes to ensure they are within safe limits and
to implement all necessary internal fail-safes, safety
checks and alarms.
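
One way a controller programmer might implement the validation described above, as an added example that is not from the article or from any vendor's firmware. The pressure limits, step limit, alarm threshold and all names (`compressor_ctl`, `network_write_setpoint`) are hypothetical.

```c
#include <math.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical limits for a compressor discharge-pressure setpoint (kPa).
   Constructed values; real limits come from the equipment manufacturer. */
#define SP_MIN_KPA   800.0
#define SP_MAX_KPA  2400.0
#define SP_MAX_STEP  150.0   /* largest change accepted in a single write */
#define ALARM_AFTER  3       /* consecutive rejects before the alarm latches */

typedef enum { WR_OK, WR_NOT_FINITE, WR_OUT_OF_RANGE, WR_STEP_TOO_LARGE } wr_result;

typedef struct {
    double setpoint_kpa;   /* last validated value; the control loop reads only this */
    int    rejects;        /* consecutive rejected network writes */
    bool   alarm_latched;  /* reported upstream until an operator acknowledges it */
} compressor_ctl;

static wr_result check_value(const compressor_ctl *c, double v) {
    if (!isfinite(v)) return WR_NOT_FINITE;   /* NaN slips past naive < and > tests */
    if (v < SP_MIN_KPA || v > SP_MAX_KPA) return WR_OUT_OF_RANGE;
    double step = v - c->setpoint_kpa;
    if (step < 0) step = -step;
    if (step > SP_MAX_STEP) return WR_STEP_TOO_LARGE;
    return WR_OK;
}

/* Called for every network write to the setpoint data point. */
wr_result network_write_setpoint(compressor_ctl *c, double requested) {
    wr_result r = check_value(c, requested);
    if (r == WR_OK) {
        c->setpoint_kpa = requested;
        c->rejects = 0;
        return r;
    }
    /* Fail safe: keep the last good setpoint, log the event, escalate on repeats. */
    if (++c->rejects >= ALARM_AFTER) c->alarm_latched = true;
    fprintf(stderr, "setpoint write rejected: code=%d value=%f\n", (int)r, requested);
    return r;
}

int main(void) {
    compressor_ctl c = { 1600.0, 0, false };
    network_write_setpoint(&c, 1700.0);   /* accepted */
    network_write_setpoint(&c, 9000.0);   /* rejected, setpoint held at 1700 */
    printf("setpoint=%.0f alarm=%d\n", c.setpoint_kpa, c.alarm_latched);
    return 0;
}
```
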
BAS Intrusions
Security intrusion can be defined in two major categories,
internal sources and external sources. Each has a
wide variety of threat vectors or points of entry into the
system where negative effects can be implemented.
Internal threats are typically security breaches
implemented by employees, contractors, occupants,
tenants and others who have been given certain
access privileges that have been abused. Overcoming
these risks requires strong physical access privilege
monitoring and maintenance and ensuring that physical
access restrictions to systems are managed according to
the potential threat level.
External threats typically originate from outside the
facility's physical environment from sources that do
not have access privileges or have stolen privileges from
authorized entities. As more BASs become internet
enabled, more vectors for accessing building equipment
are opened. Once equipment is exposed, it
becomes a target. Proper firewalls and protections are
required to limit these threat vectors.
Design Principles
When designing building automation systems' cybersecurity
requirements, it is critical to understand not
only the initial design of the system, but also its ongoing
monitoring and management. As mentioned, good system
alarming and alerting is crucial. Real-time monitoring
and alerting of anomalies can be specified as a
requirement of the BMS front end and of each controller
and piece of equipment on the network. Many sources
of good design information are available. Notably, work
is currently underway by a team of volunteers with the
Coalition for Smarter Buildings and the Smarter Stack
effort using the CSI Division 25.25 structure. It provides
a framework for interoperability of building controls
data (digital twin), API application integration and a
framework for cybersecurity design.
Internal Threats
These are threats that emanate from internal sources,
typically from personnel who do something either
knowingly or unknowingly that causes a breach.
Internal threats are best managed through proper
access privilege restrictions both physically and logically.
Only personnel with specific needs should be allowed
to physically access critical equipment. Keep sensitive
equipment behind locked cabinets and locked doors and
manage access privileges through an ongoing credentialing
program. Access credentials should be reviewed
and become an active part of any BAS/BMS system.
Access to the BAS network should include two-factor
authentication, just like banking systems. If that's not
possible, consider enforcing a more robust password.
Making it harder for intrusion is part of the process. A
balance exists between managing the process and the
incumbrance to the facility staff.
External Threats
These are threats that emanate from outside of the
physical location and typically gain access through
unprotected open communication ports, primarily
the internet. Many building automation systems and
building management systems are directly connected to