Building Automation Systems: Addressing Vulnerabilities through Best Practices for Green Builders

Josh Gellers, PhD
Identifying the risks associated with Building Automation Systems, and highlighting best practices designed to guard against unwanted intrusions.

In the 2012 James Bond film Skyfall, a cunning cyber-terrorist accesses information obtained from a stolen hard drive to hack into a computer at the headquarters of MI6, the British Secret Intelligence Service. With the virtual gateway to the structure compromised, the hacker manipulates the building’s gas pipeline to blow up individual rooms. At the pleading of M, 007 is cajoled into active duty, this time to thwart the stealthy cyber-attacker and protect England once again.

Although this scenario is more Hollywood fantasy than legitimate security threat, the underlying concept illustrated—that it may be possible to gain access to sensitive information through networked systems of the built environment—is not altogether removed from reality. Given the increasing relevance of building automation systems (BASs) in the design of buildings, it is important to discuss the potential security implications of utilizing this particular form of building technology and how builders, owners, and operators can safeguard their assets. This article offers a starting point to identify the risks associated with BASs, and highlight best practices designed to guard against unwanted intrusions.

Due to the high degree of integration with the web and other internal and external systems, BASs may present avenues for unauthorized access similar to other smart devices. BASs in particular may be subject to risk exposure because “they often contain sensitive information, and they offer the ability to affect the physical world.”[i] In concrete terms, unsecured BASs may pose potential risks to people who own, operate, and use the building; technological systems which impact the comfort, safety, and security of individuals who utilize the building; and both the technical and business operations related to building use.[ii]

Broadly speaking, unauthorized access to a building BAS could potentially result in financial, physical, and structural issues. For example, operational disruption could lead to a loss in employee productivity and service delivery; inappropriate changes to a building’s ventilation rate could negatively impact the health of occupants (e.g., “sick building syndrome”); and adjusting device settings beyond reasonable limits could damage equipment or the building itself.

Fortunately, concerns regarding the potential risks associated with BASs can be addressed by employing several strategies. First, cyber security practices should be integrated into training and deployment practices for building administrators.[iii] Second, building operators should implement an array of technological safeguards including anti-virus protection software, firewalls, intrusion detection systems, online vulnerability map tools, passwords, secure communication utilities (e.g., virtual private networks), and user accounts.[iv] Third, building owners should develop contingency plans they are capable of executing in the event that a disruption in BAS functionality occurs in order to maintain an acceptable level of service.[v]

Building Automation Systems and LEED

A building automation system installation can be an important component of achieving the energy efficiency goals of a green building project. According to LEEDuser, a building automation system is a system which “uses computer-based monitoring to coordinate, organize, and optimize building control subsystems, including lighting, equipment scheduling, and alarm reporting.”[vi]

BASs can include on-site or remote smart devices which provide information about energy use, water consumption, or air quality, for example, and allow users to alter the building’s operations when necessary. Smart devices may be connected directly to the Internet and/or feed into a larger smart grid.

LEED v4 indirectly acknowledges the potential benefits of BASs as a green building strategy with respect to the Energy & Atmosphere credit category. BASs may prove useful in assessing energy savings, detecting sources of wasted energy, measuring improvements in energy performance, and monitoring energy data.

These benefits may help building owners meet the building-level energy metering prerequisites for both LEED O+M: Existing Buildings and LEED BD+C: New Construction projects. In addition, BASs can aid in the pursuit of a new LEED v4 credit for EB and NC projects which requires participation in an existing demand response program or creating the infrastructure for one in the future. In both instances, BASs present a means of using technology to better manage building energy use.[vii]

Green building professionals should maintain a keen awareness of cyber security best practices, IT system separation techniques, and system redundancy contingency planning.

National Security Implications

The “internet of things” is rapidly advancing, and the interconnection of individual building components and larger systems has relevant implications for national security. To be sure, this issue is already on the Federal Government’s radar, as evidenced by a 2012 FBI Cyber Alert describing an unauthorized intrusion into the Industrial Control System (ICS) of an air conditioning company in New Jersey.[viii] The most immediate analog at the federal level involves the security of government-owned and operated buildings at home and abroad. As a case in point, the U.S. State Department’s Greening Diplomacy Initiative (GDI) has facilitated the design and construction of 49 buildings[ix] under various levels of LEED certification throughout the world.[x] Considering the likelihood that a U.S. embassy might contain or provide a means of accessing sensitive and privileged information, the presence of BASs at any one of these sites presents security challenges for the United States Government.

Recognition of these national security considerations is evident in national policy. For example, the 2006 National Military Strategy for Cyberspace Operations[xi] provides a comprehensive framework for addressing security concerns related to our highly networked world and physical infrastructure. This strategy can easily be expanded in several ways to strengthen the protection of BASs at the national level. First, the Department of Defense should continue to invest in developing technology designed to strengthen cyberspace security, and place special emphasis on augmenting the security of networks which interface with BASs. Second, collaborative partnerships should be established with members of industry, other government agencies, and foreign entities to share best practices and enhance the ability to coordinate responses to catastrophic events. Third, “critical infrastructure” should be interpreted broadly to include networks and devices which serve important physical structures around the world.

Providing a sense of security in a world of increasingly automated systems requires finding a balance between human decision making and intelligent operation, flexibility and control, and freedom and privacy. Through careful training, diligent monitoring, and following best practices this balance can be attained. That BASs can help reduce our energy consumption and increase energy security makes striving for this balance all the more imperative. With the right measures in place, BASs can play an important role in our efforts to achieve the joint goals of environmental sustainability and institutional resilience.


[i] “Security in Internet-Connected Building Automation and Energy Management Systems,” White Paper, Incenergy, accessed 15 Nov. 2013, available at <>.

[ii] Email Interview—Mark Petock and Ken Sinclair, May 2013, accessed 16 Nov. 2013, available at <>.

[iii] Email Interview.

[iv] Chee-Wooi Ten, Manimaran Govindarasu, and Chen-Ching Liu, 2007, “Cybersecurity for Electric Power Control and Automation Systems,” Proceedings of the eNetworks Cyberengineering Workshop, IEEE-SMC, Montreal, QC, Canada, 7-10 Oct. 2007, pp. 29-34.

[v] David Fisk, 2012, “Cyber Security, Building Automation, and the Intelligent Building,” Intelligent Buildings International, pp. 1-13.

[vi] “Building Automation System (BAS),” Glossary, LEEDuser, accessed 16 Nov. 2013, available at <>.

[vii] “LEED v4 Ratchets up the Role of Technology,” Dec. 2013, Institute for Building Efficiency, accessed 31 May 2014, available at <>.

[viii] “Vulnerabilities in Tridium Niagara Framework Result in Unauthorized Access to a New Jersey Company’s Industrial Control System,” 23 Jul. 2012, Situational Information Report, Federal Bureau of Investigation, Newark Division, SIR-00000003417, accessed 15 Nov. 2013, available at <>.

[ix] As of December 2012.

[x] “Eco-Diplomacy: Leading by Example,” United States Department of State, accessed 17 Nov. 2013, available at <>.

[xi] “The National Military Strategy for Cyberspace Operations,” Dec. 2006, Chairman of the Joint Chiefs of Staff, United States Department of Defense, accessed 17 Nov. 2013, available at <>.

Josh Gellers, PhD
Assistant Professor of Political Science at the University of North Florida and LEED Green Associate, conducting innovative research on the nexus between human rights and the natural/built environments.