Nearly every commercial building has a level of physical security that includes access control, cameras and fire alarms. Cybersecurity used to be an IT challenge, while physical security was siloed under facilities management. However, building owners are increasingly integrating physical security into the entire automation system, which could bring opportunities for new threats, but also for a more flexible, intelligent and failproof security system.
Building automation systems produce data that owners, managers and sometimes tenants can access. The question is how to provide a secure link to systems such as CCTV, the elevator network and doors. Low-voltage installers continue to deliver key physical security technology that keeps buildings safer, and today they can work as part of a holistic approach to building intelligence, said Ron Bernstein, CEO of RBCG Consulting, Encinitas, Calif. He is a member of the specifying building automation systems committee within ASHRAE, which offers Standard 135-2016, BACnet—A Data Communication Protocol for Building Automation and Control Networks.
Bernstein has seen the transition underway. Traditional building security—access control, intrusion detection, video camera systems, etc.—is still typically separate from the building automation system. However, physical security plays a role in a fully controlled building, since the security system helps enable building owners to control whether people enter and know where people and assets are or if they’re allowed to be in a certain area. Building automation can track whether something out of the norm takes place based on security information, and it can present a picture related to how everything is running throughout the building. Security technology spills into the world of IT because data from the security side relates to the control side of lighting, air conditioning and heating and the features that create a comfortable environment.
“So what’s happening is now we have two different sets of information coming from, in some cases, multiple sources: an occupancy or proximity sensor, one from the HVAC system, one from the lighting system and even one from the security system,” Bernstein said.
Creating an integrated view
Integrating building systems means bringing the Construction Specifications Institute’s divisions together, including divisions 26 (electrical), 25 (integrated automation), 28 (safety and security) and 21 (fire).
“The challenge with that is you have different entities involved in those systems,” Bernstein said, including different suppliers feeding products and solutions to contractors for each division. “These teams [traditionally] haven’t been coming together from an integrated automation standpoint.”
He noted that projects have launched with more integration requirements, including that a security system needs to provide the building management software the current status of security equipment, any operational alerts and maintenance and fault protection information. Some security product lines have standard building automation control interfaces, including a Modbus IP communication protocol that users can leverage to monitor these systems.
Today, building owners ask, “Can I integrate my fire system, lighting system, security system and HVAC system into a common building management system (BMS),” all in a single pane of glass?
“The answer is yes,” Bernstein said. He noted a project in the healthcare sector he is consulting for where there are 32 different subsystems in the building that will be integrated into one environment. In such a medical facility, that can mean compressors, backup power, power monitoring, irrigation, kitchen equipment and vending machines, not to mention the security features.
However, the cybersecurity hurdle builders face may be ensuring the security system, when integrated into a cloud-based, building-wide system, isn’t exposed to something or someone it shouldn’t. Could a hacker bypass a door lock? Could they disable a camera or alarm system? Could they turn off a vital medical device?
As a solution, ASHRAE guidelines suggest a one-way flow of information so the BMS cannot control the security equipment. That means the BMS can receive data from fire, smoke or evacuation systems and feed that data into the HVAC system to close dampers or shut down air handlers, but data cannot flow back to the security or fire systems.
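One way to enforce that one-way rule at the network boundary, given that the article notes some security product lines expose a Modbus IP interface, is a read-only protocol filter placed between the BMS and the security or fire controller: the BMS may poll status, but any function code that writes, resets or reconfigures the device is answered with a Modbus exception and never forwarded. The following is an added example written for this page, not code from ASHRAE, Siemens or any product mentioned; the sample frames are constructed by hand and the register and coil numbers are arbitrary assumptions.

```python
"""
Read-only Modbus/TCP filter for a BMS -> security/fire controller link.

Constructed example: frames below are hand-built, not captured traffic,
and the register/coil addresses are assumptions, not a real device map.
"""
import struct

# Public function codes that only read data: the BMS is allowed to use these.
READ_ONLY_FUNCTIONS = {
    0x01: "Read Coils",
    0x02: "Read Discrete Inputs",
    0x03: "Read Holding Registers",
    0x04: "Read Input Registers",
}

# Modbus exception code returned for anything that is not a plain read.
ILLEGAL_FUNCTION = 0x01


def parse_mbap(adu: bytes):
    """Split a Modbus/TCP ADU into (transaction id, unit id, PDU).

    MBAP header: transaction id (2), protocol id (2), length (2), unit id (1).
    The length field counts the unit id plus the PDU that follows it.
    """
    if len(adu) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", adu[:7])
    if pid != 0:
        raise ValueError("protocol id is not 0 (not Modbus)")
    if length != len(adu) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return tid, unit, adu[7:]


def build_adu(tid: int, unit: int, pdu: bytes) -> bytes:
    """Wrap a PDU in an MBAP header."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def exception_response(tid: int, unit: int, function: int, code: int) -> bytes:
    """Modbus exception: function code with the high bit set, then the code."""
    return build_adu(tid, unit, bytes([function | 0x80, code]))


def filter_request(adu: bytes):
    """Return ('allow', None) or ('deny', exception_adu).

    Default-deny: writes (0x05, 0x06, 0x0F, 0x10, ...), diagnostics (0x08),
    encapsulated transport (0x2B) and unknown codes are all rejected, because
    several of their sub-functions can change state or reset the controller.
    """
    tid, unit, pdu = parse_mbap(adu)
    function = pdu[0]
    if function in READ_ONLY_FUNCTIONS:
        return "allow", None
    return "deny", exception_response(tid, unit, function, ILLEGAL_FUNCTION)


def build_request(tid: int, unit: int, function: int, payload: bytes) -> bytes:
    return build_adu(tid, unit, bytes([function]) + payload)


# Constructed sample traffic as it might arrive from the BMS side.
SAMPLE_REQUESTS = {
    "poll door status (read input registers 0..3)":
        build_request(1, 1, 0x04, struct.pack(">HH", 0, 4)),
    "read alarm coils 0..15":
        build_request(2, 1, 0x01, struct.pack(">HH", 0, 16)),
    "write single coil 7 ON (would unlock a door)":
        build_request(3, 1, 0x05, struct.pack(">HH", 7, 0xFF00)),
    "write holding register 10 (would change a setpoint)":
        build_request(4, 1, 0x06, struct.pack(">HH", 10, 0)),
}


def audit(requests=SAMPLE_REQUESTS):
    """Run every sample request through the filter; return name -> verdict."""
    verdicts = {}
    for name, adu in requests.items():
        verdict, reply = filter_request(adu)
        verdicts[name] = verdict
        detail = f"  -> exception {reply.hex()}" if reply else ""
        print(f"{verdict:5s} {name}{detail}")
    return verdicts


if __name__ == "__main__":
    audit()
```

The filter is a software approximation of the ASHRAE guidance: data still flows back to the BMS as read responses, but nothing the BMS sends can change the state of the security or fire controller, and every denied frame is a loggable event for the SOC. Where the risk justifies it, a hardware unidirectional gateway (data diode) between the two networks enforces the same rule without depending on parser correctness.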
Cybersecurity in the building
Cybersecurity concerns in buildings continue to evolve, and they may not always be recognized or appreciated.
“What makes me nervous is the owners and operators who still don’t think cybersecurity on OT [operational technology] networks is important,” said Mike Galler, mechanical engineer for the National Institute of Standards and Technology, Gaithersburg, Md.
A recent report found that only 8% of small businesses have a dedicated budget for cybersecurity.
Galler pointed out that cyberthreats such as malware, ransomware and phishing do not discriminate based on the size of the company they are attacking.
Increasing awareness of the importance of cybersecurity seems an important challenge, he said. There should be an understanding, on the part of the building owner and installers, that each additional system potentially increases the attack surface area. That’s something the system integrators should attempt to minimize.
But the solution to such risks isn’t as daunting as some think. As long as each system is designed to be secure and is properly installed and maintained, there should be little concern. As the physical security system manufacturers adopt standard communications protocols such as BACnet, the integration complexity will be reduced, helping to diminish any remaining concerns.
The weakest link
Galler added, however, that one of the most important parts of any solution is training the people who will be using it. They can be the greatest vulnerability.
“It is vital that every person using the BMS, or any system on the IT or OT network, has at least a basic understanding of cybersecurity principles,” he said.
This includes picking a strong password; recognizing malware, spam and phishing attempts; and knowing not to run unauthorized software on the BMS or OT network.
Integrating cybersecurity planning into the life cycle of each facility as early as possible will benefit all involved, Galler said. The configuration of the IT and OT networks must be designed around cybersecurity.
Figure: The best way to protect a building automation system is to include both physical and cybersecurity that's integrated and accessible. (Image: Siemens)
“Retrofitting cybersecurity onto the network at a later stage may result in more work with less effect,” he said.
In the meantime, ongoing advancements in analytics and artificial intelligence (A.I.)—enabled by cloud connectivity—continue to add value to building automation systems, according to Michael White, director of business development and senior engineering technologist for intelligent buildings, Americas, at Siemens USA, Washington, D.C. That value can be gained by way of operational efficiency, energy performance and sustainability, user experience, resilience or safety and security.
Every building is different. The intelligence built into a data center is not the same as a lab. In a data center, White said, “a Siemens automation system might employ a rich network of sensors at the IT equipment, cooling unit controls and A.I. to balance facility cooling with real-time IT load.”
On the other hand, a lab building, while also energy-hungry, differs in the way people interact with the equipment on site.
“A Siemens BAS [building automation system] in this type of environment, where 60% of the energy is consumed by fume hoods and ventilation systems, would operate as a single platform and interface to create and automatically assign interfaces,” White said. It could respond dynamically to occupancy. That can include heating, cooling, fume hood controls, lighting and shades.
Values and challenges
Cyberthreats now extend beyond the typical purview of IT.
“Increased connectivity means a growing attack surface, which has brought the focus of IT and cybersecurity professionals to OT systems security,” White said.
The value of connected building systems is clear; however, managing and decreasing the attack surface is more challenging.
He advised that the best way to properly protect systems is to incorporate elements of the defense-in-depth approach where organizational, personnel, procedural, physical and technical security controls are all grouped into common layers. Guidance for this approach can be found in the standards and frameworks from the Department of Defense, the National Institute of Standards and Technology, the International Society of Automation and the International Electrotechnical Commission.
“There will continue to be challenges to the cybersecurity of BAS as its design and [as] implementation expands across multiple domains,” White said, including where responsibilities fall within varying project entities. “The facility owner is ultimately responsible and needs to ensure a full risk assessment and security plan are implemented very early in the planning of the project and clearly communicated to all project teams, from concept through delivery and ongoing operations.”
Siemens offers a dedicated cybersecurity center of competence team that can provide services to its customers. In the meantime, next-generation BAS, such as Siemens Building X, will further expand connectivity at the edge.
“Unified onboarding will accommodate larger data sets and building portfolios with increased efficiency and economy,” he said.
Challenges will persist as cyber criminals find new vulnerabilities. There are millions of unfilled cybersecurity jobs worldwide, while annual cybercrime damage has grown to trillions of dollars.
“We need to encourage public-private partnerships that inspire more people to pursue options such as career technical education in high school, two-year technical programs at community colleges or apprenticeships that help people build cybersecurity skills,” White said.
About The Author
SWEDBERG is a freelance writer based in western Washington. She can be reached at [email protected].