Protecting Against Building Automation Vulnerabilities. Dave Brooks, PhD Michael Coole, PhD


Overview
- Background of study
- What are Automated Buildings
- BACS security problem
- Practitioner understanding
- BACS Security Guidance: criticality, mitigation strategies
- Security recommendations

Background of Study
- 2010 exploratory study
- Funded & supported by ASIS Foundation, BOMA & SIA
- Objectives: articulate current BACS vulnerabilities; build an evidence-based understanding of security professionals' BACS awareness & practice
- Output: BACS Report

What are BACS?
[Diagram: BACS at the centre, integrating IDS, HVAC, Lighting, ACS, Power, CCTV, Water, Fire & Life Safety and Lifts]

What are BACS?
"Automated system that converges at a central point to integrate building technology & process the flow of information... to create a facility that is safer, more comfortable & productive for its occupants, & more efficient for its owners & operators"
- AKA: EMS, BAS, FMS, BMS, BACS, IB, Smart Building, +++
- Integrates disparate plant
- Free flow of information
- Central monitor & control

BACS Architecture
[Diagram: three tiers]
- Management level: corporate network, management workstation, gateway
- Automation level: Controller #1, Controller #2
- Field devices: sensors & actuators attached to each controller

The Security Problem
- BACS market value US$54-78 billion, at 12-34% annual growth (Marketsandmarkets, 2017; TMR Analysis, 2017)
- Converging all building systems
- Converging functionality at enterprise level
- Legacy issues
- Internet of Things
- Who owns & is responsible?
- Whole-of-building loss: denial, monitoring, control, manipulation

References:
- Marketsandmarkets. (2017). Building Automation System Market by Communication Technology (Wired, & Wireless), Offering (Facilities Management Systems, Security & Access Control Systems, & Fire Protection Systems), Application, & Region - Global Forecast to 2022 (SE2966).
- TMR Analysis. (2017). Commercial Building Automation Market 2016-2024.

BACS Security Problem: Attacks
[Diagram: attack surfaces at the Management, Automation and Field Device levels]

BACS Security Problem: Vulnerabilities

Management level
- Device access: workstation; insert illegal storage device
- Communication network access: logical connectivity
- Wiretapping: monitor & analyze traffic

Automation level
- Controller access: cover; manipulate inputs/outputs; tamper detection; field programmer; embedded functionality; power
- Communication network: wiretapping (sniffing), monitor & analyze traffic; open source programs; data injection (fabrication); illegal controller

Field level
- Device access: manipulation (on/off/alter); destruction
- Connection access: manipulation; destruction
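The automation-level attacks above (sniffing, data injection, an illegal controller on the network) and the architecture slide's split between management workstations and field controllers suggest one concrete control: watch the automation network for state-changing commands that do not originate from the management stations allowed to issue them. The following is an added example, not code from the slides or from the authors' study. It assumes the BACS speaks BACnet/IP (the slides do not name a protocol), and the IP addresses, the allowlist and the sample packets are all constructed for illustration.

```python
"""Flag BACnet/IP state-changing requests from hosts outside a management
allowlist.  Added example; all addresses and packets are constructed."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BACnet confirmed-service choices that alter controller state.
STATE_CHANGING_SERVICES = {
    7: "atomicWriteFile",
    15: "writeProperty",
    16: "writePropertyMultiple",
    17: "deviceCommunicationControl",
    20: "reinitializeDevice",
}
OBJECT_TYPES = {0: "analog-input", 1: "analog-output", 2: "analog-value",
                3: "binary-input", 4: "binary-output", 5: "binary-value",
                8: "device"}

# Assumed: only the BMS management workstation may write to controllers.
ALLOWED_WRITERS = {"10.0.5.10"}


@dataclass
class Apdu:
    pdu_type: int   # 0 = Confirmed-Request, 1 = Unconfirmed-Request, ...
    service: int    # service choice, -1 if not a request
    body: bytes     # service-specific parameters


def parse_bacnet_ip(payload: bytes) -> Optional[Apdu]:
    """Walk BVLC -> NPDU -> APDU and return the APDU header fields."""
    # BVLC: type 0x81, function, 16-bit total length.
    if len(payload) < 6 or payload[0] != 0x81:
        return None
    if struct.unpack_from(">H", payload, 2)[0] != len(payload):
        return None
    if payload[1] not in (0x0A, 0x0B):  # Original-Unicast / Original-Broadcast
        return None
    i = 4
    if payload[i] != 0x01:              # NPDU protocol version
        return None
    control = payload[i + 1]
    i += 2
    if control & 0x80:                  # network-layer message, no APDU
        return None
    if control & 0x20:                  # DNET, DLEN, DADR present
        i += 3 + payload[i + 2]
    if control & 0x08:                  # SNET, SLEN, SADR present
        i += 3 + payload[i + 2]
    if control & 0x20:                  # hop count follows a destination
        i += 1
    apdu = payload[i:]
    if not apdu:
        return None
    pdu_type = apdu[0] >> 4
    if pdu_type == 0:
        # type/flags, max-resp, invoke-id, [seq, window if segmented], service
        hdr = 6 if apdu[0] & 0x08 else 4
        if len(apdu) < hdr:
            return None
        return Apdu(0, apdu[hdr - 1], apdu[hdr:])
    if pdu_type == 1:
        return Apdu(1, apdu[1], apdu[2:])
    return Apdu(pdu_type, -1, apdu[1:])


def write_target(body: bytes) -> Optional[str]:
    """Decode the object identifier (context tag 0) and property (context tag 1)
    at the front of a WriteProperty / WritePropertyMultiple body."""
    if len(body) < 7 or body[0] != 0x0C:
        return None
    obj = struct.unpack_from(">I", body, 1)[0]
    otype, inst = obj >> 22, obj & 0x3FFFFF
    tag = body[5]
    if tag >> 4 != 1 or not tag & 0x08:
        return None
    prop = int.from_bytes(body[6:6 + (tag & 0x07)], "big")
    return f"{OBJECT_TYPES.get(otype, otype)}:{inst} property {prop}"


def inspect(records: List[Tuple[str, bytes]], allowed=ALLOWED_WRITERS):
    """Return (src, service, target) for state-changing requests from
    sources that are not allowlisted management stations."""
    findings = []
    for src, payload in records:
        apdu = parse_bacnet_ip(payload)
        if apdu is None or apdu.pdu_type != 0:
            continue
        name = STATE_CHANGING_SERVICES.get(apdu.service)
        if name and src not in allowed:
            target = write_target(apdu.body) if apdu.service in (15, 16) else None
            findings.append((src, name, target))
    return findings


# --- constructed sample traffic -------------------------------------------
def _bip(apdu: bytes, control: int = 0x04) -> bytes:
    npdu = bytes([0x01, control])
    return bytes([0x81, 0x0A]) + struct.pack(">H", 4 + len(npdu) + len(apdu)) + npdu + apdu


def _confirmed(service: int, invoke: int, body: bytes) -> bytes:
    return bytes([0x00, 0x05, invoke, service]) + body


# WriteProperty analog-output:7 present-value (85) = REAL 72.0, priority 8
WRITE_AO7 = bytes.fromhex("0c00400007" "1955" "3e4442900000" "3f" "4908")
SAMPLE = [
    ("10.0.5.10", _bip(_confirmed(12, 0x41, bytes.fromhex("0c0040000719" "55")))),  # ReadProperty
    ("10.0.5.10", _bip(_confirmed(15, 0x42, WRITE_AO7))),      # write from BMS: allowed
    ("10.0.5.77", _bip(_confirmed(15, 0x43, WRITE_AO7))),      # write from unknown host
    ("10.0.5.77", _bip(_confirmed(20, 0x44, bytes([0x09, 0x00])))),  # ReinitializeDevice coldstart
    ("10.0.5.77", _bip(bytes([0x10, 0x08]), control=0x00)),    # unconfirmed Who-Is: harmless
]


def audit_sample():
    return inspect(SAMPLE)


if __name__ == "__main__":
    for src, svc, target in audit_sample():
        print(f"ALERT {src} issued {svc}" + (f" to {target}" if target else ""))
```

The detector keys only on the source address and the service choice, which is the coarse check the "illegal controller" and "data injection" rows call for; in practice the allowlist would be fed from the BACS asset register and the capture would come from a span port on the automation-level switch, which also makes the Level 1 question about protecting switches and cables matter for the integrity of the feed.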

Practitioners' Understanding of BACS
- Majority of security & building operators had a neutral understanding of BACS vulnerabilities
- Security: very limited BACS responsibilities
- 50% of BACS had integrated security systems
- Diverse views on integration & systems
- Integrators & cyber practitioners displayed understanding
[Chart: Perceived Criticality of BACS Vulnerabilities]

BACS Security Guidance
1. Understand context
2. Identify criticality: operations, occupancy, board, financial, reputation, safety, regulatory, information
3. Respond to questions on: management, security risk, personnel security, physical security, cyber security, incident response, continuity planning, maintenance

Security Guidance: Criticality
Criticality scale on the slide: Critical, Extreme, High, Moderate, Low. Descriptions were captured for three of the tiers:

| Tier | Operations | Financial | Safety | Regulatory | Information | Occupancy |
|---|---|---|---|---|---|---|
| Highest | Impact across all functions with extreme effect to all operations | Financial loss >10% | Multiple deaths | Loss of statutory accreditation to operate for extended period | Significant commercially sensitive info exposed | Unable to occupy whole facility for extended period |
| Intermediate | Substantial degradation of operations with impact to multiple functions | Financial loss >3% | Injuries or illness that results in hospitalization | Record of noncompliance against statutory accreditation | Restricted commercial info exposed | Unable to occupy major parts for extended period |
| Lowest | No measurable operational impact | Financial loss <1% | No resulting lost work | No effect on statutory accreditation | Limited info exposed | Limited effect on occupancy |

BACS Security Guidance: Security Level 1 Low
- Do you have a written & endorsed Security Policy?
- Is BACS formally assigned to the facility manager's portfolio & if so, who?
- Do your personnel security practices include pre-employment screening?
- Do you have an auditable procedure to authorize access to BACS?
- Are BACS controllers, routers & network switches physically protected?
- Do you have a procedure for (mechanical) key control?
- Do you control your BACS remote and/or external logical access?
- Are your BACS logical program & configuration details held in a secure off-site location?

Security Guidance: Security Level 1 High
- Is BACS specifically included in your security policy?
- Do you undertake & propagate environmental scanning to stay informed on best practice to protect BACS?
- Are BACS security audits undertaken?
- Are regular audits of BACS maintenance personnel status undertaken?
- Are the BACS automation-level communication network cables protected?
- During incident response training, are the facility's BACS included in response strategies?
- Do your BACS have an auditable log of all hardware & software changes & alterations?

BACS Security Guidance: Security Level 5 Critical
- Do you undertake a BACS-specific threat assessment?
- Are BACS equipment or device security tamper seals audited on a regular basis?
- Does your physical protection of BACS equipment or devices provide evidence of attempted or actual unauthorized access?
- Do you carry out technical surveillance countermeasure evaluations on your BACS on a regular, but random, schedule?
- Do you scan for unauthorized wireless BACS connectivity to a defined schedule?
- Are all wireless connectivity devices disabled?
- Are your BACS maintenance personnel escorted at all times whilst on-site?

BACS Security Recommendations
- Gain awareness of BACS & its functionality
- Form a BACS Working Group
- Include BACS in risk management reviews: criticality register
- Audit BACS
- Collaborate with BACS experts
- ASIS Foundation: Intelligent Building Management Systems: Guidance for Protecting Organizations

Concluding Remarks
- BACS will continue to grow, converging more building plant & business functions
- Responsibilities lie across multiple groups
- BACS have vulnerabilities & are a security risk
- Generic security strategies mitigate BACS risks
- Be aware & ask the questions
https://www.securityindustry.org/wp-content/uploads/2018/08/intelligent-building-management-Systems-Guidance-for-Protecting-Organizations.pdf

Thank you. Questions?
ASIS Foundation, BOMA & SIA are acknowledged for their support in this research project.