Building Management

Software Vulnerability Best Practices to Protect Your BMS from Security Threats

As building management systems grow more intelligent and increasingly connect to the Internet to share data, they can also be the target of cybersecurity threats. In this fourth and final installment on BMS security, we cover a topic that may seem more appropriate for IT groups than facilities managers: ensuring software security and vulnerability management.25851115_s

Indeed these are both disciplines that IT groups have been practicing for years. But, as with the topics of the three previous posts – network security, password management and threats from within – they are now very real threats to any intelligent BMS as well.

Software management for proper security

IT groups typically follow a list of best practices to ensure the security of the software that runs on their systems. Now that BMSs are heavily software-reliant, many of the same issues apply.

First up is to stay on top of software security patches. All software has bugs in it that, if exploited, can enable intruders to break in to the system. Eventually, many of these bugs are found and vendors come out with fixes, or patches. The easiest target for an intruder is a system with a known bug that has not been patched, so a best practice is to have a plan to ensure that all vulnerabilities get patched – which we’ll discuss more in a minute.

Another is to ensure only authorized employees can deploy software. Installing software often requires running a system in administrator mode. If you open this up to users who are not administrators, you run the risk of them inadvertently (or maybe on purpose) creating a vulnerability (see principle of lease privilege from the last post).

Similarly, another best practice is to install only known, authorized software. A common cyber attack tactic is to distribute doctored software deployment packages that compromise a device’s integrity. Vendors use various methods to verify the integrity of their software packages, including verification codes and cyber certificates. The key is to be familiar with the verification system for any components of your BMS and implement procedures to ensure they are followed.

Best practices for BMS vulnerability management

Vulnerability management is a process through which you determine the severity level and risk associated with each known software vulnerability. Such a process helps you determine which vulnerabilities need to be addressed immediately vs. those that can wait a bit.

The idea is to assign each known vulnerability a qualitative rating, such as “Critical,” “High,” “Medium,” and “Low,” or a numeric system ranging from 1 to 10. Generally speaking, vulnerabilities rated Critical (9-10) and High (7-8) need to be addressed as soon as possible. Less severe vulnerabilities can usually be addressed during regular maintenance.

When assigning a rating, consider issues such as the potential impact of an exploit to the vulnerability, any risks associated with the update process and any factors that will affect the ability to access or update the device.

To learn more about how to protect your BMS against cyber threats, download the free Schneider Electric white paper, “Five Best Practices to Improve Building Management Systems (BMS) Cybersecurity.”

Contributor:

Gregory-Strass_avatar_1415981358Gregory Strass, CISSP, CEH, is the Building Systems IT Cybersecurity Lead at Schneider Electric. He holds degrees in Electrical Engineering and Computer Science from the University of Illinois in Urbana. Additionally he holds CISSP and CEH certifications. He has worked in the embedded field for over 35 years.


2 Responses
  1. Dario

    Hi, we make a supervisor system and we discussed a lot about how to protect KNX bus but we did not find a good solution.
    For example in a hotel with all the rooms connected with KNX our customer (the installer of our supervisor system) ask us to log what happens on the bus all the day so that if a hacked do something they can see in the log what happened and they can say later to the hotel that a hacker did the problem and they are not accountable.
    Is there a similar best practice or something that i can add to our server to protect the installations?
    For example i go into a room, i connect to the bus in some way and wait for other customers to come in their room while logging the bus.
    Maybe the project is made using KNX system to open the doors and that’s it , i can open doors very easily.
    I thought about something like alarm if i see message not involved in the project but i did not do it yet, do you think it can be a good idea?
    Another solution can be isolate each room using one of our server on each room (in our case is also possible, the server can work on 40 euro hardware and they can work like a star network to a central server).

    Do you have other solutions?

    Thanks
    Dario

    Reply
    • Jon Williamson Jon Williamson

      Thanks for your post. What you have outlined is a challenge as the tools available for non-IP based protocols are limited.

      KNX based devices communicate on a 2-wire serial bus. Like many non-IP based protocols, KNX does not include a cybersecurity feature set. Researchers have studied KNX and have determined that the KNX protocol cannot be protected against cyber attacks when the hacker has physical access to the MNX bus.

      KNX networks are often routed to IP based networks, which provides a path for IP-based attacks. One countermeasure for IP-enabled KNX networks is to assure that the IP routing devices and web interfaces to the KNX networks have sufficient security mechanisms. The security mechanisms can include best practices such as IP white lists, encryption, and authentication of all un-trusted connections. This level of protection is considered to be the minimum stopgap for IP-enabling KNX networks.

      Along with having the proper security features available and configured correctly on the KNX IP routers, it is recommended to monitor communications to those routers. Intrusion detection software can be using to monitor traffic into a site, which is a good defense when remote access to the KNX network is required. However, internal threats are also a concern, so use of end-point modeling can be using to monitor traffic at the device regardless of its origin.

      I located a paper on this topic on the “BCS, The Chartered Institute for IT” website: http://ewic.bcs.org/content/ConWebDoc/53231. You may find this resource helpful.

      Another approach is to base your designs on a protocol that can communicate over an IP network using secure connections. Over the next 10 years, many systems will be moving off serial based buses in favor of standard IT based technologies that can be directly supported and secured by IT departments.

      Best regards,
      Jon

      Reply

Leave a Reply

  • (will not be published)