Cybersecurity for Building Management Systems

In recent times there have been a number of high-profile cyberattacks on organisations stemming from vulnerabilities in what are generally considered low-profile systems. We refer specifically here to building management systems (BMS), otherwise known as building automation systems (BAS). These are computer-based control systems installed in buildings that control and monitor a building's mechanical and electrical equipment. This equipment includes door locking and access controls, lighting, power systems, ventilation, chiller units, fire systems and security systems, and may involve many more interfaced systems.

High Profile Cyberattacks

By Stephen Berry, Chief Executive Officer, DDE Technology
Published on 24 June, 2020

Examples of BMS cyberattacks include the Target retail stores attack in 2013. Bad actors accessed Target's point-of-sale (POS) system software and were able to obtain the credit and debit card data associated with over 110 million user accounts.

The attack, however, was not aimed directly at the POS system. It began when operatives stole login credentials used by Target's heating, ventilation and air conditioning vendor, which was connected to the Target corporate network. Attackers were able to gain access to Target's Active Directory and, ultimately, the POS system, where it was possible to collect credit card numbers and other sensitive data.

The same attack vector has been used against five-star hotels, giving hackers access to sensitive customer data.

And if the theft of customer data and the resulting brand damage are not bad enough, malicious access to building control systems can put human life at risk. Imagine door locking controls in hotels being manipulated so that guests are trapped in their rooms, or fire safety systems being compromised. It does not take much imagination to see the dangers inherent in those scenarios.

BMS Communication Protocol Vulnerabilities

A common communication protocol used in BMS systems is BACnet. BACnet allows technicians and engineers to monitor and control a wide range of critical building systems via built-in web applications, but a vulnerability in the protocol can be exploited by attackers, according to cyber security researcher Bertin Bervis.

The vulnerability can be used to modify the web application code by injecting JavaScript code into the BMS device, exploiting the read/write properties of the BACnet protocol itself, he told attendees of the IoT Village at a DEF CON security conference in Las Vegas. As explained by Bervis, the code is stored in the BACnet database, helping the attacker to achieve persistence on browser devices that are used in building environments or industrial facilities that connect via BACnet.
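A defensive illustration of the issue described above, added here and not taken from Bervis's talk or from any BMS product: the web application encodes every BACnet property value before rendering it, and an audit pass flags writable string properties that contain markup. The property names chosen, the device records and the function names are assumptions constructed for this example.

```javascript
// Added example: BACnet character-string properties are untrusted input.
// Device records and the choice of properties are constructed for illustration.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the characters that would let a stored value break out of text context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened rendering: name and value are both encoded before entering markup.
function renderPropertyRow(name, value) {
  return `<tr><td>${escapeHtml(name)}</td><td>${escapeHtml(value)}</td></tr>`;
}

// Content that has no place in a device name, description or location.
const SUSPICIOUS = [
  /<\s*\/?\s*[a-z][^>]*>/i, // any HTML tag
  /\bon[a-z]+\s*=/i,        // inline event-handler attribute
  /javascript\s*:/i,        // javascript: URL scheme
];

// Audit: one finding per string property whose stored value carries markup.
function auditDevices(devices) {
  const findings = [];
  for (const dev of devices) {
    for (const [prop, value] of Object.entries(dev.properties)) {
      if (typeof value !== 'string') continue;
      if (SUSPICIOUS.some((re) => re.test(value))) {
        findings.push({ device: dev.instance, property: prop, value });
      }
    }
  }
  return findings;
}

// Constructed inventory, as it might be read back from devices during an audit.
const sampleDevices = [
  { instance: 1001, properties: { 'object-name': 'AHU-3 Supply Fan',
      description: 'Heating & Cooling plant, level 3', location: 'Roof' } },
  { instance: 1002, properties: { 'object-name': 'Chiller 2',
      description: 'Chiller 2 <script src="//example.invalid/a.js"></script>' } },
  { instance: 1003, properties: { 'object-name': 'Door Ctrl 7',
      location: 'Lobby" onmouseover="void(0)' } },
];

for (const f of auditDevices(sampleDevices)) {
  console.log(`device ${f.device} ${f.property}: ${escapeHtml(f.value)}`);
}
```

Output encoding is the control that stops a stored value from executing; the audit only shows where a value has already been tampered with and should be restored.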

CyberSecurity for Smart Buildings and Smart Cities

Increasingly, Smart Buildings are being touted as the future of urban construction. A Smart Building is any structure that uses automated processes to control the building's operations, including heating, ventilation, air conditioning, lighting, security, power management and other systems. Given that many of the control systems used in Smart Buildings embody risk in their design (a problem that exists in Operational Technology (OT) devices in general), the risks to which we refer here are considerable.

BMS systems are computer systems that send and receive instructions across a network to control field devices (e.g. door locking controls). Due to the relatively open nature of this architecture, numerous cyber and physical vulnerabilities are evident. Additionally, many companies rely heavily on third-party vendors to manage their BMS systems.

External access to your systems by vendors is a “black box” which introduces another set of risks that need to be managed (recall the Target example earlier). Similarly, disgruntled employees can gain control of BMS systems relatively easily. CIOs often own the risk of these IT systems but do not have the visibility to effectively manage and safeguard them. Effective cybersecurity starts with visibility of assets (which, in the case of Smart Buildings and Cities, may be considerable). The next step is effective monitoring of devices for internal and external threats and anomalies, coupled with appropriate processes and policies for the people who actually manage the systems, bearing in mind that these people are often external vendors.

DDE has considerable experience working with industrial control systems and BMS systems across large properties such as hotels, casinos, public rides, exhibition centres, theatres and attractions, and understands the risks inherent in these systems. Contact us to learn more about the cyber risks of BMS systems and how operators can quickly deploy threat detection and anomaly monitoring systems and internal process controls to mitigate these risks.

DDE Technology is a trusted advisor to companies around the world that rely upon critical operational infrastructure. We provide a range of solutions that ensure industry keeps running and that address the threats inherent in an increasingly interconnected world.