Modern web-accessibility of building control systems is both a blessing and a curse. It is a blessing if you’re the facilities manager and you live an hour away from the building you’re responsible for and there is a problem in the middle of the night. Simply fire up the ole home computer, connect to your building, issue a few overrides, clear an alarm, go back to sleep and deal with it in the morning. So what’s the downside?
Let’s take a step back. Over the last decade the automatic temperature controls industry has undergone incredible changes. It's been transformed from a proprietary product-centric model to a model that embraces open and mixed manufacturer systems. These open systems are becoming more and more Internet connected, right down to the controller level. They've also seen isolated software application-based user interfaces transform into web-based interfaces.
These systems are constructed within the “lowest bid” construction model. This lowest bid model creates an incentive for a “get in and get out” approach to installing building management system (BMS) products. Therefore, there is no apparent or direct financial incentive to secure your building's BMS against access from the Internet. And the design engineering community is not generally specifying, on the building owner’s dime, that these systems be protected from the Internet (would an architect specify a front door without a lock? And who ultimately pays for the lock and owns its maintenance?). Rather, the focus of the installation contractor is to get the building controls running within job specifications and move on to the next job.
This might be okay for a larger corporation with an IT department fully staffed with professionals who will ask questions like, “What is this BMS-thing on my network, and who should have access to it?” But for customers like public schools, small local businesses, and even medium-sized corporations with small IT budgets, this can be problematic. What often ends up occurring is that the BMS is just “put right on the Internet” (in tech talk: given a public IP address, or reached by forwarding a port through the NAT router). What does that mean though?
Put It Right Out There
To some degree or another, most people, when accessing the Internet, are behind some type of firewall. This single level of protection by itself is as good as a lock on your front door – it keeps the honest folks out (most of us accept this). When you put a device “right on the Internet,” it’s like putting it outside your locked front door for anybody to access whether you want them to or not.
Yeah, yeah, you might say—“but who even knows where I am on the Internet? I am at some obscure IP address, it’s not like you can drive by my cable-modem and look through the windows.” To that I would reply, “Obscurity is not security.” Here’s why:
Within the last couple of years I found out about a website named SHODAN that continuously scans the Internet for connected devices and indexes what answers. It is a search engine (like Google, Yahoo, and Bing), but for systems like a BMS: devices that are instantly accessible with nothing more than a web browser. It’s literally looking for your device, outside your front door, and upon finding it, keeping a record of your address for others to use.
At the time of writing this post, doing some quick searches on SHODAN I found:
- 10,686 - BACnet devices
- 1,129 - Tridium devices
- 590 - Automated Logic devices
… And the list goes on.
What Should You Ask Yourself?
If you are a building owner, you should ask your IT department (and if you don’t have one, your controls provider) how remote access is achieved. One good quick litmus test (if you’re not a computer-savvy person) is: can you access your BMS from home just by opening a web browser and typing in an IP address (which generally looks like “192.0.2.10”)? Can you do this on your phone, off your home Wi-Fi? If you can without having to run any sort of extra connection software (such as a VPN client) first, chances are you’re vulnerable. Needing that extra software is a good sign, not a guarantee: the login page behind it still needs a password that isn’t the factory default.
How Can You Resolve This Problem?
There are several low-cost products out there that provide some level of protection (which is always better than none): a firewall that blocks unsolicited inbound connections, combined with a VPN for remote access. They will hide what’s on your network from the rest of the world and lock that front door. You’ll still be able to access your system, but you’ll keep it off the streets, to continue my analogy. Again, the best thing to do is talk with your controls contractor and ask them how remote access is achieved. If you don’t get warm fuzzy feelings during that conversation, it might be worth it to contact an IT consultant or your IT department.
The commissioning process, like building systems, is constantly adapting to meet the demands of modern technology. Commissioning your building controls systems can identify these types of problems, in addition to flushing out other issues you may not be aware of. Feel free to contact us if you have any questions.
Two Resources on Building Systems, the Internet of Things and Security
I'd also invite you to check out my colleague Ben Fowler’s posts on building management systems, security and the Internet of Things. The first describes one of the more well-known examples of a compromised system in the last couple years, and the second offers some simple steps you can take to reduce your risk.