All buildings, regardless of size and purpose, have systems required to make them run including HVAC, fire suppression, water and waste systems, elevators, security and more. These are the basics, but depending on the purpose of the building, it may also be equipped with additional specialized mechanics. Arguably, every one of these systems is mission critical and requires constant monitoring and control. In recent years, a new category of software known as building management systems (BMS) has emerged to centrally control these discrete mechanical devices and processes.
Pumps play a major role in the successful operation of BMS. In fact, electronically commutated motor (ECM) technology has yielded benefits in terms of exacting run standards while also increasing efficiency and reducing costs when it comes to pumping, heating or chilling. With multispeed smart motors, costs can be reduced by up to 80 percent. But there is a catch.
To realize these benefits, pump technology—a subset of BMS—has become smarter by leveraging internet of things (IoT) technology. For the first time, the BMS environment, which was once isolated from the world by an “air gap,” now is connected via IoT and is vulnerable to outside tampering and security threats.
IoT Security Risks
Imagine an external hacker or rogue employee who wants to shut down or sabotage a system. What better way to do so than by launching an attack on the heartbeat of the facility, namely the BMS. Decreasing pump revolutions could cause a building not to be heated. Increasing the ECM pumps’ revolutions could burn out the motor or cause system failure.
In critical infrastructure environments, shutting down a cooling pump to a nuclear facility could cause a potential meltdown disaster. In fact, the risks could continue to mount because BMS was created when it was isolated from the outside world. This is no longer the case.
The Department of Homeland Security (DHS) recently issued an alert on a vulnerability in a popular BMS with a maximum severity score. The system in question specifically controls cooling and heating through IoT via a web interface.
The DHS advises that smart pumps and ECM are potentially subject to external security threats to BMS that can now be reached via multiple attack vectors. According to global consultancy firm Frost & Sullivan, the BMS market generated $5.8 billion in 2019 and is projected to grow at a compounded annual growth rate (CAGR) of 4.7 percent by 2022. With this rate of adoption, risks are expected to increase as more buildings and infrastructure go “smart” using IoT and BMS.
Vulnerability of BMS-Controlled Processes
In addition to the DHS providing a maximum severity score to a recent BMS vulnerability, the alert further cautioned that in some instances an attacker could gain “full system access” to the BMS and be able to run commands at will on any device. The alert also noted that the expertise required to take advantage of the vulnerability required a low level of skill and could be used to shut down a building with one click.
This development underscores the importance of having a robust BMS security system in place that can provide visibility, security and control across pump and BMS environments. This has long been the de facto posture for information technology (IT) operations due to well-publicized security incidents. But, the same approach has not been applied to industrial environments, such as building operations.
The recent convergence of IT and operational technology (OT) environments that includes ECM, coupled with the increased use of IoT technology, has made security a must-have requirement.
As we have seen from recent industrial attacks on aluminum maker Norsk Hydro and chemical manufacturers Hexion and Momentive, there is a clear and present need for close cooperation between the worlds of IT and OT in order to achieve the requisite levels of protection across both infrastructures. Since IT tools guard against IT threats and OT tools guard against OT threats, identifying threats that can originate in either environment and move laterally between the two requires security integration, collaboration and intelligence sharing.
With the right BMS security solution, organizations can gain the upper hand by:
- Knowing where the weak links reside. By performing a comprehensive risk assessment, organizations can gain clear visibility into their cybersecurity posture and vulnerabilities that require attention before they can be exploited.
- Automatically tracking assets. This happens through automated inventory management processes that provide a fundamental building block for visibility, security and control over BMS. With an up-to-date and accurate account of every device—from the patch list on a Windows machine to a programmable logic controller (PLC)’s backplane configuration—organizations have the detailed information they need to know what to defend.
- Proactively monitoring exposure to risk. Detecting complex and evolving cyberthreats requires advanced tools, knowledge and training. BMS security tools that can work in conjunction with their IT security tool counterparts can provide a 360-degree view of unintended changes to industrial systems right down to PLCs that control pumps.
IoT is unleashing the operational benefits of smart pumps and ECM, while exposing building systems to new security risks. These new threats in turn require cybersecurity capabilities that are integrated with BMS infrastructure and IT security tools to detect, address and remediate vulnerabilities before they can be used to take buildings offline.