Intelligent building systems: security and facility professionals’ understanding of system threats, vulnerabilities and mitigation practice
Intelligent Buildings or Building Automation and Control Systems (BACS) are becoming common in buildings, driven by the commercial need for functionality, sharing of information, reduced costs and sustainable buildings. The facility manager often has BACS responsibility; however, their focus is generally not on BACS security. Nevertheless, if a BACS-manifested threat is realised, the impact to a building can be significant, through denial, loss or manipulation of the building and its services, resulting in loss of information or occupancy. Therefore, this study garnered a descriptive understanding of security and facility professionals’ knowledge of BACS, including vulnerabilities and mitigation practices. Results indicate that the majority of security and facility professionals hold a general awareness of BACS security issues, although they lacked a robust understanding to meet necessary protection. For instance, understanding of 23 BACS vulnerabilities were found to be equally critical with limited variance. Mitigation strategies were no better, with respondents indicating poor threat diagnosis. In contrast, cybersecurity and technical security professionals such as integrators or security engineering design professionals displayed a robust understanding of BACS vulnerabilities and resulting mitigation strategies. Findings support the need for greater awareness for both security management and facility professionals of BACS vulnerabilities and mitigation strategies.
KeywordsIntelligent Smart Cybersecurity Risk Threat Mitigation Professional Convergence
This article was made possible by research funding and membership participation from the ASIS Foundation, the Security Industry Association (SIA), and the Building Owners and Managers Association (BOMA). The research Report: Brooks, D. J., Coole, M., Haskell-Dowland, P., Griffith, M., & Lockhart, N. (2018b). Building automation & control systems: An investigation into vulnerabilities, current practice & security management best practice.
- Assante, M.J., and Lee, R.L. 2015. The industrial control system cyber kill chain. Singapore: SANS Institute. https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297.
- Brooks, D.J. 2013. Security threats and risks of intelligent building systems: Protecting facilities from current and emerging vulnerabilities. In. Securing critical infrastructures and critical control systems: Approaches for threat protection, ed. Christopher Laing, Atta Badii and Paul Vickers (pp. 1–16). IGI Global. ISBN 978-14-66626-59-1.Google Scholar
- Brooks, D.J., M. Coole, and P. Haskell-Dowland. 2018a. Intelligent building management systems: Guidance for protecting organizations. Alexandria, VA: ASIS Foundation.Google Scholar
- Brooks, D.J., M. Coole, P. Haskell-Dowland, M. Griffith, and N. Lockhart. 2018b. Building automation & control systems: An investigation into vulnerabilities, current practice & security management best practice. Alexandria, VA: ASIS Foundation.Google Scholar
- CIBSE. 2000. Building control systems: CIBSE guide H. Oxford: Butterworth-Heinemann.Google Scholar
- Frost and Sullivan. 2008. Bright green buildings: Convergence of green and intelligent buildings. https://www.caba.org/CABA/DocumentLibrary/Public/Bright_Green_Buildings.aspx.
- Granzer, W., F. Praus, and W. Kastner. 2009. Security in building automation systems. IEEE Transactions on Industrial Electronics 57 (11): 3622–3630.Google Scholar
- High Performance HVAC. 2017. Building automation systems. http://highperformancehvac.com/building-automation-systems-hvac-control/.
- ISO. 2004. ISO 16484-2 Building automation and control systems (BACS): Part 2 hardware. Geneva: International Organization for Standardization.Google Scholar
- ISO. 2007. ISO/IEC 14908-1 Open data communication in building automation, controls and building management—control network protocol: Part 1 protocol stack. Geneva: International Organization for Standardization.Google Scholar
- King, R.O.N. 2016. Cyber security for intelligent buildings. Engineering and technology reference, 1–6, ISSN 2056-4007. 10.1049/etr.2015.0115.Google Scholar
- Marketsandmarkets. 2017. Building automation system market by communication technology (wired, and wireless), offering (facilities management systems, security & access control systems, and fire protection systems), application, and region—global forecast to 2022 (SE2966). http://www.marketsandmarkets.com/Market-Reports/building-automation-control-systems-market-408.html.
- Sall, I. 2017. Does IoT mean the death of the BMS? http://www.facilitiesshow.com/does-iot-signal-death-bms.
- Schneider Electric. 2015. Guide to open protocols in building automation. Andover, MA: Schneider Electric. https://blog.schneider-electric.com/wp-content/uploads/2015/11/SE-Protocols-Guide_A4_v21.pdf.
- Simpson, J.A., and E.S.C. Weiner (eds.). 1989. The oxford english dictionary, 2nd ed. Oxford: Oxford University Press.Google Scholar
- Sinopoli, J. 2012. Security issues with integrated smart buildings. http://www.automatedbuildings.com/news/dec12/articles/sinopoli/121119103101sinopoli.html.
- Technavio. 2016. Global integrated building management systems market 2017-2021. https://www.technavio.com/report/global-automation-global-integrated-building-management-systems-market-2017-2021?.
- TMR Analysis. 2017. Commercial building automation market 2016-2024. http://www.transparencymarketresearch.com/commercial-building-automation.html.
- Wyman, R. 2017. Consider the consequences: A powerful approach for reducing ICS cyber risk. Cyber Security: A Peer Reviewed Journal 1 (1): 1–17.Google Scholar