As infrastructure modernizes, building management systems (BMS) are becoming increasingly sophisticated. They provide automation, control and management of a building's physical environment, and to operate reliably they need to be secured. This can be crucial in some buildings, such as hospitals. What can you do to make buildings safer?
An Introduction to BMS
BMS stands for Building Management System. It is a computer-based system that controls and monitors a building’s mechanical and electrical equipment, such as heating, ventilation, and air conditioning (HVAC), lighting, and other building systems.
There are several common BMSs used in buildings today, each with its own features and capabilities. These include:
- Siemens Desigo
- Johnson Controls Metasys
- Honeywell WEBs
- Schneider Electric Andover Continuum
- Trane Tracer
- Delta Controls
There are many more systems, and the choice of BMS depends on the specific requirements of the building and the needs of the building owner or operator. However, they have one thing in common – the BACnet protocol is frequently used between these systems and HVAC endpoints.
BACnet Protocol: Essential for Building Management Systems Security
The Building Automation and Control Network (BACnet) protocol is a communication protocol that is widely used in building automation and control systems for HVAC, lighting, and other building systems. BACnet was designed to provide a standard way for different building systems to communicate and share data, and is now used in thousands of buildings worldwide.
One of the key features of BACnet is its support for security. BACnet includes several security features to protect against unauthorized access, tampering, and other types of attacks. These features include:
- Authentication: BACnet supports the use of passwords and other forms of authentication to ensure that only authorized users can access the building automation and control systems.
- Encryption: BACnet supports the use of encryption to protect the confidentiality and integrity of data as it is transmitted between different devices and systems.
- Access control: BACnet includes features to restrict access to specific objects and properties within the building automation and control systems. This allows building operators to control who can access and control different systems within the building.
- Auditing: BACnet includes the capability to record and log all access to the building automation and control systems. This allows building operators to detect and investigate any unauthorized access or tampering.
Despite these security features, the BACnet protocol has some security weaknesses. For example, some security experts have raised concerns about the use of static passwords for authentication, which can be easily guessed or cracked by attackers. Additionally, BACnet does not include support for security certificates or other forms of digital authentication, which can make it more difficult to ensure that devices are communicating with the correct systems.
Another concern with BACnet security is that its security features are not widely implemented. Many building automation and control systems using BACnet do not have security features enabled, or have them configured in an insecure way. This leaves them vulnerable to attacks and can make it easy for unauthorized users to gain access to sensitive systems and data.
BACnet is a communication protocol that is widely used in building automation and control systems, and provides several security features to protect against unauthorized access and tampering. However, there are some concerns about the security of the protocol, particularly regarding the use of static passwords and the lack of wide implementation of security features. It is important for building operators to be aware of these security risks and to take steps to secure their building automation and control systems, such as regularly changing passwords, enabling encryption, and monitoring for suspicious activities.
Risk Mitigation in BMS Security
One of the most important aspects of risk mitigation is the visualization of the flows to and from a BMS, whether they run over BACnet or a different OT protocol. This allows an operator to optimize their network configuration, mitigating the risks of:
- Static passwords
- Lack of certificates
- Disabled security features on various BACnet-enabled assets
One tool you can use for flow visualization is GREYCORTEX Mendel, which has protocol parsers and BMS asset identification built into its core.
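To make the flow-visualization idea concrete, here is an added Python example (not Mendel's code and not part of the original post) that decodes the BACnet/IP BVLC, NPDU and APDU headers of constructed sample frames, builds a (source, destination, service) flow inventory, and flags state-changing services such as WriteProperty or ReinitializeDevice coming from any host other than the assumed BMS server at 10.0.10.5. All addresses and frames are constructed for the example.

```python
import struct
from collections import Counter
# Service choices from the BACnet standard: confirmed requests (PDU type 0) and unconfirmed (type 1).
CONFIRMED = {12: "ReadProperty", 14: "ReadPropertyMultiple", 15: "WriteProperty",
             16: "WritePropertyMultiple", 17: "DeviceCommunicationControl", 20: "ReinitializeDevice"}
UNCONFIRMED = {0: "I-Am", 8: "Who-Is"}
STATE_CHANGING = {"WriteProperty", "WritePropertyMultiple", "DeviceCommunicationControl", "ReinitializeDevice"}
ALLOWED_WRITERS = {"10.0.10.5"}   # assumed: only the BMS server should issue state-changing services

def parse_bacnet_ip(payload: bytes) -> dict:
    """Decode the BVLC, NPDU and APDU headers of one BACnet/IP UDP payload (port 47808)."""
    if len(payload) < 8 or payload[0] != 0x81 or payload[4] != 0x01:
        raise ValueError("not a BACnet/IP frame (BVLC type 0x81, NPDU version 1)")
    bvlc_func, bvlc_len = payload[1], struct.unpack("!H", payload[2:4])[0]
    if bvlc_len != len(payload) or bvlc_func not in (0x0A, 0x0B):   # Original-Unicast/Broadcast-NPDU
        raise ValueError("bad BVLC length or unsupported BVLC function 0x%02x" % bvlc_func)
    npdu, control, pos = payload[4:], payload[5], 2
    if control & 0x20:                      # destination specifier: DNET(2) DLEN(1) DADR(DLEN)
        pos += 3 + npdu[pos + 2]
    if control & 0x08:                      # source specifier: SNET(2) SLEN(1) SADR(SLEN)
        pos += 3 + npdu[pos + 2]
    if control & 0x20:                      # hop count follows the address fields
        pos += 1
    if control & 0x80:                      # network-layer message: no APDU to classify
        return {"kind": "network-layer", "service": "network-layer", "state_changing": False}
    apdu, pdu_type = npdu[pos:], npdu[pos] >> 4
    if pdu_type == 0:   # Confirmed-Request: type/flags, max-segs/max-APDU, invoke-id, service choice
        service = CONFIRMED.get(apdu[3], "confirmed-%d" % apdu[3])
        return {"kind": "confirmed", "invoke_id": apdu[2], "service": service,
                "state_changing": service in STATE_CHANGING}
    if pdu_type == 1:   # Unconfirmed-Request: type byte, service choice
        service = UNCONFIRMED.get(apdu[1], "unconfirmed-%d" % apdu[1])
        return {"kind": "unconfirmed", "service": service, "state_changing": False}
    kind = "pdu-type-%d" % pdu_type         # acks, errors, rejects, aborts: responses, not requests
    return {"kind": kind, "service": kind, "state_changing": False}

def flow_inventory(frames):
    # Count (src, dst, service) flows and flag state-changing requests from unexpected hosts.
    flows, alerts = Counter(), []
    for src, dst, payload in frames:
        info = parse_bacnet_ip(payload)
        flows[(src, dst, info["service"])] += 1
        if info["state_changing"] and src not in ALLOWED_WRITERS:
            alerts.append((src, dst, info["service"]))
    return flows, alerts

# Constructed sample traffic as hex, not a capture from any real building.
SAMPLE = [("10.0.10.5", "10.0.10.255", "810b000c0120ffff00ff1008"),                       # global Who-Is
          ("10.0.10.21", "10.0.10.255", "810b001c0128ffff0000010105ff1000c40200000122040091032108"),  # I-Am via MS/TP router
          ("10.0.10.5", "10.0.10.21", "810a001101040005010c0c02000001194d"),              # ReadProperty device,1 object-name
          ("10.0.20.77", "10.0.10.21", "810a001a01040005020f0c0040000119553e44424800003f4908"),  # WriteProperty AO,1 present-value
          ("10.0.20.77", "10.0.10.21", "810a000c0104000503140900")]                       # ReinitializeDevice coldstart
FRAMES = [(src, dst, bytes.fromhex(hexdata)) for src, dst, hexdata in SAMPLE]
```

Running `flow_inventory(FRAMES)` yields the per-flow counts plus two alerts for the writes from 10.0.20.77, which is the kind of unexpected flow a network map should make visible.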
Do you want to know more about our solution and how Mendel can help you keep your building management secure? Leave us a note and we will get back to you.