People and property are paramount to the mission of most organizations. To reduce risk, organizations lock doors in order to appropriately secure facilities. They give significant attention to the security of information technology (IT) networks and infrastructures. However, unless they take specific steps to secure their operational technology (OT) systems, it is very likely that their people and property, together with their operational readiness, will be exposed to significant risk.
Hidden in the mechanical rooms and ceilings of modern buildings are complex electrical and mechanical systems that protect the health and welfare of the people and facilities they serve. A building automation system uses networks of microprocessors and sensors to automatically monitor the built environment and manipulate its equipment to delicately balance a healthy indoor environment with efficient use of resources. Like IT systems, building automation systems create, process, and store electronic data. When a building automation system integrates with IT systems and infrastructure to monitor and manipulate physical processes, it becomes an OT system.
Although similar, OT systems differ significantly from IT systems. The logic that executes in an OT system has a direct, immediate effect on the physical world. This influence can introduce significant risk to the health and safety of human lives, serious damage to the environment, financial impact, and negative influence on an organization’s ability to execute its mission (Stouffer et al., 2015).
Unauthorized access to OT systems and data is exploited with increasing frequency in order to cause tenant discomfort, interrupt facility operations, and damage equipment or facilities (ASHRAE SSPC 135, 2020). It can pose significant risk to an organization’s reputation. Just as we protect IT assets from unauthorized access using cybersecurity, OT systems should provide protection commensurate with the security controls already established in the IT domain. These controls should be comparable in rigor but tailored to the distinct needs of OT, which requires protections not common in the IT realm (Granzer et al., 2010; Boeckl et al., 2019).
The underlying principle is known as hardening, or the process of improving the security of an information system by reducing exposure of vulnerabilities. Risk cannot be completely mitigated; the goal of hardening is to enhance mission or business capabilities by mitigating risk to an acceptable level (Stoneburner et al., 2004). For OT systems, this means preserving data integrity and availability. Each organization should perform an objective assessment of the potential impact on normal business operations in the event of an OT incident and should balance security controls with performance requirements. There are many public and private resources and standards for comprehensive OT cybersecurity. Fortunately, common sense and a few simple steps can dramatically improve the protection posture of any OT system.
Before You Start
A qualified vendor backed by the system manufacturer is ideally positioned to provide secure design recommendations that reduce vulnerabilities of their hardware and software. Ask for OT hardening experience as a vendor qualification, and work closely with a qualified vendor to establish hardening guidelines appropriate for the needs of your organization.
Secure by Design
Articulate appropriate cybersecurity protection measures and acceptance criteria during the design phase rather than during execution or commissioning. IT and OT networks are different, with distinct access, security, and performance requirements. Their vulnerabilities expose the facility and operational readiness to separate risks. Consider segregating these disparate systems into dedicated network zones with a single access point and common security requirements (ISA/IEC 62443, 2019). This improves security and resiliency for both the IT and OT networks while minimizing interaction and interdependencies. Physical separation is ideal but not strictly necessary.
During the design phase, develop a continuity and recovery plan appropriate to the needs and resources of your organization for a security or network incident. Designate an entity who is accountable for OT cybersecurity plans, execution, and response. If this is not the entity who is accountable for IT security, the two should coordinate closely (Stouffer & Pillitteri, 2021). At a minimum, a continuity plan should consider the following:
- What is the process for keeping assets patched and current?
- What is the response to an incident or network disruption? How can the OT be detached from the network and operate in isolation?
- What is the process for system backup? Frequent backup and secure storage of OT databases, operational logic, and configuration minimize recovery and downtime.
Work closely with your vendor to ensure that hardening guidelines are followed during deployment. Until they are properly hardened, isolate embedded devices, physical and virtual workstations, and servers from production networks and the Internet. Patch and update operating systems and applications using resources from the manufacturer or a trustworthy source. Audit the configuration with the vendor at delivery and prior to deployment.
Direct access to the network or Internet through OT devices often presents a significant security vulnerability and circumvents authentication and protection measures. Disable or carefully authenticate and monitor technologies like cloud-based services, mobile broadband, Wi-Fi, LoRaWAN, Bluetooth, and near-field communication (NFC) that can provide unmanaged or unmonitored access to the local network zone or Internet.
Open protocol OT systems transmit data in plain text using standard, publicly defined processes. This is crucial for interoperation between components but poses a significant security vulnerability, as it exposes data to manipulation. User credentials should always be encrypted in transmission and storage. Local transmission of interoperable data is acceptable for most applications. However, when it crosses network boundaries, data should be encrypted and a mechanism for authenticating origin and destination should be implemented. The American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) standard for OT interoperability, BACnet, has evolved to feature strong information security for exchanging data across a wide range of IT environments (ASHRAE SSPC 135, 2020). BACnet data encryption through BACnet virtual private networks and BACnet Secure Connect (BACnet/SC) networks is widely available.
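The point above, that open-protocol traffic is readable and that it should not cross a zone boundary unprotected, can be turned into a monitoring check. The following is an added example, not code from the article, from ASHRAE, or from any vendor: it decodes the publicly documented BVLC, NPDU and APDU headers of BACnet/IP datagrams and raises an alert when a state-changing service (writeProperty or writePropertyMultiple) arrives from an address outside the OT network zone. The zone range, source addresses and the three datagrams are constructed for illustration; the parser handles only unrouted, unsegmented messages.

```python
"""Flag plaintext BACnet/IP writes that cross an OT zone boundary (added example).

Parses the BVLC, NPDU and leading APDU bytes of BACnet/IP datagrams and reports
state-changing services that arrive from addresses outside the OT network zone.
The datagrams, addresses and the zone range below are constructed for illustration.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# BACnet/IP framing (ASHRAE 135 Annex J): BVLC type byte, function byte, 2-byte length
BVLC_TYPE_BACNET_IP = 0x81
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B
# APDU PDU type lives in the high nibble of the first APDU byte
APDU_CONFIRMED_REQUEST = 0x0
APDU_UNCONFIRMED_REQUEST = 0x1
CONFIRMED_SERVICES = {12: "readProperty", 14: "readPropertyMultiple",
                      15: "writeProperty", 16: "writePropertyMultiple"}
UNCONFIRMED_SERVICES = {0: "iAm", 8: "whoIs"}
WRITE_SERVICES = {"writeProperty", "writePropertyMultiple"}

OT_ZONE = ipaddress.ip_network("10.20.0.0/16")  # constructed OT zone for the example


@dataclass
class BacnetSummary:
    confirmed: bool
    service: str
    invoke_id: Optional[int]


def parse_bacnet_ip(payload: bytes) -> BacnetSummary:
    """Decode the headers of one BACnet/IP datagram (unrouted, unsegmented only)."""
    if len(payload) < 8 or payload[0] != BVLC_TYPE_BACNET_IP:
        raise ValueError("not a BACnet/IP datagram")
    function = payload[1]
    (length,) = struct.unpack("!H", payload[2:4])
    if function not in (BVLC_ORIGINAL_UNICAST, BVLC_ORIGINAL_BROADCAST):
        raise ValueError(f"BVLC function 0x{function:02x} not handled by this example")
    if length != len(payload):
        raise ValueError("BVLC length does not match datagram size")
    npdu = payload[4:]
    if npdu[0] != 0x01:
        raise ValueError("unsupported NPDU version")
    if npdu[1] & 0x28:  # DNET (bit 5) or SNET (bit 3) present: routed message
        raise ValueError("routed NPDU not handled by this example")
    apdu = npdu[2:]
    pdu_type = apdu[0] >> 4
    if pdu_type == APDU_CONFIRMED_REQUEST:
        # byte 1 = max segments / max APDU, byte 2 = invoke ID, byte 3 = service choice
        invoke_id, choice = apdu[2], apdu[3]
        return BacnetSummary(True, CONFIRMED_SERVICES.get(choice, f"confirmed-{choice}"), invoke_id)
    if pdu_type == APDU_UNCONFIRMED_REQUEST:
        choice = apdu[1]
        return BacnetSummary(False, UNCONFIRMED_SERVICES.get(choice, f"unconfirmed-{choice}"), None)
    return BacnetSummary(False, f"pdu-type-{pdu_type}", None)


def check_boundary(src_ip: str, payload: bytes) -> Optional[str]:
    """Return an alert when a plaintext write service originates outside the OT zone."""
    summary = parse_bacnet_ip(payload)
    if summary.service in WRITE_SERVICES and ipaddress.ip_address(src_ip) not in OT_ZONE:
        return (f"plaintext {summary.service} (invoke id {summary.invoke_id}) "
                f"from {src_ip} outside {OT_ZONE}")
    return None


# Constructed datagrams: writeProperty of 22.5 to analog-value 1 present-value,
# readProperty of the same point, and a Who-Is broadcast.
WRITE_PV = bytes.fromhex("810a001a" "0104" "0005010f" "0c00800001" "1955" "3e" "4441b40000" "3f" "4908")
READ_PV = bytes.fromhex("810a0011" "0104" "0005020c" "0c00800001" "1955")
WHO_IS = bytes.fromhex("810b0008" "0100" "1008")

# Constructed traffic sample: (source address, datagram)
SAMPLE_TRAFFIC: List[Tuple[str, bytes]] = [
    ("10.20.1.50", WRITE_PV),  # operator workstation inside the zone
    ("192.0.2.44", WRITE_PV),  # write arriving from outside the zone: alert
    ("192.0.2.44", READ_PV),   # read from outside: not a write, no alert here
    ("10.20.1.50", WHO_IS),    # ordinary discovery broadcast
]


def scan(traffic: List[Tuple[str, bytes]]) -> List[str]:
    """Run the boundary check over captured traffic and collect the alerts."""
    return [alert for alert in (check_boundary(ip, pdu) for ip, pdu in traffic) if alert]


if __name__ == "__main__":
    for alert in scan(SAMPLE_TRAFFIC):
        print(alert)
```

In practice the datagrams would come from a span-port capture or a firewall log rather than a literal list; the decision logic is the same. Any alert from this check means either the zone boundary is not enforced or a legitimate path exists that should be moved onto an encrypted, authenticated transport such as BACnet/SC.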
User account management simultaneously represents one of the most effective access control mechanisms for—and most dangerous vulnerabilities to—effective network security. To ensure accountability, every user should be assigned unique credentials and appropriate permissions based on the intended level of system access and interaction. This means thoughtfully controlling who can access the system, what they can view, and what they can modify. Proper user account management is quite simple but often ignored or taken for granted, and should include the following steps:
- Disable public and default user accounts.
- Enable automatic sign-off for inactive user accounts.
- Minimize super-user administrators. Consider dual authorization so no single user can change security controls or credentials.
- Consider a role-based access system that categorizes users by the specific permissions required to perform day-to-day tasks rather than the individuals performing the tasks (Reliable Controls, 2019).
- Implement least privilege. Begin with zero trust for each role. Add access and permissions only as they are proven necessary for operational efficacy (Stouffer & Pillitteri, 2021).
- Enforce a reasonable password management policy with appropriate strength. Consider passwords that are hard to guess but easy to remember. Unnecessarily complex password requirements often result in poor personal security hygiene and vulnerable passwords (e.g., recorded on Post-it notes).
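The checklist above maps directly onto an access-control design. The following is an added example, not code from the article or from any building automation product, showing how those steps fit together: one account per person, permissions granted to roles rather than individuals, least privilege, dual authorization so that no single user can change security controls or credentials, and automatic sign-off of idle sessions. The role names, permission names, user names and timestamps are constructed for the example.

```python
"""Role-based access control for an OT operator workstation (added example).

Implements the account-management checklist as code: one account per person,
permissions granted to roles rather than individuals, least privilege, dual
authorization for changes to security controls, and automatic sign-off of
idle sessions. Roles, users and timestamps are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Permissions belong to roles; a person is only ever assigned a role.
ROLE_PERMISSIONS = {
    "viewer": {"read_points"},
    "operator": {"read_points", "write_setpoints", "ack_alarms"},
    "security_admin": {"read_points", "manage_accounts", "change_security_controls"},
}
# Actions that no single user may perform alone.
DUAL_AUTH_ACTIONS = {"manage_accounts", "change_security_controls"}
IDLE_TIMEOUT = timedelta(minutes=15)


@dataclass
class Session:
    user: str
    role: str
    last_activity: datetime


class AccessController:
    def __init__(self) -> None:
        self.sessions: Dict[str, Session] = {}
        self.audit_log: List[tuple] = []

    def sign_in(self, user: str, role: str, now: datetime) -> None:
        if role not in ROLE_PERMISSIONS:
            raise ValueError(f"unknown role {role!r}")
        if user in self.sessions:
            raise ValueError(f"{user!r} is already signed in; accounts are not shared")
        self.sessions[user] = Session(user, role, now)

    def _active_session(self, user: Optional[str], now: datetime) -> Optional[Session]:
        """Return the live session, signing the user off if it has gone idle."""
        session = self.sessions.get(user) if user else None
        if session is None:
            return None
        if now - session.last_activity > IDLE_TIMEOUT:
            del self.sessions[user]  # automatic sign-off of an inactive account
            self.audit_log.append((now, user, "auto-sign-off"))
            return None
        session.last_activity = now
        return session

    def authorize(self, user: str, action: str, now: datetime,
                  approver: Optional[str] = None) -> bool:
        """Decide whether `user` may perform `action`; every decision is logged."""
        session = self._active_session(user, now)
        # Least privilege: the role must carry the permission, nothing is implied.
        allowed = session is not None and action in ROLE_PERMISSIONS[session.role]
        if allowed and action in DUAL_AUTH_ACTIONS:
            # Dual authorization: a second, distinct signed-in user whose role also
            # carries the permission must approve; self-approval is rejected.
            second = self._active_session(approver, now) if approver != user else None
            allowed = second is not None and action in ROLE_PERMISSIONS[second.role]
        self.audit_log.append((now, user, action, approver, allowed))
        return allowed


def walkthrough() -> Dict[str, bool]:
    """Exercise the controller with constructed users; True means the policy held."""
    t0 = datetime(2024, 1, 1, 8, 0)
    ac = AccessController()
    ac.sign_in("viewer1", "viewer", t0)
    ac.sign_in("op1", "operator", t0)
    ac.sign_in("secadmin1", "security_admin", t0)
    ac.sign_in("secadmin2", "security_admin", t0)
    change = "change_security_controls"
    return {
        "viewer_cannot_write": not ac.authorize("viewer1", "write_setpoints", t0),
        "operator_can_write": ac.authorize("op1", "write_setpoints", t0),
        "operator_cannot_change_controls": not ac.authorize("op1", change, t0, approver="secadmin1"),
        "single_admin_blocked": not ac.authorize("secadmin1", change, t0),
        "self_approval_blocked": not ac.authorize("secadmin1", change, t0, approver="secadmin1"),
        "operator_cannot_approve": not ac.authorize("secadmin1", change, t0, approver="op1"),
        "two_admins_allowed": ac.authorize("secadmin1", change, t0, approver="secadmin2"),
        "idle_session_signed_off": not ac.authorize("op1", "write_setpoints", t0 + timedelta(minutes=20)),
    }


if __name__ == "__main__":
    for check, held in walkthrough().items():
        print(f"{check}: {'ok' if held else 'FAILED'}")
```

Note that the dual-authorization rule is enforced by the role model itself (the approver's role must carry the same permission), so adding a new privileged action is a one-line change to the tables rather than a new code path.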
As the system enters operation, it is important to inventory OT assets. Document the devices that comprise the system and how each asset is used. Identify the most critical assets. Check for and remove all unauthorized assets. It is critical to maintain good security hygiene. Keep assets up to date and fully patched. Train users on why cybersecurity is an organizational priority, on their responsibilities, and on how to look for things out of the ordinary that may be evidence of a cybersecurity incident. Regularly audit operator activity and disable unused accounts. Revoke access that isn’t strictly necessary. Immediately disable accounts when someone leaves the organization (Stouffer & Pillitteri, 2021).
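Two of the operational tasks above, reconciling the asset inventory and auditing accounts, are routine enough to script. The following is an added example, not code from the article or from any vendor, that compares devices reported by a network discovery pass against the authorized inventory (flagging unknown devices and missing critical ones) and then reviews enabled accounts for default accounts, accounts idle beyond a policy threshold, and accounts belonging to people who have left. The device records, account records, criticality ratings, default-account names and the 90-day threshold are all constructed for illustration.

```python
"""Asset inventory reconciliation and account hygiene audit (added example).

Compares devices discovered on the OT network against the authorized inventory
and finds enabled accounts that are default accounts, idle past a policy
threshold, or belong to people who have left. Every device record, account
record, threshold and date is constructed for illustration.
"""
from datetime import date
from typing import Dict, List, Tuple

# Authorized inventory: device instance -> (description, criticality)
AUTHORIZED_ASSETS: Dict[int, Tuple[str, str]] = {
    1001: ("AHU-1 controller", "high"),
    1002: ("VAV-2-04 controller", "low"),
    2001: ("Chiller plant gateway", "high"),
}

# What a discovery pass reported (constructed)
DISCOVERED = [
    {"instance": 1001, "address": "10.20.1.11", "vendor": "ExampleVendor"},
    {"instance": 1002, "address": "10.20.1.12", "vendor": "ExampleVendor"},
    {"instance": 3001, "address": "10.20.1.77", "vendor": "unknown"},  # not in inventory
]

DEFAULT_ACCOUNT_NAMES = {"admin", "guest", "public", "default"}  # constructed list
MAX_IDLE_DAYS = 90  # constructed policy threshold

# Constructed account records as an operator workstation might export them
ACCOUNTS = [
    {"username": "jdoe", "enabled": True, "last_login": date(2024, 5, 28), "departed": False},
    {"username": "guest", "enabled": True, "last_login": None, "departed": False},
    {"username": "contractor7", "enabled": True, "last_login": date(2024, 1, 15), "departed": False},
    {"username": "asmith", "enabled": True, "last_login": date(2024, 5, 30), "departed": True},
    {"username": "svc_backup", "enabled": False, "last_login": None, "departed": False},
]


def reconcile_inventory(authorized: Dict[int, Tuple[str, str]],
                        discovered: List[dict]) -> Dict[str, List[int]]:
    """Unknown devices are candidates for removal; missing critical ones need attention."""
    seen = {d["instance"] for d in discovered}
    unauthorized = sorted(d["instance"] for d in discovered if d["instance"] not in authorized)
    missing = sorted(i for i in authorized if i not in seen)
    critical_missing = [i for i in missing if authorized[i][1] == "high"]
    return {"unauthorized": unauthorized, "missing": missing, "critical_missing": critical_missing}


def audit_accounts(accounts: List[dict], today: date,
                   max_idle_days: int = MAX_IDLE_DAYS) -> List[Tuple[str, str]]:
    """Return (username, recommended action) for every enabled account that needs attention."""
    findings: List[Tuple[str, str]] = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already disabled; nothing to do
        name = acct["username"]
        if acct["departed"]:
            findings.append((name, "user has left the organization: disable immediately"))
        if name.lower() in DEFAULT_ACCOUNT_NAMES:
            findings.append((name, "default or public account enabled: disable"))
        last = acct["last_login"]
        if last is None or (today - last).days > max_idle_days:
            findings.append((name, f"no sign-in within {max_idle_days} days: disable or revoke"))
    return findings


if __name__ == "__main__":
    print(reconcile_inventory(AUTHORIZED_ASSETS, DISCOVERED))
    for user, action in audit_accounts(ACCOUNTS, date(2024, 6, 1)):
        print(f"{user}: {action}")
```

Both checks are meant to be run on a schedule and their output kept, so that the audit trail shows the inventory and account list were reviewed, not just that they exist.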
The health and welfare of people and property in the built environment rely on complex mechanical and electrical systems that are critical to operational readiness and consume significant resources. Poor OT cybersecurity is a clear and present threat to our people and property. A thoughtful approach to OT system security need not be onerous or complex. Even a simple strategy enhances mission capabilities by mitigating risk to an acceptable level. Properly operated and secured, these systems ensure the comfort and well-being of facilities and their occupants.
Levi M. Tully is executive vice president of sales at Reliable Controls Corporation in Victoria, British Columbia, Canada. He can be reached at firstname.lastname@example.org.