Page 21 - 240221_BACnet_Europe-Journal_40
P. 21
BACnet Insight
© ICONAG
Strategie für IT-Sicherheit in der Gebäudeautomation / Strategy for IT Security in Building Automation
Schadensvermeidung
Damage Prevention
• Daten und Kommunikation verschlüsseln / / Encrypting Data
and Communication
• Härten der Systeme / Hardening Systems
Bedrohung / Threat • Zugang sichern (Firewalls, Identifikation, Authentifizierung) /
Securing Access (Firewalls, Identification, Authentication)
• Richtlinien / Policies
• Sabotage
• Einbruch / Intrusion
• Spionage / Espionage
Schaden Schadensminderung
Damage Damage reduction
• Anlagenmanipulation/Plant Manipulation • Datenverlust/Data Loss • Alarmierung/Alerting
• Datenmanipulation/Data Manipulation • Vertrauensverlust/Loss of Trust • Notbedienebene/Emergency
• Diebstahl/Theft • Produktionsausfall Downtime/ Operation Level
• Personenschäden/Personal Injury Production Interruption • Backups
• Rückverfolgbarkeit/ Traceability
(Audit Trial) Strategie für IT-Sicherheit
Source: based on VDMA 24774 in der Gebäudeautomation.
Strategy for IT security in
www.iconag.com
building automation.
management software with functions for recording with model designations of the components, MAC mation to the internet, e.g., due to cloud computing.
user activities (Audit Trial), addresses, installation location, and firmware 3. Based on a security concept, establish concrete IT
acceptance of the BA system only with the latest versions, security requirements for planning, implementation,
firmware (automation stations) or software version IT security training for operators. and operation based on VDMA 24774. Also, in the
(BMS), at least all security-relevant updates, espe- context of increasing cloud computing, encrypted
cially the current patches from Windows, as well as Specifications for the operation of BAS: protocols such as BACnet/SC should be required for
the current versions of the software systems used. newly installed BA systems and for the renovation of
Individual usernames and passwords, existing BA systems.
Specifications for the implementation and regular security-relevant updates/upgrades 4. Establish work instructions and behavioral instructions
execution of BAS: (especially for PCs, servers, and routers), ensuring (policies) for damage prevention and mitigation. Agree
that updates are downloaded exclusively from on software maintenance and system maintenance to
Establishment of physically or virtually separate IP unaltered sources with certificates, regularly close known security vulnerabilities.
networks for building automation along with securing regular backups of system programming, configuration, 5. In the course of regular maintenance, check not only
particularly vulnerable network segments through configuration changes of MBE software, and stored compliance with policies but also the currency of the
firewalls, operating data, security concept.
secure access for remote maintenance, ensuring compliance with work instructions and
definition of a backup concept for automation behavioral instructions, including regular updating
stations and management levels along with of the IT security concept as part of BA system
instructions for recovery, maintenance,
physical securing of control cabinets, technical regular IT security training.
rooms, etc., including deactivation of USB or
Ethernet access, Summary
malware protection and the latest security patches
for engineering tools, Even in building automation, there is no 100% guarantee
project-specific adjustment of access authorizations of availability, integrity, authenticity, and confidenti-
and password changes (especially on automation ality of data. However, by specifying and adhering to
stations, BMS), activation of auto-logoff functions, simple technical and organizational measures, a good
further hardening of the systems by deactivation or level of security can be achieved. The consistent use
deletion of all unused services, physical accesses, of BACnet/SC is just one, albeit important, component
user accounts, processes, and programs (especially for greater future security. In summary, the following
on automation stations, BMS), activation of auto- 5 tips:
logoff functions, 1. Determine the protection requirements for each
preparation of work instructions and behavioral building based on a risk analysis. This must be done
instructions for the permanent maintenance of IT jointly by specialist planners, clients, and operators.
security by the installer (SOP = Standard 2. Recognize that BA systems are particularly
Operating Procedure), vulnerable in terms of IT security, with the greatest risks
creation and handover of a BA network documentation currently arising from the connection of building auto-
Christian Wild
GeschäftsführerICONAG Leittechnik GmbH Idar-Oberstein
christian.wild@iconag.comwww.iconag.com
BACnet Europe Journal 40 03/24 21