Page 21 - 240221_BACnet_Europe-Journal_40
P. 21

BACnet Insight

                                                                                                        © ICONAG
            Strategie für IT-Sicherheit in der Gebäudeautomation / Strategy for IT Security in Building Automation

                                          Damage Prevention

                                         •  Daten und Kommunikation verschlüsseln / / Encrypting Data
                                           and Communication
                                         •  Härten der Systeme / Hardening Systems
              Bedrohung / Threat         •  Zugang sichern (Firewalls, Identifikation, Authentifizierung) /
                                           Securing Access (Firewalls, Identification, Authentication)
                                         •  Richtlinien / Policies
              •  Sabotage
              •  Einbruch / Intrusion
              •  Spionage / Espionage
                                             Schaden                       Schadensminderung
                                              Damage                        Damage reduction
                      •  Anlagenmanipulation/Plant Manipulation •  Datenverlust/Data Loss  •  Alarmierung/Alerting
                      •  Datenmanipulation/Data Manipulation  •  Vertrauensverlust/Loss of Trust  •  Notbedienebene/Emergency
                      •  Diebstahl/Theft         •  Produktionsausfall Downtime/   Operation Level
                      •  Personenschäden/Personal Injury  Production Interruption  •  Backups
                                                                        •  Rückverfolgbarkeit/ Traceability
                                                                          (Audit Trial)         Strategie für IT-Sicherheit
                                                                              Source: based on VDMA 24774  in der Gebäudeautomation.
                                                                                                Strategy for IT security in
                                                                                                building automation.
          ƒ  management software with functions for recording   with model designations of the components, MAC   mation to the internet, e.g., due to cloud computing.
           user activities (Audit Trial),     addresses, installation location, and firmware    3. Based on a security concept, establish concrete IT
          ƒ  acceptance of the BA system only with the latest   versions,      security requirements for planning, implementation,
           firmware (automation stations) or software version   ƒ  IT security training for operators.  and operation based on VDMA 24774. Also, in the
           (BMS), at least all security-relevant updates, espe-                context of increasing cloud computing, encrypted
           cially the current patches from Windows, as well as   Specifications for the operation of BAS:  protocols  such  as  BACnet/SC  should  be  required  for
           the current versions of the software systems used.                  newly installed BA systems and for the renovation of
                                            ƒ  Individual usernames and passwords,  existing BA systems.
          Specifications for the implementation and   ƒ  regular security-relevant updates/upgrades    4. Establish work instructions and behavioral instructions
          execution of BAS:                   (especially for PCs, servers, and routers), ensuring   (policies) for damage prevention and mitigation. Agree
                                              that updates are downloaded exclusively from    on software maintenance and system maintenance to
          ƒ  Establishment of physically or virtually separate IP    unaltered sources with certificates,  regularly close known security vulnerabilities.
           networks for building automation along with securing   ƒ  regular backups of system programming, configuration,   5. In the course of regular maintenance, check not only
           particularly vulnerable network segments through    configuration changes of MBE software, and stored   compliance with policies but also the currency of the
           firewalls,                         operating data,                  security concept.              
          ƒ  secure access for remote maintenance,  ƒ  ensuring compliance with work instructions and
          ƒ  definition of a backup concept for automation    behavioral instructions, including regular updating
           stations and management levels along with    of the IT security concept as part of BA system
           instructions for recovery,         maintenance,
          ƒ  physical securing of control cabinets, technical   ƒ  regular IT security training.
           rooms, etc., including deactivation of USB or
           Ethernet access,                 Summary
          ƒ  malware protection and the latest security patches
           for engineering tools,           Even in building automation, there is no 100% guarantee
          ƒ  project-specific adjustment of access authorizations   of availability, integrity, authenticity, and confidenti-
           and password changes (especially on automation    ality of data. However, by specifying and adhering to
           stations, BMS), activation of auto-logoff functions,  simple technical and organizational measures, a good
          ƒ  further hardening of the systems by deactivation or   level of security can be achieved. The consistent use
           deletion of all unused services, physical accesses,   of BACnet/SC is just one, albeit important, component
           user accounts, processes, and programs (especially   for greater future security. In summary, the following
           on automation stations, BMS), activation of auto-   5 tips:
           logoff functions,                1. Determine the protection requirements for each
          ƒ  preparation of work instructions and behavioral   building based on a risk analysis. This must be done
           instructions for the permanent maintenance of IT   jointly by specialist planners, clients, and operators.
           security by the installer (SOP = Standard    2. Recognize that BA systems are particularly
           Operating Procedure),            vulnerable in terms of IT security, with the greatest risks
          ƒ  creation and handover of a BA network documentation   currently arising from the connection of building auto-

                                                              Christian Wild
                                                              GeschäftsführerICONAG Leittechnik GmbH Idar-Oberstein

                                                                                     BACnet Europe Journal 40 03/24 21
   16   17   18   19   20   21   22   23   24   25   26