Page 26 - BACnet_Europe-Journal_43

BACnet Insight



Vulnerability Management for Hardware and Software Components

Components in building automation today often consist of complex combinations of software and hardware, such as embedded Linux, web interfaces, network protocols, and physical interfaces. Vulnerabilities in such systems can manifest themselves at many levels.

Receiving reports on vulnerabilities

To make it easier for security researchers and others to find the right contact person in an organization, organizations should provide a security.txt file on their website in accordance with RFC 9116. The security.txt is a file that provides relevant contact information in a human- and machine-readable form. It is located at a defined location on the organization’s website, which simplifies contact and allows it to be found using automated tools (e.g., web crawlers). Those who find the file must be able to trust that the information will reach the right person at the organization via the appropriate channels. Since this may be sensitive information, it makes sense not only to standardize the transfer of information, but also to confirm the authenticity of the contact details provided, ideally using cryptographic means in . 8

Provision of vulnerability information

Effective vulnerability management is therefore essential for manufacturers, integrators, and operators. The Common Security Advisory Framework (CSAF) provides a structured, machine-readable way to publish vulnerability information and share it automatically. Manufacturers can state clearly which products are affected, which firmware versions are vulnerable, and what countermeasures are available. CSAF significantly reduces the manual effort involved in searching for security information and determining whether or not a product is affected. It allows manufacturers, users, operators, and administrators to automatically retrieve information about individual vulnerabilities and determine whether they are affected. Non-affected products can also be communicated in a scalable manner (Vulnerability Exploitability eXchange (VEX) as a profile in CSAF).

In an increasingly networked and complex world, the number of security-related vulnerabilities will grow significantly, and modern vulnerability management using CSAF documents will become indispensable. The BSI provides support with platforms and tools related to CSAF, including validation tools and templates for structured advisories, and publishes reports on vulnerabilities and security gaps via the CERT-Bund warning and information service. In addition, there is a CSAF lister listing public bodies that publish CSAF documents.

Vulnerability management and security.txt

Effective vulnerability management is essential. Organizations should:
• Provide a security.txt file in accordance with RFC 9116 to facilitate contact for security notifications
• Use the Common Security Advisory Framework (CSAF) to publish structured, machine-readable advisories

The CSAF format allows both affected and unaffected products to be communicated (via VEX profiles).

The BSI provides tools, templates, and a central platform for distribution.

Cyber Security in Building Automation

Asset management in building automation with Malcolm

In networked buildings, asset management forms the basis for secure and stable operation. Only those who know which devices are connected where and how can respond specifically to security incidents, vulnerability reports, or failures. However, many operators still work with fragmented lists or incomplete documentation. This is where the open-source project Malcolm comes in. Developed by the Idaho National Laboratory (INL), it enables the passive recording and analysis of communication behavior in industrial and building technology networks. Malcolm automatically detects assets in the network, classifies them, and visualizes their communication relationships. Tools such as Zeek, Suricata, and Kibana are used for this purpose. This not only gives operators a complete overview of their technical infrastructure, but also provides an early warning system for unusual activities. Malcolm provides a valuable foundation for compliance, incident management, and auditability, especially in heterogeneous networks with BACnet/IP, KNX, MQTT, and proprietary protocols. 10

Network security in building automation

Network security is the backbone of building security. With the increasing networking and external connection of automation components, the risks are growing – for example, through unprotected VPN gateways, directly accessible controllers, or uncontrolled remote access. Exposed systems must be consistently isolated. They should never be directly accessible from the internet, but secured via secure VPN connections, two-factor authentication, and firewalls. Protocols such as BACnet/IP or Modbus/TCP may only be used over clearly defined communication paths. The transition between IT and OT networks is particularly critical. This interface must be protected by dedicated zones or demilitarized zones (DMZ). Only clearly authorized data flows should take place here – ideally monitored by DPI (Deep Packet Inspection) and logging systems such as Malcolm.

The international standard IEC 62443 defines a zoning model for this purpose that is ideal for use in building automation. Networks are divided into security zones, for example for management systems, automation networks, field devices, and external service providers. The connections between these zones – known as conduits – are controlled and secured in a graded manner. Each zone is assigned a defined security level depending on its risk. This prevents, for example, an infected IT client from gaining uncontrolled access to the building management system. The defense-in-depth model is therefore also the optimal method for securing networks in building automation. 9

From standard to implementation: VDMA and BIG-EU provide guidance

The topics of cybersecurity and resilience are also becoming increasingly important in building automation. Two current documents provide important guidance on this subject: VDMA Standard 24774 and the “Security in Building Automation” guideline from the BACnet Interest Group Europe (BIG-EU) Working Group WG-FM.

VDMA Standard Sheet 24774 is aimed at all parties involved in the life cycle of technical building equipment – from planners and installers to manufacturers and operators. The aim of the document is to transfer the information security requirements from standards such as IEC 62443 to the context of building automation in a practical manner. The standard introduces basic role and concept models, assigns specific responsibilities, and describes measures for risk analysis and risk minimization. Typical risk situations such as unauthorized access, manipulation, or system failure are outlined, and security measures are presented, including network segmentation, access control, remote access protection, and vulnerability and patch management. A central
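To make the security.txt requirement from the "Receiving reports on vulnerabilities" section concrete, here is an added example (not from the article and not from any organization it names) that parses a security.txt as described in RFC 9116 and reports the problems a reviewer would look for first. The sample file, its example.invalid domain and the CSAF field pointing at a provider-metadata.json (the linkage CSAF 2.0 defines for security.txt) are constructed for the demo.

```python
# Added example (not from the article): minimal checker for a security.txt
# file as described in RFC 9116. The sample file below is constructed.
from datetime import datetime, timedelta, timezone

SAMPLE_SECURITY_TXT = """\
# constructed sample of /.well-known/security.txt, not a real organization
Contact: mailto:security@example.invalid
Expires: 2031-01-01T00:00:00.000Z
Encryption: https://example.invalid/pgp-key.txt
Canonical: https://example.invalid/.well-known/security.txt
CSAF: https://example.invalid/.well-known/csaf/provider-metadata.json
"""
REQUIRED = {"contact", "expires"}   # RFC 9116: both MUST be present

def parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))  # RFC 3339, "Z" allowed

def parse_security_txt(text):
    """Return {lower-case field name: [values]}; names are case-insensitive."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                    # blank lines and comments are allowed
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields

def check_security_txt(text, now=None):
    """Return a list of problems (empty = passes); 'now' may be an RFC 3339 string."""
    now_dt = parse_time(now) if now else datetime.now(timezone.utc)
    fields = parse_security_txt(text)
    problems = [f"missing required field: {f}" for f in sorted(REQUIRED - set(fields))]
    for uri in fields.get("contact", []):
        if not uri.startswith(("mailto:", "tel:", "https://")):
            problems.append(f"contact should be a mailto:, tel: or https: URI: {uri}")
    if len(fields.get("expires", [])) == 1:
        expires = parse_time(fields["expires"][0])
        if expires <= now_dt:
            problems.append("expires is in the past: treat the file as stale")
        elif expires > now_dt + timedelta(days=366):
            problems.append("expires is more than a year ahead (RFC 9116 recommends less)")
    # CSAF field: defined by CSAF 2.0 for security.txt (not by RFC 9116) -> provider-metadata.json
    for uri in fields.get("csaf", []):
        if not uri.endswith("/provider-metadata.json"):
            problems.append(f"csaf field should point at provider-metadata.json: {uri}")
    return problems
```

Passing an explicit `now` makes the Expires check reproducible; in production the default (current UTC time) is what you want.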
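The automatic "are we affected?" check that the "Provision of vulnerability information" section describes, as an added example that is neither the article's nor the CSAF project's code: it matches a CSAF 2.0 advisory using the VEX profile against an operator's asset inventory and reports the status (known_affected, known_not_affected, fixed) and any vendor fix per device. The vendor, product names, product IDs, advisory ID and the CVE placeholder are all constructed for this demo.

```python
# Added example (not from the article or the CSAF project): decide "are we affected?" by
# matching a CSAF 2.0 VEX advisory against an asset inventory. Everything below is constructed.
import json

CSAF_VEX = json.dumps({
    "document": {"category": "csaf_vex", "csaf_version": "2.0", "title": "Constructed advisory",
                 "publisher": {"category": "vendor", "name": "ExampleVendor",
                               "namespace": "https://vendor.example"},
                 "tracking": {"id": "EXV-2025-0001", "status": "final", "version": "1"}},
    "product_tree": {"branches": [{"category": "vendor", "name": "ExampleVendor", "branches": [
        {"category": "product_name", "name": "BACnet Controller X", "branches": [
            {"category": "product_version", "name": v,
             "product": {"name": f"BACnet Controller X {v}", "product_id": f"CTRLX-{v}"}}
            for v in ("2.3", "2.4", "3.0")]}]}]},
    "vulnerabilities": [{
        "cve": "CVE-0000-00000",   # placeholder, not a real CVE
        "product_status": {"known_affected": ["CTRLX-2.3"], "fixed": ["CTRLX-2.4"],
                           "known_not_affected": ["CTRLX-3.0"]},
        "remediations": [{"category": "vendor_fix", "details": "Update to firmware 2.4",
                          "product_ids": ["CTRLX-2.3"]}]}],
})
# Constructed inventory, e.g. exported from an asset-management tool: (product, version) -> device
INVENTORY = {("BACnet Controller X", "2.3"): "AHU-01",
             ("BACnet Controller X", "3.0"): "AHU-02", ("Other Gateway", "1.0"): "GW-01"}

def product_ids(product_tree):
    """Walk the CSAF branch tree and map (product_name, version) -> product_id."""
    out = {}
    def walk(branches, product_name):
        for b in branches:
            name = b["name"] if b["category"] == "product_name" else product_name
            if b["category"] == "product_version" and "product" in b:
                out[(name, b["name"])] = b["product"]["product_id"]
            walk(b.get("branches", []), name)
    walk(product_tree.get("branches", []), None)
    return out

def evaluate(csaf_json, inventory):
    """Return {device: (status, vuln_id, remediation)} for every inventory item the advisory names."""
    doc = json.loads(csaf_json)
    ids = product_ids(doc.get("product_tree", {}))
    results = {}
    for vuln in doc.get("vulnerabilities", []):
        fixes = {pid: r["details"] for r in vuln.get("remediations", []) for pid in r.get("product_ids", [])}
        for status, pids in vuln.get("product_status", {}).items():
            for key, device in inventory.items():
                if ids.get(key) in pids:   # the VEX status applies to this asset
                    results[device] = (status, vuln.get("cve"), fixes.get(ids[key]))
    return results
```

Devices the advisory does not mention (here GW-01) are deliberately absent from the result, which is the difference between "not affected" and "no statement made".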


          26  BACnet Europe Journal 43 09/25