Page 26 - BACnet_Europe-Journal_43
BACnet Insight
Vulnerability Management for Hardware and Software Components

Components in building automation today often consist of complex combinations of software and hardware, such as embedded Linux, web interfaces, network protocols, and physical interfaces. Vulnerabilities in such systems can manifest themselves at many levels.

Receiving reports on vulnerabilities

To make it easier for security researchers and others to find the right contact person in organizations, organizations should provide a security.txt file on their website in accordance with RFC 9116. The security.txt is a file that provides relevant contact information in a human- and machine-readable form. It is located at a defined location on the organization's website, which simplifies contact and allows it to be found using automatic tools (e.g., web crawlers). Those who find the file must be able to trust that the information will reach the right person at the organization and via the appropriate channels. Since this may be sensitive information, it makes sense not only to standardize the transfer of information, but also to confirm the authenticity of the contact details provided, ideally using cryptographic means. [8]

Provision of vulnerability information

Effective vulnerability management is therefore essential for manufacturers, integrators, and operators. The Common Security Advisory Framework (CSAF) provides a structured, machine-readable way to publish vulnerability information and share it automatically. Manufacturers can clearly identify which products are affected, which firmware versions are vulnerable, and what countermeasures are available. CSAF significantly reduces the manual effort involved in searching for security information and determining whether or not a product is affected. It allows manufacturers, users, operators, and administrators to automatically retrieve information about individual vulnerabilities and determine whether they are affected. Non-affected products can also be communicated in a scalable manner (Vulnerability Exploitability eXchange (VEX) as a profile in CSAF).

In an increasingly networked and complex world, the number of security-related vulnerabilities will grow significantly, and modern vulnerability management using CSAF documents will become indispensable. The BSI provides support with platforms and tools related to CSAF, including validation tools and templates for structured advisories, and publishes reports on vulnerabilities and security gaps via the CERT-Bund warning and information service. In addition, there is a CSAF lister that lists public bodies publishing CSAF documents.

Vulnerability management and security.txt

Effective vulnerability management is essential. Organizations should:
- Provide a security.txt file in accordance with RFC 9116 to facilitate contact for security notifications
- Use the Common Security Advisory Framework (CSAF) to publish structured, machine-readable advisories

The CSAF format allows both affected and non-affected products to be communicated (via VEX profiles).

The BSI provides tools, templates, and a central platform for distribution.

Asset management in building automation with Malcolm

In networked buildings, asset management forms the basis for secure and stable operation. Only those who know which devices are connected where and how can respond specifically to security incidents, vulnerability reports, or failures. However, many operators still work with fragmented lists or incomplete documentation. This is where the open-source project Malcolm comes in. Developed by the Idaho National Laboratory (INL), it enables the passive recording and analysis of communication behavior in industrial and building technology networks. Malcolm automatically detects assets in the network, classifies them, and visualizes their communication relationships. Tools such as Zeek, Suricata, and Kibana are used for this purpose. This not only gives operators a complete overview of their technical infrastructure, but also provides an early warning system for unusual activities. Malcolm provides a valuable foundation for compliance, incident management, and auditability, especially in heterogeneous networks with BACnet/IP, KNX, MQTT, and proprietary protocols. [10]

Network security in building automation

Network security is the backbone of building security. With the increasing networking and external connection of automation components, the risks are growing – for example, through unprotected VPN gateways, directly accessible controllers, or uncontrolled remote access. Exposed systems must be consistently isolated. They should never be directly accessible from the internet, but secured via secure VPN connections, two-factor authentication, and firewalls. Protocols such as BACnet/IP or Modbus/TCP may also only be used via clearly defined communication paths. The transition between IT and OT networks is particularly critical. This interface must be protected by dedicated zones or demilitarized zones (DMZ). Only clearly authorized data flows should take place here – ideally monitored by DPI (Deep Packet Inspection) and logging systems such as Malcolm.

The international standard IEC 62443 defines a zoning model for this purpose that is ideal for use in building automation. Networks are divided into security zones, for example for management systems, automation networks, field devices, and external service providers. The connections between these zones – known as conduits – are controlled and secured in a graded manner. Each zone is assigned a defined security level depending on its risk. This prevents, for example, an infected IT client from gaining uncontrolled access to the building management system. The defense-in-depth model is therefore also the optimal method for securing networks in building automation. [9]

[Figure: Cyber Security in Building Automation]

From standard to implementation: VDMA and BIG-EU provide guidance

The topics of cybersecurity and resilience are also becoming increasingly important in building automation. Two current documents provide important guidance on this subject: VDMA Standard 24774 and the "Security in Building Automation" guideline from the BACnet Interest Group Europe (BIG-EU) Working Group WG-FM.

VDMA Standard Sheet 24774 is aimed at all parties involved in the life cycle of technical building equipment – from planners and installers to manufacturers and operators. The aim of the document is to transfer the information security requirements from standards such as IEC 62443 to the context of building automation in a practical manner. The standard introduces basic role and concept models, assigns specific responsibilities, and describes measures for risk analysis and risk minimization. Typical risk situations such as unauthorized access, manipulation, or system failure are outlined, and security measures are presented, including network segmentation, access control, remote access protection, and vulnerability and patch management. A central
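The security.txt mechanism described under "Receiving reports on vulnerabilities" has a small set of structural rules in RFC 9116 that an operator should check before publishing the file, and that a reporter should check before trusting it. The checker below is an added example and is not code from the journal article or from the BSI; the addresses and URLs in its sample file are constructed placeholders. It reads the file, enforces the required and single-valued fields, validates the Expires date, and notes whether the file carries the OpenPGP cleartext signature that RFC 9116 recommends (presence only; signature verification needs an OpenPGP implementation).

```python
"""RFC 9116 security.txt checker.

Added example (not code from the journal article or from the BSI). It parses a
security.txt file, applies the structural rules of RFC 9116 and reports what a
security researcher or the site operator should know before trusting the
contact data. All sample values below are constructed placeholders.
"""
from datetime import datetime, timedelta, timezone

REQUIRED = ("contact", "expires")                  # MUST be present
AT_MOST_ONCE = ("expires", "preferred-languages")  # MUST NOT appear twice
REGISTERED = set(REQUIRED) | set(AT_MOST_ONCE) | {
    "acknowledgments", "canonical", "encryption", "hiring", "policy",
    "csaf",  # registered by the CSAF 2.0 spec: points at provider-metadata.json
}
CONTACT_SCHEMES = ("mailto:", "tel:", "https://")
PGP_BEGIN = "-----BEGIN PGP SIGNED MESSAGE-----"

# Fixed reference time so the expiry checks below are reproducible.
CHECK_TIME = datetime(2025, 9, 1, tzinfo=timezone.utc)


def parse_security_txt(text):
    """Return (fields, signed, bad_lines). fields maps a lower-case field name
    to its values in file order. OpenPGP cleartext armor is skipped, not
    verified: signature checking needs an OpenPGP implementation."""
    signed = text.lstrip().startswith(PGP_BEGIN)
    fields, bad_lines, in_signature = {}, [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "-----BEGIN PGP SIGNATURE-----":
            in_signature = True
            continue
        if line == "-----END PGP SIGNATURE-----":
            in_signature = False
            continue
        if in_signature or not line or line.startswith(("#", "-----")):
            continue  # signature data, blank line, comment or armor boundary
        if signed and line.lower().startswith("hash:"):
            continue  # armor header of the cleartext signature, not a field
        name, sep, value = line.partition(":")
        if not sep:
            bad_lines.append(line)
        else:
            fields.setdefault(name.strip().lower(), []).append(value.strip())
    return fields, signed, bad_lines


def validate(text, now=None):
    """Return {"errors": [...], "warnings": [...]}: errors violate MUST rules
    of RFC 9116, warnings cover SHOULD rules and trust-relevant findings."""
    now = now or datetime.now(timezone.utc)
    fields, signed, bad_lines = parse_security_txt(text)
    errors = [f"unparseable line: {line!r}" for line in bad_lines]
    warnings = []
    for name in REQUIRED:
        if name not in fields:
            errors.append(f"missing required field: {name}")
    for name in AT_MOST_ONCE:
        if len(fields.get(name, [])) > 1:
            errors.append(f"field must not appear more than once: {name}")
    for name in fields:
        if name not in REGISTERED:
            warnings.append(f"unregistered field (parsers ignore it): {name}")
    for value in fields.get("contact", []):
        if not value.lower().startswith(CONTACT_SCHEMES):
            errors.append(f"contact is not a mailto:, tel: or https: URI: {value}")
    for value in fields.get("expires", [])[:1]:
        try:
            expires = datetime.fromisoformat(value.replace("Z", "+00:00"))
        except ValueError:
            errors.append(f"Expires is not an ISO 8601 date-time: {value}")
            continue
        if expires.tzinfo is None:
            errors.append("Expires must carry a time zone offset")
        elif expires <= now:
            errors.append(f"file expired on {value}; do not rely on its contacts")
        elif expires - now > timedelta(days=365):
            warnings.append("Expires is more than a year ahead; RFC 9116 advises less")
    if not signed:
        warnings.append("no OpenPGP cleartext signature; contact authenticity unverifiable")
    return {"errors": errors, "warnings": warnings}


# Constructed samples with placeholder addresses (not a real organisation).
SAMPLE = """\
# Served at https://example.com/.well-known/security.txt (placeholder)
Contact: mailto:security@example.com
Contact: https://example.com/security/report
Expires: 2030-01-01T00:00:00Z
Encryption: https://example.com/pgp-key.txt
Preferred-Languages: en, de
Canonical: https://example.com/.well-known/security.txt
CSAF: https://example.com/.well-known/csaf/provider-metadata.json
"""
BROKEN_SAMPLE = """\
Contact: security@example.com
Preferred-Languages: en
Preferred-Languages: de
"""

if __name__ == "__main__":
    for label, text in (("sample", SAMPLE), ("broken", BROKEN_SAMPLE)):
        print(label, validate(text, CHECK_TIME))
```

The Expires field is the check most often forgotten: a file that has expired tells a reporter that its contacts may no longer be monitored, so the checker treats it as an error rather than a warning.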
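The section "Provision of vulnerability information" describes what an operator gains from CSAF: the advisory names product versions by identifier, states for each whether it is affected, fixed, or not affected (the VEX case), and lists remediations, so the "am I affected?" question can be answered by a program. The consumer below is an added example, not code from the journal article or from the BSI tooling it mentions; the advisory it reads is a constructed minimal CSAF 2.0 VEX document whose CVE id, tracking id, product names and URLs are placeholders. It flattens the product_tree, looks up a product by name, and returns its status with the VEX justification and the remediations that apply.

```python
"""Consume a CSAF 2.0 advisory and answer "is my product affected, and what
should I do?". Added example, not code from the journal article or from BSI
tooling. The advisory is a constructed minimal VEX document: its CVE id,
product names, tracking id and URLs are placeholders, not real identifiers.
"""
import json

# Python literal of the JSON a publisher would serve. Real documents use the
# same three top-level objects: document, product_tree, vulnerabilities.
ADVISORY = {
    "document": {
        "category": "csaf_vex",
        "csaf_version": "2.0",
        "publisher": {"category": "vendor", "name": "Example Controls (placeholder)",
                      "namespace": "https://example.com"},
        "title": "Constructed VEX sample for a BMS controller",
        "tracking": {"id": "EXAMPLE-VEX-0001", "status": "final", "version": "1",
                     "initial_release_date": "2025-09-01T00:00:00Z",
                     "current_release_date": "2025-09-01T00:00:00Z",
                     "revision_history": [{"date": "2025-09-01T00:00:00Z",
                                           "number": "1", "summary": "Initial"}]},
    },
    "product_tree": {"branches": [{"category": "vendor", "name": "Example Controls", "branches": [
        {"category": "product_name", "name": "BMS Controller", "branches": [
            {"category": "product_version", "name": "2.1",
             "product": {"product_id": "CSAFPID-0001", "name": "BMS Controller 2.1"}},
            {"category": "product_version", "name": "2.2",
             "product": {"product_id": "CSAFPID-0002", "name": "BMS Controller 2.2"}},
            {"category": "product_version", "name": "3.0",
             "product": {"product_id": "CSAFPID-0003", "name": "BMS Controller 3.0"}},
        ]}]}]},
    "vulnerabilities": [{
        "cve": "CVE-0000-00001",  # placeholder id, not a real CVE
        "title": "Placeholder issue in the controller web interface",
        "product_status": {"known_affected": ["CSAFPID-0001"],
                           "fixed": ["CSAFPID-0002"],
                           "known_not_affected": ["CSAFPID-0003"]},
        # VEX justification for the not-affected version
        "flags": [{"label": "vulnerable_code_not_present", "product_ids": ["CSAFPID-0003"]}],
        "remediations": [
            {"category": "vendor_fix", "details": "Update to firmware 2.2 or later.",
             "product_ids": ["CSAFPID-0001"]},
            {"category": "mitigation", "details": "Reach the web interface only from the management zone.",
             "product_ids": ["CSAFPID-0001"]},
        ],
    }],
}


def check_document(advisory):
    """Reject documents this consumer does not understand before trusting them."""
    doc = advisory["document"]
    if doc.get("csaf_version") != "2.0":
        raise ValueError(f"unsupported csaf_version {doc.get('csaf_version')!r}")
    if doc["tracking"]["status"] != "final":
        raise ValueError("advisory is not final; treat its statements as provisional")
    return doc["tracking"]["id"]


def product_index(advisory):
    """Flatten product_tree into {product_id: full product name}."""
    index = {}

    def walk(node):
        if "product" in node:
            index[node["product"]["product_id"]] = node["product"]["name"]
        for child in node.get("branches", []):
            walk(child)

    tree = advisory.get("product_tree", {})
    for fpn in tree.get("full_product_names", []):
        index[fpn["product_id"]] = fpn["name"]
    for branch in tree.get("branches", []):
        walk(branch)
    return index


def find_product_id(advisory, name):
    """Look up the product_id for a full product name, or None."""
    return next((pid for pid, n in product_index(advisory).items() if n == name), None)


def status_of(advisory, product_id):
    """Per vulnerability: status category, VEX justification and remediations
    that name this product. Absence from every list means 'no statement'."""
    out = []
    for vuln in advisory.get("vulnerabilities", []):
        for status, ids in vuln.get("product_status", {}).items():
            if product_id in ids:
                out.append({
                    "cve": vuln.get("cve"), "status": status,
                    "justification": [f["label"] for f in vuln.get("flags", [])
                                      if product_id in f.get("product_ids", [])],
                    "remediations": [f"{r['category']}: {r.get('details', '')}"
                                     for r in vuln.get("remediations", [])
                                     if product_id in r.get("product_ids", [])],
                })
    return out


if __name__ == "__main__":
    print("advisory", check_document(ADVISORY))
    for name in ("BMS Controller 2.1", "BMS Controller 3.0"):
        pid = find_product_id(ADVISORY, name)
        print(name, json.dumps(status_of(ADVISORY, pid), indent=1))
```

An empty result from status_of means the advisory makes no statement about that product, which is different from "not affected"; only a known_not_affected entry, ideally with a justification flag, carries that meaning.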
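The Malcolm section (passive asset discovery from Zeek data) and the network security section (IEC 62443 zones and conduits, the infected IT client that must not reach the building management system) describe two halves of one workflow: learn which hosts talk to which, then compare those flows with the zone model. The script below is an added example that is not code from Malcolm, Zeek, or the journal article. It assumes a constructed site with five zones, a constructed conduit allowlist, and a handful of constructed Zeek conn.log records in JSON form; it builds the asset inventory from the records and reports every flow that no conduit permits, including an office client speaking BACnet/IP straight to a controller.

```python
"""Passive asset inventory and IEC 62443-style zone/conduit check over Zeek
conn.log records, the kind of data Malcolm collects. Added example, not code
from Malcolm, Zeek or the journal article. Zone addresses, the conduit
allowlist and the log records are all constructed for this illustration.
"""
import ipaddress
import json
from collections import defaultdict

# Assumed site layout (constructed): one security zone per network segment.
ZONES = {
    "management": ipaddress.ip_network("10.10.0.0/24"),      # BMS servers, engineering
    "automation": ipaddress.ip_network("10.20.0.0/24"),      # controllers
    "field": ipaddress.ip_network("10.30.0.0/24"),           # field devices, gateways
    "office-it": ipaddress.ip_network("192.168.50.0/24"),    # office clients
    "remote-service": ipaddress.ip_network("10.99.0.0/24"),  # VPN pool, service providers
}
# Well-known ports used to label what a device serves (BACnet/IP uses 47808/udp).
SERVICES = {(47808, "udp"): "BACnet/IP", (3671, "udp"): "KNXnet/IP",
            (1883, "tcp"): "MQTT", (502, "tcp"): "Modbus/TCP", (443, "tcp"): "HTTPS"}
# Conduit allowlist: (source zone, destination zone) -> services permitted.
# Traffic inside one zone is allowed; anything else is a policy violation.
CONDUITS = {
    ("management", "automation"): {"BACnet/IP", "HTTPS"},
    ("automation", "field"): {"BACnet/IP", "KNXnet/IP"},
    ("automation", "management"): {"MQTT"},
    ("remote-service", "management"): {"HTTPS"},
}

# Constructed Zeek conn.log records in JSON form (subset of the real fields).
CONN_LOG = [
    '{"ts": 1756720001.1, "uid": "C1", "id.orig_h": "10.10.0.5", "id.orig_p": 51230, "id.resp_h": "10.20.0.11", "id.resp_p": 47808, "proto": "udp"}',
    '{"ts": 1756720002.4, "uid": "C2", "id.orig_h": "10.20.0.11", "id.orig_p": 47808, "id.resp_h": "10.30.0.40", "id.resp_p": 47808, "proto": "udp"}',
    '{"ts": 1756720003.0, "uid": "C3", "id.orig_h": "10.20.0.11", "id.orig_p": 40122, "id.resp_h": "10.10.0.5", "id.resp_p": 1883, "proto": "tcp"}',
    '{"ts": 1756720004.8, "uid": "C4", "id.orig_h": "192.168.50.23", "id.orig_p": 61001, "id.resp_h": "10.20.0.11", "id.resp_p": 47808, "proto": "udp"}',
    '{"ts": 1756720005.2, "uid": "C5", "id.orig_h": "10.99.0.7", "id.orig_p": 50444, "id.resp_h": "10.20.0.12", "id.resp_p": 443, "proto": "tcp"}',
    '{"ts": 1756720006.9, "uid": "C6", "id.orig_h": "172.16.3.9", "id.orig_p": 3671, "id.resp_h": "10.30.0.40", "id.resp_p": 3671, "proto": "udp"}',
    '{"ts": 1756720007.3, "uid": "C7", "id.orig_h": "10.10.0.5", "id.orig_p": 52811, "id.resp_h": "10.20.0.12", "id.resp_p": 443, "proto": "tcp"}',
]


def zone_of(ip):
    """Zone name for an address, or None if it lies outside every zone."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), None)


def service_of(port, proto):
    """Service label for a responder port, falling back to proto/port."""
    return SERVICES.get((port, proto), f"{proto}/{port}")


def check_flow(src_zone, dst_zone, service):
    """Return None when the flow is permitted, else the reason it is not."""
    if src_zone is None or dst_zone is None:
        return "endpoint outside every defined zone (unknown asset)"
    if src_zone == dst_zone:
        return None
    if service in CONDUITS.get((src_zone, dst_zone), set()):
        return None
    return f"no conduit permits {service} from {src_zone} to {dst_zone}"


def evaluate(lines):
    """Build the asset inventory and the list of conduit violations."""
    inventory = defaultdict(lambda: {"zone": None, "serves": set(), "peers": set()})
    violations = []
    for line in lines:
        rec = json.loads(line)
        src, dst = rec["id.orig_h"], rec["id.resp_h"]
        service = service_of(rec["id.resp_p"], rec["proto"])
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        inventory[src]["zone"], inventory[dst]["zone"] = src_zone, dst_zone
        inventory[dst]["serves"].add(service)   # responder side tells us the role
        inventory[src]["peers"].add(dst)
        inventory[dst]["peers"].add(src)
        reason = check_flow(src_zone, dst_zone, service)
        if reason:
            violations.append({"uid": rec["uid"], "src": src, "dst": dst,
                               "service": service, "reason": reason})
    return dict(inventory), violations


if __name__ == "__main__":
    inventory, violations = evaluate(CONN_LOG)
    for host, info in sorted(inventory.items()):
        print(host, info["zone"], sorted(info["serves"]), sorted(info["peers"]))
    for v in violations:
        print("VIOLATION", v)
```

Run against the constructed records, the inventory shows 10.20.0.11 as a BACnet/IP responder in the automation zone, and three flows are reported: the office client reaching a controller over BACnet/IP, a remote-service address reaching a controller directly instead of through the management zone, and an address that belongs to no defined zone at all. The third case is the asset-management point of the Malcolm section: a host outside every zone is either an undocumented device or an intruder, and both deserve a ticket.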
26 BACnet Europe Journal 43 09/25