BACnet Insight


          IT Security in BAS – What Contribution


          Does BACnet/SC Make?





         Both economically and legally, there are high
         demands on IT security for building man-
         agement. The legal requirements, risks, and
         opportunities have changed significantly. This
         article examines the role of BACnet/SC in this
         context.

         System disruptions can occur from both inter-
         nal  and  external  sources.  Internally  induced
         disruptions to availability, integrity, authentic-
         ity, and confidentiality affect the fundamental
         operational security of the infrastructure. Exter-
         nal disruptions typically involve sabotage, espio-
         nage, or unauthorized access. The usual points
         of attack on automation systems are primarily
         at the automation and management levels of a
         building, less so at the field level or the higher
         levels in technical building management. There-  From an economic and legal perspective, there are high demands on IT security in the BAS.
         fore, there is a particular need for action here.

         Regulations for IT security in building   ƒ  faulty integration of building services engi-  foresighted planning of GA systems and a
         automation                           neering systems into building automation or   strategic approach. The following specifica-
                                              faulty configuration of building automation,  tions should therefore always be considered
         Fundamental regulations for IT security in build-  ƒ  use of insecure systems and protocols   in the planning of GA systems.
         ing automation in Germany include the standards   in building automation, such as the “old”
         and the Basic Protection Compendium of the   BACnet protocol, as well as KNX or ModBus,  Specifications for the planning of BA
         Federal Office for Information Security (“BSI”).  ƒ  manipulation of interfaces of standalone   systems:
         The Basic Protection Modules Infrastructure   building services engineering systems to
         for Building Management (INF.13) and Building   building automation (for example, via a   ƒ  Encrypted data transmission/communication
         Automation (INF.14) are mandatory for federal   manipulated fire alarm that opens all doors),  (especially BACnet/SC, KNX-Secure, etc.),
         authorities and operators of critical infra-                          ƒ  deactivation of all unnecessary services and
         structures (information available at  www.  Deficiencies in Technical Building Manage-  accesses ex-works (“hardened” devices and
         bsi.de).  The  VDMA  24774  standard  ment (TBM) as sources of risk:    software) along with documentation of the
         sheet (2023-03) describes the current                                   used ports,
         requirements for IT security in building automa-  ƒ  Lack of basic IT security principles for TBM   ƒ  management software with functions for
         tion (guideline for building automation), and EU   planning, since, for example, operators are   recording user activities (Audit Trial),
         Regulation 2016/679 provides information on   often not yet determined during planning,  ƒ  acceptance of the BA system only with the
         the General Data Protection Regulation for the  ƒ  insufficient documentation in TBM leads to   latest firmware (automation stations) or
         protection of personal data in building automa-  uncertainties about the current status quo of   software version (BMS), at least all secu-
         tion. Nevertheless, there is no 100% IT security   IT security,         rity-relevant updates, especially the current
         even for building automation. Specific precau-  ƒ  deliberate or unconscious compromise of   patches from Windows, as well as the cur-
         tions to be taken in the field of building auto-  interfaces in TBM, especially when protected   rent versions of the software systems used.
         mation must be derived from a risk analysis for   areas are
         the respective use case. The BSI standards and  ƒ  connected like burglar- or fire-detection,   Specifications for the implementation and
         Basic Protection Compendium identify the fol-  ƒ  inadequate monitoring of building services   execution of BAS:
         lowing threat situations for building automation  ƒ  engineering, so that, for example, system-
         as particularly significant:         critical malfunctions are not detected,  ƒ  Establishment of physically or virtually sep-
                                            ƒ  inadequate role and authorization manage-  arate IP networks for building automation
         ƒ  Inadequate planning of building automation,   ment (e.g., multiple persons sharing one   along with securing
           for example, due to lack of redundancies or   user account).          particularly vulnerable network segments
           high complexity in the collaboration of differ-  ƒ  Additionally, the long life cycles of building   through firewalls,
           ent trades,                        technical systems require a special level of   ƒ  secure access for remote maintenance,




          18 18  BACnet Middle East Journal 13 11/24