BACnet Insight

[Figure: Attack Vectors and Options for IT Security / Strategy for IT security in building automation and encryption. © ICONAG, www.iconag.com. The diagram is organised in three levels. Management level: data processing and storage server, user interface clients, interfaces to special-purpose and external systems, database connections; transmission via SSL-encrypted IP, UDP/IP, TCP/IP and bus protocols via OPC server. Automation level: automation stations (AS) and gateways (GW, KNX-IP GW) behind a network/IP interface. Field level: sensors and actuators. For each protocol the figure names the secured variant:
- BACnet -> BACnet/SC
- OPC -> OPC/UA (not anonymous)
- ModBus, ModBus/IP -> ??? (actually no solution)
- KNX -> KNX Secure
- HTTP -> HTTPS
- plain IP interface -> not secure
- LoRa -> LoRa (AppKey)
- MQTT -> MQTT (TLS)
Sub-caption: Attack points on GA systems.]
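The figure above pairs each BA protocol with its secured variant, and the checklist that follows asks for a BA network documentation with model designations, MAC addresses, installation locations and firmware versions. The following Python script is an added example, not code from the article or from ICONAG: it reads that kind of inventory, reports documentation gaps (missing fields, malformed MAC addresses) and lists every device still on an unencrypted protocol together with the secured variant from the figure. The protocol table is the figure's own; the device records are constructed sample data, and the field names ("model", "mac", "location", "firmware", "protocol") are an assumption of this example.

```python
"""Review a BA network documentation against the article's protocol figure.

Added example, not from the article or ICONAG. Field names and the sample
inventory are assumptions of this example.
"""
import re

# Secured counterpart for each protocol, as listed in the article's figure.
# None means the figure offers no secured variant (ModBus: "actually no solution").
SECURE_VARIANT = {
    "BACnet": "BACnet/SC",
    "OPC": "OPC/UA (not anonymous)",
    "ModBus": None,
    "ModBus/IP": None,
    "KNX": "KNX Secure",
    "HTTP": "HTTPS",
    "LoRa": "LoRa (AppKey)",
    "MQTT": "MQTT (TLS)",
}
# Protocols the figure already places in the secured column.
ALREADY_SECURE = {"BACnet/SC", "OPC/UA (not anonymous)", "KNX Secure",
                  "HTTPS", "LoRa (AppKey)", "MQTT (TLS)"}

# Documentation fields the article requires per component.
REQUIRED_FIELDS = ("model", "mac", "location", "firmware")
# Six hex pairs separated by ':' or '-'.
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")


def check_device(dev: dict) -> list:
    """Return a list of findings for one inventory record (empty = clean)."""
    findings = []
    for name in REQUIRED_FIELDS:
        if not dev.get(name):
            findings.append(f"documentation gap: missing {name}")
    mac = dev.get("mac")
    if mac and not MAC_RE.match(mac):
        findings.append(f"documentation gap: malformed MAC address {mac!r}")

    proto = dev.get("protocol", "")
    if proto in ALREADY_SECURE:
        pass  # nothing to do, secured variant already in use
    elif proto in SECURE_VARIANT:
        target = SECURE_VARIANT[proto]
        if target is None:
            # No secured variant exists: fall back to the figure's access
            # controls (segmentation, firewall) instead of a protocol migration.
            findings.append(f"insecure protocol {proto}: no secured variant, "
                            "isolate via network segmentation and firewall")
        else:
            findings.append(f"insecure protocol {proto}: migrate to {target}")
    else:
        findings.append(f"unknown protocol {proto!r}: classify manually")
    return findings


def review_inventory(devices: list) -> dict:
    """Map each device name to its findings."""
    return {dev["name"]: check_device(dev) for dev in devices}


def summarize(report: dict) -> dict:
    """Count clean devices, documentation gaps and insecure protocols."""
    all_findings = [f for fs in report.values() for f in fs]
    return {
        "devices": len(report),
        "clean": sum(1 for fs in report.values() if not fs),
        "documentation_gaps": sum(1 for f in all_findings if f.startswith("documentation gap")),
        "insecure_protocols": sum(1 for f in all_findings if f.startswith("insecure protocol")),
    }


# Constructed sample inventory; vendor names, MACs and versions are invented.
SAMPLE_INVENTORY = [
    {"name": "AS-01", "model": "ExampleCo AS-2000", "mac": "00:11:22:33:44:55",
     "location": "Plant room B1", "firmware": "3.4.1", "protocol": "BACnet/SC"},
    {"name": "AS-02", "model": "ExampleCo AS-2000", "mac": "00:11:22:33:44:56",
     "location": "Plant room B2", "firmware": "3.2.0", "protocol": "BACnet"},
    {"name": "METER-07", "model": "ExampleCo EM-10", "mac": "0011.2233.4457",
     "location": "", "firmware": "1.0", "protocol": "ModBus"},
    {"name": "GW-KNX", "model": "ExampleCo KNX-GW", "mac": "00:11:22:33:44:58",
     "location": "Floor 3 riser", "firmware": "", "protocol": "KNX"},
    {"name": "SENSOR-12", "model": "ExampleCo LR-1", "mac": "00:11:22:33:44:59",
     "location": "Roof", "firmware": "2.1", "protocol": "MQTT"},
]

if __name__ == "__main__":
    report = review_inventory(SAMPLE_INVENTORY)
    for device, findings in report.items():
        print(device, "OK" if not findings else "")
        for finding in findings:
            print("   -", finding)
    print(summarize(report))
```

Run as-is, the script flags AS-02, GW-KNX and SENSOR-12 for migration to the secured protocol variants, flags METER-07 for a missing installation location, a malformed MAC address and a protocol without a secured variant, and reports only AS-01 as clean. In practice the inventory would be loaded from the handed-over documentation rather than embedded, and the same report can be re-run at each maintenance interval as the article's tip 5 recommends.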
- definition of a backup concept for automation stations and management levels along with instructions for recovery,
- physical securing of control cabinets, technical rooms, etc., including deactivation of USB or Ethernet access,
- malware protection and the latest security patches for engineering tools,
- project-specific adjustment of access authorizations and password changes (especially on automation stations, BMS), activation of auto-logoff functions,
- further hardening of the systems by deactivation or deletion of all unused services, physical accesses, user accounts, processes, and programs (especially on automation stations, BMS), activation of auto-logoff functions,
- preparation of work instructions and behavioral instructions for the permanent maintenance of IT security by the installer (SOP = Standard Operating Procedure),
- creation and handover of a BA network documentation with model designations of the components, MAC addresses, installation location, and firmware versions,
- IT security training for operators.

Specifications for the operation of BAS:

- individual usernames and passwords,
- regular security-relevant updates/upgrades (especially for PCs, servers, and routers), ensuring that updates are downloaded exclusively from unaltered sources with certificates,
- regular backups of system programming, configuration, configuration changes of MBE software, and stored operating data,
- ensuring compliance with work instructions and behavioral instructions, including regular updating of the IT security concept as part of BA system maintenance,
- regular IT security training.

[Figure: Strategy for IT Security in Building Automation. Source: based on VDMA 24774. © ICONAG, www.iconag.com. Threats: sabotage, intrusion, espionage, plant manipulation, data manipulation, theft, production interruption, personal injury. Damage: data loss, loss of trust. Damage prevention: encrypting data and communication, hardening systems, securing access (firewalls, identification, authentication), policies. Damage reduction: alerting, emergency operation level, backups, traceability (audit trail).]

Summary

Even in building automation, there is no 100% guarantee of availability, integrity, authenticity, and confidentiality of data. However, by specifying and adhering to simple technical and organizational measures, a good level of security can be achieved. The consistent use of BACnet/SC is just one, albeit important, component for greater future security. In summary, the following 5 tips:

1. Determine the protection requirements for each building based on a risk analysis. This must be done jointly by specialist planners, clients, and operators.
2. Recognize that BA systems are particularly vulnerable in terms of IT security, with the greatest risks currently arising from the connection of building automation to the internet, e.g., due to cloud computing.
3. Based on a security concept, establish concrete IT security requirements for planning, implementation, and operation based on VDMA 24774. Also, in the context of increasing cloud computing, encrypted protocols such as BACnet/SC should be required for newly installed BA systems and for the renovation of existing BA systems.
4. Establish work instructions and behavioral instructions (policies) for damage prevention and mitigation. Agree on software maintenance and system maintenance to regularly close known security vulnerabilities.
5. In the course of regular maintenance, check not only compliance with policies but also the currency of the security concept.

Christian Wild
CEO, ICONAG Leittechnik GmbH, Idar-Oberstein
christian.wild@iconag.com
www.iconag.com
BACnet Middle East Journal 13 11/24 19