Securing Your #1 Building Data Assets to Provide Remote Visibility and Rule-Based Reporting Insights
Insights by Brad Moore | Director of Sales Engineering | Key2Act
In a Perfect World
Building Automation Systems (BAS) manage an array of operational services for equipment in buildings, including heating, ventilation, air-conditioning, lighting, and security components. Many controls manufacturers utilize the protocols such as BACnet Protocol (ASHRAE 135) to transmit data across BAS networks to control the building and report any anomalous conditions or equipment level alarms.
The challenge for building operators and service providers becomes two things (1) How to establish secure remote access to BAS information and (2) How to quickly prioritize equipment to determine what in the building needs to be serviced or replaced. Building professionals don’t just want building data but rather clear and concise reports on three items:
1. Are all building systems and equipment operating as designed?
2. How can I prioritize building equipment by comfort and performance issues?
3. Can I verify that the comfort and performance of the building improved after corrective action has been completed?
The Achilles Heel of BAS Security
Remote visibility would be great, but providing access to BAS information can potentially create many security risks. The question is, how can building operators and service providers maintain building performance remotely without even needing to log into the network? Oftentimes, access to the BAS is given to building operators via a web-based platform such as Niagara, which, if not implemented correctly, can potentially create new security vulnerabilities. While security is included in the BACnet Standard and Niagara, many controls vendors and installers fail to implement secure practices that could potentially have many disastrous consequences such as security breaches via the BAS. Implementing a secure methodology of isolating and protecting building networks has often been complex and costly when remote network access was required for building operators and service providers. Today, we can send building data outbound to a secure cloud environment, not requiring inbound access, and apply rules-based analytics to provide visualization and context to what’s really going on in the building.
Thoughts from Field Experience on Security Vulnerabilities
Throughout my career, I have had the opportunity to work on some of the largest hospitals, data centers, airports, corporate headquarters, universities and government buildings in the US and have often wondered what kind of damage that someone with malicious intent could cause with access to the network. A simple search on Shodan, a search engine for internet-connected devices, will reveal IP addresses and user credentials for thousands of building automation systems across the world. This access is often unrestricted, allowing anyone with a web browser to send commands and override equipment in buildings all over the world. Scary, huh?
Malicious Intent Disaster Scenarios
Scenario #1: For example, enabling a large number of high energy-consuming pieces of equipment (chillers, pumps, RTUs, etc.) simultaneously could drastically increase the load in the building which could cause equipment failure or even a significant increase in the demand rate ($/kW) charged by the utility provider which could lead to hundreds of thousands of dollars in increased demand cost.
Scenario #2: Space temperature setpoints could also potentially be overridden, causing extreme conditions which would prevent occupant use or even cause an evacuation. Disabling heat to a building could potentially cause pipes to burst and other damage to occur. Many electrical devices have operational limits such as motor speed that limit the device from being operated in a manner that damage may occur. BACnet has a priority system that helps to resolve command contention. Objects can be commanded to a state in a higher priority than normal operation and it may take someone with a fair amount of expertise to identify this problem and correct it. It is even possible to disable equipment or drive it to an alarm state while also overriding and disabling the alarm.
Preventing These Scenarios
Perhaps there is a better way of providing access to building information than requiring operators and service providers to log in to each building network and begin to fish for problems page by page throughout the BAS. Not only is this time consuming and a potential security risk for operators to physically log in to each building network, but there’s still a lot of work to be done to prioritize issues with the mechanical equipment.
Making IT Happy
A much more secure method of delivering useful BAS information could be to encapsulate the information communicated on the local network, compressing it into an encrypted file utilizing SSL through a secure port, and sending that information outbound to a secure cloud environment such as AWS. It is a very rare occurrence that the building IT department is told they no longer need external IP addresses or VPN clients for BAS access and given a list of ports (HTTP, Niagara, email, etc.) that no longer need to be open. IT departments are typically used to the conversation going the complete opposite way.
Doing More with Less Effort
Utilizing a cloud platform, building data can be consolidated to securely deliver building information in a much more sophisticated way than in a typical BAS. This approach gives network administrators much more robust networks and gives facility staff actionable information instead of an overflow of sensor data, which takes human time to analyze.
A cloud platform can provide a simple four-step process to provide you with rules-based insights to simplify your life by consolidating that data into prioritized scorecard reports to focus on daily actions to understand what’s working, what’s not working and did the corrective actions to fix the problem.
The four-step process is designed to turn your building sensor data from sensor/BAS noise into meaning.
What you’ll achieve is building stories from your data in a secure fashion to provide reporting scorecards based on automated rules with site, system and equipment faults to manage your building proactively.
Now it’s time to ask the question if your current processes and tools are providing this type of secure access to manage your building remotely with rules-based reporting insights.
About the Author
Brad Moore | Director of Sales Engineering | Key2Act
10+ years advising clients on how to extract real-world value from building analytics
Designed a process for retro-commissioning utilizing measurement and verification software in buildings at UNT College of Engineering while earning a bachelor’s degree in Mechanical and Energy Engineering
Began career as BAS install technician and moved up to commissioning tech and energy and performance consultant before joining Key2Act to lead client implementations.