Securing the Building Management Systems (BMS)

I’m old enough to remember when elevators told you what floor they were on using a needle that looked like something from a grocer’s scale. Admittedly, that was a building built in the 1920s, but the truth is it really wasn’t that long ago that building management was entirely analog. Not anymore. Today’s buildings invariably feature a sophisticated Building Management System (BMS) that monitors and controls core building functions like HVAC, fire alarms, lighting, power and more.

A BMS falls into the operational technology (OT) category. Like most OT systems today, BMS’s are now connected with IT networks, which creates risk exposure. “OT and IT have converged in the BMS space,” explained Megan Samford, VP, Chief Product Security Officer for Energy Management at Schneider Electric, which produces BMS’s. “There are no air gaps, realistically. An OT system can be an attack surface that threatens any connected IT system. Your HVAC becomes a hacker’s way into your email server, and so forth. These are the kinds of risks that our industry is working to mitigate.”

Reducing risk exposure means securing the BMS. This is partly a matter of process and controls. For example, one best practice is to adopt a secure reference architecture for a building that involves effective network segmentation, event monitoring and intrusion detection. Security teams representing both the IT and OT sides of a facility also need to come together to coordinate their work and systems. However, at a foundational level, the BMS itself must be developed using secure principles.

For Schneider Electric and its peer firms in the BMS industry, creating a secure BMS means adhering to the International Electrotechnical Commission (IEC) 62443 standard, which was developed to address the unique security issues affecting industrial automation and control systems (IACS) and OT. IEC 62443 takes on the complex challenges inherent in securing OT systems, some of which are legacy and not easy to defend, while also protecting IT systems that are connected to OT.

According to Samford, the best practice is to employ IEC 62443 in a “defense in depth” approach. She said, “It’s about a layered approach to defense within an OT network. It starts with the people and process, but also encompasses individual products and components that make up the system.”

Megan Samford, VP, Chief Product Security Officer for Energy Management at Schneider Electric

In particular, Samford called attention to section 3-2 of the standard, which relates to “Security Risk Assessment, System Partitioning, and Security Levels.” A BMS should have countermeasures based on relevant threats, risk exposure, inherent vulnerabilities, the likelihood of an event and the consequences of compromise, adapting the system to its own risk tolerance. This principle applies both to the design of the BMS and to its implementation at a given facility.

Then, with IEC 62443-3-3, which covers “System Security Requirements and Security Levels,” the OT team needs to define security assurance levels and cybersecurity functions embedded in whatever products are used in the BMS environment. By working through these and other IEC 62443 parameters, a BMS can achieve certification at a specific level of defense capability. Level 1 means the BMS can withstand an attack from a casual or inexperienced attacker. Level 2 refers to more experienced malicious actors. Levels 3 and 4 are more sophisticated, with level 4 representing nation state actors. As Samford noted, few if any BMS’s in deployment are yet at level 4, but that is coming.
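The partitioning idea in the two paragraphs above, zones with a target security level joined only by defined conduits, is easiest to see as a concrete check. The following is an added example, not code from the article or from Schneider Electric: it models three constructed zones and two allowlisted conduits, then evaluates a handful of constructed flow records, flagging cross-zone traffic that has no conduit or that uses a protocol the conduit does not permit. All addresses, zone names, security-level assignments, conduit rules and flow lines are assumptions for illustration (udp 47808 is the conventional BACnet/IP port; the article itself names no protocol).

```python
# Added example (not from the article): a zone-and-conduit segmentation check
# in the spirit of IEC 62443-3-2 partitioning. Every zone, address, port and
# flow record below is constructed for illustration only.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Zone:
    name: str
    networks: tuple      # tuple of ip_network objects belonging to the zone
    target_sl: int       # target security level the zone is designed to meet (1-4)


@dataclass(frozen=True)
class Conduit:
    src_zone: str
    dst_zone: str
    allowed: frozenset   # set of (protocol, destination port) pairs the conduit permits


# Constructed zone model: corporate IT, BMS supervisory layer, BMS field layer.
ZONES = (
    Zone("corporate_it", (ip_network("10.0.0.0/16"),), target_sl=1),
    Zone("bms_supervisory", (ip_network("10.10.0.0/16"),), target_sl=2),
    Zone("bms_field", (ip_network("10.20.0.0/16"),), target_sl=3),
)
SL = {z.name: z.target_sl for z in ZONES}

# Constructed conduit allowlist: the only cross-zone traffic the design permits.
# udp/47808 is the conventional BACnet/IP port (assumed protocol for this model).
CONDUITS = (
    Conduit("corporate_it", "bms_supervisory", frozenset({("tcp", 443)})),
    Conduit("bms_supervisory", "bms_field", frozenset({("udp", 47808)})),
)


def zone_of(ip_str: str) -> Optional[str]:
    """Return the name of the zone containing ip_str, or None if it is unzoned."""
    ip = ip_address(ip_str)
    for zone in ZONES:
        if any(ip in net for net in zone.networks):
            return zone.name
    return None


def evaluate_flow(src: str, dst: str, proto: str, dport: int):
    """Classify one flow as ('allow', reason) or ('deny', reason) against the design."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    if src_zone is None or dst_zone is None:
        return "deny", "endpoint outside any defined zone"
    if src_zone == dst_zone:
        return "allow", f"intra-zone traffic within {src_zone}"
    for conduit in CONDUITS:
        if conduit.src_zone == src_zone and conduit.dst_zone == dst_zone:
            if (proto.lower(), dport) in conduit.allowed:
                # Traffic entering a higher-SL zone is permitted but worth logging.
                note = "; crosses into higher-SL zone, log and monitor" if SL[dst_zone] > SL[src_zone] else ""
                return "allow", f"conduit {src_zone}->{dst_zone} permits {proto}/{dport}{note}"
            return "deny", f"conduit {src_zone}->{dst_zone} does not permit {proto}/{dport}"
    return "deny", f"no conduit defined from {src_zone} to {dst_zone}"


def check_flows(records: str):
    """Parse whitespace-separated flow records and return (line, verdict, reason) triples."""
    findings = []
    for line in records.strip().splitlines():
        _ts, src, dst, proto, dport = line.split()
        verdict, reason = evaluate_flow(src, dst, proto, int(dport))
        findings.append((line, verdict, reason))
    return findings


# Constructed flow records: timestamp, source, destination, protocol, destination port.
SAMPLE_FLOWS = """
2024-03-01T08:00:01Z 10.10.1.25 10.20.0.10 udp 47808
2024-03-01T08:00:02Z 10.20.0.10 10.20.0.11 udp 47808
2024-03-01T08:00:03Z 10.0.5.7 10.10.1.25 tcp 443
2024-03-01T08:00:04Z 10.0.5.7 10.20.0.10 tcp 445
2024-03-01T08:00:05Z 10.10.1.25 10.20.0.10 tcp 22
2024-03-01T08:00:06Z 192.168.99.1 10.20.0.10 tcp 80
"""


def denied_flows(records: str = SAMPLE_FLOWS):
    """Return only the flows that violate the zone/conduit design."""
    return [f for f in check_flows(records) if f[1] == "deny"]


if __name__ == "__main__":
    for line, verdict, reason in check_flows(SAMPLE_FLOWS):
        print(f"{verdict.upper():5} {line}  ({reason})")
```

Of the six constructed records, three are denied: corporate IT reaching a field controller directly (no conduit exists), a supervisory workstation using a protocol the supervisory-to-field conduit does not permit, and a source address that belongs to no zone at all. The same model scales to a real flow export by replacing the constructed zones and conduits with the facility's own reference architecture.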

“One point of defense we’re seeing more consistently now is zero trust,” Samford then remarked. “We are starting to assume that attackers are already in the system. We need to defend from the inside, and ZT offers a great countermeasure to that threat.”

What will it take to succeed in deploying, and then sustaining, secure BMS’s? For Samford, the first step is to acquire the right technology. “You need a system that’s built for IEC 62443 certification and defense in depth.” However, as she added, “That’s just the start. It’s critical to identify who owns all the various systems and who is responsible for keeping policies up to date and enforcing them. HR might need to get involved, with recruiting people who know how to handle these responsibilities and engaging in cybersecurity training for building management personnel. Security has not been one of their areas of responsibility until recently, but now it’s critical.”