Bulding Management System Security / BMS

Ireneusz Krajewski, on November 18, 2019 Updated: September 1, 2023

Both BMS and SCADA systems are traditional solutions used in real estate/manufacturing to support technical and production systems. While role of SCADA is much different than BMS, many of these systems have common roots and more importantly - security rules and vulnerabilities.

Traditional BMS/SCADA systems versus the Cloud and proptech solutions

Main difference between BMS and SCADA systems and more modern approach which employ cloud or proptech solutions is internet connectivity. Most of BMS and SCADA systems is expected and even advised to work in isolated networks. By isolated it means that it has no access to Internet. In fact, as we look at it, both need only access to local resources to do their job.

Proptech and cloud solutions in essence are all about transfer of data and device automation to the cloud. We have to be clear, that time sensitive operations can’t, or are hard to be moved outside of building itself. Thus, what data and processes can be moved, still depends on actual use case.

The most common objections regarding Cloud BMS - Data security

One of the common concerns of Property Managers or Maintenance Teams is off-premises data security. The fact that the traditional solution - a computer with an operating system and BMS / SCADA software which is physically located within the property creates a false sense of security. Have you heard of ransomware which encrypts data on computers and request a ransom to decrypt it? Let’s see, why network isolation makes a false sense of security.

Are local systems secure or is it just an assumption?

We recommend the presentation by Michał Kurek from the OWASP organization which you can find below. It outlines that isolated network is not sufficient in modern days. This is due to the fact that networks are more and more often segmented and connected together.

OWASP Poland Day 2018 - Michal Kurek - Application Security in IIoT World Material by OWASP Poland.

A quick recap of above material - never, ever put your BMS in public network. Network which is reachable from Internet without proper firewall is subject of many threats. A BMS system won’t survive it for sure.

Security vulnerabilities in the Local BMS

Local systems and networks are safe as long as the people responsible for their operation follow the principles of safe operation. Unfortunately, not all of them are easy or pleasant to implement. The latest recommendations from security experts recommend migrating to “zero trust” policies instead of network segmentation and “zero trust architecture” at the application level.

We have identified several very important gaps, which are presented below:

  • Workstations used to launch BMS (workbench or browser) are very often based on Windows operating system. While it might not be the most vulnerable system out there, it is for sure most popular one, making it a common target of attacks. Based on statistics - still 70% of desktop computers (laptops included) is based on Microsoft Windows.
  • Engineering software used is commonly based on Windows, thus engineers who work on their laptops will plug their machines into your network anyway. It is something which is hard to avoid, since adjustment of BMS and controllers in most of the cases requires use of dedicated software.
  • Most powerful controllers can host basic BMS functionality themselves. A lot of them, due to the complexity of their operating system, will require a regular software and firmware maintenance. Leaving such controller alone, without patches for period of several months will start making it more and more vulnerable to wider spectrum of threats. Even linux devices, without proper security measures can be exploited to launch an attack. See Mirai Malware.

All above present a significant threat, as the lack of proper procedures for maintaining and securing data and systems, will lead to accumulation of risks. Given that most of BMS installations and SCADA systems are networked, infection of one device can quickly spread over leading to damage propagation.

While many of network attacks can work on most common vulnerabilities, the first infection can lead to installation of dangerous exploits and follow on attacks. There are known cases of infections which remained invisible for long time, to prepare attack surface towards desired system. Such preparation might lead to a BMS ATTACK which will bring dangerous effects on the entire hardware infrastructure. Many of automation devices usually do not have any additional layer of security, and even if, they will often listen to spoiled BMS.

In the case of BMS infection, it will often be necessary to perform its installation from scratch, along with inventorying, updating or replacing some devices.

Security of IoT and IIoT devices

A properly crafted IoT and IIoT devices should follow up on industry standards and practices towards security.

Below we outline primary goals for IoT/IIoT equipment, following IoXT Alliance Pledge. The following recommendations are also worth considering in the case of ordinary BMS installations:

  1. No common or universal passwords: one of first attacks towards networked devices are dictionary attacks which are fully automated.
  2. Secured interfaces: make sure that firewalls are turned on and running, and that the software that connects to the network actually needs it.
  3. Proven cryptography: rely on industry standards when it comes to cryptography; track advisories of which algorithms are insecure.
  4. Security by default: products must be appropriately secured by manufacturer, out of the box or installation.
  5. Verified software sources: digitally signed software, packages and installers limit the use of unauthorized software.
  6. Automated updates: both the operating system and the software itself should be automatically updated when new vulnerabilities appear.
  7. Vulnerability reporting: make sure that reported threats are evaluated and patched in timely manner.
  8. Security expiration: be clear how long security updates will be provided.

You can look at the above as an assessment sheet and see how safe your BMS is already.

Extraction of BMS data into Cloud with ConnectorIO

Building operational data can be extracted from either BMS or automation systems. At ConnectorIO we rely in most of the cases on automation systems, because many of them have standardized interfaces. We can provide a functionality which will work with BMS installation, once such system have a clear communication interface (API).

Choosing the ConnectorIO solution enables you to benefit from the advantages offered by cloud computing solutions:

  • Automatic updates - if you decide to use ConnectorIO® Gateway, we can take care of operating system and software updates.
  • Uniform version - our ConnectorIO® Agent is modular thus does not require deep customizations, making it easy to maintain.
  • High reliability and availability - all your systems data can be stored in the cloud.
  • Lower maintenance cost - our system rely heavily on automation and configuration management, it can be implemented without on-site visits.