17 June was an important date for building owners and operators. On that day in 2010 the Stuxnet malware (malicious software) was identified. Unlike conventional malware, which wreaks damage in the virtual world, Stuxnet targeted the software controlling pumps, valves, lifts, lighting and machinery. It was the first computer virus with the potential to cause real-world damage.
Stuxnet was designed specifically to target programmable logic controllers running Siemens software through a vulnerability in the Windows operating platform. The internet is awash with theories as to where the virus originated. The most popular is that the US government introduced the virus to target the centrifuges used by Iran in its Natanz nuclear enrichment facility, the output of which was ostensibly for the country’s nuclear power stations but which could also be used for nuclear weapons.
[Figure: The Stuxnet virus was one of the first to cause real-world damage]
Imagine the impact on an organisation if hackers were to take over control of the lifts in its headquarters, or turned off the fire alarms and lights and turned up the heating. The building would be unusable and normal business operations would have to halt.
In the past, cyber attacks on building systems were less of a risk because each building service had its own dedicated cabling system and controls protocol. Over time, however, these systems have migrated onto a common internet protocol (IP) based cabling system. A single IP communications cable (such as a Cat 6) might now carry everything from business systems such as voice, data and video to security, energy management, access control, lighting, lift controls, HVAC and fire and life safety systems.
[Figure: Many functions can now be carried by one set of cables]
The big advantage of this convergence is that it enables increased interaction between systems to maximise energy efficiency and to provide real-time information on how buildings are being used, often with the ability to access and manage multiple buildings remotely.
The downside of having an external access facility is that it can be exploited by cyber criminals. This was the case with Target stores in the USA. In November 2013, attackers gained admittance to Target’s IT network by stealing access details from the company’s HVAC contractor, which was authorised to access the system to enable it to monitor energy consumption and temperatures in the firm’s stores. Once in the system, the attackers went on to steal payment card details for the retailer’s customers. According to BSRIA research, over 90% of all larger buildings (those above 50,000 m²) in the USA “have some kind of BACS and many are to some degree at risk”.
While the attack on Target was confined to a single business, the Government is concerned that vulnerability to cyber attacks can extend outside of buildings and into the electricity network. The Government’s Science and Technology Committee describes the threat as “significant” in its report Resilience of the Electricity System. It is a threat that is likely to increase as the grid becomes smarter and ever more dependent on ICT and two-way communication between buildings, their management systems and the grid.
Until the Stuxnet attack the security of building management systems was not considered a high priority. While security protection of computers and servers was considered, much less attention was given to the protection of HVAC equipment and lighting controls, for example. This is no longer the case; experts now warn that if a device is on a building’s network it can be discovered and used as a launch pad to infiltrate other devices and systems.
It is not simply newer buildings with fully integrated building systems that are under threat. Older buildings running legacy BMS systems, which are based on older operating software, are perhaps even more susceptible to attack. This is because the system’s vulnerabilities are well known to hackers and the software provider may have stopped updating the system with security patches, providing an open back door for malicious attacks on a building.
[Figure: Older equipment can be a gateway into a building's other systems]
Even with comprehensive security measures in place, experts are warning that building occupiers should still assume that all the preventative measures will fail. As a consequence, they should design the building services to operate in this worst-case scenario. This is far from straightforward: if there was a power failure in a building and the standby generators’ firmware had been hacked, so that the control system failed to recognise the power failure, how easy would it be for a business to override these controls and start the generators manually?
David Fisk, Professor of Systems Engineering & Innovation at Imperial College London and a past president of CIBSE, says it is critical for building services to have some basic hardwired ‘black-start’ functionality to allow manual operation as a fall-back. “An identified minimum level of service and hardware hardwired that can provide it is thus essential,” he says in his paper Cyber Security and Building Services. “The very existence of such a plan may not make the reward of a targeted attack worthwhile”.