
Building Automation Systems, IoT and Security

(Draft)

Abstract
Buildings have critical and expensive energy-using equipment that contains many individual
microcomputer-based control devices, which control and manage all kinds of physical and
mechanical equipment, lighting, security, fire and life-safety devices. Building Automation Systems (BAS)
and Internet of Things (IoT) devices together help to improve the comfort levels, energy efficiency, and
maintenance of buildings. However, the presence of these systems and devices increases the need for
improved security to mitigate the possible threats, vulnerabilities and increased risks. This
paper surveys BAS and IoT devices, outlines possible threats and attacks, and
discusses the security instruments needed to guarantee confidentiality, integrity and availability.
The relevant configuration-related issues are also addressed, as is the need for the proper
incorporation of security mechanisms when integrating Building Automation
Systems (BAS) and Internet of Things (IoT) devices.

Contents
Introduction
BAS and IoT security risk assessments
BAS and IoT security process
BAS and IoT device security challenges
Secure BAS and IoT design & development guidelines
Summary

Introduction
Building Automation Systems (BAS) are computer-based control systems installed in buildings
that control and monitor the building's mechanical and electrical equipment such as
ventilation, lighting, power systems, fire systems, and security systems. A Building Automation
System (BAS) consists of software and hardware; these are usually configured and managed
with various protocols.[1] A popular protocol used in the BAS industry is BACnet. The
Internet of Things (IoT) is the network of devices, vehicles, and home appliances that contain
electronics, software, actuators, and connectivity, which allows these things to connect, interact
and exchange data.[2]

Building Automation Systems (BAS) integrated with Internet of Things (IoT) devices are
sometimes known as ‘Smart’ buildings. These are buildings with functions that are automated
using owner or management specifications. Important functions of these systems are HVAC
(Heating, Ventilation and Air Conditioning), Lighting, Air quality, Physical Security and Sanitation.

Figure 1 below shows how building automation systems are an integral part of Smart City
projects.

[1] Kastner, Wolfgang, et al. "Communication systems for building automation and control." Proceedings of the IEEE 93.6 (2005):
1178-1203.
[2] Internet of things. (2018). En.wikipedia.org. Retrieved 31 December 2018, from
https://en.wikipedia.org/wiki/Internet_of_things#cite_note-ITU-3

Figure 1. BAS and Smart City Projects

Figure 2 shows a ‘Smart’ building with BAS and IoT.

Figure 2. A 'Smart' building with BAS

The objectives of building automation systems (BAS) are improved occupant comfort, efficient
operation of building systems, reduction in energy consumption and operating costs, and
improved life cycle of utilities. Many buildings and facilities depend on building automation
systems, IoT and integrated control systems, i.e. utility, water, wastewater, natural gas, facility
lighting, smart meters, building heating and air conditioning equipment, and fire and life safety
systems; most of these are now networked and potentially easily exploitable.

Damage to or compromise of any BAS system, or of IoT devices that are part of the BAS system, may
result in business or critical building functions being disabled; for example, disruption of a
computerized chiller controller could adversely impact network or database servers. Perhaps
more concerning and incapacitating would be the use of the BAS system, or of IoT devices that are
part of it, as a gateway into the organization's information system or the
organization's broader global information networks. BAS systems consisting of automated
networks of sensors, actuators and controllers have cyber security requirements distinct from
those used to secure traditional information systems. A simple example of a security
vulnerability is a conference room thermostat converted into a microphone.

Particular attention needs to be paid when designing and building BAS using IoT devices and
when installing and configuring them, especially to design and commissioning, the use of
anti-virus and anti-malware systems, firewalls and network security, and the patching and security
updating of the BAS and IoT devices.[3]

Figure 3 shows a typical BAS and IoT system

Figure 3. BAS and IoT system

[3] Alasdair Gilchrist. Walter de Gruyter GmbH & Co KG, 2017.

Focus should be on the design and implementation of security for the network and the
end-point/device, and on vulnerability management. Verification of device identity and adoption of
encryption and cryptographic standards are especially critical for BAS using IoT devices. By
ensuring that malware and bad actors are denied access to these devices and that vulnerabilities
are properly patched in a time-bound manner, we can mitigate and control the security
concerns of BAS and IoT devices.

Almost all multi-story green buildings are designed to accommodate a BAS for the energy, air
and water conservation characteristics.

Figure 4 shows the network layout of a typical Building Automation System.

Figure 4. Typical network layout of a Building Automation System

File:RiserDiagram.svg - Wikimedia Commons. (2007). Commons.wikimedia.org. Retrieved 31 December 2018, from
https://commons.wikimedia.org/wiki/File:Ris

Buildings can be exploited by hackers to measure or change their environment: sensors allow
surveillance (e.g. monitoring movements of employees or habits of inhabitants) while actuators
allow actions to be performed in buildings (e.g. opening doors or windows for intruders). Despite
advances in protocols, like secure versions of BACnet for BAS systems using IoT devices, there
are several open problems in BAS security.[4]

[4] Dickson, Ben (16 August 2016). "How to prevent your IoT devices from being forced into botnet bondage".
techcrunch.com. Retrieved 4 September 2016.

Figure 5 shows a map of some of the complexity of designing BAS and IoT system functions.

Figure 5. Design Architecture of BAS and IOT devices and system functions.

Since cyber risk is a product of impact and the probability of occurrence, the greater the
likelihood of a threat occurring, the greater the risk. An important consideration therefore is that
customers need to screen the BAS using IoT devices that are available in the market for potential
security vulnerabilities and privacy violations before adopting them. A key reason why BAS and
IoT security issues arise is that BAS using IoT technology is actually an aggregation of various
other technologies, with possible underlying, unknown security issues. The entire system,
including mobile devices, needs to be incorporated into well-defined security procedures and
processes.

Key areas of BAS and IoT security that need to be investigated are: web interfaces,
authentication/authorization, network services, transport encryption, privacy issues, cloud
interfaces, mobile device interfaces, configurability of devices, software/firmware and the
physical security of the devices themselves.

Various organizations [5] have come up with security guidelines for manufacturers, developers,
and users of IoT devices.[6] A key recommendation for manufacturers is that they avoid the
potential for persistent vulnerabilities in devices that have no update capability. Also, these
devices should be properly configured so that unnecessary or unintended services do not
remain running or active.

Developers of all user interfaces should avoid potential misuse of BAS and IoT accounts by
ensuring that valid user accounts can’t be identified from interface error messages, that strong
passwords are required of all users, and that account lockout is implemented after 3-5 failed login
attempts.
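
The two interface rules above (error messages that do not reveal valid accounts, and lockout after repeated failures) can be sketched as follows. This is an added example, not code from the paper or from any BAS product; the Authenticator type, the 5-attempt threshold and the 15-minute window are assumptions, and the unsalted SHA-256 stands in for a proper password hash.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"errors"
	"fmt"
	"time"
)

// Assumed policy values; the text asks for lockout after 3-5 failed attempts.
const (
	maxFailures = 5
	lockoutFor  = 15 * time.Minute
)

// ErrLoginFailed is the only error returned: an unknown user, a wrong password
// and a locked account all look identical, so errors cannot identify accounts.
var ErrLoginFailed = errors.New("invalid username or password")

type attempts struct {
	failures    int
	lockedUntil time.Time
}

// Authenticator is a hypothetical in-memory login backend for a BAS web UI.
type Authenticator struct {
	hashes map[string][32]byte  // demo only: a product stores a salted, slow KDF output
	tries  map[string]*attempts // demo only: a product would bound the size of this map
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{hashes: map[string][32]byte{}, tries: map[string]*attempts{}}
}

func (a *Authenticator) AddUser(name, password string) {
	a.hashes[name] = sha256.Sum256([]byte(password))
}

// Login takes the current time as a parameter so the lockout window is testable.
func (a *Authenticator) Login(name, password string, now time.Time) error {
	// Failures are counted per submitted name, whether or not the account exists.
	t := a.tries[name]
	if t == nil {
		t = &attempts{}
		a.tries[name] = t
	}
	// Hash and compare even for unknown users so both paths do the same work.
	stored, known := a.hashes[name]
	got := sha256.Sum256([]byte(password))
	match := subtle.ConstantTimeCompare(got[:], stored[:]) == 1
	if now.Before(t.lockedUntil) {
		return ErrLoginFailed // locked: even the correct password is refused
	}
	if known && match {
		t.failures = 0
		return nil
	}
	t.failures++
	if t.failures >= maxFailures {
		t.lockedUntil = now.Add(lockoutFor)
		t.failures = 0
	}
	return ErrLoginFailed
}

func main() {
	a := NewAuthenticator()
	a.AddUser("operator", "constructed-sample-passphrase")
	for i := 0; i < maxFailures; i++ {
		_ = a.Login("operator", "guess", time.Now())
	}
	fmt.Println("correct password while locked:", a.Login("operator", "constructed-sample-passphrase", time.Now()))
}
```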

Figure 6 shows an example of the connectivity of BAS systems using IoT devices and the
network connectivity.

Figure 6. Example of the network connectivity of BAS systems and IoT devices.

[5] https://www.gsma.com/iot/wp-content/uploads/2016/02/CLP.11-v1.1.pdf
[6] https://www.owasp.org/index.php/IoT_Security_Guidance

Consumers, implementers and users of BAS using IoT devices need to include security among
the feature considerations when evaluating BAS and IoT products, and should put BAS using IoT
devices on a separate network, if possible, using a firewall. The major security challenges for
BAS and IoT are: Availability, Identity, Security and Privacy.

Figure 7. BAS and IoT in 'Smart buildings'

Figure 7 above shows the use of BAS and IoT in ‘Smart’ buildings.

BAS and IoT security risk assessments


The goal of the risk assessment is to create (or update) a set of policies, procedures and controls
that review, remediate and respond to gaps in BAS and IoT security. By describing the value of
the information and the resources used, the business and BAS and IoT devices can be secured.

Key points in the risk assessment process are identification of the BAS using IoT devices and
physical and digital assets to be protected; identification of threats, vulnerabilities, threat actors;
impact and the probability of the compromise, value and safety impact, remediation and
mitigation processes, BAS and IoT security gaps, and the budget to be applied for the BAS and
IoT security incident response, monitoring and risk remediation.

Figure 8 shows the security issues in BAS and IoT systems.

Figure 8. Security issues and considerations in BAS and IoT systems

BAS and IoT security process
As thermostats, lights, meters, and sensors join the “Internet of Things” (IoT), Building
Automation Systems (BAS) gain not only power and ease of use but also
complexity. The transition from isolated systems operated from a computer in the basement to
internet-connected systems accessed from mobile devices causes security challenges. The
greatest advantages of this revolution are mobility and portfolio view, both of which increase
ease of use and operational efficiency. However, the Internet connectivity that allows the
correlation of a variety of data sources and the coordination of controls across disparate devices,
enabling increasingly complex and sophisticated systems, also results in increased and unexpected cyber
security threats and vulnerabilities.

Serious security and privacy vulnerabilities exist in some of these systems placing critical
infrastructure at risk to malicious intent. We highlight why vendors of Building Automation
Systems (BAS) using IoT devices need to take these concerns seriously and offer secure
solutions.

The key to the security of BAS using IoT devices is the use of security processes:
evaluating and reviewing the BAS and IoT product or service security model; reviewing, evaluating
and implementing the security recommendations; and making this part of an ongoing lifecycle and
maturity model.

BAS and IoT device security challenges
Figure 9 is an infographic showing some of the key security challenges of BAS use of IoT.[7]

Figure 9. BAS use of IoT security challenges

The key security challenges are:


1. BAS and IoT products may be deployed in insecure or physically exposed environments
2. Security is new to many manufacturers and there is limited security planning in
development methodologies
3. Security is not a business driver and there is limited security sponsorships and
management support in development of BAS and IoT products
4. There is a lack of defined standards and reference architecture for secure BAS and IoT
development
5. There are difficulties recruiting and retaining requisite security skills for BAS and IoT
development teams including security architects, security hardware and software
engineers, and BAS and IoT security testing staff.
6. The low price points of many BAS and IoT devices increase the potential for a much
larger adversary pool and number of insecure devices
7. Resource constraints in embedded BAS and IoT systems limit the number of security
options.

[7] https://inform.tmforum.org/internet-of-everything/2016/09/iot-isnt-secure-people-wont-use

Secure BAS and IoT design & development guidelines
The following are the major guidelines for designing & developing secure IoT devices
provided by the Cloud Security Alliance organization.[8]
1. Use a secure development methodology
Key steps in this process are identifying BAS and IoT security requirements and processes,
performing a safety impact assessment of the BAS and IoT device, and performing threat
modeling.

The diagram below (Figure 10) provides graphical guidance for designing and developing
reasonably secure IoT devices by mitigating some of the common issues with IoT development,
as described by the IoT working group of the Cloud Security Alliance.[9]

The BAS and IoT software development process should have substantial software security
feedback loops in order to make the product better and more secure. This could include things
like identification of a vulnerability in the code, update of product design on identification of
security issues, continuous software quality and security testing, etc.

[8] https://cloudsecurityalliance.org/
[9] “Security Guidance for Early Adopters of the IoT”, The Cloud Security Alliance (CSA) IoT Working Group,
April 2015

Figure 10. Secure BAS and IoT software development

An important aspect of secure BAS and IoT development is performing threat modeling.
Identifying the BAS and IoT security surface areas, threat agents, attack vectors, vulnerabilities
and impacts associated with these enables organizations and customers to make better BAS
and IoT security decisions.[10]

Figure 10 shows secure BAS and IoT software development. © Cloud Security Alliance

2. Implement a secure development and integration environment for BAS and IoT devices.
Important steps are evaluating various programming languages, integrated development
environments, continuous integration plugins and implementing secure testing and secure code
quality processes.

When choosing a programming language for BAS and IoT development, BAS and IoT
developers should familiarize themselves with the recommended security guidelines available
for their respective programming languages, for example: Guidelines for the Use of the C Language in
Critical Systems, ISBN 978-1-906400-10-1 (paperback), ISBN 978-1-906400-11-8 (PDF),
March 2013.

[10] https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project

Identification of the BAS and IoT micro-controller unit (MCU), and of the security services of the
MCU to make use of, is a critical part of the BAS and IoT security selection process.

Choice of security testing tools as part of the testing and code quality process is critical, along
with static analysis checks and the use of unit testing along with code coverage metrics.

Secure configuration management, a process to validate the code, and the use of
secure code libraries are also critical parts of the BAS and IoT security development and
integration process.

3. Identify secure BAS and IoT frameworks and platform security features.
Key steps in this process are selecting a secure BAS and IoT integration framework and
evaluating the platform’s security features.

When selecting an integration framework for BAS and IoT devices, we need to examine the
security characteristics of the integration frameworks, including the security of onboarding,
configuration, asset management and discovery, and whether the connections and gateways of the BAS
and IoT devices are secure.

Various frameworks are available for doing secure BAS and IoT development and it is important
to identify and evaluate the security functionality and features available in each of these
frameworks before selecting one.

It is important to evaluate the security features available in each of the layers of software,
hardware, and the security requirements for various categories of BAS and IoT devices in
environments like Safety critical, Industrial, Business, Consumer, etc. and whether they meet
industry specific certifications like IEC 61508, DO-178B, ISO 62304, etc. Another important
consideration is to choose operating systems that are secure and suitable for BAS and IoT
devices.

4. Establish Privacy protections
An important step in this process is designing BAS and IoT devices, services and
systems to collect only the minimum amount of data necessary. Analyzing BAS and IoT device
use cases to support compliance with privacy and security mandates as necessary is thus critical in
ensuring security and privacy, as is designing opt-in requirements for BAS and IoT devices.
Services and system features which implement technical privacy protections using
privacy-enhanced discovery service features and rotating certificates should also be considered.

To protect privacy, emphasis should be on reducing to a minimum the data stored in BAS and IoT
devices and on avoiding data leakage. BAS and IoT devices related to health need to be compliant
with the privacy directives of regulations like HIPAA in the United States.

5. Design in Hardware-based security controls.
Key hardware-based security controls for BAS and IoT devices are the use of secure hardware
mechanisms in microcontrollers (MCU), use of trusted platform modules, memory protection
units (MPU), incorporation of physically unclonable functions, use of specialized security chips /
coprocessors, use of cryptographic modules, use of physical device protections and tamper
protections, guarding the supply chain by analyzing whether the use of each component would
introduce additional security risk, doing self-tests on the BAS and IoT devices on startup, and securing the
physical interfaces by using active tamper protections.

6. Protect the BAS and IoT data
A key consideration in protecting BAS and IoT data is security when selecting
BAS and IoT communication protocols: understanding the
various interactions between different types of BAS and IoT protocols, and the optimal approach
for layering security across these protocols.

Figure 11. BAS and IoT layers and impact on security

Figure 11 gives an overview of the various BAS and IoT layers we need to consider while
selecting the IoT communication protocols.

The selected communication protocol must guard against a variety of attacks against BAS and
IoT devices, like wired and wireless scanning and mapping attacks, protocol attacks,
eavesdropping attacks (loss of confidentiality), cryptographic algorithm and key management
attacks, spoofing and masquerading (authentication attacks), denial of service and jamming
attacks, etc. Controls should also be put in place to ensure that only legitimate devices are
paired / able to join the network.

7. Secure the associated applications and services of the BAS and IoT devices
Privileged access capabilities need to be considered both for configuring the BAS
and IoT device and for the applications interacting with it. It should be ensured that apps and
services that are paired with BAS and IoT devices have been developed using secure
development best practices.

8. Protect the logical interfaces / APIs
BAS and IoT devices may interface with various services, and it is important to guard these
interfaces against various attacks. Proper formatting of messages, use of valid data types,
secure error handling, identifying the application layer APIs that are exposed, verifying the trust
relationships and connections, etc. are needed to secure the BAS and IoT device interfaces.

A key method of protecting the logical interfaces is to implement certificate pinning support by
embedding the service’s certificate or public key in the application / firmware itself. This can
protect against attacks where the BAS and IoT devices are configured to interface with an
improperly authenticated malicious server or proxy (man-in-the-middle attack).
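
The pinning check described above, as an added example (not code from the paper or from any vendor): the device accepts a TLS server only if the hash of its public key matches a pin embedded in the firmware. The host name bas-cloud.example, the function names and the locally generated sample certificates are assumptions made so the example runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiPin hashes a certificate's SubjectPublicKeyInfo. Pinning the key rather
// than the whole certificate survives certificate renewal with the same key.
func spkiPin(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// pinVerifier returns a callback for tls.Config.VerifyPeerCertificate that
// fails the handshake unless the server's leaf key matches a pin embedded in
// the firmware. It runs in addition to normal chain and hostname validation.
func pinVerifier(pins [][32]byte) func([][]byte, [][]*x509.Certificate) error {
	return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
		if len(rawCerts) == 0 {
			return errors.New("pinning: server sent no certificate")
		}
		leaf, err := x509.ParseCertificate(rawCerts[0])
		if err != nil {
			return fmt.Errorf("pinning: %w", err)
		}
		got := spkiPin(leaf)
		for _, p := range pins {
			if got == p {
				return nil
			}
		}
		return errors.New("pinning: server key matches no embedded pin")
	}
}

// selfSigned builds a constructed sample certificate so the example runs offline.
func selfSigned(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	genuine, _ := selfSigned("bas-cloud.example")
	proxy, _ := selfSigned("bas-cloud.example") // same name, different key
	cfg := &tls.Config{
		ServerName:            "bas-cloud.example",
		MinVersion:            tls.VersionTLS12,
		VerifyPeerCertificate: pinVerifier([][32]byte{spkiPin(genuine)}),
	}
	fmt.Println("genuine:", cfg.VerifyPeerCertificate([][]byte{genuine.Raw}, nil))
	fmt.Println("proxy:  ", cfg.VerifyPeerCertificate([][]byte{proxy.Raw}, nil))
}
```

Go does not invoke VerifyPeerCertificate on resumed TLS sessions, so a client that enables session resumption should place the same check in VerifyConnection. Shipping a second, backup pin lets the service rotate its key without stranding deployed devices.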

9. Provide a secure update capability
Insufficient security of firmware updates may allow a malicious person to modify
legitimate firmware and upload new malicious firmware into the product. The update
process should be designed to ensure proper validation and protection of the firmware and of the
update process itself during the entire lifecycle.

10. Implement authentication, authorization and access control features
Key considerations for implementing authentication, authorization and access control
features are the use of certificates for authentication, considering biometrics for authentication,
considering certificate-less authenticated encryption (CLAE), and using OAuth 2.0 authentication
and user managed access (UMA).

Figure 12. Credentials used for securing BAS and IoT in the cloud

Using the Amazon cloud as an example, Figure 12 above shows the use of credentials for
securing BAS and IoT in the cloud.[11]

11. Establish a secure key management capability
A key step in this process is the design of secure bootstrap functions.

12. Provide logging mechanisms

13. Perform security reviews (internal and external)

[11] https://www.slideshare.net/AmazonWebServices/best-practices-for-iot-security-in-the-cloud-73443599

Summary
When intelligent devices with sensors and actuators are connected to the internet, the security
issues at the hardware and software layers, along with those at the network layer, are
compounded. Potential abuse and hacking of BAS using IoT devices translate
into monetary losses, and even losses at the physical and human level, such as loss of data and
exposure to ransomware and hacking. The security issues of integrity, availability, and confidentiality of
BAS systems using IoT devices, along with the privacy impact, become exponential. However,
security is only as strong as the weakest link in this chain. Hence, testing of the BAS system
and IoT devices, along with patching of their vulnerabilities, is of utmost priority because of the
interconnectedness of these devices and the possible subversion of critical mechanical and
electronic components.

The most important step is to get the security requirements for BAS using IoT correct and to build
security into the design of the BAS itself. It is important to securely design the BAS use of IoT
devices against well-known and possible attacks at the different software and hardware layers.
Well-thought-out quality assurance, quality control and testing procedures should be carried out
on a continuous basis, throughout the product cycle. As connecting BAS with various IoT
devices exposes new vulnerabilities, proactive testing should be done to identify and
mitigate these vulnerabilities.

It is thus important that organizations, building managers, and building owners have a well
thought out policy for installing and maintaining the BAS and IoT devices in a safe, secure and
compliant manner. It is also important that the BAS use of IoT devices comply with security
guidelines of government regulations and various regulatory agencies.
