Old hardware and software pose cyber security challenges for building automation
Everything that functions digitally is potentially vulnerable to attack. The building automation sector therefore cannot avoid taking a concrete look at cyber security and strengthening it further. At the mini symposium of the building automation (GA) industry, Johan de Wit, Technical Officer Enterprise Security at Siemens, will discuss this topic in more detail.
De Wit will give a lecture titled 'Building hacked? And what could I have done to prevent that?'. He does not want to give away too much of its content, but it is meant to be an awareness session on what an organization can do to prevent hacking attacks. “First of all, you have to estimate how big the possible problem is,” says De Wit.
“A lot happens live in cyberspace,” he says. “For many people it is abstract, because you don't see it. Live maps visually show how big the problem actually is. But are buildings also hacked? There are known situations where this happens, but many attacks remain under the radar.”
How does that happen? “On average, it takes 280 days before a hack is discovered,” says the cyber security specialist. “And many users in construction technology do not use monitoring tools at all, so they are not actively checked to see if strange things are happening. And sometimes a cyber attack simply goes unrecognized.”
There is therefore plenty of work to be done in the industry: “In our field, we are not sufficiently aware of the danger. One of the goals of my presentation is to show that our technology, the OT side, is also vulnerable. Often there is no monitoring component and cyber attacks are classified as just a glitch. The client also often does not ask for such tools. When you look at the possible impact, you should not forget that our OT systems in a building are often crucial for business operations.”
Legacy hardware and software
De Wit continues: “During my presentation I will also delve deeper into the differences between IT and OT. One of them is the lifespan of the hardware. IT hardware lasts about three to five years and then you buy something new. But you don't replace a lighting control system after three years. And updates are often not available.”
“Many buildings are still full of hardware from the last century. Not a problem in itself, because it still functions fine. But back then we thought about cyber security differently than we do today. So legacy equipment is often unsuitable for proper security. Old protocols, such as the BACnet protocol, are also originally non-secure protocols. BACnet doesn't have any form of authentication, for example. Only now is BACnet Secure Connect emerging, which checks whether a device is allowed to control an object.”
Handy tool
Nevertheless, De Wit will help his audience with this complex issue: “It is important that as a company you take security into account in all your processes. During my presentation I will also show how you can make progress with an accessible tool that we have developed together with other parties and the Ministry of Economic Affairs. Some questions are very basic: what equipment do you have, or asset management. And which contracts do I have? Basic questions like that are important. This is a useful tool to get started.”