The Impact of CybersecurityThreats in Building Automation Systems
Building automation systems (BAS) are increasingly interconnected with the internet, making them more vulnerable to cybersecurity threats. These threats can significantly impact the operation and security of buildings, as well as the safety of their occupants.
One recent example of a cybersecurity attack on a BAS is the attack on Johnson Controls, a leading provider of building automation systems. In October 2023, Johnson Controls was hit by a ransomware attack that encrypted some of its systems. This attack caused disruptions to the company's operations and led to concerns about the security of its customers' BAS systems.
Cybersecurity threats to BAS can have several impacts, including:
Disruption to building operations: BAS controls various building functions, such as HVAC, lighting, and security. A cybersecurity attack can disrupt these functions, leading to uncomfortable or even dangerous conditions for building occupants.
Theft of sensitive data: BAS can contain sensitive data about building occupants, such as access control codes and floor plans. A cybersecurity attack could lead to this data being stolen and used for malicious purposes.
Damage to building systems: In some cases, a cybersecurity attack can cause damage to building systems. This could include physical damage to equipment or software corruption.
Safety risks: A cybersecurity attack could also pose a safety risk to building occupants. For example, an attacker could gain control of a BAS and use it to turn off fire alarms or security systems.
Building owners and operators can take several steps to mitigate the risk of cybersecurity attacks on BAS, including:
Implement robust security controls, including strong passwords, multi-factor authentication, and firewalls.
Keep systems up to date: Software updates often include security patches that can help to protect against known vulnerabilities.
Segment networks: Segmenting the BAS network from other networks can help to limit the spread of an infection.
Monitor systems for suspicious activity: Implementing security monitoring tools can help to identify and respond to attacks early on.
In the wake of the Johnson Controls attack, building owners and operators need to be aware of the cybersecurity risks to BAS and take steps to mitigate these risks.
In addition to the steps listed above, building owners and operators can also consider the following further to mitigate the risk of cybersecurity attacks on BAS:
Use a zero-trust security model: A zero-trust security model assumes that no device or user can be trusted by default. This approach can help prevent unauthorized access to BAS systems, even if an attacker can compromise a single device or user account.
Invest in cybersecurity training for staff: BAS administrators and other staff members with access to BAS systems should be trained on cybersecurity best practices. This will help reduce the risk of human error, a common cause of cybersecurity breaches.
Have a plan to respond to an attack: In the event of a cybersecurity attack, it is essential to have a plan in place to respond quickly and effectively. This plan should include steps to contain the attack, mitigate the damage, and restore systems to operation as soon as possible.
By taking these steps, building owners and operators can help protect their BAS systems from cybersecurity threats and ensure their buildings' and occupants' safety and security.