Although the cyber security of a building management system must be addressed long before the start of operation, that is, during design, installation and refurbishment, it is ultimately the operator who bears the consequences of every problem. The following text shows how to minimise operational problems and the resulting risks and damage. More detailed technical information for designers and programmers can be found here and here.
The operator's work begins when the building or its technology is taken over from the supplier, the previous owner or the previous operating company. The operator must first obtain the following information and process it so that it stays available, that is, store it on paper and/or in digital form and make backups of it:
Name and address of the supplier, and the names, telephone numbers and e-mail addresses of the people involved. Contact the service department as well, because post-warranty care may be provided by a different department than the one that carried out the order. If the implementing company is not known, we can try to find it through the system manufacturer using the serial numbers of the installed PLCs, I/O modules or other hardware.
Documentation: obtain it, if possible, as soon as possible after delivery and directly from the supplier. If the documentation is supplied by the general contractor or by the supplier of the parent unit, the as-built design may be incomplete or out of date. It is always advisable to verify with the company that commissioned the control system that the documents are current.
Physical accessibility: this includes documentation of where peripherals and other devices are located and how to reach them. This applies, for example, to the communication interface used for connecting to the Internet, but also to bus lines and network sockets connected to the technological network - and, importantly, to who holds the keys to the relevant rooms or switchboards.
Dependencies: by this we mean the dependence of the control system, or rather of its required functions, on external sources and services:
The next step is to define what level of security we want to achieve and what resources we are willing to spend on it. Cyber security is not an "either/or" matter; it is a continuous process in which we raise the level of security by continually strengthening measures and checking them. At the same time, security can be eroded by external influences (more sophisticated attacks, increased interest from attackers) or by internal ones (a new situation that the current measures do not cover).
Most likely we will define, in cooperation with the IT department, the rules that the building management system should comply with. It is important that the IT department treats the IT part of the control system's security as its own responsibility, especially if the company already has rules for handling cyber security - for example guidelines for ISO 27001 certification or other internal regulations.
Next comes a cost estimate. Most measures are organisational, that is, feasible at minimal cost. However, we must not forget indirect or future costs: if, for example, the building management system is not reachable over the Internet by the service company, this may mean higher travel costs or a longer time between reporting a problem and responding to it, which in turn can extend the downtime of the technology and thus cause operational losses.
Only then does it make sense to go to management and have the measures approved. If the company has processes certified under ISO 9001, it makes sense for these measures to become part of them, since the possible consequences of problems in the building management system are likely to affect the quality of products or services.
The two most serious threats are data loss and data leakage. Defending against them requires seemingly contradictory measures: against loss we back data up to several places and keep the backups easily accessible and restorable, whereas we usually fight leakage by making the data inaccessible. We therefore divide the data associated with the building management system into several groups and handle each accordingly:
Projects, meaning the implementation documentation and the source code of application programs and SCADA systems, together with other documents that describe the functional state of the installation, such as IP address plans, configuration backups of individual devices, operating manuals for the specific installation, and so on.
This data is very difficult to replace; losing the source code for the programmable controllers can mean costs in the hundreds of thousands to recreate it. If we lose the as-built project, servicing becomes a very complicated activity - essentially surveying an unknown environment and searching for faults blind.
Wiring diagrams of switchboards are not critical from the point of view of data leakage, so it is recommended to keep one copy in the switchboard and, in addition, a good backup (preferably in electronic form so that it can be printed at any time).
Source code for application programs and other data is managed either by the supplier of the control system (or the service company), that is, an external entity, or by the building operator. The question is which is more advantageous. With management by an external entity the operator does not have to worry about backups and keeping the data current, but should have their availability covered contractually in case the business relationship ends, for example because the supplier ceases to exist. If the operator looks after the data himself, he must ensure that the programmer works with the current version during every service intervention, and after the work is finished he should always request a copy and store it safely as a new version.
Data sheets, general operating instructions and the like. These are documents that are not specific to a particular installation and should be available from the equipment suppliers, ideally on their websites. Still, it can be useful to have them available offline, categorised so that the required information can be found quickly and easily. Sometimes the SCADA system is used for this purpose, with links to individual documents stored as part of the visualisation project (that is, nearby in dedicated directories that are backed up together with the project). We will appreciate offline availability especially years later, when documentation for devices that are no longer supplied may no longer be available for download from the manufacturer's website.
Records: data generated during system operation. These are mainly historical data, including readings from energy meters, event and alarm logs, automatic backups and other data, including non-electronic records (such as regular inspection reports). It is a good idea to scan important records and store them in digital form, which makes backups easier and allows them to be available remotely.
Directories with records, or the databases holding them, should be backed up regularly. We must realise that measured data can never be measured again. Some data may not be needed for years, for example to perform an energy audit. Backup can be automatic, but it is always necessary to check regularly that the backups are available, that is, whether we can actually reconstruct the backed-up data (for example, are the passwords for accessing the storage known?) and how long the reconstruction will take.
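As an added example (not part of the original article), the following Python script performs the routine part of that regular check: for each backup listed in a manifest it verifies that the file exists, that it still matches the SHA-256 digest recorded when the backup was made, and that the newest copy is not older than its allowed age. The manifest format, the entry names and the sample backup files are all constructed here for illustration. It deliberately covers only existence, integrity and freshness; a real restore test, including confirming that the storage passwords and the matching development tools are still available, still has to be done by hand.

```python
"""Existence, integrity and freshness check for BMS backups.

Added example, not from the original article. The manifest format and the
sample backup files are constructed here; adapt the entries to your own
storage. The script does not replace a real restore test.
"""
import hashlib
import os
import tempfile
import time
from dataclasses import dataclass


@dataclass
class BackupEntry:
    name: str          # what the backup contains, e.g. "plc_program"
    path: str          # where the backup file lives
    sha256: str        # digest recorded when the backup was made
    max_age_days: int  # how old the newest copy may be before it counts as stale


def sha256_of(path, chunk=1 << 20):
    """Hash a file in chunks so large history databases need not fit in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def check_backup(entry, now=None):
    """Return a list of problems for one entry; an empty list means the backup is OK."""
    now = time.time() if now is None else now
    if not os.path.isfile(entry.path):
        return [f"{entry.name}: missing ({entry.path})"]
    problems = []
    if sha256_of(entry.path) != entry.sha256:
        problems.append(f"{entry.name}: checksum mismatch, file is corrupt or was modified")
    age_days = (now - os.path.getmtime(entry.path)) / 86400
    if age_days > entry.max_age_days:
        problems.append(f"{entry.name}: stale, {age_days:.0f} days old (limit {entry.max_age_days})")
    return problems


def check_manifest(entries, now=None):
    """Map each entry name to its list of problems."""
    return {e.name: check_backup(e, now) for e in entries}


def build_sample(tmpdir):
    """Construct sample backups: one good, one stale, one corrupted, one missing."""
    now = time.time()

    def write(name, data, age_days):
        path = os.path.join(tmpdir, name)
        with open(path, "wb") as f:
            f.write(data)
        stamp = now - age_days * 86400
        os.utime(path, (stamp, stamp))  # backdate the file to simulate its age
        return path

    plc = write("plc_program.zip", b"PLC project, version 17", age_days=1)
    scada = write("scada_project.zip", b"SCADA visualisation project", age_days=45)
    hist = write("history_db.bak", b"energy meter readings", age_days=2)
    entries = [
        BackupEntry("plc_program", plc, sha256_of(plc), max_age_days=30),
        BackupEntry("scada_project", scada, sha256_of(scada), max_age_days=30),  # too old
        BackupEntry("history_db", hist, sha256_of(hist), max_age_days=7),
        BackupEntry("vpn_config", os.path.join(tmpdir, "vpn.tgz"), "0" * 64, max_age_days=30),  # never made
    ]
    # Damage the history backup after its digest was recorded (e.g. a failed copy).
    with open(hist, "ab") as f:
        f.write(b"garbage")
    return entries


def run_sample():
    """Build the constructed sample set in a temporary directory and check it."""
    with tempfile.TemporaryDirectory() as tmpdir:
        return check_manifest(build_sample(tmpdir))


if __name__ == "__main__":
    for name, problems in run_sample().items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

Run it from cron or a scheduled task against the real manifest and have it mail anything other than an all-OK report; the digest must come from the moment the backup was written, not from the copy being checked, otherwise a corrupted copy verifies against itself.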
Backup, and the whole agenda around it, naturally entails certain costs: hardware (disks, disk arrays), services (outsourced storage) and our own effort, that is, time spent on backing up and checking, training, and continuous improvement of the whole process. We should be able to quantify these and present them to management for approval.
Another type of data are access names and passwords, VPN certificates and the like. This is critical information that we must protect from leakage, so its management will look different from that of, say, the project documentation. The general IT rules applied to other assets in the organisation should apply here, including measures such as regular (say, semi-annual) audits of user accounts and the closing of accounts that are no longer used.
Let us not forget that, for example, certificates for secure access to web servers (https://) need to be renewed regularly; their validity is currently limited to two years (and may well be shortened further). This is not so much a matter of cost as of organising the whole process, so that web access to the visualisation does not suddenly become unavailable, followed by a search for someone who knows what happened and can fix it.
If we are taking over an already functioning building management system, some things can no longer be influenced much. These include the layout of the switchboards and their interconnection via buses, usually a technological Ethernet network. This network is either run separately or is part (physically, logically or both) of the company's infrastructure. A separate network is a significant security advantage, but physical security must also be considered (see ISO 27002, chapter 11, Physical and environmental security): defining a security perimeter, access control and, above all, the placement of equipment and the protection of cabling. We often see key components such as routers and switches placed in completely unsatisfactory conditions - on a table among cables, under a desk with a workstation, in a switchboard without any mechanical fastening, and so on.
Consider, therefore, whether it is not worth rebuilding the network and bringing it into line with the requirements for a quality IT infrastructure. The minimum standard here is a lockable data cabinet. If the network is managed by the IT department, this should be easier.
A little-known risk is posed by IT components that send traffic onto the technological network which elements of the control system may not tolerate well, for example IPv6 packets, router-to-router protocols and so on. The result is sudden, hard-to-diagnose problems in a system that has worked properly until then. They show up as communication lock-ups in converters or PLCs, or as whole devices freezing, and can give the impression of a deliberate attack. Usually, however, that is not the case. When looking for the cause, we first separate the technological network from the IT infrastructure (completely physically, or at least by a router with only the strictly necessary rules) and watch whether the problems continue.
If the building management system includes a UPS, it should be checked regularly and the battery replaced or serviced at the intervals recommended by the supplier.
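Before separating the networks it helps to see what is actually arriving on the technological segment, for instance from a capture on a switch mirror port. The following Python script is an added example, not part of the original article: it reads a classic pcap file (Ethernet link type only), labels each frame and flags the kinds of IT traffic named above that a PLC or gateway never needs, namely IPv6, OSPF/EIGRP/VRRP, RIP, HSRP, BFD, STP and LLDP. The sample capture is constructed inside the script so it runs offline, and the list of "noisy" protocols is an assumption to be adapted to the site.

```python
"""Sort a pcap capture from the technological network into expected and unwanted traffic.

Added example, not from the original article. Reads the classic pcap format
(Ethernet frames only); the list of "noisy" IT protocols and the sample
capture below are assumptions constructed for illustration.
"""
import struct
import sys

ETH_IPV4, ETH_IPV6, ETH_LLDP = 0x0800, 0x86DD, 0x88CC
# Router-to-router and switch housekeeping protocols that a PLC or gateway never needs.
NOISY_IP_PROTO = {88: "EIGRP", 89: "OSPF", 112: "VRRP"}
NOISY_UDP_PORT = {520: "RIPv1/2", 1985: "HSRP", 3784: "BFD"}


def classify_frame(frame):
    """Return (label, unwanted) for one Ethernet frame."""
    if len(frame) < 14:
        return ("runt frame", True)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    payload = frame[14:]
    if ethertype < 0x0600:
        # IEEE 802.3 length field, an LLC header follows; DSAP 0x42 is the bridge group (STP).
        return ("STP BPDU", True) if payload[:1] == b"\x42" else ("802.3/LLC", False)
    if ethertype == ETH_IPV6:
        return ("IPv6", True)
    if ethertype == ETH_LLDP:
        return ("LLDP", True)
    if ethertype == ETH_IPV4:
        if len(payload) < 20:
            return ("truncated IPv4", True)
        ihl = (payload[0] & 0x0F) * 4
        proto = payload[9]
        if proto in NOISY_IP_PROTO:
            return (NOISY_IP_PROTO[proto], True)
        l4 = payload[ihl:]
        if proto == 17 and len(l4) >= 8:
            dport = struct.unpack("!H", l4[2:4])[0]
            return (NOISY_UDP_PORT[dport], True) if dport in NOISY_UDP_PORT else (f"UDP/{dport}", False)
        if proto == 6 and len(l4) >= 20:
            dport = struct.unpack("!H", l4[2:4])[0]
            return (f"TCP/{dport}", False)
        return (f"IPv4 proto {proto}", False)
    return (f"ethertype 0x{ethertype:04x}", False)


def read_pcap(data):
    """Yield raw frames from a classic pcap file (not pcapng)."""
    magic = struct.unpack_from("<I", data, 0)[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file (pcapng is not supported here)")
    if struct.unpack_from(endian + "I", data, 20)[0] != 1:
        raise ValueError("only Ethernet (DLT_EN10MB) captures are supported")
    offset = 24
    while offset + 16 <= len(data):
        _sec, _usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, offset)
        offset += 16
        yield data[offset:offset + incl_len]
        offset += incl_len


def audit_pcap(data):
    """Return (counts per label, list of (frame index, label) for unwanted frames)."""
    counts, unwanted = {}, []
    for index, frame in enumerate(read_pcap(data)):
        label, bad = classify_frame(frame)
        counts[label] = counts.get(label, 0) + 1
        if bad:
            unwanted.append((index, label))
    return counts, unwanted


# Constructed sample capture (hypothetical addresses, not from any real site).
def _eth(ethertype, payload, dst=b"\xff" * 6, src=b"\x00\x11\x22\x33\x44\x55"):
    return dst + src + struct.pack("!H", ethertype) + payload

def _ipv4(proto, payload, src=b"\x0a\x00\x00\x01", dst=b"\x0a\x00\x00\x02"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0, src, dst) + payload

def _udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def _tcp_syn(sport, dport):
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)

def build_sample_pcap():
    """One Modbus/TCP SYN (expected) plus five kinds of IT chatter that leaked onto the OT segment."""
    frames = [
        _eth(ETH_IPV4, _ipv4(6, _tcp_syn(40000, 502))),                                    # Modbus/TCP to a PLC
        _eth(ETH_IPV6, b"\x60" + b"\x00" * 39),                                              # IPv6 header
        _eth(ETH_IPV4, _ipv4(89, b"\x02\x01" + b"\x00" * 22, dst=b"\xe0\x00\x00\x05")),      # OSPF hello
        _eth(ETH_IPV4, _ipv4(17, _udp(520, 520, b"\x02\x02\x00\x00"))),                     # RIP update
        _eth(0x0026, b"\x42\x42\x03" + b"\x00" * 35, dst=b"\x01\x80\xc2\x00\x00\x00"),       # STP BPDU
        _eth(ETH_LLDP, b"\x02\x07\x04" + b"\x00" * 6),                                       # LLDP from a switch
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1_600_000_000 + i, 0, len(frame), len(frame)) + frame
    return out


if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pcap()
    counts, unwanted = audit_pcap(data)
    print("frames by type:", counts)
    for index, label in unwanted:
        print(f"frame {index}: {label} does not belong on the technological network")
```

Run it as `python audit_ot.py capture.pcap` on a file saved by tcpdump or Wireshark (classic pcap format, not pcapng). If the unwanted list is non-empty, the fix is on the IT side of the boundary: disable IPv6 and the routing or redundancy protocol on the interface facing the technological network, or put that network behind a router that forwards only the addresses and ports the control system actually uses.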
Risk is defined as the product of the probability that an event will occur and the damage its occurrence would cause. In a well-designed and well-installed building control system the probability of failure is relatively low, but the potential damage is high: even if a general failure of control and measurement would not necessarily cause direct losses in production or operation, without up-to-date documentation and software backups the original condition may be very hard to restore. It is then worth considering whether a preventive reconstruction would not be more advantageous. This can take several forms:
The decision depends mainly on the availability and support of the hardware and software: substations, I/O modules, development tools and graphics programs (SCADA).
If the control system is replaced or completely reconstructed, the assembly work must be preceded by a project. During design, close cooperation with the supplier of the control system and with the IT department is necessary in order to avoid conflicts during commissioning. Here the operator should act at least as a consultant who informs all interested parties in good time about the current state of the equipment and the requirements the new system will have to meet.