A BMS remains essential, but is it secure?

1 May 2017 Surveillance, Integrated Solutions

Building management systems (BMS) have come a long way. They no longer just manage the physical environment of facilities; these platforms now enable the integration, and centralise the control, of multiple building systems. Their role is becoming more, not less, important as these systems begin to converge with IT and enterprise systems. However, increased integration creates security loopholes. Is the BMS a weak link?

With more integration and distribution of information between systems, there is greater opportunity to hack into sensitive enterprise systems. It’s a very real risk. The challenge is that it’s difficult to share information and keep systems secure, especially when the core functionality of the systems differs. Security systems are built to protect people and assets. BMS functionality, because it is focused on managing an internal environment, is not usually security-oriented. Care thus needs to be taken with regard to how systems share information, as well as how much and what information they share.

For example, it may be effective to share basic occupancy information, such as how many people are working in which parts of the facility, to assist the BMS to make decisions about where lighting and ventilation may be switched off; it may be a security risk to also share detailed personal information about who these people are.

Security standards – let’s shake on it

The standards and the technology each system uses will also differ. BMSs make use of open systems, which make it easier to share non-critical information, such as temperatures within the facility, the performance of HVAC equipment and energy usage. Enterprise systems containing sensitive information generally require authentication before granting access.

Johnson Controls has found that, to get around this, cybercriminals will make use of systems with low-level security to get into more critical enterprise systems. For a hacker, for instance, it may be just a hop and a skip to the company’s HR database via a controller that is part of the company’s access control system and is being fed information about which areas of a facility a card holder may access. And once inside the enterprise system, access to sensitive customer data is within reach.

To combat this, Johnson Controls has built additional Dark Node security into its Metasys BMS solution that ensures secure handshakes between devices. This capability makes it difficult for hackers to simulate different devices and hack into a system. It’s something that has become increasingly important to be aware of as the computing capacity and the intelligence of controllers – the basic hardware components that make access control systems work, opening and closing doors and turning on the sprinklers when the smoke alarms go off – continue to grow, opening security loopholes that heighten threat risks.

Secure BMSs are here to stay

Will BMSs be replaced by, or converge with, other solutions like physical security information management (PSIM) software? The short answer is no: the functionality of the BMS is too advanced, too specific and too valuable to be easily replaced. What users can expect is greater interoperability between BMS and other systems, along with a stronger focus on what is shared, how it is shared, and what information is stored. In other words, security awareness and implementation of security measures within BMSs will become non-negotiable.

The strategic roadmap for BMS platforms will see them continue to advance, becoming easier to install and operate. Users can expect more interoperability with a lot more plug-and-play integration and wireless information sharing. The winners, however, will be those platforms that put the right security and sharing processes in place to ensure the enterprise, its assets, people and customers are secure.

For more information contact Johnson Controls, +27 (0)11 921 7141, www.johnsoncontrols.com


