Cybersecurity vulnerabilities can affect our everyday lives. Energy management and control systems (EMCS) are seldom top-of-mind for the general public, and the term is not one most people know. An EMCS is, in some ways, a glorified thermostat designed to ensure conditions remain comfortable within a building. Normally, there is no cause to worry about it. However, EMCS, and similar systems called supervisory control and data acquisition (SCADA) systems, control equipment whose proper operation is fundamentally critical to a building.
Any modern office building, school, hospital, data center, university, or military facility is served by large, complicated mechanical systems that provide heating, cooling, and ventilation. Shutting down any of these mechanical systems threatens the building’s ability to function properly. For example, a data center cannot operate without air conditioning for more than a few minutes. Sabotaging a building does not necessarily require a direct attack. It can be as simple as shutting down a fan or a boiler at the right moment.
Historically, EMCS security was never an issue. These systems existed out-of-sight, tucked away deep in boiler rooms, isolated from most other operations. Most had limited or no connections to the outside world and operated on proprietary networks, separate from the standard Ethernets of the information technology (IT) world. This anonymity, in some ways, was their best defense since the level of security designed into the systems was often low, and system users gave little attention to the issue.
In today’s Internet of Things (IoT) environment, where so many devices have an IP address and systems can be connected to a laptop, the security of EMCS, SCADA, and similar systems is more important than ever.
Cyberattacks on industrial systems that control processes such as electricity generation, refineries, data centers, and gas pipelines are commonplace. In 2015, 295 attacks on such systems were reported to U.S. authorities. By 2017, that number exceeded 1,000. Despite this, all major communication protocols for facility and industrial control systems are vulnerable to a cyberattack. Some have no data security protocols.
This problem is exacerbated because building and industrial engineers are not typically IT professionals or cybersecurity experts. Their focus is on ensuring the systems perform their intended tasks with security as a secondary concern. In many cases, the specifying engineers, installers, and building operators lack the awareness or training needed to ensure these systems are secure.
Ways to increase system security
Potential attacks on these systems can be broadly divided into two categories: internal and external. External attacks are likely to originate from the internet. For this reason, all internet connections should be treated as potentially hostile and secured against intrusion. Several defense options should be explored, such as:
- No internet connection – While secure, this severely limits the functionality of modern systems, which need to exchange data with a host of other applications or need to be monitored/controlled from remote locations.
- Remote desktop application – This requires a dedicated software package running on a remote computer. While effective, this creates another point of vulnerability at the remote computer, which must likewise be protected.
- Virtual private network (VPN) firewall – Similar to a remote desktop, but with a more secure connection. The remote computer still requires protection.
- Dedicated EMCS/SCADA web server – Rather than connecting an EMCS directly to the internet, a separate server is placed behind a firewall with restricted access to the server.
Any of these options, or a combination of them, will improve a system’s security. All of them, however, will be useless if a hacker obtains authentication credentials from an end user. Guarding against this requires the same policies found in IT departments, which mandate strong, frequently changed passwords and active protection against probes such as phishing emails that try to lure users into disclosing their passwords. In addition, physically protecting the system components behind locked access is a must.
Ken Robinson is the director of operational excellence for Southland Energy, a division of Southland Industries, a CFE Media content partner. Edited by Emily Guenther, associate content manager, Control Engineering, CFE Media, email@example.com.
KEYWORDS: Cybersecurity, cyberattack
Energy management and control systems (EMCS) control equipment that is fundamentally critical to a building.
Best practices against cyberattacks
A variety of offline/online tactics can be used to improve cybersecurity.
Consider this: Are your employees aware of measures to take to increase cybersecurity?