Make Your Building Smart

Here’s our summary of their top tips.

1. Make big data smart data

Controls technology such as sensors is gathering huge amounts of data. The secret is to turn this into smart data, by ensuring that it’s all centralised in the BEMS – and this means integrating your building services systems – heating, lighting, cooling. In fact, trying to run these systems separately will almost inevitably lead to inefficiencies as well as discomfort for occupants.

2.  Get into analysis

Once the data is all flowing into a central point, it’s possible to use analysis to pick out the really important information. This can be done in house, but if you haven’t the expertise there are data analytics partners that can help identify areas such as peaks and troughs in energy use, or the fact that heating and lighting are left on when not required.

3. Automation is the future

When smart data is available, it’s possible to automate building controls. Using the smart data, paired with analysis, the system can keep a building in balance – energy efficient and comfortable for occupants.

4. Show building users what’s going on

Energy dashboards are a good way to show building occupants the effects of efficiency strategies. And modern controls technology will give them some level of control over their environment – as long as the automated system returns efficient settings (as users are likely to leave heating or lighting operating when it’s not required).

5. Consider remote control

Although pretty much every building has some sort of control or basic BEMS, it’s often not used optimally. This can be due to lack of in-house expertise, particularly as the work is time-consuming and requires focus to gain all the benefits. For large buildings, or multiple properties, moving energy management via the BEMS to a remote service can make sense. There are many advantages, including access to state-of-the-art monitoring and analysis software. Some controls manufacturers now offer this as a service.

Team of ‘ethical hackers’ shows controls easily compromised, risking HVAC shutdowns

Team of ‘ethical hackers’ shows controls easily compromised, risking HVAC shutdowns

Cybersecurity experts have revealed that poor BMS installation continues to leave the systems vulnerable to hacking. This, say the ’ethical hackers’ risks the scare scenario of an attacker taking control of systems to cause disruption, to trigger fire alarms, to open or shut doors and potentially get on to the IT network itself in vulnerable buildings such as government or military sites. Beyond the security risk, such hacking could simply shut off the heating in any number of buildings controlled by BMS.

The team from security consultancy Pen Test Partners warned BMS manufacturers that they must educate their installers and put them through stiffer accreditation and audit processes. The firm said: ”It simply shouldn’t be possible to install these devices in customer buildings this insecurely.”

Pen consultant Ken Munro hacked into a range of building controllers and found that few had been configured correctly, with many being openly detectable over the public internet, via the Internet of Things search website Shodan. In some cases this would allow an attacker to completely bypass the log-on mechanism to access the device, the firm said, while some of the controllers already contained malware.

Mr Munro found that while some of the hardware had been improved, large numbers were discoverable on the public internet, unprotected, with complete authentication bypasses in some cases.

He said: ”We found them in military bases, schools, government buildings, businesses and large retailers among many, making the organisations ripe for compromise.

He added that the fault was largely laid at the installers’ door: ”Most of these issues have been caused by HVAC & BMS installers, rather than the vendor. The installers have exposed their clients through not following manufacturer security guidelines. The manufacturer could still make improvements though.”

The manufacturer of the controller in the investigation, Trend Controls, offers security advice for installers, emphasising that the devices should be on isolated subnets and never exposed to the internet. However, the advice appears to be routinely overlooked by the installers, since Mr Munro’s initial search found a list of over 1000 controllers on the internet. In many cases the installers had used the name of the facility on the databases, making them easily identifiable.

In addition to the threat via the internet, the controllers are vulnerable to local hacking, since they are often isolated in plant rooms, the consultancy said:

Security can easily be breached by adding a guest user, where the installer hasn’t set this up, Mr Munro added.

Mr Munro issued a warning to building owners, based on the findings. He said: ”Building management systems are often installed by electricians and HVAC engineers who simply don’t understand security. Ask questions about what ‘stealth’ technology is in your buildings. Ask the guys who look after your HVAC how it’s monitored and managed. Whilst you’re there, ask about your door controllers and your IP alarm systems. BMS suppliers need to wake up and smell the coffee: educate your installers, accredit them and audit them. Then ensure your product is as foolproof as possible, making insecure installation as difficult as possible.”

Read the full article here.