Abstract
Intelligent Buildings or Building Automation and Control Systems (BACS) are becoming common in buildings, driven by the commercial need for functionality, sharing of information, reduced costs and sustainable buildings. The facility manager often has BACS responsibility; however, their focus is generally not on BACS security. Nevertheless, if a BACS-manifested threat is realised, the impact on a building can be significant, through denial, loss or manipulation of the building and its services, resulting in loss of information or occupancy. Therefore, this study garnered a descriptive understanding of security and facility professionals’ knowledge of BACS, including vulnerabilities and mitigation practices. Results indicate that the majority of security and facility professionals hold a general awareness of BACS security issues, although they lacked the robust understanding needed to meet necessary protection. For instance, in their understanding, 23 BACS vulnerabilities were found to be equally critical, with limited variance. Mitigation strategies were no better, with respondents indicating poor threat diagnosis. In contrast, cybersecurity and technical security professionals such as integrators or security engineering design professionals displayed a robust understanding of BACS vulnerabilities and resulting mitigation strategies. Findings support the need for greater awareness among both security management and facility professionals of BACS vulnerabilities and mitigation strategies.
References
Assante, M.J., and R.L. Lee. 2015. The industrial control system cyber kill chain. Singapore: SANS Institute. https://www.sans.org/reading-room/whitepapers/ICS/industrial-control-system-cyber-kill-chain-36297.
Brooks, D.J. 2013. Security threats and risks of intelligent building systems: Protecting facilities from current and emerging vulnerabilities. In Securing critical infrastructures and critical control systems: Approaches for threat protection, ed. Christopher Laing, Atta Badii and Paul Vickers (pp. 1–16). IGI Global. ISBN 978-14-66626-59-1.
Brooks, D.J., M. Coole, and P. Haskell-Dowland. 2018a. Intelligent building management systems: Guidance for protecting organizations. Alexandria, VA: ASIS Foundation.
Brooks, D.J., M. Coole, P. Haskell-Dowland, M. Griffith, and N. Lockhart. 2018b. Building automation & control systems: An investigation into vulnerabilities, current practice & security management best practice. Alexandria, VA: ASIS Foundation.
CIBSE. 2000. Building control systems: CIBSE guide H. Oxford: Butterworth-Heinemann.
Frost and Sullivan. 2008. Bright green buildings: Convergence of green and intelligent buildings. https://www.caba.org/CABA/DocumentLibrary/Public/Bright_Green_Buildings.aspx.
Granzer, W., F. Praus, and W. Kastner. 2009. Security in building automation systems. IEEE Transactions on Industrial Electronics 57 (11): 3622–3630.
High Performance HVAC. 2017. Building automation systems. http://highperformancehvac.com/building-automation-systems-hvac-control/.
ISO. 2004. ISO 16484-2 Building automation and control systems (BACS): Part 2 hardware. Geneva: International Organization for Standardization.
ISO. 2007. ISO/IEC 14908-1 Open data communication in building automation, controls and building management—control network protocol: Part 1 protocol stack. Geneva: International Organization for Standardization.
King, R.O.N. 2016. Cyber security for intelligent buildings. Engineering and technology reference, 1–6, ISSN 2056-4007. https://doi.org/10.1049/etr.2015.0115.
Marketsandmarkets. 2017. Building automation system market by communication technology (wired, and wireless), offering (facilities management systems, security & access control systems, and fire protection systems), application, and region—global forecast to 2022 (SE2966). http://www.marketsandmarkets.com/Market-Reports/building-automation-control-systems-market-408.html.
Parasuraman, R., and V. Riley. 1997. Humans and automation: Use, misuse, disuse, abuse. Human Factors: The Journal of the Human Factors and Ergonomics Society 39 (2): 230–253. https://doi.org/10.1518/001872097778543886.
Sall, I. 2017. Does IoT mean the death of the BMS? http://www.facilitiesshow.com/does-iot-signal-death-bms.
Schneider Electric. 2015. Guide to open protocols in building automation. Andover, MA: Schneider Electric. https://blog.schneider-electric.com/wp-content/uploads/2015/11/SE-Protocols-Guide_A4_v21.pdf.
Shang, W., Q. Ding, A. Marianantoni, J. Burke, and L. Zhang. 2014. Securing building management systems using named data networking. IEEE Network 28 (3): 50–56. https://doi.org/10.1109/MNET.2014.6843232.
Sharples, S., V. Callaghan, and G. Clarke. 1999. A multi-agent architecture for intelligent building sensing and control. Sensor Review 19 (2): 135–140. https://doi.org/10.1108/02602289910266278.
Simpson, J.A., and E.S.C. Weiner (eds.). 1989. The Oxford English Dictionary, 2nd ed. Oxford: Oxford University Press.
Sinopoli, J. 2012. Security issues with integrated smart buildings. http://www.automatedbuildings.com/news/dec12/articles/sinopoli/121119103101sinopoli.html.
Technavio. 2016. Global integrated building management systems market 2017-2021. https://www.technavio.com/report/global-automation-global-integrated-building-management-systems-market-2017-2021?.
TMR Analysis. 2017. Commercial building automation market 2016-2024. http://www.transparencymarketresearch.com/commercial-building-automation.html.
Wyman, R. 2017. Consider the consequences: A powerful approach for reducing ICS cyber risk. Cyber Security: A Peer Reviewed Journal 1 (1): 1–17.
Acknowledgements
This article was made possible by research funding and membership participation from the ASIS Foundation, the Security Industry Association (SIA), and the Building Owners and Managers Association (BOMA). The research report: Brooks, D. J., Coole, M., Haskell-Dowland, P., Griffith, M., & Lockhart, N. (2018b). Building automation & control systems: An investigation into vulnerabilities, current practice & security management best practice.
Cite this article
Brooks, D.J., Coole, M. & Haskell-Dowland, P. Intelligent building systems: security and facility professionals’ understanding of system threats, vulnerabilities and mitigation practice. Secur J 33, 244–265 (2020). https://doi.org/10.1057/s41284-019-00183-9