Below is the uncorrected machine-read text of this chapter, intended to provide our own search engines and external engines with highly rich, chapter-representative searchable text of each book. Because it is UNCORRECTED material, please consider the following text as a useful but insufficient proxy for the authoritative book pages.
PDUs, main UPSs, air handling systems, and switchgear. Each of these components, if not properly secured, is vulnerable to cyber incidents. These events may be unintentional, such as when an update causing causes a system to become inoperative, or they might be malicious, like when a hacker shuts down a data centerâs cooling systems, destroying a large number of computers (Weiss 2018). Because of the rapid technology growth of IIoT, new sensor devices are regularly introduced, tested, and incorporated into facilities. Evaluating the impact of new sensing technologies, as well as their integration with existing systems, is a significant research task that can provide crucial references and desirable guidelines to the building and HVAC industry (Bae et al. 2021). A sensorâs impact varies significantly depending on the characteristics of the building system (e.g., type, configuration, capacity, efficiency), as well as the control strategies used. Once sensors are deployed within a facility, some sensors may be subject to harsh conditions. Sensor readings may be corrupted as a result, which usually leads to faulty readings. What are the fault characteristics for different sensors? How do sensor faults affect building control performance? How does one distinguish between a sensor fault and a hacked sensor? How can one securely deliver sensor data to control systems? Data delivery for facility controls is a major component of sensor performance. Large commercial buildings might have tens of thousands of sensors, which make data transfer and management critical but challenging. Cyber threats are increasing, and sensor data delivery could be hacked. It is necessary to understand how hacked sensor data might affect building control performance. For instance, sensor data might be hacked, modified, and sent to control loops to create extreme control actions. Unfortunately, many of these challenges remain open questions in literature. Additionally, limited efforts have been made to develop a unified framework for evaluating and verifying sensor impacts through control systems on the building domain. How can such a framework be developed? One document states that, âto the best of the authorsâ knowledge, no such study has examined this challengeâ (Bae et al. 2021). Building control networks include both IT and OT networks. Figure 3 shows an example building control system architecture. The green networks are owned by organizations that manage IP networks. The control systems reside on serial and IP networks with specialized software. Similar to other industries, the facility OT networks are often subnets inside subnets with multiple organizational silos. Facilities can have multiple management platforms that have remote access, which can be a source of cyber vulnerabilities. The cybersecurity of facilities is currently addressed in industry organizations such as BacNet.org, with BACnet Secure (BACnet undated), and ISA111, Unified Automation for Buildings (ISA 2022b). However, these standards do not address the Level 0 and Level 1 devices, so parts of these systems remain vulnerable. FACILITY CONTROL SYSTEM CYBER VULNERABILITIES The number of control system suppliers is limited, and these suppliers serve all industries and organizations and their facilities. Consequently, almost all industries and facilities use similar control system devices with the same cyber vulnerabilities. For instance, some facilities may be using the same programmable logic controllers (PLCs) that were compromised in the Stuxnet attack on the Iranian centrifuge facility. 2 Cyberattacks on building facilities can also impact industrial facilities, as was the 1F case in a malicious Russian cyberattack on the Ukrainian power grid in 2015. Other cyberattacks have targeted the variable frequency drives (VFDs) and water pumps in facilities. This type of equipment is used throughout water and wastewater plants, chemical plants, power plants, refining facilities, manufacturing facilities, and compromising it can alter plant operations. As a result of an unintentional cyber event that resulted from an electrical event compounded by a programming logic error, the Pacific Gas & Electric (PG&E) gas pipeline exploded in 2010. 2 For more information on Stuxnet, see Wolf (2014) and Knapp and Langill (2015). Federal Facilities Council Control System Security White Paper 11
FIGURE 3 Basic building control system architecture. SOURCE: Courtesy of Lyn Gomes, based on and adapted from work by Ron Bernstein, RBCG Consulting. In the case of the 2015 Ukrainian cyberattack, the Russian government hacked the uninterruptible power supply (UPS) system (which is a commonly used building control system) in the communications center (a typical facility) before attacking the grid in order to block communications following the cyberattack. The cyberattack targeted the Simple Network Management Protocol (SNMP), an Internet Standard protocol that was also used in the SolarWinds software. The 2010 PG&E natural gas pipeline rupture in San Bruno, California, illustrated that UPS systems are not just data center vulnerabilities. After PG&E scheduled a SCADA UPS replacement, the UPS replacement led to a SCADA shutdown due to low voltage. As a result, PG&Eâs control system logic opened the control valves which led to over-pressurization and the rupture of a weak pipe, destroying an entire San Bruno neighborhood. The SolarWinds attack was an especially regrettable event, not just because of the extent of the attack, but because this attack bypassed authenticated updates from the manufacturer. 3 Good security 2F practice is to have authenticated firmware updates. As the SolarWinds and Stuxnet hacks demonstrated, good security practice is rendered useless (and can provide a false sense of security) if the update is poisoned even before it is delivered. An attack of this sort could impact almost all building management control systems (Weiss and Hunter 2021). 3 For more information see Oladimeji and Kerner (2022). Federal Facilities Council Control System Security White Paper 12