Cyber Protection for Building Automation and Energy Management Systems

Author: Marjorie Conley

PROTECT YOUR INVESTMENT

Gone are the Days of “Security through Obscurity”

Cyber threats and security compromises directed at building and facility control operations are swiftly becoming a monumental issue in the buildings industry. While cyber security has always been a concern when it comes to protecting traditional devices such as computers, routers and servers, innocuous devices such as thermostats, HVAC equipment, access control and lighting controls seemed to escape the attention of hackers. But a look at today’s headlines informs us that building automation systems (BAS) are leading targets for compromise, with a 42% increase in the number of cyber-attacks from 2011 to 2012.

Attacks are from Outside and Inside Your Network

Cyber security is a complex issue that has progressed alongside the BAS industry’s mission for connectivity, interoperability and openness, attributes achieved by integrating disparate control systems with the IT network. This level of connectivity and integration has enabled building owners to achieve precise control over some of the largest expenses for any organization, such as building operations, energy management and efficiencies, but it is these same attributes that now make these systems exponentially vulnerable to viruses, security breaches and attacks.

Hacking, breaches and unauthorized access into facility automation systems are not just about turning lights on and off or raising the temperature a few degrees. Characterizing such possible disruptions as harmless mischief dramatically underestimates the value of these systems to the productivity, safety and overall bottom line of a business. If someone hacks the building automation system or energy management system, they now have an attack vector into the company network, and a hacked device can become a pivot point that can bypass existing network defenses.

Attacks that originate in these systems are perceived as coming from within the secure and trusted IT infrastructure, which explains why, on average, it takes a company 243 days to discover that a cyber-attack has occurred.

Statistics are Showing Cyber Security is a Mounting Issue

• Average number of attacks per week increased to 102 (2012) vs. 72 (2011)
• 66% of organizations learn about a breach after hearing about it from an external source
• 35% of industrial control system security incidents were initiated through remote access
• 51% of companies struggle to prevent cyber attacks
• 49% of companies are poorly positioned to quickly detect attacks
• 34% of companies had more than one security breach in the past year that they were aware of

* Contact Lynxspring for source list

Potential Consequences of a BAS Cyber Attack

The Moment a Malicious Hacker Exploits a BAS/EMS, the Countdown to Chaos Begins

The negative consequences that BAS/EMS-initiated cyber incidents can cause are disruptive and potentially catastrophic. Such events may impact occupant productivity and personal safety, disrupt critical processes, and shut down business operations entirely. The social implications can be equally devastating, with negative publicity and loss of customer confidence, while the financial ramifications may be compounded with lawsuits and equipment replacement and repair. It is estimated that the average annualized cost of a cyber-breach for a company is $8.9 million³.

Physical
• Uninhabitable facilities
• Uncontrollable and locked out systems
• Equipment damage and replacement
• Inefficient systems
• Sprinkler and smoke alarm failure
• Disabled elevator control systems
• Unauthorized penetration of access control systems
• Lighting failure
• Interruption of business and operations

Business
• Introduction of malicious files and viruses into the corporate IT network
• Exposure and compromise of sensitive information
• Company reputation
• Litigation
• Attack vector into corporate network
• Occupant harm; loss of life
• Financial loss

Building Automation Networks and IT Networks Should NOT be Treated Differently

Building automation networks and IT networks should NOT be treated differently when it comes to cyber security and threat protection. Just like an IT network, building automation networks should have policies and procedures that must be continuously addressed throughout the whole system lifecycle using multiple layers of defense and protection.

A comprehensive cyber security program leverages industry standards and best practices to protect systems and detect potential problems, along with processes to understand current threats and enable timely response and recovery. Cyber security should be an integral part of the design of the automation system, not an afterthought or addendum.

LYNX CyberPRO – Real time, Continuous Cyber Protection for Building Automation and Energy Management Systems

Lynxspring’s LYNX CyberPRO, a cyber-threat protection solution, is designed specifically for building automation and energy management networks. Lynxspring has partnered with Netop, the premier developer of secure remote access solutions for complex global IT environments, to create a simple, cost-effective additional layer of security for the mechanical and electrical devices and systems that reside on the enterprise network, including HVAC, lighting and utility measuring systems.

LYNX CyberPRO creates “shields of security” and layers of cyber security protection that reinforce the integrity of the corporate firewall by eliminating attack surfaces created by exposed devices on the Internet and within the network. Designed with building operations in mind, LYNX CyberPRO creates pre-emptive threat protection for the devices and systems across a building network by securing, managing, controlling, tracking and monitoring all account access and activities. The solution supports leading building automation protocols with TCP/IP networks, open and legacy systems, and can be accessed from anywhere without exposing building system devices to the public internet.

“Cyber-threats remain one of the most insidious issues within the building automation industry today; threats are becoming more frequent, becoming increasingly sophisticated and are now at a point where we have legitimate and reasonable concern”
Terry Swope, President, CEO of Lynxspring

Lynx CyberPRO consists of a CyberPRO Key and an encrypted LYNX CyberPRO Secure Connect Cloud connection. It is simple to install, configure and operate and does not require any changes to a device’s existing network settings. Setting up a Key takes three simple steps:

1. The Key is plugged into the corporate network.
2. Devices needing secure remote access are added to the Key.
3. Users are added to the Key.

How it Works

Lynx CyberPRO reduces the security risk by removing all devices from the public Internet, closing all the ports on the corporate firewall and eliminating the need to add and manage authorized users and third-party vendors in the corporate Active Directory to allow VPN access into the corporate network. This hardens and re-establishes the integrity of the corporate firewall and still allows authorized users, including third-party contractors, secure remote access to the systems they were contracted to maintain.

To gain secure remote access to these systems, the user logs into the encrypted Lynx CyberPRO Cloud. The user is authenticated via distinct checkpoints and presented with a list of Keys they have access to. The user then logs into the selected Key, and once they are authenticated by that Key, the Key presents the user with a list of devices and randomly generated ports the user will use during the session. At no time does the user use IP addresses for the devices; they only use the randomly generated ports the Key provides. During this session, an audit log is created by the Key, recording everything the user is accessing. When the session is over, the Key closes all of the ports.

[Figure: LYNX CyberPRO Ladder Diagram. Labels: Internet; Firewall; AX Supervisor; CyberPro Key; Remote WorkPlaceAX or Browser; Remote Applications; LAN/WAN; Building Automation; Energy Management; Building Security; DVR; Plant Control; HVAC; Open ADR & Generation; Lighting; Asset Monitoring; Utility Metering; Card Access & Intrusion; CCTV]

Establishing an Auditable Access Trail

Installation of LYNX CyberPRO Key and LYNX CyberPRO Connect software is simple and designed to be deployed on live networks. A LYNX CyberPRO Key is installed on the network behind the firewall and configured to the LYNX CyberPRO Cloud. This is the single access point into the network and becomes a forensic tool for the entire building control network with an auditable access trail. Once a connection is approved by the LYNX CyberPRO Cloud, the LYNX CyberPRO Key creates a secure tunnel between the two devices by generating a list of devices and required ports for connection.

A separate list of randomly generated ports for the listed devices is generated by the LYNX CyberPRO Connect software and is mapped to the list provided by the CyberPRO Key. With the ports mapped and forwarded appropriately, clients may use their standard BAS user interface or an Internet browser to connect and control the nodes connected to the LYNX CyberPRO Key.

LYNX CyberPRO is scalable and can be deployed on existing buildings or new construction for single or multi-facility environments. It is a non-disruptive installation easily integrated on existing or new networks with no physical changes to the BAS network. LYNX CyberPRO maintains the integrity of a company’s building automation systems, equipment and applications as well as the critical data (employee records, customer data and intellectual property) with a preventative threat protection layer that monitors all access points and activities.

[Figure: LYNX CyberPRO™ Protects & Connects. Labels: LYNXCyberPro™ Cloud (Router); LYNXCyberPro Connect (Remote Client); Encrypted Tunnel; LYNXCyberPro Key (Network Client)]

LYNX CyberPRO powered by Netop is…

• Customizable. Specify which devices are allowed remote access through single entry point
• Auditable. Forensic reports detail network traffic to device in and out of firewall
• Simple to use. Easily managed and implemented using a single-user interface
• Protocol-agnostic. Supports leading building automation protocols utilizing TCP/IP networks as well as open and legacy systems
• Scalable. Ideal for existing buildings and new construction; single facility or multi-facility environments
• Non-Disruptive. May be installed on new or existing networks with no physical changes to the existing BAS network
• Firewall Integrity. Devices are not exposed to the Public Internet and ports remain closed
• Isolated. Vendors are isolated and removed from the Corporate Active Directory
• Compliance. Adheres to multiple compliance regulations

“In combining efforts with Lynxspring on LYNX CyberPRO, we have created a single, secure, monitored and audited access point to building control systems. This will give authorized personnel timely and secure access to building data while reducing external threats to building automation systems”
Kurt Bager, CEO, Netop

About Lynxspring

Lynxspring is changing the way devices and systems communicate and collaborate across enterprises. Our technologies enable users to manage and operate their facilities and equipment smarter, safer, more efficiently and at peak performance levels within a secure IT environment. Embracing open framework platforms, Lynxspring designs, manufactures and distributes JENEsys® brand Internet-based automation infrastructure technology and device-to-enterprise integration solutions for Building Automation, Energy Management, Cyber Security, Equipment Control and other Specialty applications. www.lynxspring.com

About Netop

Netop develops and sells market leading software solutions that enable swift, secure and seamless transfer of video, screens, sounds and data between two or more computers. Used by half of the Fortune 100, Netop’s solutions help businesses provide better customer service, reduce support costs and meet security and compliance standards. Headquartered in Denmark, Netop has offices in the United States, China, Romania and Switzerland. The company sells its solutions to public and private clients in more than 80 countries. Netop Solutions A/S shares are listed on the Copenhagen Stock Exchange. www.netop.com

Lynxspring – GO FURTHER. For more information on Lynxspring’s National Account Services, please contact us at 816-347-3500 or at www.lynxspring.com. LYNXCyberPRO is a trademark of Lynxspring
