Introduction to Building Management Systems (BMS)/ Building Automation and Control System (BACS) Security

bms Mar 13, 2020

I had a discussion with my colleague on Building Management System (BMS)/ Building Automation and Control System (BACS) capabilities and how to assess them from cyber sec view point on Whatsapp. We thought to create a short crash course to BMS so that everyone can benefit from it.

HVAC Ventilation Exhaust. CC licensed image.


A simple BMS control system consists of three component functions and associated parts: a sensor providing input function, a controller providing decision functions and a controlled device providing a defined system output function. Typically BMS has a 3 tier architecture -

  1. Management
  2. Automation
  3. Field

Optional is Service tier, which is how these are leveraged for extended service.

Management tier comprises of operator stations, monitoring and operator units, programming units and other peripheral computer devices connected to a data processing device to support the information exchange monitoring and management of the automation system.

Automation tier is generally a dedicated communications network for the sole purpose of building device connectivity, communication and control

Field tier comprises of devices that are generally self-contained physical units or sensors. Field level devices are connected to automation level controllers, either application specific or generic controllers.
There are tons of standards and protocols for this - BACnet, KNX, C-BUS, DALI, Dynet, X10, OpenTherm, OPC et al.

BMS/ BACS Security

Typically, security assessment/ vulnerabilities are identified at 3 levels -

  1. Physical - Device and network access
  2. Logical - Device access/ Network Access
  3. Side Channel

Physical Vulnerabilities
Physical access to devices results in various full spectrm vulnerabilities being open to exploitation owing to poor sanity controls. These attacks may range from physical access attacks that bypass on premise physical controls of devices to facilitate auxillary cyber attacks which may compromise the confidentiality, integrity and availability of the BACS software and data, facilitating unauthorized access through back-door, password cracks, brute force attacks, dictionary attacks, denial of service attacks, spoofing, man in the middle attacks, sniffers, key loggers, et al.

Network Access via physical means (tapping ICT network - wire/ radio) to the BMS network may allow access to the wider facility network and to the corporate network. This can be achieved by manipulating physical connectors (RJ45/ RJ11 or similar) to conduct traffic monitoring (active/ passive) and analysis. Additionally, wiretapping may be done to conduct analysis of protocols. Listening devices or software can be installed on the Management level medium or its connected devices, such as routers, etc., to enable nefarious monitoring and control. Taps can be installed just before the transceiver or directly on the network cable.

Logical Attacks
logical access attacks (device/ network)  - Reach out to your local pentesters for this. There are tons of tutorials on exploiting application and network stacks.

Side Channel Attacks
Side channel attacks - this is where things get very interesting as as copper cables leak power (read electromagnetic signals). This may be used to identify keystrokes however, these attacks are hard to perform.

Now, having said that, BMS is very, very complex : it depends on the type of installation we are dealing with. There are electrical requirements, software requirements, premise requirements (the list goes on). In some cases, we have pneumatic control requirements not to mention trainings, documentation, commissioning and testing requirements. Major vendor interfaces are apogee, metasys, entelliweb et al which are interoperable through protocols.

Typical Management tier Requirements

  1. Ethernet TCP/IP network (100 Mbps - 1 Gbps) to facilitate BACnet/IP comms
  2. BACnet discovery support
  3. BACnet Historical Data Archival System support
  4. BACnet Operator Display

Typical Automation tier Requirements

  1. BACnet IP and/or BACnet MS/TP protocol implemented via EIA-485.
  2. BACnet IP protocol implemented via Ethernet.

Then we have a lot of different requirements on communication controls, distributed controls, valves actuators et al

We have Field tier requirements which deals with sensors of bazillion different types customized as per requirements (water/ temp/ as/ air/ hvac/ pressure/ filter -- again, you name it, they have it kind of thing).

A good starting place when we are planning our cyber security exercise would be structure our plans/ IDRs on the three layers. This gives us a good starting point on what to expect from client's BMS/ BACS implementation and how to improve it.

Rishabh Dangwal

Managing resident infosec paranoids at KPMG Cyber Security. Retrogamer, tinkerer and trivia geek. Cogito, ergo sum.