Cybersecurity for Building Automation Systems (BAS)

Senior Engineer Questline, Inc.

Mike Carter is a Sr. Engineer for Tech Resource's Questline service. Mike has a BS Engineering and MBA degree from The Ohio State University. He has worked with various EPRI centers supporting...

  • Nov 9, 2021

Cyber attacks on the confidentiality, integrity and availability of business data and systems are on the rise. Consider some of the more well-known recent incidents:

  • Colonial Pipeline – $4.4 million ransom plus lost revenues
  • JBS – this meat packer paid an $11 million ransom
  • T-Mobile – 100 million customer records stolen
  • Maine small public wastewater plants – ransomware request (thwarted)
  • Target Stores – 40 million credit card records stolen via HVAC vendor hack

With their large databases of customer information and critical infrastructure, energy utilities themselves may be prime targets of such attacks. Nonetheless, utilities should inform customers of their need for cybersecurity, the common business vulnerabilities to cyber attacks, how to mitigate threats and how to recover after being hacked. Since smart technology and connected energy systems leave businesses vulnerable, customers would trust their utility's advice.

Need for Cybersecurity

So, who cares if someone hacks your customer’s building automation system (BAS) and learns their setpoints (temperature, airflow, pump speeds)? Realistically, there is little to lose if that normally confidential information gets out. But what if they are a hospital, data center, hotel, or even an office and setpoints are changed (integrity) or their HVAC is shut down (availability)? The consequences of those last two cybersecurity threat vectors can be very costly.

Some threats are unintentional, caused by a company's own employees: accidentally turning off the BAS server, for instance. But what are the typical intentional information technology (IT) threats? Here are just a few major ones:

  • Ransomware – from scam emails, server vulnerabilities, infected websites, online ads
  • Malicious code – in viruses, worms, trojan horses, data files
  • Distributed denial-of-service – floods a business network making it unable to access information systems, devices, or other network resources
  • Phishing – solicits personal information by posing as a trustworthy organization

A company’s cybersecurity need can be estimated by multiplying the likelihood of occurrence (risk) by the cost. There are tangible costs like data loss, idle employees, and lost revenues. There are also intangible costs such as lost opportunities and damage to your brand.

Need = Risk x Cost

Company Vulnerabilities

Where are the vulnerabilities found in most businesses? The biggest vulnerabilities are internal. Lack of data and password management, for instance. According to a Google survey of 3,000 adults in the US, at least 50% of people reuse passwords across multiple sites regularly. Not surprisingly, according to Verizon, over 60% of breaches are attributed to weak, default or stolen passwords.

External vulnerabilities include networks, applications and people. Publicly exposed network IP addresses allow someone to see and manipulate the BAS or eavesdrop on it (a man-in-the-middle attack). Not implementing upgrades to applications or not using public key infrastructure (PKI) certificates exposes hardware applications.

Threat Mitigation

What can you do to mitigate the threat of cyber attacks? In 2014, NIST introduced the Cybersecurity Framework (CSF), a reference tool that helps an organization assess and manage cybersecurity risk across five functions:

  1. Identify – what you have and its mission; risk profile (likelihood of attack)
  2. Protect – access to assets and information; regular backups; employee training
  3. Detect – unauthorized entities and actions; know your data flow levels
  4. Respond – make sure each person knows their responsibilities in executing the mitigation plan
  5. Recover – develop a disaster recovery plan; manage public relations and company reputation

There are several other tools your customers can use for threat mitigation. The Microsoft Threat Modeling Tool creates and analyzes threat models, analyzes security designs for potential security issues, and suggests and manages mitigations for those issues. The Forum of Incident Response and Security Teams (FIRST) has developed the Common Vulnerability Scoring System (CVSS). It provides a way to capture the principal characteristics of a software vulnerability and produces a numerical score reflecting its severity.

Third-party certification for cybersecurity of connected energy-using devices is also critical. Several compliance standards are available for help in procurement:

  • National Institute of Standards and Technology (NIST) SP 800-82 Rev 2: Guide to Industrial Control Systems Security
  • Underwriters Laboratories' (UL) Cybersecurity Assurance Program
  • American National Standards Institute (ANSI)/UL 2900 Standard for Software Cybersecurity
  • International Society of Automation (ISA) ANSI/ISA 62443 Security for Industrial Automation and Control Systems
  • Common Criteria for Information Technology Security Evaluation ISO/IEC 15408-1:2019

There are numerous additional cybersecurity resources available to utility customers including the NIST Small Business Cybersecurity Center and Homeland Security’s Cybersecurity Resources Roadmap.


When you are hacked (not if), how should you recover? The Secretary of Defense Cyber Command has excellent tactics, techniques and procedures to follow.

  1. Turn to previously developed mitigation procedures
  2. Compare with normative operational conditions of network entry points
  3. Preserve evidence of a cyber attack for forensic analysis



Building operations are a target-rich environment, so anything your customers can do to take them further off a hacker's radar is usually worthwhile. Cybersecurity is another area where energy utilities can be the “go-to” resource to protect their customers' investment in Building Automation Systems. Don’t stand back. Attack the hack!

Julian Jackson on Nov 18, 2021

Thanks for this Mike. I hadn't thought about attacks on BAS before. However, putting my Black Hat on :-) I have to disagree with that "So, who cares if someone hacks your customer’s building automation system (BAS)..." I see that you are making a point, but for example, what if a hacker shuts down the refrigeration in a food processing plant and holds it to ransom. In a few hours the food will spoil, so could be a huge loss to a company. Or turning off the heating in winter or AC in summer might breach regulations or make the workers walk out.

In addition, if the IoT becomes the norm, we really need to up our security as that will make systems that used to be separate from the internet more vulnerable? A whole new area for malicious actors...even a prankster affecting building controls could cause havoc, even if they were not criminally intentioned.

Mike Carter on Nov 22, 2021

Julian, The BAS threat is frightening indeed. My point was that there are three threat vectors: confidentiality, integrity and availability. For BAS, confidentiality does not pose much of a threat. Who cares if someone knows your thermostat is set to 65F overnight? But threats to a BAS integrity (changing those setpoints as you point out) or availability (shutting down your HVAC) are true threats. Could not agree more.

Paul Korzeniowski on Dec 13, 2021

Good points. The emerging Internet of Things technology pushes intelligence down into new devices, which offers utilities a number of potential benefits. As you noted, the downside is these advances become a potential entryway for bad guys to enter computer systems. Consequently, energy companies need to ensure that they safeguard against such possible attacks.
