Building data – As vulnerable as other data in IT?

“Oh, it’s just building automation data. My IT is secure!” – it still rings in my ears today like it did in 2018. With this sentence, the risk manager of a bank in Frankfurt am Main opened the conversation with me. Today I am very appreciative of this opening. This conversation was one of the triggers for the BAScloud.

But is building automation data mission-critical data? Building automation and building control systems are often neglected, yet strictly separated from office IT and production IT. I would like to explore this question and the possible protection scenarios in the following three articles, in order to give as complete a picture as possible of relevance and criticality.

You will probably guess: no one would take the time to write a three-part series of articles on the same topic if there wasn’t some truth to the need to protect this data. But first things first: feel free to let yourself be convinced if you still doubt this thesis.

Part 1 – Building data – As vulnerable as other data in IT? – “What’s the harm?”
Part 2 – Now what? – How do I protect this data now?
Part 3 – All about the same thing? – Why is rights management useful?

Then let’s dive right in and listen to the little story of a banking risk manager who suddenly turned pretty pale.

Part 1 – “What’s the harm?”

Allow me to begin with a very brief introduction to the world of building automation and its terminology. Measurement and control professionals are welcome to skip ahead to the section “The Risk Manager”.

What is building data?

There are a lot of technologies in modern buildings. Sensors, actuators, measurement and control technology. Automation everywhere. Today’s and, above all, future requirements for the energy balance and climate neutrality of real estate are unreachable without intelligent systems. And the user, especially of larger commercial properties, has an increasing demand for interaction with his rental property.

All these systems and functions generate and require data. Imagine this: You enter a meeting room, darken it with the external blinds, dim the indirect light and switch on the projector. Depending on the equipment, you may have pressed several buttons next to the entry door, used the iPad for multimedia control, or even used your own smartphone with the tenant app. Conventional 1980s switches, toggle switches and key switches are becoming increasingly rare. So you’ve just sent a whole bunch of information in the form of commands, feedback and status information through countless bus systems, controllers and IT systems.

What has actually happened: The push button sensor next to the door has sent a telegram via a bus system, and the controller for the blinds has received that telegram. It states that the blind should be completely lowered and the slats completely closed. The controller “knows” that the blinds are at half height with the slats open. So it in turn sends a telegram via a bus system, and the actuator on the motor of the external blind receives this command. The blind starts moving, and a short time later a sensor at the lower end of the travel path detects that it has arrived at the bottom. The sensor immediately signals this via the bus to the actuator, which stops the motor in the end position. You can easily imagine that there is a lot going on on these data highways.

But this data does not go unnoticed. Controllers on these bus systems listen to all of this information and forward it to a building management system (BMS). Once there, the data can be visualized. So the building’s operations manager 18 floors below will see on his control monitor that the blinds are now down. And he can move them back up with just a click of the mouse if necessary. Meanwhile, the wind sensor on the roof also supplies data, and if it gets too stormy, it sends a telegram via controller and bus systems to the actuator of the blind, which then brings it into a safe position. From then on, you can press the buttons at the door as wildly as you like – your wish will have been overridden by a system with a higher priority.

In building automation, we use the term “data points (DP)” for points that receive information from sensors or deliver information to actuators. Building automation distinguishes three layers:

  • Management layer (building control system / BMS) with visualization and interaction options
  • Automation layer (DDC / controller) interconnected via bus systems or TCP/IP
  • Field layer (sensors and actuators) directly connected to the devices of the DDC

Depending on the size of the building and the level of automation, 50,000 or more data points can easily be reached. Even buildings with more than 100,000 data points are no longer a rare thing today and require a highly structured approach to planning, implementation and maintenance.

The Risk Manager

After this short excursion into the automation of buildings, I will now return to the story of the bank’s risk manager. Our task at that time was to inspect the BMS in use and to document its version and configuration. The walk to the building control system server and the controls was easy to manage, and in the operations room there was an open 19″ rack with just one server, one switch, and countless cables that disappeared into cable racks and walls in all directions. Some routers, LTE modems and DSL equipment were placed on the floor of the rack. An especially messy BMS cabinet? No, unfortunately this is more the rule. The staff member of the current FM operator sitting in the room answered all questions by stating that everything was already like this when he started working here and that he had no idea where all the cables and systems led. It was also unclear whether they were still necessary.

If you are the person responsible for building automation or IT, picture your own BMS cabinet and note with relief that things are even worse elsewhere. But do not relax too soon, because even a seemingly orderly rack with fewer cables harbors plenty of potential problems. Why not check the documentation and the full backup of your BA and BMS systems, and look in the log to see when the last disaster recovery restore was successfully tested (cf. VDI 3814 – Building Automation)?

The scan showed that the Windows server was hopelessly outdated and that standing connections to apparently external remote sites were active. Since no one could say who was responsible for this and who could provide information, we had the bank’s risk manager meet with us. A little later he appeared in the room, which he said he had never entered before, and made the already mentioned statement: “Oh, it’s only building automation data. My IT is secure!” On the contrary, he was downright pissed that we had called him about such an insignificant system that was not part of his IT.
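The check behind this finding, as an added example (not the author's tooling): it reads Windows `netstat -n` style output from a BMS server and lists established TCP connections to peers outside the site, marking those that are missing from the documented remote-maintenance list. The sample output, the internal address ranges and the allowlist are constructed for illustration, and only IPv4 is handled.

```python
import ipaddress
import re

# Networks treated as internal to the site (assumption for this example).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Documented remote-maintenance endpoints (constructed). In practice this list
# comes from the building automation documentation, with an owner per entry.
DOCUMENTED_REMOTES = {"198.51.100.10": "BMS vendor remote maintenance"}

# Constructed sample in the layout of Windows `netstat -n` output.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    10.20.0.5:3389         10.20.0.77:51522       ESTABLISHED
  TCP    10.20.0.5:49712        198.51.100.10:443      ESTABLISHED
  TCP    10.20.0.5:49733        203.0.113.44:5900      ESTABLISHED
  TCP    10.20.0.5:49801        203.0.113.80:443       TIME_WAIT
  TCP    10.20.0.5:502          192.168.8.1:40112      ESTABLISHED
"""

IPV4 = r"(\d+\.\d+\.\d+\.\d+)"
LINE = re.compile(rf"^\s*TCP\s+{IPV4}:(\d+)\s+{IPV4}:(\d+)\s+(\S+)\s*$")

def is_internal(addr):
    """True if addr lies in one of the site's internal networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def audit_connections(netstat_text, documented=DOCUMENTED_REMOTES):
    """Return one finding per established connection to an off-site peer."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE.match(line)
        if not m or m.group(5) != "ESTABLISHED":
            continue  # header lines and connections that are not standing
        local, lport, peer, pport = m.group(1, 2, 3, 4)
        if is_internal(peer):
            continue
        owner = documented.get(peer)
        findings.append({
            "local": f"{local}:{lport}",
            "peer": f"{peer}:{pport}",
            "status": "documented" if owner else "UNDOCUMENTED",
            "owner": owner or "unknown, escalate to the risk owner",
        })
    return findings

if __name__ == "__main__":
    for f in audit_connections(SAMPLE_NETSTAT):
        print(f"{f['status']:<13}{f['local']} -> {f['peer']}  ({f['owner']})")
```

Explicit internal ranges are used instead of `ipaddress`'s `is_private`, because Python also reports the documentation ranges used in the sample as private.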

Bet that …?

There are situations in which an inner voice tells me: “Wait, I’ll show you. I bet you’ll change your mind in a minute.” And I don’t mean that in a bad way at all, but such ignorant attitudes on the part of those in positions of responsibility do not fit the criticality of the issue. I hoped for simple ignorance and not intent on the part of our counterpart. So I asked for another 5 minutes of his valuable time and made a bet with him that in the future he would pay more attention to this room and everything in it. After all, he was the risk manager for a large bank and had a lot of compliance to define and ensure. The bet appealed to him, and we had his attention.

The scenario

“I take on the role of a criminal for the next few minutes.” We were allowed into the building today because we said we had an appointment for building automation maintenance. We were guided to this room and welcomed by the FM service provider’s employee. Access and permission were given without question. To manipulate a system like this, I wouldn’t even need to be in the room, much less know or guess a password; I wouldn’t need to touch a keyboard or have deep hacking expertise. I need a network port of the building automation, and in this room of all places, another small box the size of a conventional lighter with a network connector will definitely not be noticed. And just like that, the LTE modem is installed and active, and I can access the building automation network. Worldwide and completely unnoticed.

The risk manager wanted to know what this had to do with “his IT” and his highly protected bank trading rooms. He is right – at least for the time being.

We both agreed that I could now access the building automation from any location. But then again, what impact would that have on the bank and its operations? After all, the systems are not coupled with each other in any way. I sketched a scenario: “Let’s imagine you receive an email in which an unknown person demands a large amount of money because otherwise he would compromise the building.” “You can’t blackmail us with that,” he laughed. “What do your safety regulations provide for when the lights in the house turn off and the ventilation system floods the rooms at +40 °C?” He would have to have the building evacuated. We soon agreed that this scenario was very realistic and that there was no chance of locating the cause in the short time available. “What happens if your server rooms, which are highly protected at the IT level, no longer have any cooling?” – “You can’t do that, then the trading IT at that critical location goes down and that impacts other locations! We can’t keep that up for long.”


Without going into too much detail here, let alone providing a blueprint for a concrete blackmail attempt, hopefully one thing has come into focus: building automation and control systems need to be given a priority comparable to that of office and production IT when it comes to security, operation, documentation and risk scenarios. Because this is highly sensitive data.

If you consider all this in the context of today’s and future requirements for buildings in the fields of automation, interactivity and optimization, and the large complex of topics around climate, ESG and the EU taxonomy, then one thing is certain: building data is of great importance and provides the basis for many of the activities mentioned above. Managing this sophisticated and complex topic requires appropriate tools. Isolation from outside access is not an option; it runs contrary to the processes currently in place for construction and maintenance, as well as to the upcoming trends and requirements for such systems.

In my next blog posts I will discuss this in more detail and provide solutions:

Part 2 – What next? – How do I protect this data now?
Part 3 – All about the same thing? – Why is rights management useful?