Updated: Jun 29
Building Automation Systems (BAS) and management networks are both essential for efficient building operations. BAS networks are responsible for controlling keycard and HVAC systems, while management networks handle back-end administration logins, console access, and more. While these networks serve distinct purposes, they often coexist on the same physical infrastructure. This can be problematic since lateral attacks can compromise one network and spread to the other.
What is a lateral attack? In a lateral attack, an attacker who has gained access to one part of a network moves laterally through it to reach sensitive data or systems. In a building, this could happen if an attacker removes the faceplate from an RJ45 wall jack and plugs into the cabling behind it, gaining access to both the management and BAS networks because they run over the same wiring.
To mitigate this risk, it's essential to separate your management and BAS networks. By separating the networks, even if an attacker gains access to one network, they won't automatically have access to the other. Additionally, by isolating the BAS network, you can prevent the spread of malware or other attacks.
One way to separate the networks is to use VLANs (Virtual Local Area Networks). VLANs let you segment your network so that traffic from one VLAN cannot reach another unless a router or firewall between them is explicitly configured to allow it. Configured this way, the management and BAS networks stay separate and cannot communicate with each other, even though they share the same switches.
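VLAN separation only holds if no reachable port carries both VLANs, so it is worth auditing the switch configuration for exactly the wall-jack case described above. The following script is an added example, not code from the original post; it assumes Cisco IOS-style syntax, a constructed sample config, and hypothetical VLAN ids 10 (BAS) and 20 (management).

```python
# Added example, not from the post: audit an IOS-style switch config for edge
# ports that carry both the BAS and management VLANs (the wall-jack case above).
import re
BAS_VLAN, MGMT_VLAN = 10, 20  # hypothetical VLAN ids for the two networks
SAMPLE_CONFIG = """\
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
interface GigabitEthernet1/0/2
 switchport mode trunk
interface GigabitEthernet1/0/3
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 shutdown
interface GigabitEthernet1/0/24
 switchport mode trunk
 switchport trunk allowed vlan 10,20
"""  # constructed sample; Gi1/0/24 is the switch's known uplink
def parse_interfaces(config):
    """Map interface name -> {vlans, trunk, shutdown} (comma lists only, no ranges)."""
    ifaces, cur = {}, None
    for raw in config.splitlines():
        m = re.match(r"interface (\S+)", raw)
        if m:
            cur = ifaces[m.group(1)] = {"vlans": set(), "trunk": False, "shutdown": False}
            continue
        s = raw.strip()
        if cur is None:
            continue
        if s == "switchport mode trunk":
            cur["trunk"] = True
        elif s.startswith("switchport access vlan "):
            cur["vlans"].add(int(s.split()[-1]))
        elif s.startswith("switchport trunk allowed vlan "):
            cur["vlans"].update(int(v) for v in s.split()[-1].split(","))
        elif s == "shutdown":
            cur["shutdown"] = True
    return ifaces
def find_exposed_ports(config, known_uplinks=()):
    """Up, non-uplink ports carrying both VLANs; a trunk with no allowed-vlan
    line carries every VLAN (IOS default), so it is flagged as well."""
    exposed = []
    for name, i in parse_interfaces(config).items():
        if i["shutdown"] or name in known_uplinks:
            continue
        if (i["trunk"] and not i["vlans"]) or {BAS_VLAN, MGMT_VLAN} <= i["vlans"]:
            exposed.append(name)
    return sorted(exposed)
```

Running `find_exposed_ports(SAMPLE_CONFIG, known_uplinks={"GigabitEthernet1/0/24"})` reports only `GigabitEthernet1/0/2`, the bare trunk that would hand a wall jack both networks; the shut-down port and the declared uplink are ignored.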
Another way to separate the networks is physical separation: dedicated switches, routers, and cabling for each network, with nothing shared between them. This approach is more expensive, but it provides a higher level of security.
In conclusion, separating your management and BAS networks is crucial for building security. By preventing lateral attacks, you can ensure that your building is protected from cyber threats. Whether you use VLANs or physical separation, it's essential to take action to secure your networks.