Network Security

A typical WebCTRL system will include multiple networks: a BACnet/IP network running on an Ethernet backbone, a network of BACnet/ARCNET or BACnet MS/TP segments using twisted-pair EIA-485 media to connect controllers throughout a building, and short lengths of Rnet twisted-pair segments which connect sensors to control modules. While it would be possible for an intruder to physically tap into any of these networks, the physical location of the wiring together with building security would make this an unlikely avenue. As will be explained later, access gained through this route would be limited to sending and receiving information from the building automation system (BAS). A tap into one of these networks could not be used to gain access to systems outside the BAS. The more likely avenues for unauthorized access are the ones normally used for authorized communications: the WebCTRL server, dial-up or network communication to a WebCTRL router, and the Rnet maintenance access port.

The most likely avenue for a “hacker” to try to gain unauthorized access would be through the WebCTRL server, using the same port as a normal WebCTRL user. This is more likely if the port is exposed to the Internet. In this case the primary target would be the computer that is running the WebCTRL server application. This is no different from any other website, and the computer should be protected by the same level of firewall or other security provisions as other web servers on the network. The WebCTRL application does not present any additional security risk. In many situations, the specialized nature of the WebCTRL software makes it less vulnerable than other websites. WebCTRL does not use a general-purpose web server like Microsoft IIS, and the more limited WebCTRL engine has been stripped of files and services not needed by WebCTRL. This effectively blocks many intrusion paths, as the resources they rely on simply are not there. The WebCTRL server software is written entirely in Java, which is not subject to the buffer overruns exploited by many Internet worms and viruses.

Access to the actual BAS is protected by a user-controlled login ID and password. Like any password system, the weakest link in the security is the users themselves. Any user who gives their password to others or who uses an easily guessed password weakens security, and the system administrators can create a security breach if they do not deactivate the login account of a discharged employee. An unauthorized person who gained access to the system by using a stolen password could disrupt building HVAC systems and any other building automation that accepts commands from WebCTRL. The disruption would be temporary, however, as normal operation would be restored either by undoing the unauthorized changes or by restoring the complete files from the most recent backup. A WebCTRL audit log tracks all changes made to the system, and this log would provide the information needed to undo the changes. This log also records who made the changes, and the compromised account login could be easily deactivated to prevent a recurrence.
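As an added illustration, not code from this page or from the WebCTRL product, the following Python sketch shows how an administrator could turn audit log entries of this kind into a restore plan after a stolen-password incident. The pipe-delimited log format, user names and point names are constructed assumptions, since the page does not describe the real audit log layout.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log: "timestamp|user|point|old_value|new_value".
# Hypothetical layout; the real WebCTRL audit log format is not given on the page.
SAMPLE_AUDIT_LOG = """\
2024-03-01T08:02:11|jsmith|AHU-1/sat_setpoint|55.0|55.0
2024-03-01T22:14:05|tjones|AHU-1/sat_setpoint|55.0|75.0
2024-03-01T22:15:40|tjones|CHILLER-1/enable|on|off
2024-03-01T22:20:02|tjones|AHU-1/sat_setpoint|75.0|90.0
2024-03-02T07:30:00|jsmith|AHU-2/occ_schedule|weekday|holiday
2024-03-02T07:35:00|jsmith|AHU-1/sat_setpoint|90.0|60.0
"""

@dataclass(frozen=True)
class AuditEntry:
    when: datetime
    user: str
    point: str
    old: str
    new: str

def parse_audit_log(text: str) -> list[AuditEntry]:
    """Parse the constructed pipe-delimited format into AuditEntry records."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, point, old, new = line.split("|")
        entries.append(AuditEntry(datetime.fromisoformat(ts), user, point, old, new))
    return entries

def undo_plan(entries, suspect_user, compromised_since):
    """Return {"restore": {point: pre-incident value}, "review": [points]}.
    Keeping the first old value per point (in time order) yields the value
    before the incident even if the point was changed repeatedly; points a
    different account changed afterwards go to "review", not blind restore."""
    since = datetime.fromisoformat(compromised_since)
    first_change = {}   # point -> (time of first suspect change, value before it)
    for e in sorted(entries, key=lambda e: e.when):
        if e.user == suspect_user and e.when >= since and e.old != e.new:
            first_change.setdefault(e.point, (e.when, e.old))
    review = {e.point for e in entries
              if e.user != suspect_user and e.point in first_change
              and e.when > first_change[e.point][0]}
    restore = {p: old for p, (_, old) in first_change.items() if p not in review}
    return {"restore": restore, "review": sorted(review)}
```

The "review" list matters because an operator may already have corrected a point by hand, as jsmith did with the setpoint in the sample; restoring it blindly would undo that correction.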

As undesirable as this situation would be, it should be noted that the intruder could only access the BAS. They would not be able to gain access to any other files or systems on the network. WebCTRL uses a dedicated server and does not share files or computer hardware with any other system. The WebCTRL server software has been engineered to meet the specific needs of WebCTRL and cannot be used as a general-purpose server or respond to commands other than those in its program code.