According to a report by McAfee and the Center for Strategic and International Studies, businesses worldwide lose billions each year to cybercrime. Unlike traditional, stand-alone systems, today’s intelligent building management systems (BMS) connect to the Internet and are networked through open protocols to IT data centers, remote access servers, and utilities. While benefits far outweigh the risks, a BMS can open a company up to greater cybersecurity vulnerabilities.
Cybersecurity “best practices” to mitigate vulnerabilities

Commonsense measures can help to mitigate building management cybersecurity risks and any resulting financial losses. The following best practices can boost system resiliency and make BMS installations less vulnerable to cyberattacks.
Hackers find it simple to intrude upon a building system via devices that retain default credentials (user name and password). After consulting the operator’s manual to determine any device password limitations, users should change default credentials and make passwords more complex. A recommended best practice is to change the credentials when devices are unpacked, before connecting them to the Internet, and avoid connecting a “demo unit” to the Internet while it contains default credentials. For organizations with multiple locations, each site should have unique credentials.
In addition to security devices, it’s essential to safeguard all other points of entry into a system: web interfaces, USB ports, open IP ports, and building automation devices communicating over open protocols. Firewalls can help protect against intrusion for devices with vulnerable web interfaces and any devices with unused open IP ports. The best practice for USB ports is to disable the “AutoRun” feature or, at minimum, limit physical access to the ports. For systems that run on open protocols, a risk assessment can determine any need for added security.
Safeguarding a system from within has become a paramount concern as building systems have evolved into multi-user GUI systems.
One best practice is to grant users only the minimum amount of authority necessary to perform their jobs. Proactive user account management and limits on control access levels are keys to reducing risks, as in the case of a “disgruntled” employee, who could become a major threat to all systems. Other effective elements of user management include setting all accounts to auto-expire; disabling without delay accounts of employees who leave; and changing accounts when employees change roles.
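The three user-management checks above (auto-expiry, prompt disabling of leavers, and role changes) can be run as a periodic audit. The following is an added example, not taken from any BMS vendor; the CSV export format, the HR roster format, and all account names are constructed assumptions.

```python
import csv
import io
from datetime import date

# Constructed sample data: a BMS user export and an HR roster (hypothetical formats).
BMS_ACCOUNTS = """username,role,enabled,expires
jsmith,operator,true,2025-12-31
mlee,admin,true,
tnguyen,operator,true,2025-09-30
rpatel,admin,true,2025-12-31
vendor1,admin,true,2024-01-15
"""

HR_ROSTER = """username,status,job_role
jsmith,active,operator
mlee,active,admin
tnguyen,terminated,operator
rpatel,active,operator
"""

def audit_accounts(accounts_csv, roster_csv, today):
    """Return a sorted list of (username, finding) for enabled BMS accounts."""
    roster = {r["username"]: r for r in csv.DictReader(io.StringIO(roster_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"].lower() != "true":
            continue  # already disabled, nothing to flag
        user = acct["username"]
        # Check 1: every account should carry an expiry date that is still in the future.
        if not acct["expires"]:
            findings.append((user, "no expiry date set"))
        elif date.fromisoformat(acct["expires"]) < today:
            findings.append((user, "expired but still enabled"))
        # Check 2: accounts of departed (or unknown) people should be disabled.
        person = roster.get(user)
        if person is None:
            findings.append((user, "no matching employee record"))
        elif person["status"] != "active":
            findings.append((user, "employee has left; disable account"))
        # Check 3: BMS authority should follow the person's current job role.
        elif person["job_role"] != acct["role"]:
            findings.append((user, f"role mismatch: BMS={acct['role']} HR={person['job_role']}"))
    return sorted(findings)

if __name__ == "__main__":
    for user, finding in audit_accounts(BMS_ACCOUNTS, HR_ROSTER, date(2025, 6, 1)):
        print(f"{user}: {finding}")
```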
Software security patches should be applied as soon as they are available. However, only authorized, trusted users should deploy and install software. Those users should adhere to software authentication processes prior to deployment, and it’s important that they’re familiar with deployment system security features.
Patching vulnerable devices requires planning with consideration of an organization’s policies for performing system updates. Determining any operational impact caused by a temporary service outage is essential. Developing a vulnerability management plan can address these concerns and may include a “severity rating” that sets a timeframe for implementing updates. Establishing a formal vulnerability management document for each installation is a recommended best practice.
Hackers take the path of least resistance

The harder a system is to crack, the better the chances that it will be ignored by a would-be hacker. Following these best practices can make hacking a building system more difficult for cybercriminals.
Bolstering awareness of cybersecurity across an enterprise can also help guard against hackers. Not all employees can be experts in cybersecurity, but effective and regular cybersecurity training makes everyone aware of vulnerabilities and improves the chances of identifying and denying cyberattacks.