Best practices keep BMS safe from cyber attacks
“Cyber crime is a $400 billion criminal enterprise worldwide — making it bigger than global drug trafficking.”
The last two decades have seen tremendous growth in the integration of building management systems. With networked information systems becoming more commonplace, facilities managers of buildings that often include access points to corporate or organisational networks must be vigilant of the risk of cyber attacks on their Building Management Systems (BMS). BMS that were once proprietary and stand-alone now are integrated with other systems. Today’s intelligent building management systems (iBMS) are networked with IT data centres, remote access servers, and utilities through open protocols. While these iBMS provide significant benefits, they also open companies up to greater cybersecurity vulnerabilities.
Avoid becoming a victim of cyber criminals by employing five best practices to improve cybersecurity in BMS. One international law enforcement agency estimates that victims lose about $400 billion each year worldwide, making cyber crime a bigger criminal enterprise than the global trade in cannabis, cocaine and heroin combined. Another report puts the global cost of malicious cyber activity at between $300 billion and $1 trillion. The financial impact on companies varies from country to country; in Australia, the average cost of cyber crime to a company is $3.67 million.
The financial consequences of a cybersecurity attack include direct costs — forensic investigation into the breach, technical support, lost revenue, upgrading cybersecurity technologies and activities — and indirect costs such as loss of productivity, regulatory noncompliance, loss of intellectual property, service or product quality degradations, and, harder to quantify but perhaps most costly of all, the damage to the company’s reputation and/or customer desertion.
The white paper ‘Five Best Practices to Improve Building Management Systems (BMS) Cybersecurity’ discusses in depth the practices and procedures that lead to a more secure iBMS in the field. Areas covered include:
While it is a given that changing default passwords on devices is mandatory, there are many out there who overlook this vulnerability. Properly managing users and passwords is critical to securing any BMS. Most attacks on BMS devices are successful because a password has been compromised. There are many password-related subjects that could be covered. This paper addresses the two most important: changing default passwords, and ensuring password complexity.
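The two password practices named above (no default credentials, enforced complexity) can be checked mechanically at handover. The following is an added example, not code from the white paper or from Schneider Electric: it audits an exported list of device accounts against a list of vendor defaults and a complexity rule. The default-credential list, the rule thresholds and the sample export are all constructed for illustration; a real list would come from the manuals of the devices actually installed.

```python
"""Password hygiene audit for a BMS account export (added example)."""
import re

# Constructed list of vendor defaults to reject. Assumption: the real list is
# built from the installed devices' documentation.
KNOWN_DEFAULTS = {
    ("admin", "admin"),
    ("admin", "password"),
    ("admin", "1234"),
    ("root", "root"),
    ("user", "user"),
}

MIN_LENGTH = 12  # constructed policy value


def complexity_failures(password):
    """Return the list of complexity rules a password breaks (empty = passes)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"[a-z]", password):
        failures.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        failures.append("no uppercase letter")
    if not re.search(r"[0-9]", password):
        failures.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        failures.append("no symbol")
    if re.search(r"(.)\1\1", password):
        failures.append("three identical characters in a row")
    return failures


def audit_passwords(accounts):
    """Audit (device, username, password) tuples.

    Returns a dict mapping device name -> list of finding strings. Devices
    with no findings are omitted, so an empty dict means the export passes.
    """
    findings = {}
    for device, username, password in accounts:
        issues = []
        if (username, password) in KNOWN_DEFAULTS:
            issues.append("default credential %s/%s still in use" % (username, password))
        if password.lower() == username.lower():
            issues.append("password equals username")
        issues.extend(complexity_failures(password))
        if issues:
            findings.setdefault(device, []).extend(
                "%s: %s" % (username, issue) for issue in issues)
    return findings


# Constructed sample export: three controllers as they might look right after
# commissioning, before the handover checklist has been run.
SAMPLE_EXPORT = [
    ("ahu-1-controller", "admin", "admin"),
    ("chiller-plant-gw", "operator", "Summer2019"),
    ("lobby-bacnet-router", "admin", "Lv3-Plant!Router#88"),
]

if __name__ == "__main__":
    for device, issues in sorted(audit_passwords(SAMPLE_EXPORT).items()):
        print(device)
        for issue in issues:
            print("  -", issue)
```

Run against the sample export, the first controller is flagged for the untouched default and for every complexity rule, the gateway only for length and a missing symbol, and the router passes. The check is deliberately run on an export rather than by logging in to each device, so it can be repeated on every change without touching the live plant.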
Once all devices have adequately secure credentials, the next step is to safeguard other places and ways a hacker could get into the system. Such other points of entry include the Web interface, USB ports, open IP ports, and building automation devices communicating over open protocols.
Once the BMS has been secured against external threats, the next issue to address is safeguarding the system from within. Over the past several years, BMS have evolved from “single user – command line” systems to full-blown, multi-user GUI systems, and with this expansion in functionality has come a significant increase in the types of operations a user can perform. Securing systems from within takes several steps, starting with limited privileges: give each user only the access rights needed to do their job. User accounts must also be managed; for devices without services to automate this process, several practices need to be carried out by hand, such as auto-expiring all accounts, disabling accounts immediately when employees leave, and changing accounts when employees switch roles.
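The account-management practices listed above (least privilege, expiring accounts, disabling leavers, re-issuing accounts on role change) reduce to a comparison between what the BMS thinks and what HR knows. The following is an added example, not part of the white paper: it takes the user list exported from a BMS and the current HR roster and produces the list of actions an administrator should carry out. The role-to-job mapping, the dates and the sample records are constructed for illustration.

```python
"""Account lifecycle audit for BMS user accounts (added example)."""
from datetime import date

# Constructed privilege ladder and the BMS role each job function needs.
# Anything above the required role is more privilege than the job requires.
ROLE_RANK = {"viewer": 0, "operator": 1, "engineer": 2, "administrator": 3}
REQUIRED_ROLE = {
    "security-guard": "viewer",
    "hvac-technician": "operator",
    "controls-engineer": "engineer",
    "contractor": "operator",
}


def audit_account_lifecycle(bms_accounts, hr_roster, today):
    """Return a list of (username, action, reason) tuples.

    bms_accounts: list of dicts with keys username, role, expires (date or None)
    hr_roster:    dict username -> job function, listing only current staff
    today:        the date the audit is run (passed in so results are reproducible)
    """
    actions = []
    for acct in bms_accounts:
        user = acct["username"]
        job = hr_roster.get(user)
        if job is None:
            # Leaver, or an account nobody can vouch for: disable it now.
            actions.append((user, "disable", "not on current HR roster"))
            continue
        if acct["expires"] is None:
            actions.append((user, "set-expiry", "account never expires"))
        elif acct["expires"] < today:
            actions.append((user, "disable",
                            "expired on %s" % acct["expires"].isoformat()))
        needed = REQUIRED_ROLE.get(job)
        if needed is None:
            actions.append((user, "review", "no BMS role defined for job %s" % job))
        elif ROLE_RANK[acct["role"]] > ROLE_RANK[needed]:
            # Typical after a role change: the old, higher role was never removed.
            actions.append((user, "reduce-role",
                            "holds %s but %s needs only %s" % (acct["role"], job, needed)))
    return actions


# Constructed sample data.
TODAY = date(2019, 9, 1)
SAMPLE_BMS_ACCOUNTS = [
    {"username": "jsmith", "role": "administrator", "expires": date(2020, 1, 1)},
    {"username": "ngarcia", "role": "operator", "expires": None},
    {"username": "tlee", "role": "operator", "expires": date(2019, 12, 31)},
    {"username": "acme-ctr", "role": "engineer", "expires": date(2019, 12, 31)},
    {"username": "rpatel", "role": "viewer", "expires": date(2019, 6, 30)},
]
SAMPLE_HR_ROSTER = {
    "jsmith": "hvac-technician",   # moved from controls-engineer; role never reduced
    "ngarcia": "controls-engineer",
    "acme-ctr": "contractor",
    "rpatel": "security-guard",
    # tlee left the company and is no longer on the roster
}

if __name__ == "__main__":
    for user, action, reason in audit_account_lifecycle(
            SAMPLE_BMS_ACCOUNTS, SAMPLE_HR_ROSTER, TODAY):
        print("%-10s %-12s %s" % (user, action, reason))
```

The audit is intentionally read-only: it produces a worklist rather than changing the BMS itself, which keeps the account changes under the same change control as any other modification to the plant.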
While it is common sense to ensure systems are up to date with the latest security updates, this is an area that is sometimes overlooked. Hackers, when attacking a device, first determine whether all security patches have been installed. When patches are not up to date, there are usually weaknesses that can be exploited to compromise vulnerable devices. Another good practice is to ensure that only authorised users deploy software. This means that only highly trusted users will be able to install software, thus reducing the risk of attacks.
Patching devices with vulnerabilities requires planning. Different companies have different policies for performing BMS updates. It is important to understand these requirements as well as to determine any operational impact caused by the temporary service outage needed to complete the update process. A Vulnerability Management Plan takes into consideration all aspects of the vulnerability update.
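The patching practice and the Vulnerability Management Plan described in the two passages above come down to three questions per device: is it affected, how urgent is the fix, and when may it be taken offline. The following is an added example, not part of the white paper: it compares a device inventory against a register of vendor advisories and produces a prioritised update schedule keyed to each zone's maintenance window. The inventory, the advisory identifiers (placeholders, not real advisories), the severities and the window rules are all constructed for illustration.

```python
"""Patch-status review for a BMS device inventory (added example)."""


def parse_version(text):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically.

    Comparing the strings directly would say '2.9.0' is newer than '2.10.0',
    which is exactly the kind of mistake that leaves a device unpatched.
    """
    return tuple(int(part) for part in text.split("."))


def is_vulnerable(installed, fixed_in):
    """True when the installed firmware is older than the first fixed version."""
    return parse_version(installed) < parse_version(fixed_in)


def plan_updates(inventory, advisories, windows):
    """Return a list of (device, advisory_id, severity, window) entries.

    inventory:  list of dicts with keys name, model, firmware, zone
    advisories: list of dicts with keys id, model, fixed_in, severity
    windows:    dict zone -> description of when that zone may go offline
    The list is ordered highest severity first, then by device name.
    """
    plan = []
    for device in inventory:
        for adv in advisories:
            if adv["model"] != device["model"]:
                continue
            if is_vulnerable(device["firmware"], adv["fixed_in"]):
                plan.append((device["name"], adv["id"], adv["severity"],
                             windows[device["zone"]]))
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    plan.sort(key=lambda entry: (rank[entry[2]], entry[0]))
    return plan


# Constructed sample inventory, advisories and operational constraints.
INVENTORY = [
    {"name": "ahu-1", "model": "ctrl-x", "firmware": "2.9.0", "zone": "office"},
    {"name": "ahu-2", "model": "ctrl-x", "firmware": "2.10.1", "zone": "office"},
    {"name": "chiller-gw", "model": "gw-y", "firmware": "1.4.2", "zone": "plant"},
    {"name": "ops-server", "model": "server", "firmware": "5.0.0", "zone": "datacentre"},
]
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "model": "ctrl-x", "fixed_in": "2.10.0", "severity": "high"},
    {"id": "ADV-PLACEHOLDER-2", "model": "gw-y", "fixed_in": "1.5.0", "severity": "critical"},
    {"id": "ADV-PLACEHOLDER-3", "model": "ctrl-x", "fixed_in": "2.11.0", "severity": "medium"},
]
WINDOWS = {
    "office": "weeknights after 19:00",
    "plant": "Sunday 02:00-06:00, chiller switched to manual first",
    "datacentre": "change board approval required",
}

if __name__ == "__main__":
    for name, adv_id, severity, window in plan_updates(INVENTORY, ADVISORIES, WINDOWS):
        print("%-10s %-18s %-8s %s" % (name, adv_id, severity, window))
```

The schedule puts the critical gateway fix first and attaches the plant's outage constraint to it, which is the operational-impact assessment the text calls for; the second office controller is already above the high-severity fix and is listed only for the later medium one.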
It is an established fact that hackers are more likely to attack weakly defended systems, ignoring systems that require too much effort to crack.
Learn the ‘best practices’ to thwart such attacks, or at least make things significantly more difficult for hackers. Some are simple, commonsense tactics while other measures will require more sophisticated technical IT skills. Effective and regular cybersecurity training makes everyone aware of vulnerabilities. Ultimately, the level of cybersecurity is directly related to the effort expended in making it difficult for hackers to access valuable systems. Download the white paper ‘Five Best Practices to Improve Building Management Systems (BMS) Cybersecurity’ from Schneider Electric here: http://www.fmmagazine.com.au/schneider-electric-2/
Gregory Strass is the Building Systems IT Cybersecurity Lead at Schneider Electric. He holds degrees in Electrical Engineering and Computer Science from the University of Illinois in Urbana. Additionally he holds CISSP and CEH certifications. He has worked in the embedded field for over 35 years.
Jon Williamson is the Schneider Electric Building Systems Communication Officer. He holds a degree in Mechanical Engineering from the University of New Hampshire in Durham. Active in the BMS market for over 19 years, he has practical and product management experience in system deployment, networking and protocols. In his current role as Communication Officer, he is responsible for system architecture, communication protocols and cybersecurity requirements.
Schneider Electric is a Facility Management Content Partner
A Facility Management Content Partner is an organisation with which we’ve entered into a partnership to provide expert insight from its industry for the benefit of the FM community.