Cybersecurity Measures To Protect The BAS/BMS
So then what cybersecurity measures can be used to protect the BAS/BMS against attack? The solution, like the problem, is complex and multi-layered. Facility managers have to tailor a response based on several factors: the degree to which BAS users have access to other organizational networks; the organization's IT capabilities; the use of vendors and outside contractors, and how those vendors are granted access to networks; and, finally, the education of staff, who in many ways are the linchpin of security for an organization's operational technology and information technology.
First, experts recommend getting to know, and working diligently with, IT and the CIO. "Cooperate with them to create a robust system," says Dennis Chapman, chief engineer for Dole Foods. "At its most basic, we have a Websense filter at the front end, and limit which personnel have access to online content, particularly streaming videos or music."
That's an important consideration for more than lost productivity. Education of staff is vital to security, because using a BAS workstation PC with Internet access to surf the web is not unheard of, says Fred Gordy, operational manager at McKenney's. Managers must educate their staff that this behavior compromises organizational security and gives hackers a path to exploit the BAS or the networked systems connected to it.
"Train the facility staff to adhere to the user ID/password policy, explaining why this is important and that it is not just a bureaucratic process," Gordy says.
Education should also extend to password discipline. It used to be rote habit for all staff to use the same simple credentials to access the BAS. If that still continues in some organizations, it should stop. Passwords should be complex, unique to a single user, and changed frequently, and the credentials of staff who leave the organization should be changed or revoked immediately.
The same holds true for vendors and their access. "This is the one thing that needs to change," says Gordy. "Building owners own the controls system. Not the system integrator. So the building owners need to take ownership of that system and software, including the responsibility for changing passwords regularly." He recommends not using one password for everyone and encourages password changes every 30 days for every user, at minimum.
According to one study Gordy cited, 100 percent of all breaches involved stolen or compromised credentials. "The days of imagining a hacker using brute force to crack the code or the password — that's Hollywood," he says. "It doesn't happen like that anymore."
Gordy also recommends habitually performing audits to ensure that unauthorized access to the BAS is not occurring. Put simply, regular maintenance of staff accounts is vital to today's BAS security.
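The account audit Gordy recommends, as an added example that is not code from the article or from any BAS vendor: a script that checks a constructed account roster and authentication log for the three problems the preceding paragraphs describe. The roster, the log format, the 30-day rotation window and the departed user are all assumptions made for illustration; real BAS platforms export audit records in their own formats, so only the parsing step would change.

```python
"""Audit a BAS account roster and authentication log for the problems the
article describes: shared credentials, stale passwords, and logins by
staff who have left.

Added example, not code from the original article or from any BAS vendor.
The roster, the log format and the 30-day rotation window are assumptions
made for illustration; real BAS platforms export audit records in their
own formats, so only the parsing step would change.
"""
from collections import defaultdict
from datetime import date

# Constructed roster: when each password was last set, and whether the
# person still works here. The departed user's account was never disabled.
ACCOUNTS = {
    "operator":    {"password_set": date(2023, 1, 5),   "active": True},
    "jsmith":      {"password_set": date(2023, 3, 1),   "active": True},
    "vendor_hvac": {"password_set": date(2022, 11, 20), "active": True},
    "tjones":      {"password_set": date(2023, 2, 15),  "active": False},
}

# Constructed authentication records: "<timestamp> <user> <source ip> <result>".
AUTH_LOG = """\
2023-03-10T08:02:11 operator 10.20.1.15 success
2023-03-10T08:05:40 operator 10.20.1.22 success
2023-03-10T09:17:03 jsmith 10.20.1.15 success
2023-03-10T13:44:55 vendor_hvac 203.0.113.7 success
2023-03-10T13:45:10 vendor_hvac 203.0.113.7 failure
2023-03-11T02:13:09 tjones 10.20.1.40 success
2023-03-11T02:14:30 operator 198.51.100.9 success
"""


def audit(accounts, log_text, as_of, max_password_age_days=30):
    """Return a sorted list of (finding, user, detail) tuples."""
    findings = []

    # 1. Stale passwords: the 30-day rotation from the text, applied per user.
    for user, info in accounts.items():
        age = (as_of - info["password_set"]).days
        if info["active"] and age > max_password_age_days:
            findings.append(("stale_password", user, f"{age} days since last change"))

    # 2. Walk the log once, collecting the source addresses each account uses.
    sources = defaultdict(set)
    for line in log_text.splitlines():
        ts, user, src_ip, result = line.split()
        if result != "success":
            continue
        # A successful login by someone who has left (or by an account nobody
        # knows about) is exactly what the departure checklist should prevent.
        if user not in accounts or not accounts[user]["active"]:
            findings.append(("inactive_account_login", user, f"{ts} from {src_ip}"))
        sources[user].add(src_ip)

    # 3. One account arriving from several workstations is the usual sign
    #    that a credential is being shared rather than tied to one person.
    for user, ips in sources.items():
        if len(ips) > 1:
            findings.append(("shared_credential_suspected", user,
                             "used from " + ", ".join(sorted(ips))))

    return sorted(findings)


if __name__ == "__main__":
    for finding, user, detail in audit(ACCOUNTS, AUTH_LOG, date(2023, 3, 12)):
        print(f"{finding:28} {user:12} {detail}")
```

Run against the constructed data as of 2023-03-12, the script flags the `operator` and `vendor_hvac` passwords as stale, the login by the departed `tjones`, and the `operator` account as a suspected shared credential because it arrives from three different addresses, including one outside the building network.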
Most organizations in the United States have been the target of a cyberattack, or have had attackers probing their networks for points of entry. IT departments have learned that they need to be prepared.
Increasingly, it looks like the question for facility managers may not be if a cyberattack on the building automation system will come, but when. Basic precautions and tips for ramping up cybersecurity in physical plants include:
- Invite critical personnel, including those not connected to the physical plant — like the CIO and necessary IT staff — to talk about cybersecurity.
- Comprehensively examine the information networks used by facilities staff. Predict and plan how to safeguard vital information and network access points.
- If a cybersecurity budget isn't included as part of the facility budget, make it so.
- Remember that staff are a security asset; encourage vigilance, send them for periodic training, and conduct regular audits of network use.
- Draft a worst-case scenario. Prepare for the possibility of attack and train staff how to respond accurately and methodically.
- Encrypt network traffic and secure wireless network access.
- Choose your vendors carefully, and be aware of exactly what BAS functions are accessible via online portals.
- Look for improbable or easy access points — these are where a hacker will head first.
This last point is one that facility staff often overlook, says Shane Riggio, vice president of information technology for Macerich.
"You should actually make a physical discovery of a building," he says. "More often than not, you'll find a DSL line or something that you didn't know was there."
Sometimes, he says, facility staff will install such lines without asking permission, in an attempt to simplify maintenance communication efforts. "That kind of unprotected line — one you didn't know about — is the only entry point an attacker needs," says Riggio.
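A network-side complement to the physical walk Riggio describes, as an added example that is not code from the article: reconcile what is actually answering on the BAS segment against the asset inventory, and check whether the segment has picked up a second way out. An unmanaged modem or DSL line shows up as a device nobody recorded and, if it hands out addresses, as an extra default route. The inventory, the neighbor table and the route table are constructed for illustration; the two tables use the output format of `ip neigh` and `ip route` on Linux, which a monitoring host on that segment could capture, and only the parsing would change for another platform.

```python
"""Reconcile the devices seen on the BAS segment against the asset
inventory, and flag any default gateway other than the expected one.

Added example, not code from the original article. INVENTORY,
NEIGHBOR_TABLE and ROUTE_TABLE are constructed; the table formats follow
`ip neigh show` and `ip route show` on Linux.
"""

# Constructed inventory of everything that is supposed to be on 10.20.1.0/24,
# keyed by MAC address so a re-addressed device still matches.
INVENTORY = {
    "00:11:22:aa:bb:01": "core-router (expected default gateway)",
    "00:11:22:aa:bb:15": "bas-workstation-1",
    "00:11:22:aa:bb:22": "bas-workstation-2",
    "00:11:22:aa:bb:40": "supervisory-controller",
    "00:11:22:aa:bb:41": "ahu-2-controller",
}
EXPECTED_GATEWAY = "10.20.1.1"

# Constructed `ip neigh show` output. Note the last entry.
NEIGHBOR_TABLE = """\
10.20.1.1 dev eth0 lladdr 00:11:22:aa:bb:01 REACHABLE
10.20.1.15 dev eth0 lladdr 00:11:22:aa:bb:15 REACHABLE
10.20.1.22 dev eth0 lladdr 00:11:22:aa:bb:22 STALE
10.20.1.40 dev eth0 lladdr 00:11:22:aa:bb:40 REACHABLE
10.20.1.254 dev eth0 lladdr 02:ab:cd:11:22:33 REACHABLE
"""

# Constructed `ip route show` output: a second default route handed out by
# the unknown device's DHCP server.
ROUTE_TABLE = """\
default via 10.20.1.1 dev eth0 proto static
default via 10.20.1.254 dev eth0 proto dhcp metric 100
10.20.1.0/24 dev eth0 proto kernel scope link src 10.20.1.15
"""


def parse_neighbors(text):
    """Map IP -> MAC from `ip neigh` lines; skip entries without a lladdr."""
    neighbors = {}
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" in fields:
            neighbors[fields[0]] = fields[fields.index("lladdr") + 1].lower()
    return neighbors


def parse_default_gateways(text):
    """Return the next hop of every default route in `ip route` output."""
    gateways = []
    for line in text.splitlines():
        fields = line.split()
        if fields[:1] == ["default"] and "via" in fields:
            gateways.append(fields[fields.index("via") + 1])
    return gateways


def reconcile(inventory, neighbors, gateways, expected_gateway):
    """Return sorted (finding, address, detail) tuples."""
    findings = []
    seen_macs = set()
    for ip, mac in neighbors.items():
        seen_macs.add(mac)
        if mac not in inventory:
            findings.append(("unknown_device", ip, f"mac {mac} not in inventory"))
    # A default route that is not the corporate gateway means traffic has a
    # second way off this segment, which is what an unmanaged DSL line provides.
    for gw in gateways:
        if gw != expected_gateway:
            findings.append(("unexpected_default_gateway", gw,
                             "second path off the BAS segment"))
    # Inventory entries nobody saw: decommissioned, moved, or mis-recorded.
    for mac, name in inventory.items():
        if mac not in seen_macs:
            findings.append(("inventory_not_seen", mac, name))
    return sorted(findings)


if __name__ == "__main__":
    for row in reconcile(INVENTORY, parse_neighbors(NEIGHBOR_TABLE),
                         parse_default_gateways(ROUTE_TABLE), EXPECTED_GATEWAY):
        print(*row)
```

On the constructed data the script reports the unrecorded host at 10.20.1.254, that same host acting as a second default gateway, and one inventoried controller that did not answer. The first two findings together are the network signature of the line Riggio says you will find on a walk; the third is the kind of inventory drift that makes the next walk harder, and is worth chasing for the same reason.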