SIDEBAR: 10 Questions FMs Should Ask About Cybersecurity
Part 4 of a 4-part cover story on cybersecurity and the BAS.
Billy Rios, an ethical hacker and head of WhiteScope, offers these “top 10” questions facility operators can ask themselves about BAS security:
1. Are our devices configured securely?
How can we verify this?
2. Do we have a security policy deployed to
all of our devices?
3. Are the log files being monitored for
intrusion or malicious activity?
4. How would we know if any of our devices
have been compromised?
5. How can we confirm that the network segmentation or “air gap” is secure? (An air gap is a figurative phrase denoting, in this context, that a company’s corporate network — for servers and employees’ day-to-day work — and the building control system do not touch. If they do, says Fred Gordy, of Intelligent Buildings, it offers intruders a golden opportunity to pivot into the corporate network — “like waving a red shirt in a bull ring.”)
6. Are any of our devices facing the Internet?
Have we confirmed this?
7. Are our devices patched with the latest
version of vendor software?
8. Do we know if any devices were recently replaced?
If so, were they deployed in a way that matches
our security policy?
9. Are any of our old devices deployed to
locations we no longer manage?
10. How do we audit our devices in a
cost-effective and repeatable way?