4 Benefits of Implementing a Cybersecurity Solution for Building Management Systems
by Erin Anderson
Cyberattacks against critical infrastructure are increasing every year. One important piece of critical infrastructure that needs cybersecurity protection is our buildings. Most of today’s commercial buildings are considered “smart” because of the high level of automation and connectivity among the systems that manage functions like climate control, physical access control, lighting, solar energy, and more. Increased cyberattack activity by everyone from hacktivists to nation states, combined with the fact that building management systems are often connected to the internet, means that buildings need cybersecurity protection more than ever.
Just last year, researchers at Applied Risk identified over 100 vulnerabilities in critical building management systems (BMS) that would allow an attacker to remotely take over the entire system. Shortly after that news, DHS published a security advisory about a critical vulnerability affecting a popular BMS that controls the heating, ventilation and cooling (HVAC) system, access control, and more. If exploited, this vulnerability would let an attacker gain full access to the BMS and potentially disrupt building operations.
In addition to posing a threat to the people inside the building, a successful attack like this brings another scary thought to mind. Thousands of these devices are installed on corporate networks, so once an attacker is inside the BMS, they could theoretically use these devices to take control of other systems that reside within the corporate network. Depending on what’s inside, that could lead to anything from the shutdown of, or tampering with, a critical manufacturing process, to the theft of valuable enterprise data like intellectual property or customer credit card information, or even to a compromise of patient safety in a hospital.
Facilities engineers and IT departments can address this growing threat by safely and effectively collecting, monitoring, and managing security data from BMS devices. In this post, we’ll discuss four important benefits of implementing a strong BMS cybersecurity solution. They include:
- Detect and Prevent Cyberattacks
As we discussed above, BMS cyberattacks are a looming threat to both building and business systems. The consequences of a successful attack are unpredictable, so detecting a threat before it compromises people’s safety, causes damage to the BMS, or gains access to the enterprise network is extremely important.
To eliminate any unpleasant surprises, you need to implement a cybersecurity solution. Knowing which assets you have in your building is the first step to securing it, so the ideal solution should offer an inventory of all your network-connected BMS servers and devices, as well as the software on them. It should also continuously monitor those devices for anomalies that could indicate a potential cyberattack and deliver an automated alert about what the anomaly is, where the device is located, and who to contact to resolve it.
- Reduce Risk from Emerging System Vulnerabilities
New vulnerabilities in building management systems are constantly being uncovered. The right cybersecurity solution should offer up-to-date vulnerability monitoring and management that identifies whether new vulnerabilities affect your building systems, and where, so you can proactively stop a threat before it starts.
Choose a vendor who has the most comprehensive endpoint management capabilities, because you won’t know whether you have a vulnerable system unless you have accurate information. A good solution should automatically layer a complete vulnerability database like NIST’s over that endpoint management capability to deliver information on demand, and also inform you if there is a security patch available.
- Slash BMS Operating Cost with Automated System Integrity and Revision Level Reporting
Because BMS systems have hundreds and even thousands of intelligent devices, manually collecting system data, and then generating reports, is incredibly time-consuming. In addition to the risk reduction benefits of a BMS cybersecurity solution, automated asset data collection eliminates the labor and expense it normally takes to create these types of reports. A proper cybersecurity monitoring system even lets you share risk reports via email, web, and text, to ensure the delivery of real-time information to those who need it the most.
- NIST Cybersecurity Framework Compliance Reporting
The NIST Cybersecurity Framework (CSF) was created to help critical infrastructure companies manage increasing cyber risks and uses business drivers to guide cybersecurity activities. This framework has quickly gained traction because of its practical approach to risk management and is now one of the most popular security frameworks in use today. Since this framework looks at managing risk holistically, building management system security should be included as part of a NIST CSF risk reduction strategy.
There are five core functions of the NIST CSF:
- Identify – Develop an understanding of your environment to manage cybersecurity risk to systems, assets, data and capabilities.
- Protect – Develop and implement the appropriate safeguards to limit or contain the impact of a potential cybersecurity event.
- Detect – Develop and implement the appropriate measures to quickly identify cybersecurity events.
- Respond – Develop and implement appropriate activities to take action regarding a detected cybersecurity incident.
- Recover – Develop and implement effective activities to restore any capabilities or services that were impaired due to a cybersecurity event.
A good BMS cybersecurity solution should improve your maturity in all five of these functions and provide accurate data that can be used to benchmark your progress. It should also offer NIST CSF reporting templates and automation so that you can quickly and easily assess your progress and share that data with executive management to demonstrate your cyber risk reduction efforts.
As you can see, implementing the right cybersecurity solution for your building provides crucial benefits that reduce risk from the ever-expanding cyber threat landscape and deliver operational efficiencies. When you begin vetting security vendors, make sure to do a comprehensive evaluation, including a proof-of-concept (PoC), to see how the solution actually behaves in your building and whether it truly provides the critical data you need in an easy-to-understand format.
Another factor to consider is the length of experience the vendor has with cybersecurity. Anyone can claim to be “mature”, but they may not have had real-world deployments longer than a few years. A safer bet is to choose a solution that is state-of-the-art, but also has a proven history. Time is the best teacher, and you’ll likely get higher quality, usable cybersecurity data from a vendor whose product has been deployed in operational settings in the real world for longer than just a few years.
To learn more about how our Building Defender™ solution can help you safely and effectively collect, monitor and manage cybersecurity data for your building management systems, read our solution brief or request a personalized demo.