Cyberattacks against critical infrastructure are increasing every year. One important piece of critical infrastructure that needs cybersecurity protection is our buildings. Most of today’s commercial buildings are considered “smart” because of the high level of automation and connectivity among the systems that manage functions like climate control, physical access control, lighting, solar energy, and more. Increased cyberattack activity by everyone from hacktivists to nation states, combined with the fact that building management systems are often connected to the internet, means that buildings need cybersecurity protection more than ever.
Just last year, researchers at Applied Risk identified over 100 vulnerabilities in critical building management systems (BMS) that would allow an attacker to remotely take over the entire system. Shortly after that news, DHS published a security advisory about a critical vulnerability affecting a popular BMS that controls the heating, ventilation and cooling (HVAC) system, access control, and more. If exploited, this vulnerability would let an attacker gain full access to the BMS and potentially disrupt building operations.
In addition to posing a threat to the people inside the building, a successful attack like this brings another scary thought to mind. Thousands of these devices are installed on corporate networks, so once an attacker is inside the BMS, they could theoretically use these devices to take control of other systems that reside within the corporate network. Depending on what’s inside, that could lead to anything from a shutdown of or tampering with a critical manufacturing process, to the theft of valuable enterprise data like intellectual property or customer credit card information, or even to a compromise of the safety of patients in a hospital.
Facilities engineers and IT departments can address this growing threat by safely and effectively collecting, monitoring, and managing security data from BMS devices. In this post, we’ll discuss four important benefits of implementing a strong BMS cybersecurity solution. They include:
A good BMS cybersecurity solution should improve your maturity in all five of these functions and provide accurate data that can be used to benchmark your progress. It should also offer NIST CSF reporting templates and automation so that you can quickly and easily assess your progress and share that data with executive management to demonstrate your cyber risk reduction efforts.
As you can see, implementing the right cybersecurity solution for your building provides crucial benefits that reduce risk from the ever-expanding cyber threat landscape and deliver operational efficiencies. When you begin vetting security vendors, make sure to do a comprehensive evaluation, including a proof-of-concept (PoC), to see how the solution actually behaves in your building and whether it truly provides the critical data you need in an easy-to-understand format.
Another factor to consider is the length of experience the vendor has with cybersecurity. Anyone can claim to be “mature”, but they may not have had real-world deployments longer than a few years. A safer bet is to choose a solution that is state-of-the-art, but also has a proven history. Time is the best teacher, and you’ll likely get higher quality, usable cybersecurity data from a vendor whose product has been deployed in operational settings in the real world for longer than just a few years.
To learn more about how our Building Defender™ solution can help you safely and effectively collect, monitor and manage cybersecurity data for your building management systems, read our solution brief or request a personalized demo.