Video: Monitoring Building Management Systems with Industrial Defender and Splunk

April 21, 2021

Learn how to leverage Splunk and Industrial Defender to give IT teams and SOC analysts visibility into the traditionally hard to reach building management and building automation environments.

Video Transcript & Slides

Hi, this is Peter Lund, Vice President of Product Management at Industrial Defender. In this short video, I’m going to spend a few minutes showing you how you can give IT teams and SOC analysts visibility into the traditionally hard to reach building management and building automation environments.
This is done by leveraging Building Defender’s best in class data collection, taking that data, normalizing it, and then sending it to Splunk for analysis and visualization using our new Splunk app.
Let’s take a minute to pull up Splunk and you can see that I’ve got a basic Splunk Enterprise instance here. If we go into Apps, we can pull up some of the dashboards available within Industrial Defender.
We’ve got our traditional SOC dashboard, looking for security events across the environment. Maybe they’re worried about authentication or potentially antivirus events, removable media — all things to be very much concerned about in OT. But let’s say you wanted to take a closer look specifically just at your building automation environment, for example.
If we switch to a dashboard, this is really just a clone of that main dashboard trained against, in this case, BACnet events. We can see we’ve had a number of BACnet events come through detected by our intrusion detection sensor. We can see we’ve got some alarms acknowledged and we’ve had maybe a few events here which may not be normal operation. Let’s drill through on one and this will bring us to a deeper asset context in this building automation environment.
You can see we’re immediately brought into a detailed, asset-centric view. In this case I believe we’re looking at a door controller. You can see that we do see some communications with it. We do have a few exceptions or anomalies against this asset. No vulnerabilities, so that’s good.
As we scroll down we see that — it looks like this is just a net new door controller that’s been added to the building automation network. It looks like it’s from AXIS. It’s got that specific version of firmware. The nice part about the app is we’ll even get you into the deeper asset context, where we’ll give you where the asset is physically located, who the asset owner might be, its address, so it really gives the SOC analyst kind of a deep view point as to what’s going on.
Let’s take a deeper dive and look at some of the other assets we’re monitoring in this environment. This is a security camera. It looks like its got similar communication to these ones. It only has one baseline deviation and no vulnerabilities which is good.
It looks like for this endpoint, really someone had just updated the firmware on there, which is very important to know. Again, we still get that same context on the endpoint.
Let’s kind of get into something more interesting. So let’s look at one of our Jace controllers, for example. The Jace controller is quiet. It doesn’t have any baseline deviations, which is good. Nothing has changed, but it does have vulnerabilities. In this case, one very specific vulnerability related to TLS handshaking.
We’ll actually let you drill through to the National Vulnerability Database, where that vulnerability is coming from, and we can quickly see it’s because of the Tridium software that’s running on this endpoint.
We can then flip back, and then as we can with all of our other assets, we can figure out who the asset owner is and work with them to potentially get an upgrade going for that endpoint.
Now that I saw this vulnerability on this one Jace controller, it’s got me wondering about my other Jace controller in the environment to see if it has it as well. It does have a few baseline deviations but no security events, so that’s good. It doesn’t list that vulnerability, and I kind of wonder why.
If we take a look, it’s because our asset has actually had its software and firmware updated, so it’s actually got newer software compared to the other Jace controller that we looked at. So that’s good. It looks like my system integrator is in the process of doing upgrades. I’m going to want to follow up with them.
So that’s just a quick tour of how you can use Splunk together with Building Defender to get deeper asset insights as to what’s going on in your building environment. If you’re interested in more information, feel free to reach out to us at Thanks everyone.