
SBA 251: How to Secure your Building Automation System

By Phil Zito on Jun 16, 2021 6:00:00 AM

Topics: Podcasts

There is a ton of noise around cybersecurity lately. And I'm sure a lot of you are getting questions about how to make sure your building automation system is secure.

In this episode, we discuss a practical approach to assessing, auditing, ranking and implementing cyber-security for your building automation system.


Transcript
Phil Zito 0:00
This is the Smart Buildings Academy podcast with Phil Zito, Episode 251. Hey folks, Phil Zito here, and welcome to Episode 251 of the Smart Buildings Academy podcast. In this podcast, we're going to be talking through how to secure your building automation system. So lately, you've seen a lot of attacks in the news: you've heard of the Colonial Pipeline, you've seen the meat manufacturer's attack, you've heard of entire cities getting ransomware. And you're most likely getting questions from your customers around how do you secure your building automation system? So in order to answer that, we first need to look at why we would secure our building automation system. Now, as always, everything that is discussed in this podcast episode will be available at podcasts.smartbuildingsacademy.com/251. Once again, that is podcasts.smartbuildingsacademy.com/251.

So why do we need to secure our building automation system? Well, when we think about systems that have a direct impact on the functionality and operation of a building, building automation systems rank up there pretty high. You know, we definitely have business systems and specialty systems that support the business and the operations that go on within a building. But in order to support the environment, to achieve whatever the business's goals are, we need to have the right temperature, we need to have the right humidity. And in order to do that, we need to have a secure building automation system. But one thing I see often said on LinkedIn and in webinars and things like that is that we need to have every building automation system at a high level of security. Now, if you've listened to any of my podcasts in the past, you've heard me mention that we only need to have a level of security that matches up to the level of threat that we face within the building.

And the level of threat that we face is going to be different for a commercial office building from, you know, a government facility. So we need to take that into account when we are making decisions on what level of security we want to implement within our buildings.

So what do you secure? The first thing we need to do is perform a site audit. And I'm going to take you through the three areas. Like I said, if you've listened to any of our past podcast episodes, this is going to be familiar. But I'm going to take you through the three areas of a site audit, and that is going to be the physical, logical and administrative aspects of a building automation system.

So when we're looking at the physical aspects of a building automation system, we want to make sure that the building automation system is physically secure; we want to make sure that it's isolated and cannot be attacked physically, because if you can access something, you can hack it. That is kind of the general rule: if you can get physical access, you can, with enough time, compromise the system. So we want to try to protect physical access to the building automation system. And we do that by going and making sure our building automation systems are in locked rooms; we make sure that they have video surveillance, card access, etc., that are keeping people from accessing the building automation system. But also from a physical aspect, we want to make sure that we are building redundancy, you know, having uninterruptible power supplies, having redundant emergency power that fails over if the building automation system were to lose normal power.

Next we look at logical. Logical is going to be what we most commonly associate with cybersecurity; this is going to be things like certificates, having, you know, MAC addresses, going and having firewalls, intrusion detection, intrusion prevention, patching, making sure everything's up to date. So we're going to be checking that we have a baseline of security based on the level of risk that we've assessed for the building. Next up, we have administrative, and that is going to be things like password policies, unique usernames, login policies, etc. And we're going to want to make sure that we check for those and that we ensure that the building automation system is using those.

So how do you secure your building automation system? Well, now that you've audited it, you should have created an Excel sheet. And this Excel sheet should have deficiencies listed for these three areas.

Phil Zito 4:51
Now once again, we go back to understanding the risk exposure to the building, the likelihood of that risk and the potential cost of that risk, and then based on that potential cost, we can then align controls. And when I say controls, I'm talking cybersecurity controls; we can align cybersecurity controls to our specific needs. So in the case of physical systems, on that Excel sheet maybe we say that our building automation system is under someone's desk. That is a low-cost control to fix, right? That's moving it maybe to a data closet, or an IDF or an MDF; maybe it's moving it into a locked room; maybe it's virtualizing it. But that is a physical control we can implement. Maybe we also notice that our main supervisory devices do not have backup power. Well, that's also a physical control that we can implement within our building. We can implement uninterruptible power supplies, or we can connect our building automation systems to emergency power.

Next, we move on to the logical category. And this is where you're going to have less stuff that you can do, necessarily, in most cases, because outside of the basic building automation configuration, most of this is IT-centric and dependent on the IT group. But from a logical perspective, you can go and you can configure certificates, you can make sure that HTTPS is enabled, you can go and make sure that your building automation system is on its own subnet and that that's something that is air gapped. There's a lot of things you can implement on the logical side.

And then finally, we move to the administrative side. And now we can pick out our controls for our administrative processes. So we can say, hey, we're going to use a password policy: it's got to be this long, it's going to be changed this often. Everyone's going to have a unique username, we're gonna use audit logs, etc. So you can implement all of these controls.

But it's one thing to implement controls. Where a lot of people fall short is, sure, they implement the controls, but what they don't do is go then and actually implement processes, policies and procedures. So a policy is what needs to be done, right? The procedure slash process is how it will be done. So we need to establish policies related to: how do we physically secure our building automation system? How do we implement a certificate, and when do we implement a certificate? How do we have our passwords set up? Those are all policies. And then how do we set up the passwords? How do we set up the user accounts? Those are procedures.

So my recommendation to you in this short episode is that you audit your building automation system, you understand what is potentially at risk based on some of the ideas I just discussed, you create a list and you figure out how costly it's going to be to implement those controls. And once again, those are cybersecurity controls. And then once you know that, you implement the cybersecurity controls that match up with the appropriate level of risk for your building automation system. I'm sure you have a ton of questions. These how-to episodes are going to be shorter, because I want you to be able to listen to them in less than 10 minutes and directly go and apply them in the field today. So feel free to reach out to me with any questions you have. Thanks a ton, and I'll see you in our next episode. Take care.


Written by Phil Zito
