
is the responsibility of executive management, who recognize cyber attacks are a real threat to their business bottom line. This also includes the question of ownership: Who's in charge of building system security? Is it facilities or is it IT?

B. Risk assessments and auditing
Once empowered, the next step is to become aware of potential risks. This includes identifying areas of vulnerability and likely targets and implementing the tools and technologies to mitigate this risk and protect those assets, all while minimizing the impact on normal operations. Strict rules are counterproductive if they are circumvented by users because they are too inconvenient or can't be accommodated into normal workflows.

Once implemented, periodic auditing becomes essential to ensure the mitigation strategies are effective and up to date.

C. Incident response plans
Response plans should be crafted for when, not if, a cyber attack occurs. Clearly identified chains of command and incident reporting can drastically minimize the length and damage of a cyber attack. If possible, drills and war games can be conducted, in the same manner as fire drills.

Starting from the bottom–best practices
While technology is useless without the proper personnel to implement it, there are a number of ways technology can improve the security of a smart building. Security is about creating layers of protection. While no security setup is impenetrable, improve your security by implementing as many layers as possible to thwart attackers:

1. Separate building systems from IT networks
Physical isolation is the easiest way to ensure outsiders cannot gain access to assets on one system from the other. Building systems are fundamentally different from IT networks and there are no good reasons why they should run on the same physical infrastructure. Logical separation is not enough, because it is too easy for mistakes to be made as building systems scale into the hundreds and thousands of devices. Don't leave your company open to vulnerabilities.

2. Use firewalls
If communication between physically separated building systems and IT networks is required, implement firewalls at the gateways between the two systems. Firewalls should also be placed diligently around sensitive assets (e.g. servers, databases).

3. Minimize access to building systems
Minimize access between building networks to the lowest required state. This includes disabling unused ports, implementing Access Control List (ACL) rules to limit and direct the flow of traffic, and logically separating independent services. While access control may need to ride on the same virtual local area networks (VLANs) as security cameras, use separate VLANs for each service where intercommunication is not required.

4. Password management
It goes without saying: always change default passwords for all your BAS devices. Use unique and strong passwords. Use password management software, if necessary.

5. Device management
Utilize the security features of the device itself, where supported. This may include end-to-end encryption and/or authentication by protocols such as TLS, IPsec or IEEE 802.1X.

6. Vendor management
Limit access to your building networks; but, where required, ensure vendors are using appropriate levels of security (such as two-step authentication). Write your requirements into your vendor contracts. Vendors should be more secure, not less, than the host organization.

7. Monitor/log suspicious activity
Implement security information and event management (SIEM) software to track incidents and events, or use other anomaly detection tools to identify and track security threats. These tools use behavioral analytics to identify threats and security events on a continuous basis.

8. Continuously update your software
While fairly uncommon in the BAS space, update device firmware when provided by the device manufacturer. This is the best way to ensure that the devices in your building are not vulnerable to known attacks.

Be resilient
More than ever, the threat of a cyber attack affects the deployment of technologies within a smart building. Deployed properly, the risk of installing the latest and greatest technologies can be minimized, along with any resulting damage. But make no mistake—intrusions will still occur.

Cybersecurity needs to be a priority for the entire organization. This must involve both executive management to drive security as a corporate value and the IT team to recommend and implement best practices. While a building will never be entirely impenetrable, a little knowledge and some common sense go a long way to securing your smart building.

Pook-Ping Yao is CEO of Optigo Networks (www.optigo.net), a company making smart buildings smarter with an integrated networking solution for connecting the smart building and protecting it from network anomalies. Ping is a recognized expert in networking with years of network security experience. He has over 12 years at PMC-Sierra in networking design and applications.

Byron Thom is General Counsel of Optigo Networks. Byron has delved into digital privacy and informational security issues as a researcher for the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC) in Ottawa and the Electronic Privacy Information Center (EPIC) in Washington, DC.
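The following is an added worked example, not code from the article or from Optigo Networks, showing how best practices 1 to 3 (segmenting building systems from IT and restricting cross-segment access) and practice 7 (behavioral anomaly detection on logged activity) look when turned into a concrete check. It assumes a constructed flow-log format (`ts,src,dst,proto,dport,bytes`), an assumed address plan (BAS devices on 10.20.0.0/16, IT on 10.10.0.0/16, one management host allowed to cross between them) and the BACnet/IP default UDP port 47808; all log lines are constructed for illustration.

```python
"""Segmentation and baseline-anomaly checks over constructed BAS flow logs.

Added example, not from the article. Address ranges, the log format and
the policy are assumptions chosen for illustration.
"""
import ipaddress
from collections import defaultdict

# Assumed layout: building systems on their own segment, IT on another,
# with a single management server allowed to cross (practices 1-3).
BAS_NET = ipaddress.ip_network("10.20.0.0/16")
IT_NET = ipaddress.ip_network("10.10.0.0/16")
ALLOWED_CROSSERS = {ipaddress.ip_address("10.10.5.20")}  # assumed BAS management server
BACNET_PORT = 47808  # BACnet/IP default UDP port

# Constructed learning-window flows: ts,src,dst,proto,dport,bytes
LEARNING_LOG = """\
1,10.20.1.11,10.20.0.5,udp,47808,320
2,10.20.1.12,10.20.0.5,udp,47808,310
3,10.10.5.20,10.20.1.11,udp,47808,200
4,10.20.1.11,10.20.0.5,udp,47808,330
5,10.20.1.12,10.20.0.5,udp,47808,300
6,10.10.5.20,10.20.1.12,udp,47808,210
"""

# Constructed flows to evaluate against the learned baseline and the policy.
DETECTION_LOG = """\
7,10.20.1.11,10.20.0.5,udp,47808,325
8,10.20.1.11,10.10.7.40,tcp,445,9000
9,10.10.8.33,10.20.1.12,udp,47808,180
10,10.20.1.12,203.0.113.9,tcp,443,4200
11,10.20.1.11,10.20.0.5,tcp,22,1500
12,10.10.5.20,10.20.1.11,udp,47808,205
"""


def parse_flow(line):
    """Parse one constructed flow record into a dict with typed fields."""
    ts, src, dst, proto, dport, nbytes = line.strip().split(",")
    return {
        "ts": int(ts),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "proto": proto,
        "dport": int(dport),
        "bytes": int(nbytes),
    }


def parse_log(text):
    return [parse_flow(line) for line in text.splitlines() if line.strip()]


def learn_baseline(flows):
    """Per source device, the set of (dst, proto, dport) seen while learning."""
    baseline = defaultdict(set)
    for f in flows:
        baseline[f["src"]].add((f["dst"], f["proto"], f["dport"]))
    return baseline


def segment_of(ip):
    if ip in BAS_NET:
        return "bas"
    if ip in IT_NET:
        return "it"
    return "external"


def check_flow(f, baseline):
    """Return the alert tags for one flow; an empty list means nothing is wrong."""
    alerts = []
    src_seg, dst_seg = segment_of(f["src"]), segment_of(f["dst"])
    crosser_involved = f["src"] in ALLOWED_CROSSERS or f["dst"] in ALLOWED_CROSSERS
    # Practices 1-3: BAS and IT segments only meet through the allowed host.
    if {src_seg, dst_seg} == {"bas", "it"} and not crosser_involved:
        alerts.append("segmentation-violation")
    # A building device talking off-site is never part of normal operation.
    if src_seg == "bas" and dst_seg == "external":
        alerts.append("external-egress")
    # Practice 7: deviation from the device's learned (peer, proto, port) profile.
    if (f["dst"], f["proto"], f["dport"]) not in baseline.get(f["src"], set()):
        alerts.append("new-peer-or-service")
    return alerts


def detect(flows, baseline):
    """Evaluate flows and return (ts, src, dst, dport, tags) for each finding."""
    findings = []
    for f in flows:
        tags = check_flow(f, baseline)
        if tags:
            findings.append((f["ts"], str(f["src"]), str(f["dst"]), f["dport"], tags))
    return findings


def run_example():
    baseline = learn_baseline(parse_log(LEARNING_LOG))
    return detect(parse_log(DETECTION_LOG), baseline)


if __name__ == "__main__":
    for finding in run_example():
        print(finding)
```

The learning window establishes what each controller normally talks to; the detection pass then raises separate, stackable tags so that a policy breach (a controller reaching an IT file server, or an IT workstation polling a controller directly) is distinguished from a mere change of behavior (the same controller suddenly using SSH to its usual peer). The last line of the detection log, from the allowed management server to a controller it already manages, correctly produces no finding; in a SIEM the same two-phase approach is usually implemented as a learned asset profile plus a static segmentation rule.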

Realcomm 23