Page 35 - RC21 EDGE Summer Issue

3) Configuration of the application
4) User administration
5) Security policies and procedures
At a minimum, network access must be restricted to authorized users, all communications should be encrypted and systems should never be discoverable over the Internet. You depend on the OT server to operate the system. It doesn't belong under a desk. It should be treated like any IT server, with restricted access and environmental protection. Only the application should be running on it, to minimize the risk of malware infection from visiting web sites, reading emails or running other types of software. And most importantly, the server should be backed up regularly to a separate and secure location.
All system manufacturers have recommended guidelines for setting configuration parameters such as password strength, default accounts, and auto-logoff. These best practices should always be followed. It is also critical to run supported software with all security patches installed.
In the fragmented world of OT, each system type often involves a different manufacturer and a different local service provider, making user administration the single biggest challenge. IT departments administer users through Active Directory, but this is not an option in most OT systems. User administration therefore becomes largely a manual task, one that starts with granting network access and then separately assigning access to each OT system.
Finally, there is the issue of cybersecurity policies and procedures. There is much work to be done here across all stakeholders. In addition to policy management and continuous training, it is becoming increasingly practical to run phishing campaigns to test user cybersecurity awareness.
The chain is only as strong as its weakest link, so spend considerable time researching and dissecting the problem and then design a risk management platform to address all five of these areas.
How are suppliers addressing the challenge?
Many suppliers are now including security dashboards with their management consoles. This is helpful but also challenges building owners because they always have multiple system types and often different OEMs for each one. The BAS industry's most familiar open protocol standard, BACnet, has released a much more secure version called BACnet/SC to address the significant security vulnerabilities in the current version. Although a major step forward, BACnet is only one of many protocols in use across the industry.
What about engineering firms?
The MEP consulting firms that specify the majority of OT systems in new projects have also been slow to incorporate cybersecurity protections and policies into their specifications. There are a handful of specialized consulting and services firms that address this, but the vast majority
Continued on page 62