In my last post I explained why, as building management systems (BMSs) become more intelligent and connected, it’s incumbent on facilities managers to ensure they are properly secured. Because the systems are connected to the Internet, they are susceptible to many of the same security threats as IT systems. As a result, we need to use best practices similar to those used in IT to secure BMSs.
In the last post I went through some of the best practices related to securing network connections, or points of entry. This time I’ll tackle a topic that’s far more basic but no less important: passwords.
Most attacks on BMS devices are successful because a password has been compromised. Simply put, at some point an intruder has to guess a user’s password in order to gain entry to a BMS. A best practice, then, is to make that job far more difficult.
Two simple tactics will go a long way in doing just that: changing default passwords on devices and ensuring new passwords are complex enough that they cannot be easily broken.
Secure your BMS: Change the default password
Virtually any password-protected product ships with a default password that is easily guessed or located, so it’s imperative that it be changed immediately. Failure to take this simple step greatly increases the risk the device will be compromised at some point.
Default credential values for all sorts of devices are readily available on the Internet, a mere Google search away for a would-be intruder. Combine that with search engines that routinely scan for accessible Internet-connected devices, including BMS devices, and you have a recipe for an easy break-in.
At a minimum, then, a device’s default credentials should be changed before it is ever connected to the Internet. A best practice is to change the default credentials when the device is first unpacked.
Best practices for ensuring password complexity
The next question, then, is what is a reasonable password to use? Don’t even think about a 6- or 8-character alphanumeric password; that’s just too simple. Hackers these days have access to inexpensive machines that can easily test up to 348 billion passwords per second. To provide any real level of protection, you need lengthy, complex passwords.
Here are the password best practice guidelines:
- Minimum of 10 characters long; 15 characters for infrequently accessed systems
- At least one numeric character, one lowercase alphabetic character, one uppercase alphabetic character, and special characters in each password
Another alternative is to use a passphrase instead of a password. Remembering even a long phrase will likely be easier than remembering a 10-character, complex alpha-numeric password. The longer the passphrase is, the more difficult it will be to crack. Maybe the phrase has to do with a favorite saying (EarlytoBedandEarlytoRise), sports figure (TheSplendidSplinter), or passage from a poem (AndMilestoGoBeforeISleep). It doesn’t matter so long as it’s easy for the user to remember and sufficiently long. Note that capitalizing letters of each word makes it that much stronger.
The final best practice with respect to passwords is to change them on a regular schedule. The theory is passwords should be changed within whatever period of time it would take to crack them. Based upon that theory, a longer, more complicated password will need to be changed less frequently. (Sites such as The Password Meter can help you assess that.)
Many BMS devices will be in the field for 15 to 30 years and may not be accessed often, so making the password more complex is the only good way to adequately protect these systems. When devices aren’t accessed for years at a time, password lengths of 15 characters or more are recommended.
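To relate the length and character-class guidelines above to the 348 billion guesses per second figure, the following added example (not from the original post or from Schneider Electric) checks a password against the guidelines and estimates how long an exhaustive search would take at that rate. The function names, the sample passwords other than the article's passphrase, and the choice to treat ASCII punctuation as "special characters" are assumptions.

```python
import string

GUESSES_PER_SECOND = 348e9          # cracking rate quoted in the article
SECONDS_PER_YEAR = 365 * 24 * 3600

# Character classes named in the article's guidelines.
CLASSES = {
    "digit": string.digits,
    "lowercase": string.ascii_lowercase,
    "uppercase": string.ascii_uppercase,
    "special": string.punctuation,  # assumption: ASCII punctuation is "special"
}

def check_policy(password, infrequently_accessed=False):
    """Return the guideline violations; an empty list means compliant."""
    min_len = 15 if infrequently_accessed else 10
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    for name, chars in CLASSES.items():
        if not any(c in chars for c in password):
            problems.append(f"no {name} character")
    return problems

def exhaustive_search_years(password):
    """Years to try every string of this length over the classes used.

    This is an upper bound: it assumes randomly chosen characters.
    Dictionary words and well-known phrases fall much sooner.
    """
    alphabet = sum(len(chars) for chars in CLASSES.values()
                   if any(c in chars for c in password))
    return alphabet ** len(password) / GUESSES_PER_SECOND / SECONDS_PER_YEAR

if __name__ == "__main__":
    # Constructed sample passwords, plus one passphrase from the article.
    samples = [("Bms2024a", False),
               ("AndMilestoGoBeforeISleep", False),
               ("Ch1ller-Plant#7East", True)]
    for pw, rarely_used in samples:
        issues = check_policy(pw, rarely_used) or ["meets guidelines"]
        years = exhaustive_search_years(pw)
        print(f"{pw!r}: {', '.join(issues)}; search space lasts {years:.3g} years")
```

The 8-character sample is exhausted in roughly ten minutes at the quoted rate, while a 10-character password using all four classes lasts about five years, which is the kind of figure the rotation schedule would be set against.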
To learn more about how to secure your BMS, check out the free Schneider Electric white paper, “Five Best Practices to Improve Building Management Systems (BMS) Cybersecurity.”
Jon Williamson, CSSLP, is the Schneider Electric Building Systems Communication Officer. Active in the BMS market for over 19 years, he has practical and product management experience in system deployment, networking and protocols. In his current role, he is responsible for system architecture, communication protocols and cybersecurity requirements. Jon holds a Mechanical Engineering degree from the University of New Hampshire in Durham.