As building management systems grow more intelligent and increasingly connect to the Internet to share data, they can also be the target of cybersecurity threats. In this fourth and final installment on BMS security, we cover a topic that may seem more appropriate for IT groups than facilities managers: ensuring software security and vulnerability management.
Indeed these are both disciplines that IT groups have been practicing for years. But, as with the topics of the three previous posts – network security, password management and threats from within – they are now very real threats to any intelligent BMS as well.
Software management for proper security
IT groups typically follow a list of best practices to ensure the security of the software that runs on their systems. Now that BMSs are heavily software-reliant, many of the same issues apply.
First up is to stay on top of software security patches. All software has bugs in it that, if exploited, can enable intruders to break in to the system. Eventually, many of these bugs are found and vendors come out with fixes, or patches. The easiest target for an intruder is a system with a known bug that has not been patched, so a best practice is to have a plan to ensure that all vulnerabilities get patched – which we’ll discuss more in a minute.
Another is to ensure only authorized employees can deploy software. Installing software often requires running a system in administrator mode. If you open this up to users who are not administrators, you run the risk of them inadvertently (or maybe on purpose) creating a vulnerability (see principle of lease privilege from the last post).
Similarly, another best practice is to install only known, authorized software. A common cyber attack tactic is to distribute doctored software deployment packages that compromise a device’s integrity. Vendors use various methods to verify the integrity of their software packages, including verification codes and cyber certificates. The key is to be familiar with the verification system for any components of your BMS and implement procedures to ensure they are followed.
Best practices for BMS vulnerability management
Vulnerability management is a process through which you determine the severity level and risk associated with each known software vulnerability. Such a process helps you determine which vulnerabilities need to be addressed immediately vs. those that can wait a bit.
The idea is to assign each known vulnerability a qualitative rating, such as “Critical,” “High,” “Medium,” and “Low,” or a numeric system ranging from 1 to 10. Generally speaking, vulnerabilities rated Critical (9-10) and High (7-8) need to be addressed as soon as possible. Less severe vulnerabilities can usually be addressed during regular maintenance.
When assigning a rating, consider issues such as the potential impact of an exploit to the vulnerability, any risks associated with the update process and any factors that will affect the ability to access or update the device.
To learn more about how to protect your BMS against cyber threats, download the free Schneider Electric white paper, “Five Best Practices to Improve Building Management Systems (BMS) Cybersecurity.”
Gregory Strass, CISSP, CEH, is the Building Systems IT Cybersecurity Lead at Schneider Electric. He holds degrees in Electrical Engineering and Computer Science from the University of Illinois in Urbana. Additionally he holds CISSP and CEH certifications. He has worked in the embedded field for over 35 years.