The IoT Security Foundation and Institute of Workplace and Facilities Management offer guidance on securing Building Management Systems and Internet of Things systems
The impact of the COVID-19 Pandemic is being felt right across society, with the primary focus on saving lives and maintaining public health. The current emergency has necessitated new ways of working and changes such as:
- Homeworking, contractor shutdowns or furlough of staff may mean new, inexperienced or possibly unqualified staff are given access to systems, or log in remotely to Building Management Systems (BMS), for maintenance, updates or system changes.
- Changes in staffing arrangements and routines may mean patching of software is delayed or not completed.
- Reduction or changes in on-site physical security arrangements may allow unauthorised access to server rooms or ICT infrastructure.
These new ways of working and changes add risk and create opportunities for unauthorised exploitation or compromise of facilities and building management systems. Most buildings have a number of systems that are connected to the internet and are used to control a variety of functions. These range from IP-based CCTV and access control systems, through Building Management Systems controlling heating, ventilation, lighting etc., to fully fledged “Smart Buildings” with sophisticated and fully integrated systems.
Any system that is connected to the internet is potentially vulnerable to attack from criminals, hacktivists and, in some cases, foreign state-sponsored actors. Attacks on building systems may allow the attacker not only to take control of building systems, but also to use these systems to breach the corporate IT networks to which they may be connected.
The Institute of Workplace and Facilities Management (IWFM) have been working with the Internet of Things Security Foundation (IoTSF) to produce guidance on managing potential security risks associated with building management systems and other IoT building systems in the current emergency. This guidance and a range of other valuable resources can be found on the IoTSF website.
The following guidance checklist is aimed at Building Owners and Facilities Managers and is intended to assist in securing BMS/OT systems and IoT devices.
Checklist for BMS with remote or Corporate network access for operations or maintenance
- Assess the potential cyber security risks and agree, with the building stakeholders (Owners, Facilities Managers, IT /Cyber Security teams), a mitigation plan and process for continual review/action.
- Check/scan for unknown IoT devices that may be connected to your network/systems.
- Ensure that any IoT devices are secured behind a firewall/DMZ with appropriate network segmentation deployed.
- Change any factory default credentials and ensure passwords are unique per building, account and device. Enforce password policies (password history, minimum length and complexity). If you can use 2FA (such as an authentication app or SMS code), then do so.
- Rename default accounts, and disable any unused accounts.
- Check that system and device software/firmware is at the latest version specified by the system/device vendor. Any required updates should be conducted securely.
- If possible, offer authorised staff remote access to your BMS via a corporate network VPN, rather than allowing direct connections from the Internet.
- Ensure any staff or third-party contractors with access to the BMS who are working from home follow suitable security guidance, such as the UK National Cyber Security Centre (NCSC) guidance ‘Home working: preparing your organisation and staff’.
- Ask your IT/Cyber Security function to monitor attempts to access your BMS (both unsuccessful and successful) and agree how they can alert you to suspicious activity.
- Check that your systems/device suppliers have a Vulnerability Disclosure Policy and how security vulnerabilities will be reported to you if any are discovered.
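The checklist items on scanning for unknown devices, routing remote access through the corporate VPN and monitoring both failed and successful BMS logins can be turned into simple, repeatable checks. The following is an added example written for this page; it is not code from the IoTSF or IWFM. It assumes a hypothetical BMS front end that writes one `key=value` authentication line per attempt, a hypothetical corporate VPN address pool of 10.20.0.0/24, a failure threshold of five attempts, and a constructed asset list keyed by MAC address; the log lines and device table are constructed sample data.

```python
"""Added example: BMS access-log review and unknown-device check (not IoTSF/IWFM code)."""
import ipaddress
from collections import Counter
from datetime import datetime

# Constructed sample authentication log from a hypothetical BMS web front end.
# Format assumed here: "<ISO8601 timestamp> auth=<success|failure> user=<name> src=<ip>".
SAMPLE_AUTH_LOG = """\
2020-04-06T08:02:11Z auth=success user=fm_ops src=10.20.0.15
2020-04-06T08:05:43Z auth=failure user=admin src=203.0.113.44
2020-04-06T08:05:44Z auth=failure user=admin src=203.0.113.44
2020-04-06T08:05:46Z auth=failure user=admin src=203.0.113.44
2020-04-06T08:05:47Z auth=failure user=admin src=203.0.113.44
2020-04-06T08:05:49Z auth=failure user=admin src=203.0.113.44
2020-04-06T08:05:51Z auth=success user=admin src=203.0.113.44
2020-04-06T09:14:02Z auth=success user=contractor1 src=10.20.0.77
2020-04-06T10:30:00Z auth=failure user=fm_ops src=10.20.0.15
"""

# Assumption: authorised remote access arrives only via the corporate VPN pool.
VPN_POOL = ipaddress.ip_network("10.20.0.0/24")
# Assumption: this many failures from one source is worth an alert.
FAILURE_THRESHOLD = 5

# Constructed asset register (MAC -> description) and a constructed snapshot of
# devices observed on the BMS VLAN, e.g. from a switch MAC table or ARP cache.
KNOWN_ASSETS = {
    "00:1a:2b:00:00:01": "BMS controller",
    "00:1a:2b:00:00:02": "CCTV NVR",
}
OBSERVED_DEVICES = [
    ("00:1a:2b:00:00:01", "10.30.0.10"),
    ("00:1a:2b:00:00:02", "10.30.0.11"),
    ("f4:5c:89:aa:bb:cc", "10.30.0.99"),  # not in the register
]


def parse_auth_log(text):
    """Parse the assumed log format into a list of event dicts, in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, *fields = line.split()
        kv = dict(f.split("=", 1) for f in fields)
        events.append({
            "ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "result": kv["auth"],
            "user": kv["user"],
            "src": ipaddress.ip_address(kv["src"]),
        })
    return events


def find_suspicious(events):
    """Return (kind, detail, source) alerts for three patterns the checklist cares about:
    successful logins from outside the VPN pool, a success that follows a run of
    failures from the same source, and any source exceeding the failure threshold."""
    alerts = []
    failures = Counter()
    for e in events:
        if e["result"] == "failure":
            failures[e["src"]] += 1
            continue
        if e["src"] not in VPN_POOL:
            alerts.append(("login_outside_vpn", e["user"], str(e["src"])))
        if failures[e["src"]] >= FAILURE_THRESHOLD:
            alerts.append(("success_after_failures", e["user"], str(e["src"])))
    for src, count in failures.items():
        if count >= FAILURE_THRESHOLD:
            alerts.append(("repeated_failures", count, str(src)))
    return alerts


def unknown_devices(observed, known):
    """Return observed (mac, ip) pairs whose MAC is absent from the asset register."""
    return [(mac, ip) for mac, ip in observed if mac not in known]


if __name__ == "__main__":
    for alert in find_suspicious(parse_auth_log(SAMPLE_AUTH_LOG)):
        print("ALERT", *alert)
    for mac, ip in unknown_devices(OBSERVED_DEVICES, KNOWN_ASSETS):
        print("UNKNOWN DEVICE", mac, ip)
```

On the sample data the script raises three alerts for the 203.0.113.44 source (a login from outside the VPN pool, a success immediately after five failures, and the five failures themselves) and flags one unregistered MAC. In practice the log format, VPN range and threshold come from your own BMS vendor documentation and network design, and the alerts would be handed to the IT/Cyber Security function that the checklist asks you to engage.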
As we emerge from this crisis, we will find ourselves in a different world. The habits we develop now will provide a secure foundation for the digital world of the future.
It does not have to be expensive to improve IoT security; the IoTSF has free guides and checklists, which are easy to use and include:
- Whitepaper: Can You Trust Your Smart Building?
- Secure Design Best Practice Guides
- IoT Security Compliance Framework
- Vulnerability Disclosure Best Practice Guide
- Regulation Ready Reports
The Institute of Workplace and Facilities Management (IWFM) is pleased to have worked with the IoTSF to produce this guidance which will assist the FM community in tackling some of the security challenges associated with the current COVID-19 emergency. Additional resources are available on the IWFM COVID-19 Hub here: Coronavirus (COVID-19) Resources