We’ve gotta hand it to cybercriminals. They’re masterful at finding operational vulnerabilities. They’re genius at exploiting network weaknesses. And they’ve proved that even a seemingly innocuous building automation system (BAS) device, such as a meter or thermostat, can provide an ideal entry point for chaos and destruction.
Here at MSA, we’ve been diligently tending to the other side of the security equation. We’ve been rigorously assessing and penetration testing our FieldServer and cloud products. And we’ve been relentless in strengthening the security of our Industrial Internet of Things (IIoT) solutions for autonomous systems for a wide range of sectors, including industrial automation, energy metering, and life and safety.
How real of a threat are hackers to IIoT-enabled autonomous systems?
Very. Billions of dollars are lost each year as a direct result of ransomware, malware, and other attacks that compromise weak routers and internet interfaces. Further, the growth of IIoT has led to a dramatic rise in cyberattacks on industrial organizations and their networks. According to global IT firm Accenture, targeted cyberattacks across all industries doubled in a single year.1 Worse, almost half of industrial equipment executives admitted to needing to improve their network security.1
Is that why MSA FieldServer upped its IIoT security game?
Thousands of system integrators around the world rely on FieldServer to ensure the safety and comfort of their occupants. Our suite of automation gateway products is continuously at work both on site and in the cloud at 100,000+ global locations. In addition to enabling operational automation, we’re literally helping building owners and facility managers protect millions of people. The only way to ensure such a high level of asset protection (including infrastructure and people) every day of every year is to be both progressive and proactive about security. And so we are.
What have you done to ensure that FieldServer is as secure as you say it is?
We regularly commission third-party penetration testing on FieldServer solutions. Third-party penetration testing involves a series of automated and manual vulnerability assessments and analysis. The goal of this testing is to uncover technical or procedural weaknesses and identify vulnerabilities and issues that might affect FieldServer security. If a vulnerability is found, we work to mitigate it. Then we have the device, product, or solution retested to ensure proper remediation. We’re proud to say that we require annual third-party vulnerability testing on all our applications, infrastructure, and APIs – and we have third-party attestation letters confirming that our devices, associated firmware, and cloud solution are secure.
Why don’t you subscribe to a particular standard?
Actually, we don’t subscribe to any single standard. Because cybersecurity is so fast-growing and fast-moving, we believe it’s imperative to keep up with, and implement, ever-changing best practice standards and frameworks. Also, we ensure that FieldServer solutions meet the ISO/IEC 27001 standard.2 ISO/IEC 27001 is a widely known and internationally accepted standard and is used by us and others to help keep information assets, including device data, secure.
What’s the single most important thing we as system integrators and facility managers need to know about security?
Make no mistake about it: If you’re connecting to a corporate network, especially an Ethernet network or the internet, you’re inherently at risk. So, the most important thing is to find out if your automation systems, including gateways and devices, are, indeed, secure. Because we encourage our customers to look at all the security-related elements of their system, we put together a DIY security checkup that you can use, too.
Next Steps
We encourage you to thoroughly examine your security and risk mitigation practices, policies, and products. Then, talk to us about how FieldServer can help preserve the integrity, confidentiality, and availability of your systems and device data.