Hardly a day goes by without news of cyberattackers breaching HVAC and other automation systems and causing major disruptions. Rather than rehashing the headlines, let’s zero in on the real issue: cybersecurity for OEMs who develop Internet of Things (IoT) devices for Building Management Systems (BMS).
First, let’s acknowledge the obvious: cyberthreats are, and will continue to become, more numerous and sophisticated. Second, it’s incumbent upon original equipment manufacturers (OEMs) to keep abreast of how these threats are evolving so they (and perhaps you) can continue to evolve IoT device cybersecurity strategies to thwart potentially crippling attacks.
Keep reading to learn more about what you can do to help ensure robust internet and cloud security for BMS automation systems in large commercial buildings, industrial facilities, entertainment complexes, and industrial plants.
Key Takeaways:
- Connected systems can be especially vulnerable to cyberattacks, with data theft being the most common impact.
- OEMs should consider holistically integrating cybersecurity measures into their product development and product update lifecycle.
- OEMs can help mitigate incidents by adopting cybersecurity best practices.
Cybersecurity by the Numbers
- 84% of critical incidents could have been mitigated with cybersecurity best practices
- 71% increase in cyberattacks using compromised credentials
- 32% of all cybersecurity incidents are data theft-related
- 30% increase in security misconfigurations
- 28% of all cyberattacks are manufacturing-related
Source: IBM® X-Force® Threat Intelligence Index 2024
Cybersecurity Challenges in Building Management
Modern building management systems (BMS) and the IoT equipment, sensors, and devices they control are high-tech and complex—and so are the cyberhackers that go after them. Hackers keep upping their game, continually looking for new ways into and around building equipment and systems and the cloud. Their goal? To steal and leak data, extort money, harvest credentials, ruin organizational reputations, and create general destruction.
Because IoT devices are essential in critical infrastructure in today’s connected world, and because these IoT devices collect, store, and share information with each other and the cloud, they’re highly vulnerable to cyberattack. As such, it’s imperative that IoT devices be designed with maximum security in mind as a means of helping prevent unauthorized access.
Here’s a high-level look at some of the most common ways hackers exploit IoT device vulnerabilities so they can infiltrate operational networks.
Improper Configuration
IoT devices that are not properly configured often feature default or weak usernames and passwords. In addition, improperly configured devices often have little to no data encryption. Yet, without strong authentication measures and encryption, attackers can more readily intercept communication, steal credentials, and mine sensitive data.
Outdated Software and Firmware
In systems that lack current software updates, firmware, and security patches, hackers can enter through open ports, execute code, and otherwise breach systems.
Weak Authentication and Controls
Insufficient access controls and authorization mechanisms essentially give hackers carte blanche to access connected devices and systems. As a result, hackers can spread malware, conduct malicious activity on a widespread scale, and launch DDoS (distributed denial-of-service) attacks.
Lack of Real-time Monitoring and Notifications
A slow response to monitoring and alerts can give hackers ample time to breach systems and inflict damage, including manipulating or extracting data, promoting false alarms, spreading malware, and establishing backdoor access for future attacks.
Cybersecurity Best Practices
Because smart equipment continuously reports device status and self-diagnostics for predictive maintenance to the BMS and the cloud, it’s essential to extend maximum cybersecurity measures and strengthen security all the way down to the OEM IoT equipment level.
Here are the cybersecurity practices we suggest to our clients—and the same security practices that we use for our FieldServer gateway solutions and MSA Grid platform.
Multi-layered approach with redundant layers of security.
- Authentication:
  - Unique password requirements/rules.
  - Industry-standard password complexity.
- Encryption:
  - Encrypted user credentials.
  - Encrypted connections for data in transit and encrypted storage (data at rest).
- Testing, Standards, and Certification:
  - Compliance/certification with the most widely recognized information security standard, ISO 27001.
  - Third-party penetration testing and independent review of security controls.
- Authorization:
  - Varying levels of authorization, access, and user roles.
  - Signed and user-signed SSL certificates.
- Network Security:
  - Hardening of IP interfaces on the gateway.
  - Isolating internal components from other system parts to control data flows.
- Backups:
  - Frequent, consistent backup procedures.
  - Encrypted backups.
  - Backup restoration testing.
- Access and Infrastructure:
  - Background-checked employees.
  - Monitoring access.
  - Enabling and logging manual access.
- Physical Security:
  - Leverage multiple data centers to distribute service.
  - Ensure physical security through AWS, one of the most flexible and secure cloud computing environments.
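As an added illustration of how several items on this list (unique and complex passwords, no default credentials, per-user roles, no cleartext services on IP interfaces, encryption at rest, and backup requirements) can be checked mechanically against a gateway's configuration. This is example code written for this article, not FieldServer's or MSA's own; the configuration format and the sample values are constructed and hypothetical.

```python
import re

SAMPLE_CONFIG = {  # constructed sample in a hypothetical format, not FieldServer's own
    "users": [
        {"name": "admin", "password": "admin", "role": "admin"},
        {"name": "ops", "password": "Bms-Gateway-2024!", "role": "operator"},
        {"name": "guest", "password": "Bms-Gateway-2024!", "role": None},
    ],
    "interfaces": [
        {"name": "eth0", "services": [{"protocol": "https", "port": 443},
                                      {"protocol": "telnet", "port": 23}]},
    ],
    "storage": {"encrypt_at_rest": False},
    "backup": {"enabled": True, "encrypted": True, "restore_tested": False},
}

DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root")}
CLEARTEXT_PROTOCOLS = {"http", "telnet", "ftp"}
VALID_ROLES = {"viewer", "operator", "admin"}

def password_is_complex(pw: str, min_len: int = 12) -> bool:
    """Common complexity rule: minimum length plus at least three character classes."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    return len(pw) >= min_len and sum(bool(re.search(c, pw)) for c in classes) >= 3

def audit_gateway(cfg: dict) -> list[str]:
    """Return one finding for each best-practice item the configuration violates."""
    findings, seen_passwords = [], set()
    for user in cfg["users"]:  # authentication and authorization items
        name, pw = user["name"], user["password"]
        if (name, pw) in DEFAULT_CREDENTIALS:
            findings.append(f"default credential in use: {name}")
        elif not password_is_complex(pw):
            findings.append(f"password for {name} fails complexity rules")
        if pw in seen_passwords:  # unique-password rule
            findings.append(f"password reused by {name}")
        seen_passwords.add(pw)
        if user.get("role") not in VALID_ROLES:
            findings.append(f"no authorization role assigned to {name}")
    for iface in cfg["interfaces"]:  # hardening of IP interfaces: no cleartext services
        for svc in iface["services"]:
            if svc["protocol"] in CLEARTEXT_PROTOCOLS:
                findings.append(f"cleartext {svc['protocol']} on {iface['name']}:{svc['port']}")
    if not cfg["storage"].get("encrypt_at_rest"):  # encryption of data at rest
        findings.append("data at rest is not encrypted")
    missing = [k for k in ("enabled", "encrypted", "restore_tested") if not cfg["backup"].get(k)]
    findings += [f"backup requirement not met: {k}" for k in missing]
    return findings
```

Running `audit_gateway(SAMPLE_CONFIG)` on the constructed sample reports six findings, one per violated item; a configuration that satisfies every check returns an empty list.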
Preventing BMS Security Breaches
Now that you’ve learned more about the challenges behind building management system security and some of the best practices for preventing attackers from disabling the automated systems that provide building security, fire safety, communications, lighting, HVAC, and equipment on the factory floor, you can empower yourself to better anticipate and thwart future threats. To learn more about how FieldServer can help, schedule a demo or talk to an MSA Sales Representative today.