The IoT Security Foundation (IoTSF) and Institute of Workplace and Facilities Management (IWFM) have issued guidance on securing Building Management Systems and Internet of Things systems during the Coronavirus crisis.
The impact of the Covid-19 pandemic is being felt right across society, with the primary focus being that of saving lives and maintaining public health. The current emergency has necessitated new ways of working and changes such as:
- Homeworking, contractor shutdowns or the furlough of staff may mean that new, inexperienced or possibly unqualified staff are given access to systems, including remote logins to Building Management Systems (BMS) for maintenance, updates or system changes.
- Changes in staffing arrangements and routines may mean patching of software is delayed or not completed.
- Reduction or changes in on-site physical security arrangements may allow unauthorised access to server rooms or ICT infrastructure.
These new ways of working and changes add risk and create opportunities for unauthorised exploitation or compromise of facilities and building management systems. Most buildings have a number of systems which are connected to the internet and are used to control a variety of functions. These range from IP-based CCTV and access control systems, through Building Management Systems controlling heating, ventilation, lighting etc., to fully fledged “Smart Buildings” with sophisticated and fully integrated systems.
Any system which is connected to the internet is potentially vulnerable to attack from criminals, hacktivists and, in some cases, foreign state-sponsored actors. Attacks on building systems may allow the attacker not only to take control of building systems, but also to use these systems to breach corporate IT networks to which they may be connected. The IWFM has been working with the IoTSF to produce guidance on managing the potential security risks associated with building management systems and other IoT building systems in the current emergency.
The following guidance checklist is aimed at building owners and facilities managers and is intended to assist in securing BMS/OT systems and IoT devices.
For BMS with remote or Corporate network access for operations or maintenance
- Assess the potential cyber security risks and agree, with the building stakeholders (owners, facilities managers, IT /cyber security teams), a mitigation plan and process for continual review/action.
- Check/scan for unknown IoT devices that may be connected to your network/systems.
- Ensure that any IoT devices are secured behind a firewall/DMZ with appropriate network segmentation deployed.
- Change any factory default credentials and ensure passwords are unique per building/account/device. Enforce password policies (password history, minimum characters & complexity). If you can use 2FA (such as an authentication app or SMS code) then do so.
- Rename default accounts and disable any unused accounts.
- Check that the systems and devices software/firmware are at the latest version as specified by the system/device vendor. Any required updates should be conducted securely.
- If possible, offer authorised staff remote access to your BMS via a corporate network VPN, rather than allowing direct connections from the Internet.
- Ensure any staff or third-party contractors with access to the BMS who are working from home follow suitable security guidance such as the UK’s National Cyber Security Centre (NCSC) issued ‘Home working: preparing your organisation and staff’.
- Ask your IT/Cyber Security function to monitor attempts to access your BMS system (both unsuccessful and successful) and agree how they can alert you to suspicious activity.
- Check that your system/device suppliers have a Vulnerability Disclosure Policy, and find out how security vulnerabilities will be reported to you if any are discovered.
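As an added illustration of the monitoring item above (this is example code, not part of the IoTSF/IWFM guidance), the following Python reviews constructed BMS remote-access log lines and flags repeated failures, a success that follows them, use of an assumed default account name, and logins that did not arrive via an assumed corporate VPN range; the log format, account names, addresses and threshold are all assumptions.

```python
"""Added example (not from the IoTSF/IWFM guidance): review constructed BMS
remote-access log lines for the activity the checklist asks IT to alert on."""
import re
from collections import defaultdict

# Constructed sample events: timestamp, result, account, source address.
SAMPLE_LOG = """\
2020-04-06T08:01:10 FAIL account=admin src=198.51.100.7
2020-04-06T08:01:12 FAIL account=admin src=198.51.100.7
2020-04-06T08:01:15 FAIL account=admin src=198.51.100.7
2020-04-06T08:01:18 FAIL account=admin src=198.51.100.7
2020-04-06T08:01:21 FAIL account=admin src=198.51.100.7
2020-04-06T08:01:40 OK account=admin src=198.51.100.7
2020-04-06T09:15:02 OK account=fm.jones src=10.8.0.23
2020-04-06T09:20:44 FAIL account=fm.jones src=10.8.0.23
2020-04-06T09:20:51 OK account=fm.jones src=10.8.0.23
2020-04-06T23:55:00 OK account=contractor_hvac src=203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) account=(\S+) src=(\S+)$")
DEFAULT_ACCOUNTS = {"admin", "root", "operator"}  # assumed vendor defaults
VPN_PREFIX = "10.8.0."                            # assumed corporate VPN range
FAIL_THRESHOLD = 5                                # assumed alerting threshold


def parse(log_text):
    """Return (timestamp, result, account, src) tuples; skip unparsable lines."""
    return [m.groups() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def review(events):
    """Return sorted (account, reason) alerts for the checklist's concerns."""
    alerts = set()
    fails = defaultdict(int)          # consecutive failures per (account, src)
    for _ts, result, account, src in events:
        key = (account, src)
        if result == "FAIL":
            fails[key] += 1
            if fails[key] == FAIL_THRESHOLD:
                alerts.add((account, "repeated failures from " + src))
            continue
        # A successful login: check it against the checklist items.
        if fails[key] >= FAIL_THRESHOLD:
            alerts.add((account, "success after repeated failures from " + src))
        if account in DEFAULT_ACCOUNTS:
            alerts.add((account, "default account still in use"))
        if not src.startswith(VPN_PREFIX):
            alerts.add((account, "login not via corporate VPN from " + src))
        fails[key] = 0
    return sorted(alerts)
```

Running `review(parse(SAMPLE_LOG))` on the constructed sample yields five alerts, all for the default account and the non-VPN contractor login; the ordinary VPN user's single mistyped password produces none.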