Within buildings, specialized computers monitor and control building operations such as air conditioning, electrical power, electronic card reading, elevators, fire alarms, fire suppression, heating, lighting, ventilation, and video surveillance. While well understood protocols exist for monitoring and protecting desktop and laptop computers and data centers, the cybersecurity of such Building Management Systems (BMS) is often ignored.
How much of a risk does a hands-off approach to BMS cybersecurity present to building owners and business tenants? Consider the following:
- From fiscal year 2011 to fiscal year 2014, the number of cyber incidents involving industrial control systems, including building and access control systems, rose from 140 incidents to 243 incidents, a 74% jump.
- The sources of threats are not only invisible hackers that are patrolling the internet in search of soft targets. The category of people threats can include both internal employees and outsiders.
- The weakest links in any BMS are the people who administer and use the systems. Their actions, either intentional or unintentional, can increase the security risk to systems.
- Cyberattacks already are costing companies worldwide an estimated $300-400 billion each year and that number is projected to increase sharply.
Approaches to dealing with these threats can vary. Listed below are some common strategies:
- Deployment of programs to train employees, contractors and business partners, about the variety of common threats (such as the various methods of social engineering) so that threats can be identified early on.
- Engagement of security teams to perform threat modeling in order to anticipate the various series of events that could lead to a security breach. In the case of BMS, threat modeling would include identification of accessible entry points, and a clear definition of contractor and user access rights.
- Establishment of a formal framework for managing cybersecurity threats through the assembly of standards, guidelines, and practices that have proven to work effectively.
To learn more about how BMS systems can be protected from cybersecurity threats, download the Schneider Electric white paper, Defending Against Cyber Threats to Building Management Systems