This is the third in a series of posts on the topic of building management system (BMS) security. BMSs today are growing more intelligent all the time, with devices connected via the Internet shuttling valuable information back and forth. This very openness creates the potential for an unauthorized intruder to break into the BMS, and potentially into the larger corporate network.
So, it’s imperative that facilities managers take steps to protect the BMS from such intrusions. The first post on the topic discussed best practices for securing the network connections, or points of entry, to the BMS. The second post covered best practices around passwords, such as changing default passwords and using sufficiently complex passwords.
This post will discuss what may be a somewhat more sensitive topic: protecting the BMS against threats from within the organization.
While we’d all like to think that no employee would ever do anything harmful to the organization they work for, the fact is that a large share of security breaches come from within. The 2015 Data Breach Investigations Report from Verizon found that “insider misuse” accounted for 21% of all incidents, behind only “miscellaneous errors” (29%) and “crimeware” (25%).
Now, “misuse” doesn’t necessarily mean willful misconduct. Indeed, many breaches may be the result of honest mistakes on the part of employees, or perhaps users engaging in an “unapproved work-around to speed things up or make it easier for the end user,” as the Verizon Breach Report puts it.
But plenty of insider breaches are indeed willful. The top insider action, at 55%, involves privilege abuse, the report says, meaning users abusing the access rights the organization has given them.
In terms of best practices to combat such abuse, at the top of the list is to always follow the principle of least privilege. This key tenet of any sound cybersecurity strategy means only giving users rights to the resources they absolutely need to do their jobs.
In the case of BMSs, this shouldn’t be so difficult, as few employees likely require access to the system. The key is to ensure users who don’t routinely need to log in to the BMS aren’t somehow granted excessive access privileges, such as via “super user” privileges that allow access to pretty much everything. Following such a practice will dramatically limit the damage that the infamous “disgruntled employee” may be able to do.
The following password policy best practices are recommended:
- Auto-expire passwords: All non-administrator accounts should be configured so their passwords expire after a certain date or a certain number of days, forcing users to regularly reset their passwords (a best practice cited in a previous post). Accounts that are not accessed within a specified period of time should be disabled automatically, requiring the system administrator’s intervention to re-enable the account.
- Immediately disable accounts for employees who leave: An often overlooked but significant security risk is failing to disable accounts for employees who leave the company. This is especially important when employment is terminated, either temporarily or permanently. Best practices call for disabling such accounts before employees are notified of their termination. For employees who resign of their own accord, it’s important to evaluate the risk associated with allowing them continued device access until their departure date.
- Change accounts when employees change roles: Similarly, whenever an employee changes roles within the organization, it’s a best practice to review their authorizations and access rights to ensure they are appropriate to the new role, again following the principle of least privilege.
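The least-privilege and account-hygiene rules above are the kind of thing that is easy to state and easy to let drift, so a periodic audit against an exported user list is worth automating. The script below is an added example, not code from the original post or from Schneider Electric. The record layout (role, HR job function, employment status, last login, password-set date), the role and job-function names, and the 90-day password and 60-day inactivity thresholds are all assumptions; a real BMS exports its user list in its own format, and you would map that export onto the `Account` record and pick thresholds that match your own policy.

```python
"""Account-hygiene audit for a BMS user list (added example, assumed data layout)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed policy thresholds; the post gives no numbers, so set your own.
MAX_PASSWORD_AGE = timedelta(days=90)   # non-admin passwords expire after this
MAX_INACTIVITY = timedelta(days=60)     # idle accounts are disabled after this
ADMIN_ROLES = {"superuser", "bms_admin"}        # assumed role names
BMS_FUNCTIONS = {"facilities", "bms_it"}        # assumed HR functions that routinely need BMS access


@dataclass
class Account:
    username: str
    role: str               # e.g. "operator", "superuser", "bms_admin"
    job_function: str       # HR attribute, e.g. "facilities", "finance"
    employment_status: str  # "active", "terminated", "resigned"
    enabled: bool
    last_login: date
    password_set: date


def audit_accounts(accounts, today):
    """Return [(username, finding)] for every policy violation found.

    Checks, in order: departed employees still enabled, admin rights held by
    staff outside BMS operations (least privilege), expired non-admin
    passwords, and accounts idle past the inactivity limit.
    """
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled: nothing further to enforce
        if a.employment_status == "terminated":
            findings.append((a.username, "TERMINATED_STILL_ENABLED"))
        elif a.employment_status == "resigned":
            findings.append((a.username, "RESIGNED_REVIEW_ACCESS"))
        if a.role in ADMIN_ROLES and a.job_function not in BMS_FUNCTIONS:
            findings.append((a.username, "ADMIN_OUTSIDE_BMS_STAFF"))
        if a.role not in ADMIN_ROLES and today - a.password_set > MAX_PASSWORD_AGE:
            findings.append((a.username, "PASSWORD_EXPIRED"))
        if today - a.last_login > MAX_INACTIVITY:
            findings.append((a.username, "INACTIVE_DISABLE"))
    return findings


# Constructed sample export; none of these are real accounts.
SAMPLE_ACCOUNTS = [
    Account("jdoe", "operator", "facilities", "active", True, date(2015, 8, 28), date(2015, 7, 15)),
    Account("asmith", "superuser", "finance", "active", True, date(2015, 3, 1), date(2015, 1, 10)),
    Account("bjones", "operator", "facilities", "terminated", True, date(2015, 8, 30), date(2015, 4, 1)),
    Account("ckim", "bms_admin", "bms_it", "active", True, date(2015, 8, 31), date(2015, 2, 1)),
    Account("dlee", "operator", "facilities", "resigned", True, date(2015, 8, 31), date(2015, 8, 1)),
    Account("eold", "operator", "finance", "terminated", False, date(2015, 1, 5), date(2015, 1, 5)),
]
AUDIT_DATE = date(2015, 9, 1)


def sample_findings():
    """Run the audit over the constructed sample as of AUDIT_DATE."""
    return audit_accounts(SAMPLE_ACCOUNTS, AUDIT_DATE)


if __name__ == "__main__":
    for user, finding in sample_findings():
        print(f"{user}: {finding}")
```

On the sample data the audit flags `asmith` (a super-user in finance who has not logged in for six months), `bjones` (a terminated employee whose account is still enabled and whose password is overdue), and `dlee` (resigned, access to be reviewed until departure); `ckim` is an admin inside BMS operations and is not subject to the non-admin expiry rule, and `eold` is already disabled, so neither produces a finding.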
To learn more about how to protect your BMS against cyber threats, download the free Schneider Electric white paper, “Five Best Practices to Improve Building Management Systems (BMS) Cybersecurity.”
Gregory Strass, CISSP, CEH, is the Building Systems IT Cybersecurity Lead at Schneider Electric. He holds degrees in Electrical Engineering and Computer Science from the University of Illinois at Urbana-Champaign and has worked in the embedded field for over 35 years.