The Need for Holistic BAS Cybersecurity

by James Lee April 04, 2019


As the building controls industry works to install more and more sophisticated smart building technologies, many of which involve working with IT systems, cybersecurity remains a large and persistent concern. There are many questions about how we are going to deal with this challenge; I have some thoughts on a few such questions.

The first and most important point for all players in the industry is that cybersecurity is everyone’s business, not just the experts’. Yes, cybersecurity is a complex subject, but we are not all going to nerd out on the intricacies of ciphers, zero-day threats, certificates and so on. What every single professional must demand is that our devices, systems, and buildings are secure from cyber threats. Every proposal, project meeting and company planning session going forward must discuss how cybersecurity is being addressed in that instance.

This leads to my second point: Our collective success is based on our weakest link. Our industry is inherently collaborative. We seldom work alone on a project, and partnering is our modus operandi. This means not only does each player need to deal with cybersecurity in their work, but it is the task of everyone to ensure others in the value chain deliver solutions that are secure.

NIST Cybersecurity Framework

The two points mentioned above are broad and complex, but our industry is not unique in this respect. A useful tool many other industries use to chart their process of bringing cybersecurity to the forefront is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, a comprehensive set of standards, guidelines and best practices created through a collaborative process by the U.S. government agency responsible for cybersecurity matters. At Cimetrics, we use the NIST Framework to map out the products and solutions we develop and market to the industry. We see this as a holistic way to look at cybersecurity.

At AHR Expo in Atlanta this January, my company Cimetrics launched Secured by Cimetrics, a platform to provide a wide range of cybersecurity-focused technologies, products, best practices, and professional services that address these challenges. As a technology vendor in the industry since 1989, we feel we have a responsibility to help our industry be much more secure in this new phase of building controls and automation.

Secured by Cimetrics will help in the following areas:

Devices

Devices are the core of building automation, and these days they are typically BACnet. We are honored that over 60% of global BAS vendors have chosen to use our BACnet stack in their devices. While the upcoming BACnet/SC (Secure Connect) is a very important development regarding securing BACnet devices, it does not tick all the boxes to make devices fully secure. Devices branded as Secured by Cimetrics build upon BACnet/SC by implementing additional features and technologies to make them as secure as possible while abiding by the guidance of the NIST Framework.

Networks

Building automation systems are made up of networks of devices, which by today’s standards means they are mostly IP-based and thus the most vulnerable attack surfaces for cyber breaches. Because we have been a vendor of network routers and gateways for more than two decades, it makes sense for us to incorporate Secured by Cimetrics technologies and best practices into such devices. Going forward, the industry should look to network routers and gateways branded as Secured by Cimetrics to reduce the risk of attacks on their networks.

Keys and Credentials

A critical component of secured systems is the array of security keys and credentials used to identify legitimate devices and people; these are more often referred to as security certificates. These certificates are a core component of the upcoming BACnet/SC standard. In complex building systems, the management of these certificates produces specific challenges that we aim to address as part of the Secured by Cimetrics platform.

Buildings and Facilities

At the end of the day, building automation systems enable buildings and facilities to deliver on the needs of their owners and occupiers. As such, there is no challenge more important than ensuring facilities do not suffer any negative consequences of a cybersecurity breach. Addressing this challenge involves best practices and business processes related to monitoring, responding to, and recovering systems prior to and following attacks. This is an area where Secured by Cimetrics will add significant value to new or existing cybersecurity strategies by further reducing the risk of attack.

People and Organizations

A holistic approach to cybersecurity is not complete unless we consider the potentially weakest link in the chain: the people and organizations who design, engineer, operate and maintain building systems. The Secured by Cimetrics platform addresses this by providing training, certification and professional services to help industry professionals and companies do all that is possible to secure the systems in which they are involved.

Securing Buildings

Since our founding in 1989, Cimetrics has focused on developing key technologies to enable the BAS industry to grow. We were one of the first to work on BACnet, and our BACnet stack is used by over 60% of BAS companies globally. For 30 years, we have garnered broad industry recognition, support, and trust for producing robust and innovative technologies.

Cybersecurity is not an easy problem to solve. We feel strongly that our approach of covering all the bases is the only way to go forward. We also feel strongly that this is not a fight we can take on alone; it takes a village to position the BAS industry as one that takes security seriously and has the posture necessary in today’s hyper-connected world.

We invite you to work with us to create an active cybersecurity community, one that can drive the BAS industry forward to attain the responsible security posture demanded by building owners, enterprises, IT organizations, and occupants.

Secured by Cimetrics

Join us today at SecuredByCimetrics.com



