Is your BMS protected from within? Why it should be (and 3 best practices that will help)

Fri, 2015-10-23 06:00 -- SCC Staff

As building management systems get smarter, in some respects they also become more vulnerable. And while much of the discussion around cybersecurity today is about threats from the outside world, experts at Council Lead Partner Schneider Electric say the reality is that many threats to an organization – be it a city, a utility or a corporation – may come from within.

In fact, in a post on Schneider's blog, Jon Williamson points to the 2015 Data Breach Investigations Report from Council Lead Partner Verizon, which found that “insider misuse” accounted for 21% of all attacks, behind only “miscellaneous errors” (29%) and “crimeware” (25%).

Honest mistake or willful attack
Williamson points out that insider misuse doesn't always mean willful behavior. It may result from an honest mistake an employee makes. But there are still plenty of internal breaches that are willful. According to the Verizon report, 55% of them stem from privilege abuse: employees abusing access rights their organization has given them.

Williamson says to combat that abuse, following the principle of least privilege is always smart. And he suggests that with building management systems, that shouldn't be difficult since few employees likely need access. The key is to be vigilant so "super user" privileges aren't accidentally assigned to the wrong people.

His post highlights three password policy best practices that can help protect your systems:

  • Auto-expire passwords
  • Immediately disable accounts for employees who leave
  • Change accounts when employees change roles

You can read more about these password best practices here. You can also read more about protecting your BMS from security threats in a free Schneider white paper. And the Council's recently updated Smart Cities Readiness Guide also offers a comprehensive look at cybersecurity best practices relevant to cities. Download the Guide (free one-time registration required).
