
10 tips on how to secure your building management system

Connected building automation systems create new opportunities, from basic monitoring and configuration to new services built on the functionality and the large volumes of data these systems typically hold. In recent years, attacks on connected systems have become both more common and more sophisticated.

Perpetrators use both automated tools and manual tools tailored for the task to find and attack connected devices. Motives vary, from plain curiosity or bragging rights to extortion attacks or sabotage.

Some of the most common underlying causes of a successful attack are the use of default or weak passwords, devices being directly reachable from the Internet, and devices not being updated.

Irrespective of the motives and causes of an attack, the potential consequences are the same: the functionality of devices can be impaired or they can stop working completely, data can be lost or fall into the wrong hands, and a less important device can be used as a way into other devices or as a springboard for further attacks.

Hence, IT security should be a natural part of every installation of a property automation system. However, don’t forget the systems that have already been installed: these should be assessed too, so that their security can be raised as well.

A number of security measures that your organisation can introduce are briefly discussed below. They can raise the security of both the installation and the use of the building’s automation system, such as Swegon’s system for controlling the indoor climate and ventilation.

1. Change standard passwords and use hard-to-guess password phrases

Where standard (default) user accounts are used to log in to a connected device, their passwords should be changed to hard-to-guess ones at the time of commissioning. The strength of a password isn’t determined solely by its complexity (i.e. the use of many different special characters). Two other significant factors are how difficult it is to guess and, not least, its length. A good starting point for creating long, strong passwords is to think ‘password phrase’ instead of ‘password’ – preferably 10 characters or more. For example, a phrase or a sentence consisting of several words, such as ‘fingerscrewtraineryoga’, is much stronger than a traditional password such as ‘bn^T65#_’ and, besides, is probably easier to remember.
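The comparison above can be put in numbers. The following script is an added example (not code from the article or from Swegon): it estimates the size of the search space an attacker must cover for the article’s two example passwords, both under a character-by-character brute-force model and under the more realistic model in which a passphrase is attacked one dictionary word at a time. The guess rate of 10^10 per second and the 50,000-word dictionary are assumptions chosen for illustration.

```python
import math
import string

# Character classes an exhaustive search has to cover (sizes 26, 26, 10, 32).
CLASSES = (
    set(string.ascii_lowercase),
    set(string.ascii_uppercase),
    set(string.digits),
    set(string.punctuation),
)


def charset_size(password: str) -> int:
    """Size of the smallest alphabet that covers every character in the password."""
    size = sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))
    # Anything outside the four classes (space, non-ASCII letters) adds one symbol each.
    size += len({ch for ch in password if not any(ch in cls for cls in CLASSES)})
    return size


def brute_force_bits(password: str) -> float:
    """log2 of the candidates an attacker must try when guessing character by character."""
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def wordlist_bits(word_count: int, list_size: int) -> float:
    """log2 of the candidates when whole words are guessed from a list of list_size words.

    This is the realistic model for a passphrase built from common words, and a
    passphrase should be rated by the weaker of the two models.
    """
    return word_count * math.log2(list_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given (assumed) guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    RATE = 1e10  # assumption: guesses per second for an offline attack on a stolen hash
    traditional = "bn^T65#_"               # the article's complex 8-character example
    passphrase = "fingerscrewtraineryoga"  # the article's four-word example
    print(f"{traditional}: {brute_force_bits(traditional):.1f} bits, "
          f"{seconds_to_exhaust(brute_force_bits(traditional), RATE) / 86400:.1f} days")
    print(f"{passphrase} (character by character): {brute_force_bits(passphrase):.1f} bits")
    print(f"{passphrase} (4 words from a 50,000-word list): {wordlist_bits(4, 50_000):.1f} bits, "
          f"{seconds_to_exhaust(wordlist_bits(4, 50_000), RATE) / (365 * 86400):.1f} years")
```

With these assumptions the 8-character password works out to roughly 52 bits, which is exhausted in about a week at the assumed rate, while the four-word passphrase is about 62 bits even when the attacker knows it is built from common words (about 20 years at the same rate) and over 100 bits if it has to be guessed character by character. The actual time also depends on how the device stores the password hash, which the article does not cover.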

2. Create unique and personal user accounts

Swegon advises against permitting shared accounts. Each user should instead be assigned a unique, personal user account and be prompted to change the password when logging in for the first time. This not only reduces the risk of a password falling into the wrong hands but also makes it possible, in selected products, to trace which individuals made changes and when.

3. Follow the principle of least privilege for users

Each user’s access rights should follow the principle of least privilege. That is to say, a user is not granted higher privileges than necessary in order to carry out their work. Usually the lowest access level is sufficient for monitoring or reading data in Swegon’s devices.

4. Make sure software updates are installed

Swegon recommends that the latest version of the system software for the device in question is used. Updating may give a device additional functions, improved usability and better security.

Some devices can be updated automatically or manually via features in the administrative interface while others need to be updated with the help of a memory card. Contact Swegon’s service office or helpdesk if you require help.

5. Physical security

Swegon recommends that devices are positioned so that unauthorised access is minimised, for example, through placement in lockable fan rooms, computer or server cabinets. Data and power cables should also be protected and kept separate to reduce the risk of interference.

6. Enable and use encryption

Many of Swegon’s devices support SSL/TLS encryption for web and e-mail communications. In order to protect network communications from unauthorised access, Swegon recommends that these functions are enabled and that all users are requested to connect via HTTPS instead of the unencrypted HTTP equivalent.

7. Disable services that are not used and limit access with firewall rules

Swegon’s devices have several communication channels, services and protocols with different application areas. Swegon recommends that unused services are disabled and that access to enabled services is restricted with the help of firewall rules. For maximum protection, Swegon’s devices should be placed inside the organisation’s own firewall.

8. Create a separate network for control equipment

Control equipment should communicate on a separate network, isolated from the office network, guest network or the like, in order to reduce the risk of operational disturbances or inappropriate exposure of information. This can be achieved, for example, by creating a dedicated network for control equipment, through the firewall configuration, or by creating a separate physical or wireless network.

9. Avoid exposing control equipment to the Internet

Making a device publicly accessible via the Internet means that anyone with an Internet connection can reach the device’s functions, which entails an increased risk of attack and intrusion attempts. Swegon therefore advises against control equipment being exposed publicly to the Internet. If access via the Internet is necessary, this should occur via a VPN, or access should be restricted to an explicitly specified list of source addresses in the firewall’s configuration.

10. Create a backup after commissioning

Swegon recommends that a backup of information and configuration settings is made once a device has been put into service to reduce the risk of data loss and to increase operating reliability. This makes it quicker to restore functionality should a device need to be replaced or reinstalled.

Do you want to read more about Swegon’s security recommendations for connected control equipment? See the Security recommendations for COMPACT, GOLD, SuperWISE I and II.