BMS Security: 3 Tips for OEMs to Better Protect Their Devices for Local and Remote Connections
Connected Building Management Systems (BMS) definitely make a difference in terms of increasing operational performance, reducing energy and maintenance costs, and improving building health and safety. None of this could happen if it weren’t for Original Equipment Manufacturers (OEMs) like you who supply building owners and facilities managers with IIoT and Cloud-enabled devices that, together with IIoT gateways and/or the Cloud, help the BMS run more cost effectively and efficiently.
But do you ever feel like it’s nearly impossible to stay on top of emerging technology trends while also trying to introduce device updates and new products? Do you find yourself unable to keep up with device-related security concerns?
As an OEM that works hard at creating value-added products and services for your customers, no doubt it can be frustrating to have new, more sophisticated cybersecurity challenges continually thrown at you. So, it’s important to know what the current industry standards and best practices are—and to adhere to them.
The truth is that the onus is on OEMs to keep up with device security concerns. Spoiler alert: If you only focus on optimizing equipment without also focusing on the cybersecurity of your devices, you’re putting your customers at risk for cyberattacks through their BMS and SCADA.
The good news is that you can do something about it. Here are 3 tips to help you ensure that your smart, connected, and Cloud-enabled OEM devices and products are more secure against cyberattacks.
1. Prioritize Security
Connected and Cloud-enabled commercial and industrial equipment has become essential to seamless and automated operations. Couple that with the fact that cyber threats are growing in frequency and sophistication, and you have a recipe for a security disaster. OEM devices are not immune to attack. Quite the opposite, in fact.
Just do an online search of “BMS cyberattacks” and you’ll find headline after headline detailing the disastrous tales of cyberattacks that have happened to some of the most well-known organizations around the world; and all because hackers got in through an HVAC or other building management system.
The best time to think about the security posture of everything from boilers to elevators to fire alarm panels is at the start of a new product design or update. That way, security can be baked into the device from the very beginning and carried all the way through to the end-user application, employing the latest industry standards and best practices. Remember, you cannot adequately protect against hackers if you’re merely adding a one-off security layer on top of a product or solution after it’s been developed and released. It’s simply not enough.
2. Team Up With Security-Minded Partners
Chances are, if you are a small- to medium-sized OEM, you do not have a team of IT professionals to help make your devices smarter, connected, and Cloud-enabled. In fact, with rising costs and pandemic-fueled supply chain shortages, it seems that OEMs of every size are operating with lean budgets and reduced staffing.
But that doesn’t negate the need for security expertise, including keeping up with IIoT cybersecurity standards and best practices. Of course, that doesn’t have to mean hiring an in-house team. On the contrary, that’s where the right security-focused technology solution providers and industry partners can help. The key is to pick a partner that is doing the heavy lifting by building their solutions from the ground up using best-practice security measures, including adhering to standards, and engaging in robust penetration testing.
3. Verify Your Partner’s Security Measures, Too
Like it or not, as the OEM you are responsible for making sure that any provider or partner solution you integrate into your devices (including Cloud and building automation gateways) is designed to be secure. You can’t tell by looking, and you certainly shouldn’t believe the sales hype. Instead, do your due diligence. How? By asking for proof of industry certifications and third-party security testing. If your provider or partner is taking security seriously, you can bet they’ve submitted their products and solutions to third-party companies for rigorous security testing.
Here at MSA we are adamant about putting our FieldServer™ gateway and Cloud-based solutions to the test. MSA routinely conducts penetration testing on our IIoT gateways and Cloud solutions.
We challenge our third-party testers to relentlessly hack, crack, and compromise our devices in an attempt to disprove that they are secure against cyberattack. If they find a vulnerability—and sometimes, they do—you can be sure that we take appropriate measures to secure our solutions.
Not only does our third-party partner test annually, but they also do monthly security runs based on the latest trends in hacking and security. Whether you’re using a FieldServer solution or something else, be sure that your partner has a partner that tirelessly tests and retests for cyberattack vulnerability.
Can Security Breaches Still Happen?
There is no such thing as a 100% fail-safe product. Regardless of how much security is built into a product or how much it is rigorously tested for vulnerabilities, hacks still happen. That’s because malicious attackers are continually finding new ways to penetrate organizations.