Dispelling the Myths of Building Automation Systems (BAS) and Internet Security

A Cloud-Based BAS is Inherently Secure. Here’s What You Can Do to Protect Your System from Cyber Attacks

Your building automation system (BAS) is a cost-effective investment tool that integrates your building’s critical systems with information technology to reduce energy usage, increase comfort, and, ultimately, operate the building more efficiently. But with more advanced technology come more challenges, particularly when it comes to cybersecurity.

Generally, a cloud-based BAS is designed and engineered with encryption and security features that can prevent breaches and security leaks. The trick is managing the system properly to avoid those very breaches and risks from happening. Security is almost always more closely related to internal checks and implementation than it is to the actual software. Said another way: A reliable system that’s hacked won’t do much good.

When it comes to locking down your building’s controls, there are plenty of myths associated with BAS security. At the end of the day, the safety of your system all comes down to the people using it.

Integration and Set-Up

The parallels between the evolutions of BAS technologies and the internet open up a lot of doors for improvements. Unfortunately, if your BAS is poorly integrated, you could leave yourself open to hackers, brute force attacks, and more.

Setting up the system correctly the first time (and working with a vendor that is well aware of best practices) is a must. By setting up appropriate credentials for key staff members, or putting the system behind a secure VPN with firewall rules, you mitigate the opportunities for those hackers. Using cutting-edge encrypted devices safeguards all of the traffic on your BAS network from prying eyes. 

Systems are Secure, People Aren’t

If there’s a recurring theme here, it’s this: Most cloud services are inherently encrypted and secure. The system doesn’t keep itself secure. You do. 

Once the service provider has installed the system, and even if they’re managing the technology properly, you still need internal protocols to control access to your various systems. From set-up onward, protect the system by monitoring the very people who use it and how they use it. 

Not every user should be granted broad access to every interface or every single section of the building. Implement common-sense protocols, like two-factor authentication. Establish a review process to ensure that old accounts are deleted from the system as soon as employees leave. That means setting permission levels and specific security protocols when you onboard or offboard new staff. Lock down IP addresses so external mobile devices can’t get past the firewall, etc. 

An experienced BAS vendor with a strong track record of working on both public and private infrastructure will further ensure that your staff—and not just IT—fully understands how they can impact your building’s security. 

Practice Good Password “Hygiene”  

One of the most important (but often overlooked) ways to keep your system secure is to change the default passwords to something more secure. Any IT professional should know that default passwords are (A) accessible to hackers and (B) the first path any hacker will take to breach your system’s internal security. 

When you’re setting up all of your cloud-based controls (including your BAS):

  • Go the extra mile to change default passwords
  • Provide credentials only for key staff
  • Never leave passwords exposed on the system
  • Never share credentials with anyone outside the company 
  • Don’t reuse old passwords
  • Use different passwords for different systems 
Keep Your Systems Up-To-Date

Cloud-based technology is increasingly popular because licensees are outsourcing two of the most costly and time-consuming elements: Hardware and updates. On-prem servers and the BAS that sits on them still require an internal specialist to do the updates. Eventually that server has to be replaced. Additionally, requiring internal users to complete an update (rather than logging into a cloud-based system that’s always current) is putting an outsized amount of control in the hands of those users. 

Cloud agreements work on a “pay as you go” model and can include support agreements so your system is always up-to-date and secure.

Use a System Designed for Security

When you deploy a system that’s designed to be secure from initiation onward, you’re lessening the likelihood that IT will receive panicked calls in the middle of the night about the building’s security alarm. 

Automatic Controls has been a licensed dealer of Automated Logic (ALC) software for over 30 years. By consistently communicating with users around the world, ALC is known for adopting new technology and responding to the latest cybersecurity threats. Collectively, our top priority is ensuring customers can learn and implement best-practice installation and maintenance in order to protect their BAS.

Automatic Controls puts safety first. With complete device visibility, our system passively and automatically establishes asset inventory with full-device fingerprinting, documents the network baseline of normal communications, and automatically assesses common vulnerabilities for BAS devices. We can work with your team to alert you of changes in behavior and automatically look for device behavior against threat indicators and protocol compliance standards, all while providing alerts in real time with interactive visualizations of threats and risks.

Automatic Controls can set up automatic monitoring of both IT and OT networks from a single screen, providing cross-functional, infrastructure-agnostic automation capabilities.

Ready to learn more? Need us to sit down and consult with your IT team about a support-level agreement, ongoing training, and system integration? Contact us today for a system demo.

Leave a Comment