Organizations may be just starting their journey, or further along. We offer these tips and suggestions for anyone starting on their journey.* 

• Smart Building Security should follow the same process patterns provided by US-CERT (Cyber Emergency Response Team), CIS (Center for Internet Security), NIST. The models all follow a Plan-Do-Check-Act process.

• Pick a national/international security standard and audit against it.
  (ISA/IEC 62443, ISO/IEC 27001, MITRE, ETSI EN 303 645, NIST CSF, FIPS 140, PCI DSS, UL 2900)
• • Refine your policy
  • Refine your standard operating procedures
  • Ensure you have a sustained annual budget
  • Define and communicate roles and responsibilities
• Have trained and competent security staff in-house, or on contract

• Define security metrics for continuous improvement

• Put cascading security expectations in Vendor contracts and audit against national/international recognized standards

• Harden field-based devices

• Ensure strong password management and that no default passwords are used

• Consider having passwords externally tested for security

• Identify a Cybersecurity Incident Response Team (CSIRT) and perform tabletop resilience exercises:

Identify – Protect – Detect – Respond – Recover

• Educate the workforce to be deputies in security. If they receive or see something unusual they should report it.  

• Rights and roles should use least privileges

• Keep systems current with security software updates

• Ensure a properly configured firewall protects the network

• Segregate corporate networks from BMS networks (IT vs OT separation)

• Restrict or deny the use of USB flash drives

• Encrypt data in transit and at rest within your systems

• Consider an "assumed breach" model – establish tiered access control, identify choke points, segment assets, and install detection capabilities

• Consider zero trust managed networks.

Click for: IT Security Best Practices for OT Systems

Building Operational Technology (OT), considered a subset of Internet of Things (IoT) technology, broadly refers to systems used to control and monitor critical physical processes within buildings. Unique aspects of OT systems and devices demand modified approaches to minimizing cyber security risk. This best practice list serves as a summarization of industry best practice by corporate, commercial, educational and governmental real estate professionals focused on the design, installation, commissioning, operations, and maintenance of next generation BuildingOperational Technology.

Click for: IT Security Assessment for OT Systems

This questionnaire views building Operational Technology through the lens of an IT security assessment. The modular nature of the questionnaire provides the ability to quickly identify questions for each a specific assessment phase.

Click for: Supply Chain Guidelines for OT Systems