Organizations may be just starting their journey, or further along. We offer these tips and suggestions for anyone starting on their journey.* 

• Smart Building Security should follow the same process patterns provided by US-CERT (Cyber Emergency Response Team), CIS (Center for Internet Security), NIST. The models all follow a Plan-Do-Check-Act process.

• Pick a national/international security standard and audit against it.
  (ISA/IEC 62443, ISO/IEC 27001, MITRE, ETSI EN 303 645, NIST CSF, FIPS 140, PCI DSS, UL 2900)
• • Refine your policy
  • Refine your standard operating procedures
  • Ensure you have a sustained annual budget
  • Define and communicate roles and responsibilities
• Have trained and competent security staff in-house, or on contract

• Define security metrics for continuous improvement

• Put cascading security expectations in Vendor contracts and audit against national/international recognized standards

• Harden field-based devices

• Ensure strong password management and that no default passwords are used

• Consider having passwords externally tested for security

• Identify a Cybersecurity Incident Response Team (CSIRT) and perform tabletop resilience exercises:

Identify – Protect – Detect – Respond – Recover

• Educate the workforce to be deputies in security. If they receive or see something unusual they should report it.  

• Rights and roles should use least privileges

• Keep systems current with security software updates

• Ensure a properly configured firewall protects the network

• Segregate corporate networks from BMS networks (IT vs OT separation)

• Restrict or deny the use of USB flash drives

• Encrypt data in transit and at rest within your systems

• Consider an "assumed breach" model – establish tiered access control, identify choke points, segment assets, and install detection capabilities

• Consider zero trust managed networks.