Organizations may be just starting their journey, or further along. We offer these tips and suggestions for anyone starting on their journey.*

Smart building security should follow the same process patterns provided by US-CERT (United States Computer Emergency Readiness Team), CIS (Center for Internet Security) and NIST. The models all follow a Plan-Do-Check-Act process.

Identify – Protect – Detect – Respond – Recover

- Define security metrics for continuous improvement
- Put cascading security expectations in vendor contracts and audit against nationally or internationally recognized standards
- Harden field-based devices
- Ensure strong password management and that no default passwords are used
- Consider having passwords externally tested for security
- Educate the workforce to be deputies in security: if they receive or see something unusual, they should report it
- Keep systems current with security software updates
- Ensure a properly configured firewall protects the network
- Segregate corporate networks from BMS (building management system) networks (IT vs OT separation)
- Restrict or deny the use of USB flash drives
- Consider an "assumed breach" model: establish tiered access control, identify choke points, segment assets, and install detection capabilities

* RECC makes no warranties on these recommendations.
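Several of the bullets above (default passwords, patch currency, IT/OT segregation through choke points, and security metrics for continuous improvement) can be turned into a repeatable audit. The script below is an added example written for this page, not RECC's own tooling; the device inventory, firewall rules, default-credential list and firmware baselines are all constructed sample data, and the field names are assumptions.

```python
"""Audit a constructed smart-building inventory against a few of the
hardening points listed on the page and report a compliance metric.
Example code added for illustration; all data below is constructed."""
from dataclasses import dataclass

# Constructed list of factory-default credentials a site would maintain
# from its own vendor documentation (hypothetical values).
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "1234"), ("root", "root")}

# Constructed vendor firmware baselines, keyed by model (hypothetical values).
CURRENT_FIRMWARE = {"controller-x": "3.2", "thermostat-y": "1.9"}

MIN_PASSWORD_LENGTH = 12  # site policy value, an assumption


@dataclass
class Device:
    name: str
    model: str
    zone: str        # "OT" for the BMS network, "IT" for corporate
    username: str
    password: str
    firmware: str


@dataclass
class FirewallRule:
    src_zone: str
    dst_zone: str
    action: str               # "allow" or "deny"
    via_chokepoint: bool = False  # does traffic pass a monitored choke point?


def version_tuple(version: str) -> tuple:
    """Turn '3.10' into (3, 10) so dotted versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit_device(dev: Device) -> list:
    """Return the hardening findings for one field device (empty if compliant)."""
    findings = []
    if (dev.username, dev.password) in KNOWN_DEFAULT_CREDENTIALS:
        findings.append("default credentials")
    if len(dev.password) < MIN_PASSWORD_LENGTH:
        findings.append(f"password shorter than {MIN_PASSWORD_LENGTH} characters")
    baseline = CURRENT_FIRMWARE.get(dev.model)
    if baseline and version_tuple(dev.firmware) < version_tuple(baseline):
        findings.append(f"firmware {dev.firmware} behind baseline {baseline}")
    return findings


def audit_rules(rules: list) -> list:
    """Flag IT-to-OT allow rules that bypass the choke point (segregation check)."""
    findings = []
    for rule in rules:
        if (rule.action == "allow" and rule.src_zone == "IT"
                and rule.dst_zone == "OT" and not rule.via_chokepoint):
            findings.append(f"IT->OT allow rule bypasses choke point: {rule}")
    return findings


def compliance_metric(devices: list) -> float:
    """Fraction of devices with no findings: a simple continuous-improvement metric."""
    compliant = sum(1 for d in devices if not audit_device(d))
    return compliant / len(devices)


# Constructed sample inventory and rule set (not from any real site).
SAMPLE_DEVICES = [
    Device("AHU-1", "controller-x", "OT", "admin", "admin", "3.2"),
    Device("VAV-12", "thermostat-y", "OT", "bms-svc", "Xq7!long-passphrase", "1.7"),
    Device("CHILLER-1", "controller-x", "OT", "bms-svc", "Another-strong-pass-42", "3.2"),
]
SAMPLE_RULES = [
    FirewallRule("IT", "OT", "allow", via_chokepoint=False),
    FirewallRule("IT", "OT", "allow", via_chokepoint=True),
    FirewallRule("OT", "IT", "deny"),
]

if __name__ == "__main__":
    for dev in SAMPLE_DEVICES:
        print(dev.name, audit_device(dev) or "OK")
    for finding in audit_rules(SAMPLE_RULES):
        print(finding)
    print(f"device compliance: {compliance_metric(SAMPLE_DEVICES):.0%}")
```

Run as-is it reports the default-credential controller, the out-of-date thermostat firmware, the one IT-to-OT rule that skips the choke point, and a 33% device compliance figure; re-running it after each remediation cycle gives the "check" step of Plan-Do-Check-Act a number to track.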