Real Estate Cyber Consortium Best Practices

RECC Tips for Getting Started with Building Cybersecurity

Sat, 07 Jan 2023 01:00:00 GMT

Organizations may be just starting their journey, or further along. We offer these tips and suggestions for anyone starting on their journey.*

Smart Building Security should follow the same process patterns provided by US-CERT (Cyber Emergency Response Team), CIS (Center for Internet Security), NIST. The models all follow a Plan-Do-Check-Act process.

Pick a national/international security standard and audit against it.
(ISA/IEC 62443, ISO/IEC 27001, MITRE, ETSI EN 303 645, NIST CSF, FIPS 140, PCI DSS, UL 2900)
- Refine your policy
- Refine your standard operating procedures
- Ensure you have a sustained annual budget
- Define and communicate roles and responsibilities
Have trained and competent security staff in-house, or on contract

Define security metrics for continuous improvement

Put cascading security expectations in Vendor contracts and audit against national/international recognized standards

Harden field-based devices

Ensure strong password management and that no default passwords are used

Consider having passwords externally tested for security

Identify a Cybersecurity Incident Response Team (CSIRT) and perform tabletop resilience exercises:

Identify – Protect – Detect – Respond – Recover

Educate the workforce to be deputies in security. If they receive or see something unusual they should report it.

Rights and roles should use least privileges

Keep systems current with security software updates

Ensure a properly configured firewall protects the network

Segregate corporate networks from BMS networks (IT vs OT separation)

Restrict or deny the use of USB flash drives

Encrypt data in transit and at rest within your systems

Consider an "assumed breach" model – establish tiered access control, identify choke points, segment assets, and install detection capabilities

Consider zero trust managed networks.

* RECC makes no warranties on these recommendations.

IT Security for OT Systems

Fri, 06 Jan 2023 20:30:00 GMT

Click for: IT Security Best Practices for OT Systems

Building Operational Technology (OT), considered a subset of Internet of Things (IoT) technology, broadly refers to systems used to control and monitor critical physical processes within buildings. Unique aspects of OT systems and devices demand modified approaches to minimizing cyber security risk. This best practice list serves as a summarization of industry best practice by corporate, commercial, educational and governmental real estate professionals focused on the design, installation, commissioning, operations, and maintenance of next generation BuildingOperational Technology.

IT Security Assessment for OT Systems

Fri, 06 Jan 2023 20:00:00 GMT

Click for: IT Security Assessment for OT Systems

This questionnaire views building Operational Technology through the lens of an IT security assessment. The modular nature of the questionnaire provides the ability to quickly identify questions for each a specific assessment phase.

Supply Chain Security for OT Systems

Fri, 06 Jan 2023 19:30:00 GMT

Click for: Supply Chain Guidelines for OT Systems

Guiding Principles to Improve Vendor Cyber Security Contract Requirements are sourcing and contract guidelines to help improve cyber security protections in all aspects of the building technology supply chain.