Going beyond IT: Cybersecurity for Buildings - HVAC, Video, Access Control

The importance of cybersecurity for building systems cannot be overstated.

While traditional IT environments occasionally manage unsupported technology with outdated software, the problem is exponentially more difficult in Building Automation Systems, Access Control, and Video Surveillance systems:

  • These devices not only ensure reliability for occupancy concerns, such as water, power, HVAC, physical security, and occupant access, but they also tend to be in use for decades, rather than years.
  • With the emphasis on remote access for employees, many systems which were once not IoT-enabled are now IoT-connected, thereby potentially providing access to entire information systems within buildings.
  • Because they are not traditionally thought of as potential cybersecurity risks, HVAC, access control, video surveillance and other building systems can often be overlooked for critical software updates and patches.

Without careful consideration and proper planning, allowing a product to be utilized past its end-of-life can pose various risks. Before most products are sold on the market, they often require the completion of a validation process. However once a system is obsolete, it can no longer be considered validated for use in a production environment. If a product is used beyond end-of-life, it can contribute to disruption in an organization’s operation and the degradation of the organization’s information security posture.

The Risks

The risks associated with end-of-life hardware, software, and operating systems include:

  • Increased security vulnerabilities
  • Regulatory and legal non-compliance issues
  • Software incompatibility
  • Increased maintenance costs
  • Problems with scalability
  • Poor performance and reliability

The Responsibilities

As a systems integrator of building technologies, CM3 Building Solutions follows industry-standard and manufacturer-recommended best practices regarding the installation of these systems. However, once the system is installed, IT and Operations Managers at the facility site must continue to monitor the systems and follow industry-standard best practices regarding keeping their systems updated.

The Recommendations

We strongly recommend that all customers leverage the resources and recommendations provided by the Cybersecurity and Infrastructure Security Agency (CISA), which is continually updating information around how best to secure facility systems. These recommendations address vulnerability points around:

  • Passwords
  • Port Forwarding
  • Firewalls
  • Network Topology and Segmentation
  • Operating Systems
  • Patching
  • Encryption
  • Remote Access
  • Physical Access and Security

There are also specific recommendations for:

  • Implementation of an Information Security Framework
  • Implementation and Maintenance of a Information Security Program
  • Policies and Procedures for Change Management, Commissioning, Patching, Updating and Decommissioning of Information Systems.
  • Dissemination of applicable Information Security Framework, Plans, Policies and Procedures to CM3 Building Solutions, Inc.
  • Vulnerability Assessment and Penetration Testing.
  • Information Security Vulnerability Mitigation.

If you need assistance bringing your systems up to date and / or assessing cyber vulnerabilities of those systems, please reach out to us.