In an ever-changing world of IT and the digitization of data and products, it is important to be diligent to guard against unauthorized access to computers and networks. The HVAC and Building Automation Systems (“BAS”) world is no different. In 2013 Target experienced a major hack compromising 40 million customers credit card information. Unfortunately, an unsecure connection opened up by their mechanical services company left their entire network vulnerable and ultimately hacked.
Although a company’s HVAC data is not normally thought of as highly sensitive data, an unsecure remote connection leaves your network vulnerable to attack. Some clients may use a dedicated network for the BAS connection, but without proper security, this remote connection could still be used in a distributed denial of service (DDoS) attack. A DDoS attack is the intentional paralyzing of a computer network by flooding it with data sent simultaneously from many individual computers or devices. A recent report written by Level 3 Threat Research Labs predict these attacks will become more and more common with the ever-increasing numbers of connected devices. “While compromised hosts and home routers continue to be targeted, bot herders will follow the path of least resistance. Before spending more energy on traditional bot hosts, they’ll take advantage of the abundance of insecure IoT devices.” The time is now to start taking these threats seriously.
In the past, BAS security has been handled by obscurity, allowing customers to put devices online and only giving access to key users. According to the 2015 Compass Intelligence’s Intelligent Building and Cybersecurity, Landmark Research Study, 70% of building owners said their building systems are connected to their vendors. Smart buildings are growing in popularity with 73% of building owners saying remote access to their buildings is critical. The lines between IT and operations are becoming very blurred with the converging of cybersecurity, connected equipment, and intelligent buildings.
Brady is the leader in mechanical services, as well as leading the way in securing our customers remote connections. We have created a recommended BAS security program that provides recommended steps to help our customers mitigate vulnerabilities, stay current and manage the security of your BAS going forward.