Defending the BMS

Open-access content Monday 3rd September 2018 — updated 2.38pm, Tuesday 5th May 2020

The connectivity that enables integrated, automated and centralised building management could also be used as a conduit for a cyberattack on buildings, but Maritz Cloete explains how to keep your BMS and data safe.

04 September 2018 | Maritz Cloete


IP networks enable a BMS to monitor and control key building systems such as HVAC, lighting, access controls, fire and safety systems, and energy monitors. They also provide internet connectivity so buildings can be managed remotely or from central locations.


The downside is that cybercriminals can also access these networks to hijack a vulnerable BMS, disrupting operations and stealing data.


There may be multiple actors behind such attacks: 


  • Activist groups wanting to break up organisations with which they take issue.
  • Terrorists who want to disrupt national functions or government operations.
  • Nation states wanting to harm organisations they consider a competitive risk or a threat to their security.
  • Companies who wish to sabotage competitors.
  • Aggrieved former employees.
  • 'Bored teenagers' testing their hacking skills.

 


In 2017, attackers took control of an Austrian hotel's electronic key system and locked it out of its own computer system, leaving guests stranded in the lobby, causing panic. A ransom email demanding a large sum in Bitcoin followed and, against expert advice, the hotel paid up.


Attacks are not necessarily targeted, as 2017's WannaCry ransomware strike showed: it indiscriminately attacked any vulnerable system in its path, including BMSes, many of which are still running on unsupported operating systems such as Microsoft Windows XP.


A vulnerable BMS could also be used as a conduit for an attacker to access the corporate network where data theft and operational disruption may be the much more lucrative goal.


In 2013, US retailer Target fell victim to large-scale theft of credit card details. Attackers stole corporate network credentials from one of Target's HVAC suppliers, and used these to gain access to Target's servers.


Cybersecurity is high on BMS vendors' priorities and, while not perfect, modern systems provide capabilities to guard against attacks. Most vulnerabilities are a result of installers who do not follow the manufacturer's guidelines.


Here are five steps to protect your BMS:


Follow the manufacturer's security guidelines

Use only authorised BMS installers and review your BMS configuration regularly to ensure that the secure baseline is maintained. Train your FM staff in the secure configuration of the BMS and in cybersecurity awareness.


Keep your BMS patched

Monitor vulnerability and security patch notifications from the BMS vendor and apply updates promptly. If the BMS is installed on a computer with a standard operating system, such as Microsoft Windows or Linux, ensure it is still supported by the vendor.


Restrict access to the BMS

Issue unique accounts with strong passwords to users. If a user does not perform administrative duties, don't issue them administrator privileges. Monitor user activities to identify behaviour which might indicate that user credentials have been hijacked.


Avoid connecting your BMS directly to the internet

If there is a business need for remote access to the BMS, consider using dedicated private network links, Virtual Private Network technology, or a firewall with rules to secure the external connection and prevent unwanted access to the BMS from the general internet.


Isolate your BMS network from corporate networks

Do this either by not connecting the networks, or through a network firewall that restricts general access to and from the BMS network.
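
An added example, not part of the original article or any vendor's tooling: a short Python check that reviews a firewall rule list against the last two steps, flagging rules that expose the BMS to the internet, open it to the whole corporate network, or let the BMS network reach the corporate network. The subnets, rule names and approved sources are constructed for illustration.

```python
import ipaddress

# Constructed addressing plan (assumptions, not taken from the article).
BMS_NET = ipaddress.ip_network("10.50.0.0/24")
CORP_NET = ipaddress.ip_network("10.10.0.0/16")
# Approved sources: the remote-access VPN pool and one FM workstation.
APPROVED = [ipaddress.ip_network("10.99.0.0/28"),
            ipaddress.ip_network("10.10.20.5/32")]
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample rules: (name, source, destination, port, action).
# A port of None means "any port".
SAMPLE_RULES = [
    ("vpn-to-bms", "10.99.0.0/28", "10.50.0.0/24", 443, "allow"),
    ("fm-desk-to-bms", "10.10.20.5/32", "10.50.0.10/32", 443, "allow"),
    ("vendor-remote", "0.0.0.0/0", "10.50.0.10/32", 443, "allow"),
    ("corp-any-to-bms", "10.10.0.0/16", "10.50.0.0/24", None, "allow"),
    ("bms-to-corp", "10.50.0.0/24", "10.10.0.0/16", None, "allow"),
    ("default-deny", "0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

def audit_rules(rules):
    """Return (rule name, finding) pairs for allow rules that weaken BMS isolation."""
    findings = []
    for name, src, dst, port, action in rules:
        if action != "allow":
            continue
        src_net = ipaddress.ip_network(src)
        dst_net = ipaddress.ip_network(dst)
        if dst_net.overlaps(BMS_NET):
            # Traffic towards the BMS: the source must sit inside an approved range.
            if not any(src_net.subnet_of(a) for a in APPROVED):
                internal = any(src_net.subnet_of(n) for n in INTERNAL)
                findings.append(
                    (name, "source-too-broad" if internal else "internet-exposed"))
            elif port is None:
                findings.append((name, "all-ports-open"))
        elif src_net.overlaps(BMS_NET) and dst_net.overlaps(CORP_NET):
            # Traffic from the BMS into the corporate network breaks isolation.
            findings.append((name, "bms-to-corporate"))
    return findings

if __name__ == "__main__":
    for rule_name, finding in audit_rules(SAMPLE_RULES):
        print(f"{rule_name}: {finding}")
```
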


Maritz Cloete is director at CS Risk Management.

© 2022 • www.facilitatemagazine.com and Facilitate Magazine are published by Redactive Media Group. All rights reserved. Reproduction of any part is not allowed without written permission.
