These Four Myths Increase Risk that a BAS Will Be Hacked

Talk to any cybersecurity expert, and you’ll hear the same thing: almost all building automation systems have vulnerabilities a hacker could exploit to gain access to the system. The good news is that facility managers themselves can address many of those vulnerabilities. Part of the solution is adopting good practices, like changing passwords regularly. But before you can do the right thing, you have to know what the right thing is. So another cybersecurity step is getting past dangerous myths about the BAS.

A good example of a harmful myth is the idea that you should ignore patches issued by BAS manufacturers. True, those patches can sometimes cause problems. But patches are the way that system manufacturers address cybersecurity risks as they are discovered. An unpatched system is a more vulnerable system.

Another myth is that IT should be kept in the dark about the BAS. Admittedly, some facility managers have legitimate gripes about IT. The reverse is also true. A key step to building a good relationship is understanding that, when it comes to cybersecurity, both parties want the same thing. To achieve that goal, facility managers need IT expertise.

A third myth is the flip side of the second: Cybersecurity is someone else’s job. BAS manufacturers, integrators, and technicians all have responsibilities, of course. But the buck stops with the facility manager, who has to hold other parties accountable while implementing best practices in the facility department.

I’ve skipped over the biggest myth of all — that hackers don’t pose a threat to the BAS. I doubt anyone who believes that myth has read this far. But if you think the concern about BAS cybersecurity is overblown, click here to read articles on BAS cybersecurity on our website.

None of this is to suggest that facility managers are in this alone. At the AHR show last month, manufacturers and other controls industry experts came together in a cybersecurity summit sponsored by A New Deal for Buildings, an initiative sponsored by Cimetrics. One item on the agenda was BACnet CS (for cybersecurity), which is now under development. That’s an important step forward. But even with the best technology, facility management practices remain critical to protecting the BAS.