Building Cyber Security

Buildings and their Operational Technology (OT) are a cyber security risk and should not be ignored when it comes to cyber security risk assessments.

We follow basic IT practices and principles to audit Building Control Systems and make recommendations to reduce the vulnerability of building control system servers, operating systems and applications.


Audits

Initial audit to understand potential security vulnerabilities within the building services ecosystem. The intent is to understand the current risks with the hardware, software and network that is deployed for Operational Technology. Audits include:

  • Operating Systems

  • Applications

  • Password Policies

  • Remote Access

Systems Hardening

Systems hardening is an IT term for a risk-management-based approach to cyber security. It describes the actions necessary to reduce the risk posed by vulnerabilities in any IT system, including the OT in a building.

Systems Hardening in a Building

The first step to 'hardening' a system is to complete an audit. Whilst a comprehensive audit is advisable, a basic audit may uncover vulnerabilities that can be addressed immediately, particularly when it comes to patch management. A basic audit may include (but is not limited to) the assessment of the following elements:

  • Operating Systems - The Operating System is system software that manages computer hardware, software resources, and provides common services for computer programs. In the majority of cases in a building, this will be Microsoft Windows.

  • Applications - Applications typically will refer to the engineering software that is installed to monitor and control the systems in a building such as Air-Conditioning, Lighting, Vertical Transport, Energy Management, Hydraulics etc.

  • Authentication - refers to passwords for both the Operating System and Application Software.

Patch Management

Firstly, what is a 'patch'? As the name suggests, a patch can be applied to 'fix' a known 'hole' or vulnerability in a software system. To put this in context, some reports suggest that more than 350,000 new malicious programs are created every day. Patches are developed in direct response, to protect against new strains and methods of attack. This applies to Operating Systems as well as Applications.

What to look for during a basic audit:

  • Operating System - Ensure that the operating system is currently supported by Microsoft; for example, support for Windows XP ended in 2014. Although this was 7 years ago, it is not uncommon to find engineering services in a building running on an XP environment. In addition, Windows 7 support ended on January 14, 2020, and Microsoft no longer provides security updates or support for PCs running Windows 7. The next sunset is Windows 10, which ends in 2025. For all these systems, now is the time to plan your upgrade to Windows 10.

  • For Windows Server - the mainstream support end date for Windows Server 2016 was January 2022, and the mainstream support end date for Windows Server 2019 is 2024. For all these systems, now is the time to plan your upgrade to Windows Server 2022.

  • It is also important to ensure that Windows updates are performed regularly and patches are applied.

  • Applications - similar to the Windows OS, it is important that the software is also patched and kept up to date. Operational Technology such as BMS systems/software also has an end of life, and it is important that software is kept as up to date as possible. At the very least, it is important to be running a version of the software that is still supported. An audit of a BMS System recently uncovered that, since the version installed at the site was released, the vendor had issued 5 complete version updates as well as over 1000 patches. Essentially there had not been any updates to the system for 7 years, placing this system at high risk of attack. Also ensure that any default passwords present in field controllers and platforms are changed.

  • Authentication - or Password Policy - It is important that strict password policies are enforced. Password policies are sets of rules which ensure strong passwords are used and that they are updated/changed regularly. Good password policies include the minimum length and formation (using upper case, lower case, one or more numbers, one or more special characters etc.) and the duration that a password is in place before a change is forced. Hopefully this goes without saying, but also ensure that user names and passwords are not kept anywhere onsite (such as under the keyboard).

Check for Windows Updates Now!

There is one simple thing you can do right now to reduce any vulnerabilities relating to your Operating System - check for Windows Updates. Whilst this feature can be set to run automatically, it is not uncommon to find automatic updates switched off. Whilst this is by no means a silver bullet as far as system hardening goes, getting the latest updates and patches for Microsoft Windows is one simple task that we can all complete to better protect our systems against attack.

Note - automatic Windows updates are commonly disabled by application/OT vendors, as there have been cases of compatibility issues between new versions/updates of Windows and existing applications. Ideally, both the OS and the applications should be checked for compatibility, tested, and both updated to the latest versions. If in doubt, speak to the parties responsible for maintenance of the systems and/or the manufacturers/OEM.
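The basic audit items above (OS support status, patch recency, whether automatic updates have been switched off, and the local password policy) can be gathered from one building-services Windows host with the PowerShell script below. It is an added example, not code from this page's author or any BMS vendor; it assumes an elevated session, treats the end-of-support dates quoted on the page (with the exact day filled in) as the lifecycle table, and only reads settings, changing nothing.

```powershell
# Added example (not the author's or any vendor's code): read-only audit of one
# building-services Windows host covering the page's checklist. Run elevated.
# Assumption: end-of-support dates as quoted on the page, exact days filled in.
$supportEnd = @{
    'Windows XP'          = [datetime]'2014-04-08'
    'Windows 7'           = [datetime]'2020-01-14'
    'Windows 10'          = [datetime]'2025-10-14'
    'Windows Server 2016' = [datetime]'2022-01-11'   # mainstream support end
    'Windows Server 2019' = [datetime]'2024-01-09'   # mainstream support end
}
$os     = Get-CimInstance Win32_OperatingSystem
$report = [ordered]@{ Host = $env:COMPUTERNAME; OS = "$($os.Caption) build $($os.BuildNumber)" }

# 1. Operating system: is it still supported?
$match = $supportEnd.Keys | Where-Object { $os.Caption -like "*$_*" } | Select-Object -First 1
$report.Support = if (-not $match) { 'not in table; check the Microsoft lifecycle page' }
    elseif ($supportEnd[$match] -lt (Get-Date)) { "UNSUPPORTED since $($supportEnd[$match].ToShortDateString())" }
    else { "supported until $($supportEnd[$match].ToShortDateString())" }

# 2. Patch management: age of the newest installed update
$last = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
$report.LastPatch = if ($last) { "$($last.HotFixID), $((New-TimeSpan -Start $last.InstalledOn).Days) days ago" }
    else { 'no hotfix records found' }

# 3. Are automatic Windows updates switched off (service, policy, or AU setting)?
$svc = Get-Service wuauserv
$report.UpdateService = "$($svc.Status) (startup: $($svc.StartType))"
$au  = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
$report.PolicyDisablesAU = [bool]($au -and $au.NoAutoUpdate -eq 1)
$levels = @{ 0 = 'Not configured'; 1 = 'DISABLED'; 2 = 'Notify before download'
             3 = 'Notify before install'; 4 = 'Scheduled install' }
try {
    $level = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings.NotificationLevel
    $report.AutoUpdateLevel = $levels[[int]$level]
} catch { $report.AutoUpdateLevel = 'Windows Update Agent COM query failed' }

# 4. Authentication: local password policy as reported by 'net accounts'
$acct = net accounts
foreach ($item in 'Minimum password length', 'Maximum password age (days)', 'Lockout threshold') {
    $line = $acct | Select-String -SimpleMatch -Pattern $item | Select-Object -First 1
    if ($line) { $report[$item] = $line.Line.Split(':')[-1].Trim() }
}

[pscustomobject]$report | Format-List
```

Any host reporting UNSUPPORTED, a last patch hundreds of days old, AutoUpdateLevel DISABLED, or a minimum password length of 0 is a finding to raise with the maintainer or OEM before changing anything, per the compatibility note above.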

