Let’s Talk BAS Cybersecurity ..for the vast majority of BAS players: vendors, the channel, and even operation staff, cybersecurity could be described as “out of mind,” in other words, ranked #∞.

Anto Budiardjo Editor, New Deal for Buildings As published on New Deal blog Contributing Editor

For IT Departments, cybersecurity is a top-of-mind issue, consistently ranking #1 on their list of concerns. Interestingly, some identify this concern as IoT security, while others as security skill shortage as well as concerns from “Shadow IT,” people installing their own IT solutions. On the other hand, for the vast majority of BAS players: vendors, the channel, and even operation staff, cybersecurity could be described as “out of mind,” in other words, ranked #∞.

Let me put this another way. For BAS companies working to extract the value of BAS data with analytics, cloud SaaS, enterprise integration and other applications, working with IT systems isn’t optional, it is the only effective way to deliver their value to enterprise customers. Conversely, for IT departments, who have enough on their plates dealing with daily threats from hackers, requests to connect their carefully secured infrastructure to a network of questionable secured devices, often for questionable business value (in their eyes), is likely to get the silent treatment.

While I am exaggerating to make a point, it is the chasm between these positions that should awaken any BAS professionals interested in extracting the business opportunities from IoT.

Many see the issue of BAS cybersecurity as about securing BAS systems, so they are not hacked and manipulated, of course, this is true but not the critical problem we face today.

Others see IoT as the solution of how IP-based devices will be secured, again this is true for future systems but not a solution to today’s buildings, many with decades-old systems.

Many in the industry are pinning their hopes on BACnet/SC, yes this is an important and much-needed addendum to the BACnet standard, but this in itself, isn’t going to solve all our problems.

A growing number of companies are developing great security features in their products; again this is a welcomed trend but not something that will help the chasm in the short term.

[an error occurred while processing this directive]The million-dollar problem hampering progress is that of a perception problem of the industry. In my December article, I laid out how we got here. BAS has never had much motivation to secure their networks because it never had to. This has made the default behavior that of apathy about security. If this wasn’t bad enough, we have “effectively marketed” that position, and now everybody believes it!

For the BAS industry to advance and tap into the promise, and value of IoT, it is imperative that we urgently fix this perception problem and work diligently, and collectively to put BAS into a posture that is in line with the expectations of security-centric IT industry, and the rest of the business community.

Some will view this as only relevant to companies offering the types of IT-centric products and services I mentioned above; this is shortsighted. The promise of IoT will lift the value of all the products and services in the BAS space, from sensors, actuators, installation, maintenance and so on. As they say, a rising tide lifts all boats.

This is not an easy task by any means. The first step is to acknowledge this position and start an open, industry-wide dialog to address this issue. It is with this in mind, I invite leaders of the industry to attend the Cybersecurity Summit to be held at the upcoming AHR Expo 2019 in Atlanta. Attendance is free to AHR Expo ticket holders.

More info on the summit is available at http://summit.newdeal.blog