May 2013

BTL Mark: Resolve interoperability issues & increase buyer confidence
BACnet Testing Laboratories

(Click Message to Learn More)


Marc Petock

EMAIL INTERVIEW Marc Petock and Ken Sinclair

Marc Petock, Vice President, Marketing, Lynxspring

Cyber Threat Protection

Cyber security is a shared responsibility---shared between technology providers, system integrators and end users.

New Products
Site Search
Secured by Cimetrics
Past Issues
Control Solutions, Inc
Securing Buildings News

SinclairWe are seeing an increase in coverage about BAS cyber security. Is it good or bad for our industry?

Petock:  I believe it is good for a number of reasons. It is calling attention to an issue that is part of the new reality we are faced with. It is enabling us to gain a greater understanding of the challenges associated with cyber threats as it relates to building automation systems and networks and it is causing us as an industry to address it. I also believe it has woken up many end users and providers to the need for better cyber security protection for building automation systems and networks.

SinclairWhat are the misconceptions about cyber security and threats on building automation systems?

Petock:  That cyber threats against building automation systems are not just about being able to turn the lights on or off or raising or lowering the temperature a degree or two. It is way more than that. Characterizing possible disruptions to lighting or HVAC controls as a little harmless mischief dramatically underestimates the value of these systems to productivity, safety and the business. Threats and breaches to building systems can also be entry points into the company’s network and become a pivot point that can bypass many existing network defenses. A hacker can use a BAS device as a jumping off point to get onto other devices and systems, introduce malware, viruses and worms or engage in other detrimental activities.

The Building Automation Network and IT network should NOT be treated differently when it comes to cyber security and threat protection. One needs to ask themselves more than just ‘Are we secure?’ You need to be asking…. ‘How do we know we’re not compromised today? How would we know? What would we do about it if we were?’” Are we prepared to face the threat?

Sinclair: What about the business implications, can you elaborate a little more on this?

Petock:  Absolutely.  There is occupant comfort, safety and productivity to operational disruption including interruption of key services and shutdown of operations. On the physical side, there is the potential damage to equipment and the building structure and accessibility to the facility. On the business side, there is the potential exposure of sensitive information, financial loss caused by interruptions and equipment replacement and repair, negative publicity, tenant loss, loss of customer confidence and potential lawsuits. And there is the risk of physical harm to occupants.

SinclairWhat are the key risk areas?

Petock:  I categorize risk areas into three types; PEOPLE (Owners, Operations, Users, Occupants), SYSTEMS (Technology)—Comfort, Safety, Security (Access and Intrusion) and OPERATIONS (Technical & Business). Buildings are mission critical environments. As such the risks associated with people, systems and operations need to be understood and appropriately managed and mitigated.

Control Solutions, Inc SinclairSo at the end of the day, who is responsible for BAS cyber security?

Petock:  Cyber security is a shared responsibility---shared between technology providers, system integrators and end users.  Technology providers should take every step to increase the security quality and reduce the attack surface as much as possible. When an incident is discovered, they need to inform their customers, address the issue quickly and comprehensively. Also, incorporate cyber security practices related to their technology into their training and deployment practices. For system integrators discuss the importance of cyber security with the end user; be proactive about it; automatically include as part of the solution you design and deploy and ensure that the security capabilities of all system components are used and configured properly.  And end users demand and insist on cyber threat protection. Make sure your overall system security levels are adequate.

SinclairAny final thoughts?

Petock:  Cyber security is a complex issue. It is one that must not be ignored or done through obscurity any longer. Building automation networks should have policies and procedures just as an IT network does. Security must continuously be addressed throughout the whole system lifecycle using multiple layers of defense and protection. Cyber security and threat protection should be an integral part of the design of intelligent buildings and today’s building automation system and not an afterthought; it has gone from a nice-to-have to a must-have.


[Click Banner To Learn More]

[Home Page]  [The Automator]  [About]  [Subscribe ]  [Contact Us]


Want Ads

Our Sponsors