EMAIL INTERVIEW – Marc Petock and Ken Sinclair

Marc Petock, Vice President, Marketing, Lynxspring

Sinclair:  We are seeing an increase in coverage about BAS cyber security. Is it good or bad for our industry?

Petock:  I believe it is good for a number of reasons. It is calling attention to an issue that is part of the new reality we are faced with. It is enabling us to gain a greater understanding of the challenges associated with cyber threats as it relates to building automation systems and networks and it is causing us as an industry to address it. I also believe it has woken up many end users and providers to the need for better cyber security protection for building automation systems and networks.

Sinclair:  What are the misconceptions about cyber security and threats on building automation systems?

Petock:  That cyber threats against building automation systems are not just about being able to turn the lights on or off or raising or lowering the temperature a degree or two. It is way more than that. Characterizing possible disruptions to lighting or HVAC controls as a little harmless mischief dramatically underestimates the value of these systems to productivity, safety and the business. Threats and breaches to building systems can also be entry points into the company’s network and become a pivot point that can bypass many existing network defenses. A hacker can use a BAS device as a jumping off point to get onto other devices and systems, introduce malware, viruses and worms or engage in other detrimental activities.

The Building Automation Network and IT network should NOT be treated differently when it comes to cyber security and threat protection. One needs to ask themselves more than just ‘Are we secure?’ You need to be asking…. ‘How do we know we’re not compromised today? How would we know? What would we do about it if we were?’” Are we prepared to face the threat?

Sinclair: What about the business implications, can you elaborate a little more on this?

Petock:  Absolutely.  There is occupant comfort, safety and productivity to operational disruption including interruption of key services and shutdown of operations. On the physical side, there is the potential damage to equipment and the building structure and accessibility to the facility. On the business side, there is the potential exposure of sensitive information, financial loss caused by interruptions and equipment replacement and repair, negative publicity, tenant loss, loss of customer confidence and potential lawsuits. And there is the risk of physical harm to occupants.

Sinclair:  What are the key risk areas?

[an error occurred while processing this directive]Sinclair:  So at the end of the day, who is responsible for BAS cyber security?

Petock:  Cyber security is a shared responsibility---shared between technology providers, system integrators and end users.  Technology providers should take every step to increase the security quality and reduce the attack surface as much as possible. When an incident is discovered, they need to inform their customers, address the issue quickly and comprehensively. Also, incorporate cyber security practices related to their technology into their training and deployment practices. For system integrators discuss the importance of cyber security with the end user; be proactive about it; automatically include as part of the solution you design and deploy and ensure that the security capabilities of all system components are used and configured properly.  And end users demand and insist on cyber threat protection. Make sure your overall system security levels are adequate.

Sinclair:  Any final thoughts?