The Need for Holistic BAS Cybersecurity Our collective success is based on our weakest link. Our industry is inherently collaborative. We seldom work alone on a project, and partnering is our modus operandi.

James Lee, CEO, Cimetrics, Inc. Article also on LinkedIn

As the building controls industry works to install more and more sophisticated smart building technologies, many of which involve working with IT systems, the subject of cybersecurity continually looms large and persistent. There are many questions about how we are going to deal with this challenge; I have some thoughts on a few such questions.

The first and most important aspect for all players in the industry is that cybersecurity is everyone’s business, not just the experts. Yes, cybersecurity is a complex subject, but we are not all going to nerd out on the intricacies of ciphers, zero-day threats, certificates and so on. What every single professional must demand is that our devices, systems, and buildings are secure from cyber threats. Every proposal, project meeting and company planning session going forward must discuss how cybersecurity is being addressed in that instance.

This leads to my second point: Our collective success is based on our weakest link. Our industry is inherently collaborative. We seldom work alone on a project, and partnering is our modus operandi. This means not only does each player need to deal with cybersecurity in their work, but it is the task of everyone to ensure others in the value chain deliver solutions that are secure.

The two points mentioned above are broad and complex, but our industry is not unique in this respect. A useful tool many other industries use to chart their process of bringing cybersecurity to the forefront is the National Institute of Standards and Technology (NIST) Cybersecurity Framework, a comprehensive set of standards, guidelines and best practices created through a collaborative process by the U.S. government agency responsible for cybersecurity matters. At Cimetrics, we use the NIST Framework to map out the products and solutions we develop and market to the industry. We see this as a holistic way to look at cybersecurity.

At AHR Expo in Atlanta this January, my company Cimetrics launched Secured by Cimetrics, a platform to provide a wide range of cybersecurity-focused technologies, products, best practices, and professional services that address these challenges. As a technology vendor in the industry since 1989, we feel we have a responsibility to help our industry be much more secure in this new phase of building controls and automation.

The areas Secured by Cimetrics will help include the following areas:

Devices

Devices are the core of building automation, and these days they are typically BACnet. We are honored that over 60% of global BAS vendors have selected to use our BACnet stack in their devices. While the upcoming BACnet/SC (Secure Connect) is a very important development regarding securing BACnet devices (see this link for more on BACnet/SC), it does not tick all the boxes to make devices fully secure. Devices branded as Secured by Cimetrics build upon BACnet/SC by implementing additional features and technologies to make them as secure as possible while abiding by the guidance of the NIST Framework.

Networks

Building automation systems are made up of networks of devices which by today’s standards means they are mostly IP-based and thus the most vulnerable attack surfaces for cyber breaches. Having been a vendor of network routers and gateways for more than two decades, it makes sense for us to incorporate Secured by Cimetrics technologies and best practices into such devices. Going forward, the industry should look to network routers and gateways branded as Secured by Cimetrics to reduce the risk of attacks on their networks.

Keys and Credentials

A critical component of secured systems is the array of security keys and credentials used to identify legitimate devices and people; these are more often referred to as security certificates. These certificates are a core component of the upcoming BACnet/SC standard. In complex building systems, the management of these certificates produces specific challenges that we aim to address as part of the Secured by Cimetrics platform.

[an error occurred while processing this directive]Buildings and Facilities

At the end of the day, building automation systems enable buildings and facilities to deliver on the needs of their owners and occupiers. As such, there is no challenge as important than ensuring facilities do not suffer any negative consequences of a cybersecurity breach. Addressing this challenge involves best-practices, business processes related to monitoring, responding, and recovering systems prior to and following attacks. This is an area where Secured by Cimetrics will add significant value to new or existing cybersecurity strategies by further reducing the risk of attack.

People and Organizations

A holistic approach to cybersecurity is not complete unless we consider the potentially weakest link in the chain, the people and organizations who design, engineer, operate and maintain building systems. The Secured by Cimetrics platform addresses this by providing training, certification and professional services to aid industry professionals and companies to do all that is possible to secure the systems in which they are involved.

Securing Buildings

Since our founding in 1989, Cimetrics has focused on developing key technologies to enable the BAS industry to grow. We were one of the first to work on BACnet, and our BACnet stack is used by over 60% of BAS companies globally. For 30 years, we have garnered broad industry recognition, support, and trust for producing robust and innovative technologies. 

Cybersecurity is not an easy problem to solve. We feel strongly that our approach to cover all the bases is the only way to go forward. We further feel strongly that this is not a fight we can do alone; it takes a village to position the BAS industry as one that takes security seriously and has the posture necessary in today’s hyper-connected world.

We invite you to work with us to create an active cybersecurity community, one that can drive the BAS industry forward to attain a responsible security posture demanded by building owners, enterprises, IT organizations, and occupants.