Cybersecurity for Building Management (BMS)

Building Management Systems (BMS) and Smart-City technologies have become quite commonplace across the globe. These systems offer the ability to control buildings’ internal environments, access control and other security systems and structures, all at the touch of a button!

By integrating an array of different services such as electricity, water supply, HVAC, access control, and fire alarms, BMS systems offer a host of advantages, from cost-effective, single-pane control over all building systems to better handling of security and system failure events and much improved safety.

BMS and Smart City technologies, however, are not without its down side. Integrating previously-disparate (and often inadequately secured) building or city systems poses the risk of hackers accessing their target system through another one.

The Challenge: Protecting Complex, Diverse Building Management Systems

Modern manufacturing has become increasingly reliant on automation since the industrial revolution, helping drive down costs and speed up production. The process culminated with the advent of Industry 4.0 which introduced almost-fully network-based automation control.

As with other OT systems, the challenge presented by this change is due to the complexity of today’s automation systems, which typically host an array of devices from multiple vendors, including both new and legacy assets, as well as IT systems.

The widespread reliance on IIoT-based automation, and the subsequent need to grant network access to in-house as well as 3rd-party (vendors, system integrators) maintenance personnel, greatly increases manufacturers’ exposure to cyber-threats, through both malicious and erroneous human activity.

A Multi-Prong Approach to BMS Security

Adequate cyber-protection for networked devices (DCS, PLC and others) requires a multi-prong approach to OT security. Radiflow provides manufacturers with the tools to protect, visualize and safely maintain their systems:

1. Network modeling and visibility: The initial stage in securing industrial operations involves mapping the manufacturing OT network, including network topology, modern and legacy assets, devices, ports and all connections. The result is a virtual model (digital image) of the complete system that is presented to the operator in map form, down-drillable to each and every device’s full properties and connections.
2. Risk assessment: the next step includes running numerous breach & attack simulations (OT-BAS) to evaluate the probability of an attack on different business units, and the ability of various mitigation controls (installed and proposed) to protect the network. The resulting Key Indicators (for risk, threat and control levels) and reports provide the ICS operator with a clear picture of the network’s exposure to risk.
3. Implementation: based on the simulation results, an ROI-optimized OT security plan is generated, accounting for the user’s security preferences and budget constraints. The user is presented with a prioritized list of mitigation measures toward strengthening and optimizing OT security, in accordance with IEC62443.
4. Long-term security management: protecting the OT network and assessing its exposure to risk is an ongoing process. New devices may be added, old ones removed, and systems regularly updated. The threat landscape also shifts rapidly. The key to long-term security is ICS network monitoring, which provides constant identification and mitigation of intrusion attempts as well as changes in the risk posture due to new threats.

Download the BMS use case