Increasingly, Smart Buildings are being touted as the future of urban construction. A Smart Building is any structure that uses automated processes to control the building's operations, including heating, ventilation, air conditioning, lighting, security, power management and other systems. Given that many of the control systems used in Smart Buildings embody risk in their design, a problem that exists in Operational Technology (OT) devices in general, the risks to which we refer here are considerable.
Building Management Systems (BMS) are computer systems that send and receive instructions across a network to control field devices (e.g. door locking controls). Due to the relatively open nature of this architecture, numerous cyber and physical vulnerabilities are evident. Additionally, many companies rely heavily on third-party vendors to manage their BMS systems.
External access to your systems by vendors is a “black box” which introduces another set of risks that need to be managed (recall the Target example earlier). Similarly, disgruntled employees can gain control of BMS systems relatively easily. CIOs often own the risk of these IT systems but do not have the visibility to effectively manage and safeguard them. Effective cybersecurity starts with visibility of assets (which, in the case of Smart Buildings and Cities, may be considerable). The next step is effective monitoring of devices for internal and external threats and anomalies, coupled with appropriate processes and policies for the people who actually manage the systems, bearing in mind that these people are often external vendors.