In this article I am responding to a great question from a fellow LinkedIn group member.
She asked, and I paraphrase, "Do you have any articles about why someone should even care about IT Security for their BAS?"
Now don't get me wrong, I have dealt with plenty of reluctant IT and operational folks in my time. However, I simply felt that the answers were self-evident; I mean, everyone knows that having an unsecured BAS is bad, right?
When I got to thinking about it, I realized that while it is common sense why one would want BAS security, for the doubtful in the industry there really aren't any big stories about BAS security flaws. The only story I can recall in the news on security is one about Google's Tridium system being hacked (Author's Note: Tridium has since fixed the issue and has released a hot patch for older systems).
This series will take a broad look at the reasons why BAS owners and operators are not enacting effective security practices. This series will be broken up into three articles:
- Case Studies
- "Our IT group is hard to work with"
- "We only access our BAS system from Inside the Hospital"
- "Our machine is on a standalone computer"
- "That's the responsibility of the engineer and if its not in the spec then we don't need it"
- "My guys just don't get IT"
"My guys just don't get IT"
All of these are fairly common objections that I hear a lot. Oftentimes I do not get people actually questioning the security of the system, but rather the need for security itself. Often a provocative question will spur some interest, but sometimes you're not even at the right level to have the conversation.
"Would you leave your computer logged into your bank account in the middle of the mall?" Well, seriously, would you? Then why would you put your BAS on a public IP address with the manufacturer's default passwords? I know you like your paycheck, so how long will you be employed when a student decides to shut down all the CRAC units cooling your data center just for fun? Oh, and by the way, how are you going to know who did it, since everyone on your staff uses the same password for everything they do? Yes, BAS systems have audit trails to log usage, but those are useless when the same login is used all the time.
"That's the responsibility of the engineer and if its not in the spec then we don't need it"
You're right! It is the responsibility of the engineer to write a spec that takes IT security into consideration, but it's your job to keep the building running and operational, and trust me, you will not have that job very long when the boss finds out that anyone on the internet can log into your system at any time of day.
"Our machine is on a standalone computer"
Well, besides the inherently bad practice of having everything dependent on one computer that you may or may not be able to replace when it fails, where's the problem? There are several problems, actually. First, with a local PC and no backup system, your disaster recovery capabilities are near non-existent. Next, your system is still vulnerable, actually more vulnerable. What happens if Bob overrides the boiler on for a whole year? Who's gonna catch it? What does that cost you? Who's going to explain to the CFO why the gas bill was so high this year?
"We only access our BAS system from Inside the Hospital"
That's awesome, kudos to you. Seriously, do you think that makes you safe? What if someone hacks the hospital network? Imagine the publicity if a major hospital's entire HVAC system was shut down by a hacker, forcing the hospital to relocate hundreds of patients. Imagine the lawsuits, the bad press, and the damage to credibility...
"Our IT group is hard to work with"
Maybe they are; maybe your CIO is Genghis Khan reincarnated. Does that excuse not enacting basic security policies that ensure the safety of your system? There are dozens of things you can do to secure your system that in no way, shape or form require your IT department to be involved, so why aren't you doing them? If it is a skill-set issue, you can have your consultant build your spec right, and I guarantee the contractor who installs or services your system will do them for you. It's amazing how proactive contractors and/or installers can be when their retainage is contingent on a properly installed system.
In the next article for this series I will discuss how you can create alignment around BAS security with the different stakeholders within an organization.
What is the most interesting objection you've heard in regards to security?
Tell me in the comments below.