Cyber Security & Smart Buildings: BMS Remote Access
Remote access to building infrastructure has become vital, but it comes with new risks. Learn how to do it securely.
Following the release of DL Connect, our brand new secure remote access service, we would like to highlight security challenges which are all too often overlooked. We understand the challenges that property and facilities managers face and want to ensure that you reap the benefits of building analytics and BMS optimisation without compromising on security.
Buildings are getting ‘smarter’, but so are hackers. The risk of cybersecurity breaches via BMS or other IoT infrastructure has significantly increased, with the potential to cost companies millions. We’ve released DL Connect as a result of changes to how clients manage their buildings during Covid-19 and the shift to remote working.
Read on to make sure you do not fall foul of the risks associated with accessing building data remotely, and choose a BMS remote access service which keeps your systems and business secure.
Building management systems and working from home
The Covid-19 outbreak has forced businesses to move away from office-based work and consider remote working practices, not only in terms of safety but also of economic viability, staff productivity and retention. After initial lockdowns, people were gradually returning to their offices, although it seems that a form of blended working, at home and in the office, is the future. In light of these changes, can building managers afford not to have a remote building analytics interface as well as a secure BMS remote access service?
What are the advantages of a BMS remote access service?
Demand Logic’s building analytics platform has always provided passive/read-only access to the BMS. This has a number of advantages, of which security is certainly one. Indeed, much can already be achieved with this level of access alone. In our experience, when building analytics are presented as actionable insight, with clear recommendations for improvement, property and facilities managers can make cost-effective adjustments to their building operations. These game-changing alterations can result in cost savings as high as six figures.
However, where before on-site engineers or even regular maintenance visits could enact recommendations with relative agility, Covid-19 has meant that time ‘on site’ is now discouraged. This change is what led us to create DL Connect, as identifying energy savings and indoor air quality improvements is only useful if they can be acted upon. Mindful of the risks associated with BMS remote access, we made security the top priority.
What are the risks?
If a remote access facility to a building's BMS is not designed and implemented securely, the BMS could fall victim to a range of remote attacks, such as Denial of Service (DoS) sabotage or tampering with BMS plant. Worse, hackers might take control of parts of the BMS altogether, with the possibility of attacking further business-critical systems in the smart building's network, e.g. lighting, doors, or servers.
These risks are not theoretical. Real-world adversaries are actively scanning for and exploiting insecure remote access services, for example in order to blackmail or ransom the victim. Indeed, the high-profile attack on Target is evidence of this. Since the shift to remote working caused by the pandemic, 46% of businesses across the UK, US, France, and Germany experienced at least one ‘cybersecurity scare’.
We have witnessed first-hand some very poorly executed remote access solutions, for example ADSL routers with public port forwarding, or insecurely configured mobile routers. Put simply, this is an open invitation to cyber attacks.
How to keep your BMS remote access secure?
There are preventative measures that property and facilities managers can take and cybersecurity requirements that your BMS remote access service provider should be implementing.
Undertake due diligence when researching which service provider is right for you. Any provider will claim that their access system is secure, but if you are procuring one, make sure your provider has convincing answers to questions such as the following:
Does the remote access service use robust, state-of-the-art cryptographic methods for authentication and encryption?
Does each user/site/target combination require individual permission?
Are there full audit logs that cover all connections?
A BMS remote access service is a significant asset, provided adequate security protocols are in place. To avoid your property or workplace becoming the next cybersecurity casualty, talk to us about the most appropriate precautions to take when using remote access BMS services and how DL Connect can help.