
COVID-19 crisis: cyber security advice for building owners and facilities managers

The Institute of Workplace and Facilities Management (IWFM) and the Internet of Things Security Foundation (IoTSF) have produced guidance on managing potential security risks associated with building management systems and other IoT building systems in the current emergency.

The impact of the COVID-19 pandemic has necessitated new ways of working and other changes, including the following:

  • Homeworking, contractor shutdowns or furlough of staff may mean new, inexperienced or possibly unqualified staff being given access to systems so that they can log in remotely to building management systems (BMS) for maintenance, updates or system changes.
     
  • Changes in staffing arrangements and routines may mean patching of software is delayed or not completed.
     
  • Reduction or changes in on-site physical security arrangements may allow unauthorised access to server rooms or ICT infrastructure.


These changes add risk and create opportunities for unauthorised exploitation or compromise of facilities and building management systems. Most buildings have a number of systems that are connected to the internet and are used to control a variety of functions. These range from IP-based CCTV and access control systems through to building management systems controlling heating, ventilation, lighting, etc. to fully-fledged “smart buildings” with sophisticated and fully-integrated systems.

Any system that is connected to the internet is potentially vulnerable to attack from criminals, hacktivists and in some cases foreign state-sponsored players. Attacks on building systems may allow the attacker to not only take control of building systems, but also to use these systems to breach corporate IT networks to which they may be connected.

The following guidance checklist is aimed at building owners and facilities managers and is intended to assist in securing BMS/OT systems and IoT devices.

  1. Assess the potential cyber security risks and agree with the building stakeholders (owners, facilities managers, IT/cyber security teams) a mitigation plan and process for continual review/action.
     
  2. Check/scan for unknown IoT devices that may be connected to your network/systems.
     
  3. Ensure that any IoT devices are secured behind a firewall/DMZ with appropriate network segmentation deployed.
     
  4. Change any factory default credentials and ensure passwords are unique to each building/account/device.

    Enforce password policies (password history, minimum characters and complexity). If you can use 2FA (like an authentication app or SMS code) then do so.
     
  5. Rename default accounts and disable any unused accounts.
     
  6. Check that system and device software/firmware is at the latest version specified by the system/device vendor. Any required updates should be conducted securely.
     
  7. If possible, offer authorised staff remote access to your BMS via a corporate network VPN, rather than connecting directly from the internet.
     
  8. Ensure any staff or third-party contractors with access to the BMS who are working from home follow suitable security guidance, such as ‘Home working: preparing your organisation and staff’, issued by the UK’s National Cyber Security Centre (NCSC).
     
  9. Ask your IT/cyber security function to monitor attempts to access your BMS (both unsuccessful and successful) and agree how they can alert you to suspicious activity.
     
  10. Check that your system/device suppliers have a Vulnerability Disclosure Policy, and check how security vulnerabilities will be reported to you if any are discovered.
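
Items 7 and 9 can be checked together: if remote BMS access is meant to arrive only over the corporate VPN, a login review can flag successes from any other address as well as successes that follow repeated failures. The sketch below is an added example, not part of the IWFM/IoTSF guidance; the log format, the VPN address pool and the failure threshold are all assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Assumption: remote BMS access is only expected from this VPN address pool.
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")
FAIL_THRESHOLD = 3  # assumed: failures from one source before a success is suspicious

# Constructed sample lines in an assumed format; adapt the regex to your BMS/gateway log.
SAMPLE_LOG = """\
2020-04-20T08:01:12Z LOGIN_OK user=fm.alice src=10.8.0.14
2020-04-20T09:15:40Z LOGIN_FAIL user=admin src=203.0.113.50
2020-04-20T09:15:44Z LOGIN_FAIL user=admin src=203.0.113.50
2020-04-20T09:15:49Z LOGIN_FAIL user=operator src=203.0.113.50
2020-04-20T09:16:02Z LOGIN_OK user=operator src=203.0.113.50
2020-04-20T11:30:00Z LOGIN_FAIL user=fm.bob src=10.8.0.22
2020-04-20T11:30:09Z LOGIN_OK user=fm.bob src=10.8.0.22
2020-04-20T13:05:31Z LOGIN_OK user=contractor1 src=198.51.100.7
"""
LINE_RE = re.compile(r"^(\S+) (LOGIN_OK|LOGIN_FAIL) user=(\S+) src=(\S+)$")

def review_bms_logins(log_text, vpn_pool=VPN_POOL, threshold=FAIL_THRESHOLD):
    """Return a list of (timestamp, user, src, reason) alerts."""
    alerts = []
    failures = defaultdict(int)  # failures per source since its last success
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that are not login events
        ts, event, user, src = m.groups()
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            alerts.append((ts, user, src, "unparseable source address"))
            continue
        if event == "LOGIN_FAIL":
            failures[src] += 1
            continue
        if addr not in vpn_pool:
            alerts.append((ts, user, src, "success from outside VPN pool"))
        if failures[src] >= threshold:
            alerts.append((ts, user, src, f"success after {failures[src]} failures"))
        failures[src] = 0  # reset the streak once a login succeeds
    return alerts

if __name__ == "__main__":
    for alert in review_bms_logins(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

A single mistyped password followed by a success from inside the VPN pool (the constructed `fm.bob` lines) raises no alert, which keeps the output to events worth passing to whoever has agreed to receive them.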

 

Download the full white paper here.
