By Fred Gordy
On top of being easily found today with IoT/device search engines, building control systems are run without the common best practices that IT has used for years, because those practices have not carried over into the OT (operating technology) world. Audits of systems in the United States and Canada — including commercial real estate, healthcare facilities, government buildings, retail facilities, public venues, and military bases — show in almost every case that the organizations share virtually the same vulnerabilities and bad practices. Here are some examples:
The vendor controls user administration.
The vendor has 24/7 access to the system.
The vendor controls and administers remote access.
The vendor maintains the backups, and the facility manager has limited access to them.
The front end uses a public IP (some of the devices also have public IPs).
A shared or common user name is used by both the facility manager and vendors.
The inventory of connected devices is incomplete or unknown.
There is no change management.
There is no disaster recovery plan.
Backups are stored locally on the front end.
The front end is exposed where anyone can use it.
The front end is used to surf the Web, check email, and visit social media sites.
The front-end operating system and some devices are past end of life.
Patching is not up to date.
No antivirus software is used.
There is no access management policy.
No cyber awareness training is provided.
In more cases than not, audits find all those problems with building control systems, and more.
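As an added example, not part of the article, the following Python checker turns several of the audit items above into mechanical tests over an asset inventory. The inventory records, the end-of-life OS list, the generic-account list, the 180-day patch threshold, and the rule that any address outside RFC 1918 space counts as public are all assumptions made for the example.

```python
import ipaddress
from datetime import date

# Assumption: anything outside RFC 1918 space is treated as publicly routable.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumption: the auditor maintains the end-of-life list, the generic-account list
# and the patch-age threshold; adjust them to the site's own policy.
EOL_OS = {"Windows XP", "Windows 7", "Windows Server 2008"}
GENERIC_ACCOUNTS = {"admin", "operator", "user", "vendor"}
PATCH_MAX_AGE_DAYS = 180

# Constructed inventory records (not real sites); the fields are the ones a
# building-control audit typically collects for each front end or controller.
INVENTORY = [
    {"name": "bms-frontend", "ip": "203.0.113.10", "os": "Windows 7",
     "last_patch": "2019-06-01", "accounts": ["operator"],
     "backup_location": "local", "antivirus": False, "user_admin_by": "vendor"},
    {"name": "ahu-controller-1", "ip": "10.20.0.15", "os": "Embedded Linux",
     "last_patch": "2023-09-01", "accounts": ["fm_jsmith", "vendor_acme"],
     "backup_location": "offsite", "antivirus": True, "user_admin_by": "facility"},
]

def audit_asset(asset, today):
    """Return the findings for one asset, mirroring the audit items in the text."""
    findings = []
    addr = ipaddress.ip_address(asset["ip"])
    if not any(addr in net for net in RFC1918):
        findings.append("public IP")
    if asset["os"] in EOL_OS:
        findings.append("end-of-life OS")
    age = (today - date.fromisoformat(asset["last_patch"])).days
    if age > PATCH_MAX_AGE_DAYS:
        findings.append(f"patching stale ({age} days)")
    if GENERIC_ACCOUNTS & {a.lower() for a in asset["accounts"]}:
        findings.append("shared/generic account")
    if asset["backup_location"] == "local":
        findings.append("backups stored locally on the front end")
    if not asset["antivirus"]:
        findings.append("no antivirus")
    if asset["user_admin_by"] == "vendor":
        findings.append("vendor controls user administration")
    return findings

def audit(inventory, as_of):
    """Map each asset name to its findings as of an ISO date; [] means nothing flagged."""
    today = date.fromisoformat(as_of)
    return {a["name"]: audit_asset(a, today) for a in inventory}

if __name__ == "__main__":
    for name, found in audit(INVENTORY, date.today().isoformat()).items():
        print(f"{name}: {', '.join(found) or 'no findings'}")
```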
Fred Gordy (firstname.lastname@example.org) is director of cyber security, building and facility control systems for Intelligent Buildings LLC. His portfolio includes projects on military bases, Internet data centers, national retail chains, an international media company, REITs, and research labs.