Operation of BMS from a cybersecurity perspective

When operating a building management system (BMS) we have to comply with a number of security rules. Since 2024 these have been joined by new principles concerning cybersecurity. Even though the cybersecurity of a building management system must be addressed long before operation starts, the entity that ultimately carries the responsibility and bears the impact of every problem is the operator. The formal side is covered by the NIS2 directive, or more precisely by the national Cybersecurity Act that transposes it. The practical issues discussed in this text should always be read in the context of the organization's overall security policy, i.e. internal guidelines, operating rules and so on.

The work of the operator, or of the company operating the control system, begins when the building or technology is taken over from the supplier, the previous owner or the previous operating company. The operator must first obtain the following information and process it so that it stays available, i.e. store it in paper and/or digital form and make sure it is backed up:

Contacts for the BMS supplier

Name and address of the supplier company; names, telephone numbers and e-mail addresses of the contact persons. Include a contact for the service department, since after-warranty care may be provided by a different department than the one that commissioned the system.

Documentation of the actual implementation 

Obtain it as soon as possible after handover and, if possible, directly from the supplier. If the documentation is delivered by the general contractor or by the supplier of the superior system, the as-built documentation may be incomplete or out of date. It is always advisable to verify that the documents are current with the company that put the control system into operation.

Physical accessibility of devices

Key management and physical protection of parts of the control system: switchboards (especially those containing larger control elements), cable routes, and also some peripherals, especially those that have their own user interface for configuration, i.e. a display and buttons (frequency converters, PV inverters, etc.).

  • Servers should be installed in a suitable environment (server room, rack).
  • The same applies to other active and passive network elements: routers, switches, bridges, etc. This is especially important for wireless links installed on the roof (for line of sight to the other end), where it must be ensured that unauthorized persons cannot reach them.
  • If possible, block unused computer peripherals (optical drives, card readers, USB ports, etc.).
  • Use a UPS with enough capacity to bridge short power outages.

Working with SCADA - the computer 

Basically these are the common rules for safe work with a personal computer, agreed in cooperation with the local IT department.

  • Use the administrator account only for configuration and installation of programs, not for normal operation.
  • Uninstall unnecessary programs and do not use the computer for any other purpose.
  • Update the operating system regularly where possible (this requires Internet access).
  • If IIS is used (Merbon SCADA), use the secure protocol (https://), which among other things means creating and deploying a TLS (SSL) certificate in cooperation with IT.
  • Regularly review the user accounts of the operating system, the SCADA program and any other software (check whether accounts still exist for users who are no longer employed, etc.).
  • If the customer's IT policy allows it, enforce password changes over time.
  • Enforce appropriate password complexity and length in the SCADA.
  • Back up the project, including historical data and logs, regularly and automatically, and check that the backups can actually be restored.
  • Store passwords and other login data only in programs designed for this purpose (KeePass, etc.).
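The account review and password-policy points above can be turned into a repeatable check. The following script is an added example written for this page; it is not code from the original page, from Merbon SCADA or from Windows. It reconciles exported account lists (operating system and SCADA) against the current staff list, flags accounts of people who have left, dormant accounts and shared accounts without an owner, and checks candidate passwords against a length and character-class policy. The account records, the staff list, the review date and the policy thresholds are constructed assumptions; in practice export the accounts from the operating system and the SCADA user management and take the staff list from HR.

```python
"""Review SCADA and operating-system user accounts against the current staff list.

Added example, not part of the original page and not Merbon SCADA or Windows code.
The account records and the staff list below are constructed by hand.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass
class Account:
    username: str
    source: str                 # "os" or "scada"
    owner: str                  # person who owns the account, "" for shared/service accounts
    enabled: bool
    last_login: Optional[date]  # None = never logged in


def review_accounts(accounts: List[Account], current_staff: List[str],
                    today: date, dormant_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (username, source, reason) for every enabled account that needs action."""
    staff = {name.casefold() for name in current_staff}
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already disabled, nothing to do
        if a.owner == "":
            findings.append((a.username, a.source,
                             "shared or service account, confirm it is still needed and who owns it"))
        elif a.owner.casefold() not in staff:
            findings.append((a.username, a.source, "owner is no longer employed, disable"))
        if a.last_login is None or (today - a.last_login).days > dormant_days:
            findings.append((a.username, a.source,
                             f"no login in the last {dormant_days} days, disable or justify"))
    return findings


def password_meets_policy(password: str, min_len: int = 12, min_classes: int = 3) -> bool:
    """Length plus character-class check; the thresholds are an assumption for the example."""
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")
    present = sum(1 for pattern in classes if re.search(pattern, password))
    return len(password) >= min_len and present >= min_classes


# Constructed sample data for a review run on 2025-01-15.
TODAY = date(2025, 1, 15)
CURRENT_STAFF = ["Jan Novák", "Petra Králová"]
SAMPLE_ACCOUNTS = [
    Account("jnovak", "os", "Jan Novák", True, TODAY - timedelta(days=5)),
    Account("pkralova", "scada", "Petra Králová", True, TODAY - timedelta(days=200)),
    Account("mdvorak", "scada", "Martin Dvořák", True, TODAY - timedelta(days=10)),
    Account("service", "os", "", True, TODAY - timedelta(days=3)),
    Account("tmp_commissioning", "os", "Supplier Tech", False, None),
]

if __name__ == "__main__":
    for username, source, reason in review_accounts(SAMPLE_ACCOUNTS, CURRENT_STAFF, TODAY):
        print(f"[{source}] {username}: {reason}")
    for candidate in ("Spring2024!", "abcdefghijklmnop", "correct-horse-battery-9"):
        print(f"{candidate!r} meets policy: {password_meets_policy(candidate)}")
```

Run it after each export; the three findings on the sample data (a dormant account, a leaver's account and an unowned service account) are exactly the cases the review is meant to catch, while the already disabled commissioning account is skipped.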

Accessibility of devices over the Internet

An extension of the previous point for the case where the system is reachable over the Internet for operation or service.

  • Ideally operate the control system in a separate network, isolated from the rest of the IT infrastructure.
  • If the visualization is to be reachable from the Internet, ideally place the PC in a demilitarized zone (DMZ), in cooperation with the IT department.
  • Handle remote access primarily via VPN; do not simply leave an open port for remote desktop (RDP) or similar services (VNC).
  • Regularly review the remote access options (open ports, VPN accounts).
  • Allow access only from specific public IP addresses (for remote service).
  • If web access to the PLC is used, do not use the default usernames and passwords (they have to be set during programming) and use https:// access (TLS/SSL certificates in cooperation with the owner of the domain through which access will be provided).
  • Is a mobile phone application used for control? If so, establish internal company rules for its use.
  • Does the BMS supplier use remote access for service? If so, back this relationship with a written contract that specifies the technical standards and the obligations of each party.
  • If a VPN is used, back up its configuration, certificates and access data.
  • Do not connect other devices with their own Internet connectivity (LTE routers, etc.) to the technology network without the IT administrator's knowledge!
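The regular review of open ports and remote-access rules described above is easier when it is scripted against the exported rule set. The following is an added example for this page, not code from the original page or from any router vendor: it takes firewall rules in a simple vendor-neutral form (rule name, protocol, destination port, source network, action), ignores LAN-to-LAN rules, accepts the VPN listener as the intended entry point, and flags RDP, VNC, SSH, FTP, Telnet, plain HTTP and the common building protocols when they are opened to the Internet, as well as any other port not restricted to the service company's address block. The sample rules, the service allowlist (a TEST-NET block) and the port lists are constructed assumptions.

```python
"""Review the rules that let traffic from the Internet into the technology network.

Added example, not part of the original page. The rule table is a constructed,
vendor-neutral form of what a router or firewall exports; the service company's
address block and the port lists are assumptions for the example.
"""
import ipaddress
from typing import List, NamedTuple, Tuple


class Rule(NamedTuple):
    name: str
    proto: str    # "tcp", "udp" or "any"
    port: int     # destination port, 0 = any port
    source: str   # source network the rule matches, CIDR notation
    action: str   # "allow" or "deny"


PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Services that should only ever be reached through the VPN, never on an open port.
NEVER_EXPOSE = {3389: "RDP", 5900: "VNC", 22: "SSH", 21: "FTP", 23: "Telnet",
                80: "plain HTTP", 502: "Modbus/TCP", 47808: "BACnet/IP"}

# The VPN listener itself is the intended entry point from the Internet.
VPN_PORTS = {1194, 500, 4500, 51820}

# Public addresses the service contract says remote service comes from (assumed).
SERVICE_ALLOWLIST = [ipaddress.ip_network("203.0.113.0/29")]


def _within(net, candidates) -> bool:
    """True if net lies entirely inside one of the candidate networks (same IP version)."""
    return any(net.version == c.version and net.subnet_of(c) for c in candidates)


def review_rules(rules: List[Rule], allowlist=SERVICE_ALLOWLIST) -> List[Tuple[str, str, str]]:
    """Return (rule name, severity, message) for allow rules that expose too much."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        net = ipaddress.ip_network(r.source, strict=False)
        if _within(net, PRIVATE_NETS):
            continue  # LAN-to-LAN rule, outside the scope of an Internet exposure review
        from_service = _within(net, allowlist)
        if r.port == 0:
            findings.append((r.name, "high", f"all ports open to {r.source}; replace with explicit rules"))
        elif r.port in VPN_PORTS:
            continue  # VPN entry point, acceptable; optionally restrict it to the allowlist too
        elif r.port in NEVER_EXPOSE:
            service = NEVER_EXPOSE[r.port]
            if from_service:
                findings.append((r.name, "medium",
                                 f"{service} reachable from the service addresses; move it behind the VPN"))
            else:
                findings.append((r.name, "high",
                                 f"{service} open to {r.source}; close the port and use the VPN"))
        elif not from_service:
            findings.append((r.name, "medium",
                             f"port {r.port}/{r.proto} open to {r.source}, not restricted to the service allowlist"))
    return findings


# Constructed rule set, as exported from a site router.
SAMPLE_RULES = [
    Rule("vpn-in", "udp", 1194, "0.0.0.0/0", "allow"),
    Rule("rdp-any", "tcp", 3389, "0.0.0.0/0", "allow"),
    Rule("vnc-service", "tcp", 5900, "203.0.113.4/32", "allow"),
    Rule("https-scada", "tcp", 443, "198.51.100.0/24", "allow"),
    Rule("lan-modbus", "tcp", 502, "192.168.10.0/24", "allow"),
    Rule("drop-rest", "any", 0, "0.0.0.0/0", "deny"),
]

if __name__ == "__main__":
    for name, severity, message in review_rules(SAMPLE_RULES):
        print(f"{severity:6} {name}: {message}")
```

On the sample rules the open RDP port is rated high, while VNC restricted to the service addresses and HTTPS opened to a non-allowlisted block are rated medium; the VPN listener and the LAN Modbus rule produce no finding. Rules for the same port in IPv6 are skipped by the version check rather than misclassified, so review any IPv6 rules separately.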

Setting up PLCs and other components (converters, interfaces) 

Usually done in cooperation with the technician who puts the device into operation, and then regularly during periodic service inspections.

  • For standard network devices such as routers, wireless links, etc., change the default password to a sufficiently strong one and store it safely.
  • During commissioning, have the default passwords in the PLC or terminal changed and store the new ones safely. This applies to the passwords for SSCP, web access and user access to terminals.
  • Do not leave terminal access (SSH), FTP access, etc. enabled unnecessarily. Block them after commissioning if the device allows it (software settings, switch, etc.).
  • Do not modify the firewall settings in Linux-based PLCs.
  • Review the HMI user accounts during service inspections.
  • Ensure that the firmware of routers (supplied by the MaR, i.e. measurement and control, contractor) is kept up to date, preferably as a contracted preventive-maintenance service from the MaR supplier.
  • Do not interfere with the application software or the firmware settings in the PLC. Unauthorized intervention voids the warranty.
  • If SSL/TLS certificates are used, ensure their regular renewal and installation in the PLC.

Other and general points

This is mainly about obtaining sufficient resources for cybersecurity: set aside the necessary time, determine the owners of the assets and their responsibilities, and secure funds for hardware and software and for services such as maintenance, training and certification.

More notes on design, programming and operation can be found, for example, at https://www.domat-int.com/en/faq-and-technical-support, section Safety in control systems.