A cybersecurity framework for the world of BAS

How does NIST’s cybersecurity framework apply to Operational Technology?

It’s been five years since the National Institute of Standards and Technology (NIST) released version 1.0 of its Cybersecurity Framework (CSF). A great deal has changed in technology over those years, but the framework remains absolutely critical in our world of growing connectivity.

And yet, I still hear confusion in the building automation world about what this framework means for us. Many buildings are slowly marching forward in that journey to “smart.” Do we really have to worry about cybersecurity?

Well, in a word: yes.

Everyone should be concerned with cybersecurity. And NIST’s framework lays out simple ways that anyone can make their buildings safer and more secure. Regardless of how technologically advanced your devices are, you should have processes and policies in place.

But it can be confusing, coming from a world of low (or no) security. Suddenly you’re going through a crash course on authentication and authorization, but that crash course doesn’t end. Even cybersecurity experts are — and should be — continuously learning about the latest dangers and best practices. It’s a never-ending journey.

So, let’s keep it simple. Let’s walk through the NIST framework and lay out a few ways you can start putting a cybersecurity plan in place today.

1) Identify

The first step in the cybersecurity framework is to identify your assets. That means your devices, their firmware and software versions, your data, any sensitive information, all of it. Know who has access to those assets, and how. How many connections from the outside world are there? Who has access to your building and the devices in it?

Think of it this way: if your house has three doors, but you only have locks on two of them, is your house secure? If you have 1,000 variable air volume (VAV) controllers, and you know that the correct software is on 999 of them, could that last VAV’s software have a vulnerability? Could it contain malware? You cannot answer that for a device you do not know about.

A big first step would be to begin building a device list. It might be a long process, but figure out what devices are where in your building, and continue updating it as you add new devices.

2) Protect

Now, how do you protect those assets? The easiest first move is to lock everything down with a username and password: change every default credential, give each device and each person their own login rather than one shared password, use passwords that aren’t easy to guess, and change them whenever someone leaves or you suspect a compromise. A great additional step would be to put the building network behind a firewall, separated from the corporate and guest networks, and to install anomaly detection software.

There’s also the element of physical security that not everyone thinks of: locking cabinet doors, disabling unused switch ports, and fencing your power generation engine so no one can unplug the Cat 5 cable and plug in their laptop. We often talk about digital security, but physical security is also a huge issue.

So, what can you do today? Look at your passwords. When was the last time you changed them? How difficult are they to crack? (Hint: if it’s “1234” or “password,” it’s too easy.) And who has access through those passwords? What might happen if an ex-employee accessed your data with a password you hadn’t changed yet?
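As an added example (not from the original article) of the password review this section asks for, the script below audits a list of device accounts for exactly those problems: default or guessable passwords, one password shared across many devices, accounts that still belong to people who have left, and passwords older than a policy threshold. The account records, the departed-staff list, the field names and the 365-day threshold are all constructed assumptions; in a real run the records would come from your credential vault, not from a spreadsheet, and a script like this would never leave plaintext passwords on disk.

```python
"""Credential hygiene audit for BAS device accounts (added example).

Flags common/default passwords, passwords shared across devices,
accounts belonging to departed staff, and passwords older than policy.
All records below are constructed sample data, not real credentials.
"""
from collections import Counter
from datetime import date

# Assumed deny list: passwords too weak to be allowed on any device.
COMMON_PASSWORDS = {"1234", "12345", "password", "admin", "default", ""}
DEPARTED_STAFF = {"jdoe"}      # constructed: usernames of former employees
MAX_AGE_DAYS = 365             # assumed policy threshold, adjust to taste
TODAY = date(2019, 9, 1)       # fixed date so the example is reproducible

# Constructed sample accounts (field names are an assumed convention).
ACCOUNTS = [
    {"device": "AHU-1",   "user": "admin", "password": "1234",
     "last_reset": date(2017, 3, 1)},
    {"device": "AHU-2",   "user": "admin", "password": "Tr0ub4dor&3",
     "last_reset": date(2019, 1, 15)},
    {"device": "VAV-101", "user": "jdoe",  "password": "Wint3r!BAS",
     "last_reset": date(2018, 6, 1)},
    {"device": "VAV-102", "user": "tech",  "password": "Wint3r!BAS",
     "last_reset": date(2018, 6, 1)},
    {"device": "VAV-103", "user": "tech",  "password": "Wint3r!BAS",
     "last_reset": date(2018, 6, 1)},
]


def audit(accounts, today, departed=DEPARTED_STAFF, max_age_days=MAX_AGE_DAYS):
    """Return a list of (device, user, issue) findings for the given accounts."""
    # A password that appears on more than one device is a shared password:
    # one leaked credential then opens every device that uses it.
    counts = Counter(a["password"] for a in accounts)
    shared = {pw for pw, n in counts.items() if n > 1}

    findings = []
    for a in accounts:
        dev, user = a["device"], a["user"]
        if a["password"].lower() in COMMON_PASSWORDS:
            findings.append((dev, user, "common/default password"))
        if a["password"] in shared:
            findings.append((dev, user, "password shared across devices"))
        if user in departed:
            findings.append((dev, user, "account belongs to departed employee"))
        if (today - a["last_reset"]).days > max_age_days:
            findings.append((dev, user, "password older than policy"))
    return findings


if __name__ == "__main__":
    for device, user, issue in audit(ACCOUNTS, TODAY):
        print(f"{device:8} {user:6} {issue}")
```

Run it and every line of output is a concrete task for today: change the default on AHU-1, retire jdoe’s account, and stop reusing one password across the VAV controllers.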

3) Detect

Say you know you have 1,000 devices, and you’ve set tough passwords on every single one of them. How would you know if someone cracked the password? How would you know if a rogue device came onto the system? How would you find out that one employee with malware on their laptop accidentally added it to your system?

This is the issue of detection. Virus scanners on your workstations and servers are a great way to find out if malicious software has leached into your system (the controllers themselves usually can’t run one, which is why the network around them has to be watched). Review your log files on a regular schedule and see who has had access. Do a discovery scan every once in a while and make sure the devices you find match your inventory, no more and no fewer. If your Internet usage averages 10MB a month and you see a spike to 30MB, then something’s not right. You need to familiarize yourself with your building’s baseline, so you can spot the anomalies.

Start by setting up virus scanners and checking your logs. Create a routine that you can follow on a regular basis, and get a feeling for what’s “normal” in your building.
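The device list from the Identify section and the “does the scan still match the inventory?” and “is this month’s traffic normal?” checks from this section come together in the script below. It is an added example, not code from the original article: it reconciles a known inventory against a fresh discovery sweep (flagging devices that vanished, devices nobody listed, and devices whose recorded details changed) and then tests a monthly traffic figure against a baseline built from earlier months. The device records, MAC addresses, instance numbers and traffic figures are constructed sample data; in practice the scan column would be filled from a BACnet Who-Is sweep or your network management tool, and the inventory from the list you started building under Identify.

```python
"""Inventory reconciliation and traffic baseline check (added example).

Compares a known BAS device inventory with a discovery scan and flags
missing, unknown and changed devices; then checks one month's traffic
against the average of previous months. All data here is constructed.
"""
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Device:
    instance: int    # assumed: BACnet device instance number
    mac: str         # assumed: the stable key we track devices by
    vendor: str
    firmware: str


# Constructed inventory: what we believe is on the network.
INVENTORY = [
    Device(1001, "00:1a:2b:00:00:01", "Acme", "2.3.1"),
    Device(1002, "00:1a:2b:00:00:02", "Acme", "2.3.1"),
    Device(1003, "00:1a:2b:00:00:03", "Acme", "2.2.9"),
]

# Constructed scan result: what a discovery sweep actually found.
# 1002's firmware has changed, 1003 is gone, and 4242 was never listed.
SCAN = [
    Device(1001, "00:1a:2b:00:00:01", "Acme", "2.3.1"),
    Device(1002, "00:1a:2b:00:00:02", "Acme", "1.9.0"),
    Device(4242, "de:ad:be:ef:00:01", "Unknown", "?"),
]


def reconcile(inventory, scan):
    """Return MACs that are missing from the scan, unknown to the inventory,
    or present in both but with different recorded details."""
    known = {d.mac: d for d in inventory}
    seen = {d.mac: d for d in scan}
    missing = sorted(known.keys() - seen.keys())
    unknown = sorted(seen.keys() - known.keys())
    changed = sorted(m for m in known.keys() & seen.keys() if known[m] != seen[m])
    return {"missing": missing, "unknown": unknown, "changed": changed}


def is_anomalous(history_mb, current_mb, factor=2.0, min_delta_mb=5.0):
    """True if current usage is more than `factor` times the historical mean
    AND exceeds it by at least `min_delta_mb`, so a tiny baseline does not
    trip on noise. Thresholds are assumed; tune them to your building."""
    baseline = mean(history_mb)
    return current_mb > baseline * factor and (current_mb - baseline) >= min_delta_mb


if __name__ == "__main__":
    report = reconcile(INVENTORY, SCAN)
    for kind, macs in report.items():
        for mac in macs:
            print(f"{kind:8} {mac}")
    # The article's own numbers: ~10MB a month, then a 30MB month.
    months = [9, 11, 10, 10, 10]
    for current in (12, 30):
        print(f"{current}MB this month: {'ANOMALY' if is_anomalous(months, current) else 'normal'}")
```

An unknown MAC is the “rogue device” question answered; a changed firmware string on a controller nobody touched is worth a phone call; and the traffic check is the simplest possible version of the baseline the section describes, which you can later replace with per-device counters from your switches.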

4) Respond

The first three pieces of the framework are closely associated with technology. These final two are focused around processes and policies.

If you have suffered a cyberattack, how do you respond? What steps do you take if you find out that you were compromised? In many organizations, there’s a policy that if an employee gets hacked, they won’t be penalized. They just need to tell their superiors so the organization can deal with it.

So, figure out what your policies are, and make them clear to your employees. If they accidentally downloaded a virus, what should they do? Who should they tell? Should they reset? Should they immediately power down, or unplug the machine from the network and keep it quarantined? (For most incidents, disconnecting from the network while leaving the machine powered on is the better default: a shutdown destroys evidence in memory that you may need to understand what happened.)

5) Recover

Finally, how do you recover from a cyberattack? Well, one best practice is to keep critical data and information backed up, locally or in the cloud, with at least one copy that an attacker on your network can’t reach, and to test that you can actually restore from it. In the worst-case scenario, you can always chuck the devices and start over. And if you’re fully backed up, you might suffer only minimal downtime.

Now, I know there is still some apprehension in the industry when the “cloud” comes up. But let me explain why I advise keeping records in the cloud: it’s likely more secure than whatever else you might operate. Unless your security operations are on the level of Google, the GSA, or some other organization with a robust digital security plan, you’re probably better off hosting your information on AWS, Google, or Microsoft. These companies are built for that. What they don’t do for you is manage your side: who can log in, whether that login needs a second factor, and who keeps access after they leave are still your job.

By hosting in the cloud, you have access to all these security experts and best practices, and the infrastructure to protect your assets is much stronger. So ditch the Post-Its and locally saved spreadsheets. If your computer is compromised, those spreadsheets won’t do you any good. And if you think Post-Its are secure, consider famed hacker Kevin Mitnick’s history of dumpster diving to intercept information.

Figure out what critical information you need to continue operating with minimal to no downtime. How are your devices programmed? What are their schedules? Who needs to have access to them? Keep a record of anything you can, and back up the information.

NIST’s framework is a way for us to think through the different aspects of security. Every organization will be different, but the important thing is to not look at the framework linearly. This framework is continuous, and each “step” functions in parallel with the others.

Cybersecurity is often framed as this big, scary prospect, and it means a lot of people don’t even want to begin starting on the path. It is something that should be taken seriously, but it needn’t intimidate. If you want to get started, write down one idea for each of these items. Just find the one thing in this framework that you can do today, and do it.

Article originally published on Automated Buildings
