Count your assets before they’re hacked

NIST cybersecurity framework for building automation and asset management

There was a simpler time, not so long ago, when no one really had to worry about securing their operational technology (OT) devices; a time when you could enjoy all the benefits of connectivity and remote access, without the ‘muss and fuss’ of secure passwords or firewalls.

Those days are gone. As Fred Gordy so powerfully writes for FacilitiesNet, “Devices are now in the hacker’s crosshairs.” If that isn’t on your radar, you’re already behind.

I recently wrote about understanding cybersecurity in the context of building automation systems. Cybersecurity can seem overwhelming, but the National Institute of Standards and Technology (NIST) framework is a fantastic way to break down key security elements.


Of course, each piece in this framework is significant. They all contribute to a safer cybersecurity environment.

But there’s one that I really want to highlight for you: it’s identifying and tracking your assets.

Why asset management?

Asset management is one of the biggest tasks for cybersecurity. At the end of the day, you can set up all the passwords and firewalls and virus scanners you want. But if you don’t know what’s on your network, you can’t protect it. It’s as simple as that.

Yet so many people I talk to are at a total loss as to how to manage their assets. They have out-of-date spreadsheets that no one’s in charge of maintaining. They don’t know how many devices are on their network. And they don’t know where to begin with creating a system to keep track of it all.

How should you start?

You’ll almost certainly go through some trial and error to find a workflow that suits your organization. It won’t happen overnight. The right system is really dependent on the size of your network, criticality of services, how closely the IT and OT departments work together, and so many other factors.  

As one example, Princeton University manages devices through a process to assign IP addresses. Anyone who wants to install a new device has to fill out a form and submit it to the central IT organization. This form specifies what the device is, where it will be located, and other pertinent details. From there the central IT organization assigns the IP address, sets up VLANs, and does whatever else is necessary to get the device up and running. Learn more about how Princeton manages devices and IP addresses.

That’s an excellent way to empower everyone to take part in managing assets without it becoming a scattered array of spreadsheets and out-of-date lists. For your organization, it might look different. Maybe you have asset management software that everyone collaborates on, or a spreadsheet that one person owns. The important thing is to start developing an asset management process.
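As an added example (not from the original article, and not Princeton's actual tooling), here is one way to check a device register, such as the one an IP request form produces, against what is actually seen on the network. The column names, addresses and one-year staleness threshold are constructed for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample register, as it might be exported from an IP request form.
REGISTER_CSV = """ip,mac,device,location,owner,last_verified
10.20.1.10,00:11:22:aa:bb:01,AHU controller,Mech room 1,facilities,2024-01-15
10.20.1.11,00:11:22:aa:bb:02,Chiller panel,Roof,facilities,2021-03-02
10.20.1.12,00:11:22:aa:bb:03,Lighting gateway,Floor 2,electrical,2024-02-20
"""

# Constructed sample of hosts observed on the OT VLAN (e.g. a switch ARP table export).
OBSERVED = [
    ("10.20.1.10", "00:11:22:AA:BB:01"),  # matches the register
    ("10.20.1.11", "00:11:22:aa:bb:99"),  # registered IP, different hardware
    ("10.20.1.50", "00:11:22:aa:bb:50"),  # never registered
]


def reconcile(register_csv, observed, today, max_age_days=365):
    """Compare the asset register with observed hosts and list every discrepancy."""
    register = {row["ip"]: row for row in csv.DictReader(io.StringIO(register_csv))}
    seen = {ip: mac.lower() for ip, mac in observed}
    report = {"unregistered": [], "mac_mismatch": [], "not_seen": [], "stale": []}

    for ip, mac in seen.items():
        if ip not in register:
            report["unregistered"].append(ip)   # on the network, not in the register
        elif register[ip]["mac"].lower() != mac:
            report["mac_mismatch"].append(ip)   # device swapped or address reused

    for ip, row in register.items():
        if ip not in seen:
            report["not_seen"].append(ip)       # registered but absent: removed or offline?
        age_days = (today - date.fromisoformat(row["last_verified"])).days
        if age_days > max_age_days:
            report["stale"].append(ip)          # nobody has confirmed this record recently

    for ips in report.values():
        ips.sort()
    return report


if __name__ == "__main__":
    # Fixed date so the constructed sample gives the same result on every run.
    for finding, ips in reconcile(REGISTER_CSV, OBSERVED, date(2024, 6, 1)).items():
        print(f"{finding}: {ips}")
```

Each non-empty list is a follow-up task for whoever owns the register: register the unknown device, correct the record, or retire the entry.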


I know, asset management is a behemoth of a project. (That’s why so many people don’t do it!) Even so, getting a handle on your assets is worth it. Of course, asset management will help make your team more efficient: you can manage maintenance schedules and budgets, or find and troubleshoot devices much faster. But cybersecurity should be your biggest motivator to dust off your device lists.

I urge you to ask yourself: do you know about every piece of hardware and software on your network? Do you have an up-to-date record of all those assets? And do you know who has access to them, physically or remotely? If you can’t answer those questions, today’s the day to start changing that.


Originally published on Automated Buildings
