You Can’t Protect What You Can’t See

There was a time when no one really had to worry about securing their operational technology (OT) devices. You could enjoy all the benefits of connectivity and remote access without the "hassle" of secure passwords or firewalls. 

Those days are gone. As Fred Gordy writes for FacilitiesNet, “Devices are now in the hacker’s crosshairs.” If that isn’t on your radar, you’re already behind.

There are several high-profile examples of cyberattacks on OT networks:

  1. Target (2013): Hackers accessed Target’s network via a compromised HVAC vendor’s OT system, stealing millions of customer credit card details.
  2. Colonial Pipeline (2021): A ransomware attack disrupted fuel supplies in the U.S., highlighting vulnerabilities in critical OT systems.
  3. Norsk Hydro (2019): A ransomware attack designed to spread from the IT to the OT network forced the aluminum producer to switch to manual operations, costing millions.

OT Networks Are Ripe for Exploitation

OT networks were never designed to be part of larger IT networks. While many modern devices are becoming more robust and resilient to the larger interconnected environment, OT networks remain the weakest link in a company’s network for several reasons:

  • Legacy Systems: Many OT systems were designed before cybersecurity was a priority and lack basic security controls.
  • Limited Updates: OT devices often run outdated software, making them susceptible to known exploits.
  • Increased Connectivity: Integration with IT networks and IoT devices expands the attack surface.
  • Lack of Monitoring: Inadequate visibility into network activity can delay the detection of threats.
  • Human Error: Most BACnet systems are commissioned manually, so misconfigurations are common and each one is a potential vulnerability.

We recently wrote about understanding cybersecurity in the context of building automation systems. Cybersecurity can seem overwhelming, but the National Institute of Standards and Technology (NIST) framework is a fantastic way to break down key security elements.

NIST cybersecurity framework for building automation and asset management

Of course, each piece in this framework is significant. They all contribute to a safer cybersecurity environment.

But there’s one that I really want to highlight for you: it’s identifying and tracking your assets.

Why Asset Management?

Asset management is one of the biggest tasks for cybersecurity. At the end of the day, you can set up all the passwords and firewalls and virus scanners you want. But if you don’t know what’s on your network, you can’t protect it. It’s as simple as that.

Yet so many people I talk to are at a total loss as to how to manage their assets. They have out-of-date spreadsheets that no one is in charge of maintaining. They don't know how many devices are on their network. And they don't know where to begin with creating a system to keep track of it all.

How Should You Start?

You'll almost certainly go through some trial and error to find a workflow that suits your organization. It won't happen overnight. The right system depends on the size of your network, the criticality of the services it supports, how closely the IT and OT departments work together, and many other factors.

As one example, Princeton University manages devices through a process to assign IP addresses. Anyone who wants to install a new device has to fill out a form and submit it to the central IT organization. This form specifies what the device is, where it will be located, and other pertinent details. From there the central IT organization assigns the IP address, sets up VLANs, and does whatever else is necessary to get the device up and running. Learn more about how Princeton manages devices and IP addresses.

That's an excellent way to empower everyone to take part in managing assets without it turning into a scattered array of spreadsheets and out-of-date lists. For your organization, it might look different. Maybe you have asset management software that everyone collaborates on, or a spreadsheet that one person owns. The important thing is to start developing an asset management process.
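As an added illustration (not code from the original article, Optigo, or Princeton): a small Python check that compares the asset register a form-based process produces with what is actually answering on the network, flagging devices nobody registered, registered devices that have gone quiet, BACnet device instances that no longer match, and entries nobody has re-verified recently. The register fields, the sample addresses and the 180-day threshold are assumptions.

```python
"""Reconcile a declared OT asset register against devices seen on the network.

Hypothetical helper, not Optigo or Princeton code. The register holds what a
device-request form captures; OBSERVED stands in for a Who-Is sweep or ARP
table. All data below is constructed.
"""
from dataclasses import dataclass
from datetime import date

STALE_AFTER_DAYS = 180         # entries not re-verified in this long need review
DEMO_TODAY = date(2024, 6, 1)  # fixed "today" so the sample run is repeatable

@dataclass(frozen=True)
class Asset:
    ip: str
    device_instance: int       # BACnet Device object instance
    description: str
    location: str
    owner: str                 # who is accountable for (and has access to) it
    last_verified: date

REGISTER = [  # constructed sample register
    Asset("10.20.1.10", 1001, "AHU-1 controller", "Bldg A mech room", "facilities", date(2024, 3, 1)),
    Asset("10.20.1.11", 1002, "VAV controller", "Bldg A floor 2", "facilities", date(2023, 1, 15)),
    Asset("10.20.1.20", 1050, "Chiller gateway", "Bldg B plant", "hvac-vendor", date(2024, 5, 20)),
]

OBSERVED = {  # constructed: ip -> device instance that answered on the wire
    "10.20.1.10": 1001,
    "10.20.1.11": 1003,        # instance differs from the register entry
    "10.20.1.99": 7777,        # no form was ever filed for this one
}

def reconcile(register, observed, today=None, stale_after=STALE_AFTER_DAYS):
    """Return sorted IP lists: unknown, missing, mismatched, and stale."""
    today = today or date.today()
    by_ip = {a.ip: a for a in register}
    return {
        "unknown": sorted(ip for ip in observed if ip not in by_ip),
        "missing": sorted(ip for ip in by_ip if ip not in observed),
        "mismatched": sorted(ip for ip, inst in observed.items()
                             if ip in by_ip and by_ip[ip].device_instance != inst),
        "stale": sorted(a.ip for a in register
                        if (today - a.last_verified).days > stale_after),
    }

if __name__ == "__main__":
    for category, ips in reconcile(REGISTER, OBSERVED, DEMO_TODAY).items():
        print(f"{category:<10} {ips}")
```

Each finding maps to a question the process has to answer: who owns the unknown device, why the missing one stopped responding, and who re-commissioned the mismatched one.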

I know, asset management is a behemoth of a project. (That’s why so many people don’t do it!) Even so, getting a handle on your assets is worth it. Of course, asset management will help make your team more efficient: you can manage maintenance schedules and budgets, or find and troubleshoot devices much faster. But cybersecurity should be your biggest motivator to dust off your device lists.

I urge you to ask yourself: do you know about every piece of hardware and software on your network? Do you have an up-to-date record of all those assets? And do you know who has access to them, physically or remotely? If you can’t answer those questions, today’s the day to start changing that.


Originally published on Automated Buildings
