What Is OT Security for Facilities Teams
7 Jan 2026, 3:21 am GMT
Facility management teams are learning about Operational Technology (OT) security now more than ever. If you're responsible for managing buildings, HVAC systems, access control systems, lighting systems, or energy systems, you're not only responsible for keeping these assets functioning; you're also responsible for protecting them from cyber threats. Due to the increased connectivity and intelligence of buildings, OT sits at the crossroads between physical operations and cybersecurity.
OT Security vs. IT Security: Understanding the Distinction
IT security focuses on protecting information assets such as email messages, financial records, cloud-based applications, and devices used by employees. OT security is entirely different: it protects systems, such as SCADA systems, that control real-world processes. These may include HVAC systems, Building Management Systems (BMS), elevators, badge readers, and Industrial Control Systems (ICS).
IT systems can usually be taken offline for maintenance. The opposite is true of OT systems; if they are down, the building can be too warm, doors can be locked, and production can stop. OT security emphasizes safety, availability and security against breaches and misuse.
The networks of many OT and IT environments are converging thanks to the internet and smartphones. While some of this is beneficial from an efficiency perspective, the exposure risk is great.
Many building systems are within reach of cybercriminals because they use legacy protocols, run firmware that has not been patched, or still use default credentials. For facility management systems that include web-based interfaces, applying careful link settings like the rel="noopener noreferrer" attribute can help limit the exposure to attacks when users access external resources from within critical building control dashboards.
A compromised HVAC controller can give an attacker an avenue into the entire network, creating havoc in very visible ways. For critical environments including hospitals, data centers and campuses, this risk of exposure is no longer theoretical. Segmentation of OT networks is considered one of the key principles of securing them.
HVAC systems, lighting, access control systems, and similar equipment should not be in the same flat network as corporate laptops or guest Wi-Fi. Segmentation limits how much damage an attacker can do.
If an attacker can compromise a smart thermostat or smart building controller, they will go on to attack finance systems or sensitive data in the same environment. A facilities team will usually work closely with the IT team to define secure remote connections and zones with proper firewalling and maintenance capabilities, while limiting the potential exposure.
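One way to check that a segmentation plan is actually being followed is to compare observed traffic against the approved paths between zones. The sketch below is an added example, not part of the original article; the zone names, subnets, conduit list and flow records are all constructed assumptions.

```python
import ipaddress

# Constructed zone plan; every subnet and zone name here is an assumption.
ZONES = {
    "ot-hvac": ipaddress.ip_network("10.20.1.0/24"),
    "ot-access": ipaddress.ip_network("10.20.2.0/24"),
    "ot-dmz": ipaddress.ip_network("10.20.250.0/24"),
    "corporate": ipaddress.ip_network("10.10.0.0/16"),
    "guest": ipaddress.ip_network("192.168.50.0/24"),
}

# Approved paths between zones: (source zone, destination zone, destination port).
CONDUITS = {
    ("corporate", "ot-dmz", 443),   # staff reach a jump host, never a controller
    ("ot-dmz", "ot-hvac", 47808),   # jump host speaks BACnet/IP to HVAC controllers
    ("ot-dmz", "ot-access", 443),   # jump host manages door controllers
}

def zone_of(ip):
    """Return the zone whose subnet contains ip, or 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def audit(flows):
    """Return every flow that crosses a zone boundary without an approved conduit."""
    violations = []
    for src, dst, port in flows:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if src_zone == dst_zone != "unknown":
            continue  # traffic inside one zone is out of scope for this check
        if (src_zone, dst_zone, port) not in CONDUITS:
            violations.append((src, dst, port, f"{src_zone} -> {dst_zone}"))
    return violations

# Constructed flow records (source IP, destination IP, destination port).
FLOWS = [
    ("10.10.4.17", "10.20.250.5", 443),      # corporate laptop to jump host
    ("10.20.250.5", "10.20.1.30", 47808),    # jump host to HVAC controller
    ("10.20.1.30", "10.20.1.31", 47808),     # controller to controller
    ("192.168.50.23", "10.20.1.30", 47808),  # guest Wi-Fi reaching a controller
    ("10.20.1.30", "10.10.8.2", 445),        # controller reaching a file share
    ("10.10.4.17", "10.20.2.9", 443),        # laptop bypassing the jump host
]

if __name__ == "__main__":
    for src, dst, port, path in audit(FLOWS):
        print(f"VIOLATION {path}: {src} -> {dst}:{port}")
```

The last three flows are reported: each crosses a zone boundary on a path the plan never approved, which is exactly what a flat network would allow silently.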
Continuous Monitoring: You Can’t Protect What You Can’t See
Ensuring you can provide adequate protection for OT environments depends on appropriate means of monitoring. The right tools provide information about normal building protocols, as well as how your staff operates within the parameters of acceptable performance.
By continuing to monitor your OT environment, your facilities team will be able to identify potential risks based on the traffic your OT devices are sending and receiving, unexpected changes to any electronics within the facility, or any command to a technology system that is not a scheduled HVAC command.
The goal here is not to create more alerts for technicians, but rather to gain visibility into what devices are connected, what is considered to be ‘normal’ for those devices, and how best to spot when any device has drifted away from its predetermined normal boundary or setting.
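The baseline idea described above can be sketched in a few lines: learn which peers each device normally talks to and at which hours it receives write commands, then flag only what falls outside that. This is an added example, not part of the original article; the device names, commands and event records are constructed assumptions.

```python
from collections import defaultdict

# Constructed learning-window records: (device, peer, command, hour of day).
BASELINE_EVENTS = [
    ("ahu-1", "bms-server", "read", 2),
    ("ahu-1", "bms-server", "write-setpoint", 6),
    ("ahu-1", "bms-server", "write-setpoint", 18),
    ("badge-3", "access-server", "read", 9),
]

# Constructed records from the monitored period, same layout.
OBSERVED = [
    ("ahu-1", "bms-server", "read", 3),             # reads are normal at any hour
    ("ahu-1", "bms-server", "write-setpoint", 6),   # matches the learned schedule
    ("ahu-1", "bms-server", "write-setpoint", 23),  # write outside the schedule
    ("ahu-1", "203.0.113.40", "read", 14),          # peer never seen before
    ("cam-9", "bms-server", "read", 10),            # device not in the inventory
]

def learn(events):
    """Build per-device sets of known peers and of hours with write commands."""
    peers, write_hours = defaultdict(set), defaultdict(set)
    for device, peer, command, hour in events:
        peers[device].add(peer)
        if command.startswith("write"):
            write_hours[device].add(hour)
    return peers, write_hours

def detect(events, peers, write_hours):
    """Return (device, reason) for each event that drifts from the baseline."""
    alerts = []
    for device, peer, command, hour in events:
        if device not in peers:
            alerts.append((device, "unknown device"))
        elif peer not in peers[device]:
            alerts.append((device, f"new peer {peer}"))
        elif command.startswith("write") and hour not in write_hours[device]:
            alerts.append((device, f"unscheduled {command} at {hour:02d}:00"))
    return alerts

if __name__ == "__main__":
    known_peers, known_hours = learn(BASELINE_EVENTS)
    for device, reason in detect(OBSERVED, known_peers, known_hours):
        print(f"ALERT {device}: {reason}")
```

Five events produce three alerts; routine reads and the scheduled setpoint change stay quiet, which keeps the alert volume tied to drift rather than to activity.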
Frameworks That Guide OT Security in Buildings
You do not have to create a new set of OT security guidelines; you can follow existing frameworks. The two most popular and widely referenced frameworks are:
- IEC 62443: Provides general practice for industrial automation and control systems. It has clear guidelines covering roles, zones, conduits, and risk management.
- NIST 800-82: Provides practical guidance on securing industrial control systems, including building automation systems and energy control systems.
These frameworks do not serve as checklists; they form the basis of playbooks that should be referred to in order to coordinate operations, vendors, and security teams to work toward the same expectations.
OT Security As A Career Path
As buildings become more digital, there is an increasing need for technicians and engineers who combine an understanding of building systems with an appreciation for data protection. Facilities management professionals who have this knowledge base are becoming invaluable as they integrate the different components that make up a building's overall technical infrastructure.
Training programs and resources at RSI will help technicians prepare for this evolution in HVAC work. Understanding OT security will become just as important as tuning a system or troubleshooting a controller.
Endnote
The core of OT security is not to transform a facilities team into specialists in cybersecurity, but to understand that the building systems have become a segment of the larger cyber realm.
Proper segmentation of systems, constant vigilance through ongoing monitoring, and consideration of individual privacy will enable facilities teams to provide comfort, efficiency, and security for the buildings they maintain, while also being mindful of the needs of the people who occupy those buildings.
Pallavi Singal
Editor