Building Management Systems: Context, Collaboration and Organisational Security

posted on 09.01.2020 by Emma Boakes
Physical assets are increasingly connected to organisations’ networks, exposing organisations to the risk of cyber threats that could have a physical impact. There are several instances where this has already happened, and industry reports show that the number of groups interested in targeting such systems, and the number of cyber incidents on physical systems, is increasing.

A Building Management Systems (BMS) is one such connected system. A cyber-attack targeting a BMS could disrupt heating, ventilation or power, or could undermine physical security operations which increasingly rely on internet-enabled devices, such as CCTV cameras and access control. In addition, these systems could be used as a gateway into the organisation’s network if not properly secured.

It is increasingly important to consider a BMS within the context of an organisation’s overall protective security posture. Inclusion of a BMS on an organisation’s network not only increases the attack surface but also places a greater load on security staff, potentially leading to vulnerabilities. Additionally, a BMS spans the boundaries of cyber and physical security, so cyber, personnel and physical security teams need to work together to identify, understand and mitigate vulnerabilities.

This research argues that current guidance fails to address the challenges of integrating cyber, personnel and physical security to protect a BMS. Guidance focuses on securing the attack surface with technological solutions and a ‘defence in depth’ approach but overlooks the impact this will have on staff managing the system. Increased system complexity puts yet more load on staff, further reducing their capacity, which in itself could create further vulnerabilities.
Furthermore, guidance does not adequately address how separate security teams should collaborate to ensure effective solutions are implemented. The formal collaboration between security teams through a converged security approach has, however, been advocated by industry practitioners and the benefits of such an approach have been highlighted. Despite this, there is little evidence for the approach, and little detail about the type or level of convergence required to achieve the specified benefits. Moreover, there is no indication of how organisations might overcome the challenges of adopting such an approach.

This research seeks to explore the context in which a BMS is implemented to inform organisations of the broader system implications around converged security. Initial research explores how separate security teams within organisations collaborate or converge. This presentation will outline the preliminary findings and highlight areas where future research is needed.




Authoriser (e.g. PI/supervisor)