Product Security Glossary

BMS Security

What is BMS security?

BMS security is a set of practices and principles that can help prevent malicious actors from exploiting Building Management Systems.

What is a BMS? 

A BMS is a Building Management System.  A BMS can be either a monitoring system or a controlling system.  Either type will have sensors throughout a building to measure temperature, humidity, power and gas usage, and even lighting.  A monitoring BMS will simply monitor these parameters, and a controlling system will have controllers that will automatically adjust them.  BMS sensor readings can be stored either locally or in the cloud. 

Where would a BMS be used? 

A BMS, with proper BMS security implemented, could be used in any number of places.  In a hotel, home, office building, or school, it can help keep rooms at a comfortable temperature and humidity level.  It can also control lighting, security, and fire alarm systems, and monitor gas, water, and electricity usage.  A BMS can be customized for different applications.  For example, in a school, it could control the Public Address system and automatically ring bells at the appropriate times.  In an industrial setting, it could monitor and control plant equipment to ensure that it’s running properly.  A BMS can also be customized for use in traffic control centers, military installations, hospitals, emergency management centers, and many more places besides. 

Why do we need BMS security? 

BMS security is important for a few different reasons.  If a BMS is designed improperly, an attacker could possibly break in and then move laterally into servers that house sensitive information.  In an industrial setting, an attacker could gain control over the industrial equipment and cause damage or destruction to either property or personnel.  An attacker who can monitor data streams from a home BMS could build a profile of the homeowner’s life and might even affect the homeowner’s ability to control his or her own home. 

How can we improve BMS security? 

There are several ways in which we can improve BMS security.  To begin with, we need to ensure that our systems are properly hardened against attack, such as by ensuring that passwords are changed from their default settings and are strong, avoiding unnecessary network exposure, and staying in line with best practices and standards (such as UL2900-2-2 and IEC 62443).  We need to ensure that permissions are properly set, and that no user has a higher level of permissions than he or she actually needs.  If our systems are running on Linux, we can take advantage of Mandatory Access Control systems, such as AppArmor or SELinux.  We also need to ensure that operating systems are up-to-date, and that security-related patches get applied as soon as possible. 

In commercial settings, or any other setting where we’re dealing with public buildings, we also need to ensure that the BMS is properly isolated from the main network.  If it’s not properly isolated, we have much more than just building security at stake. 
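
As an added illustration (not part of the original glossary entry), the hardening and isolation points above can be written as an automated check over a device inventory.  The subnet, role names, 30-day patch window, field names, and sample controllers are all assumptions constructed for this example.

```python
"""Added example: audit a constructed BMS inventory against the hardening points above."""
from dataclasses import dataclass
from datetime import date
from ipaddress import ip_address, ip_network

# Assumptions (not from the original page): subnet, role names, patch window.
BMS_SUBNET = ip_network("10.50.0.0/24")   # dedicated, isolated BMS segment
ROLE_RANK = {"viewer": 0, "operator": 1, "admin": 2}
MAX_PATCH_AGE_DAYS = 30

@dataclass
class Controller:
    name: str
    ip: str
    default_password: bool   # vendor default credential still active
    internet_exposed: bool   # management interface reachable from outside
    mac_mode: str            # AppArmor/SELinux state, e.g. "enforce" or "disabled"
    last_patched: date
    accounts: dict           # user -> (granted role, role the job actually needs)

def audit(c: Controller, today: date) -> list:
    """Return the list of hardening findings for one controller."""
    findings = []
    if c.default_password:
        findings.append("default-password")
    if c.internet_exposed:
        findings.append("network-exposure")
    if ip_address(c.ip) not in BMS_SUBNET:
        findings.append("not-isolated")
    if c.mac_mode != "enforce":
        findings.append("mac-not-enforcing")
    if (today - c.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append("patches-overdue")
    for user, (granted, needed) in sorted(c.accounts.items()):
        if ROLE_RANK[granted] > ROLE_RANK[needed]:   # least privilege violated
            findings.append(f"excess-privilege:{user}")
    return findings

# Constructed sample inventory (hypothetical devices and users).
TODAY = date(2024, 6, 1)
INVENTORY = [
    Controller("ahu-1", "10.50.0.11", False, False, "enforce", date(2024, 5, 20),
               {"alice": ("operator", "operator")}),
    Controller("chiller-2", "192.168.1.40", True, True, "disabled", date(2023, 11, 2),
               {"bob": ("admin", "viewer"), "carol": ("viewer", "viewer")}),
]

def report(inventory=INVENTORY, today=TODAY) -> dict:
    return {c.name: audit(c, today) for c in inventory}

if __name__ == "__main__":
    for name, findings in report().items():
        print(name, "OK" if not findings else ", ".join(findings))
```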

BMS security is important and is something that we should take very seriously.  A malfunctioning or compromised BMS can have catastrophic consequences.