The impact of the Covid-19 pandemic is felt intensely around the world, and the home-office working model has expanded even further during this period. With so many people staying home (#Stayhome), cyber attacks against home technology and IoT devices have increased sharply.
So what should we do about it?
Working from home can mean that system access is granted to inexperienced or possibly unqualified personnel, who remotely access the Building Management Systems (BMS) for maintenance, updates or system changes.
Routine changes to staffing arrangements can mean that software updates are delayed or left incomplete.
Reduced or changed physical security controls can allow unauthorized access to server rooms or the IT infrastructure.
These new ways of working add risk and create opportunities for unauthorized use or compromise of building management systems. Most buildings have a series of internet-connected systems controlling their functions. These range from IP-based CCTV up to “Smart Buildings”, which have sophisticated, well-equipped integration systems for controlling heating, air circulation, lighting and so on through the Building Management System.
Any system connected to the internet is exposed to potential criminals, hackers and, in some cases, foreign state-sponsored actors. An attack on a building management system not only lets the attacker take control of the building management functions themselves; it can also reach the corporate IT networks these systems may be connected to.
To protect these devices against cyber attacks, we can apply the following measures:
1- Evaluate the potential security risks and agree with the building stakeholders (owners, facility managers, IT/cyber security teams) on a mitigation plan and a continuous monitoring process.
2- Check/scan for unknown IoT devices that may be connected to your network/systems.
3- Make sure that all IoT devices are kept safe behind a properly deployed firewall.
4- Change all factory default credentials and make sure that every password is unique for each building/account/device. Enforce password policies (password history, minimum length and complexity). Use 2FA where possible (an authenticator app or an SMS code, for example).
5- Rename the default accounts and disable any unused accounts.
6- Keep the systems, software and devices up to date at all times.
7- If possible, instead of exposing these devices directly to the internet, give authorized personnel access to them only through a VPN with specific permissions.
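Items 2 and 3 above come down to one recurring check: reconcile what is actually on the network with the asset inventory agreed with the stakeholders, and flag anything unknown or sitting outside its approved segment. The script below is an added example (not from the original article) that does this over a constructed DHCP-lease/ARP export and a constructed inventory; the file format, MAC addresses and subnets are assumptions.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample of a DHCP lease / ARP export: "<ip> <mac> <hostname-or-*>".
LEASE_EXPORT = """\
10.10.5.21 00:1a:2b:3c:4d:01 bms-controller-1
10.10.5.22 00:1a:2b:3c:4d:02 hvac-gateway
10.10.5.40 00:1a:2b:3c:4d:77 *
10.10.7.15 00:1a:2b:3c:4d:03 ipcam-lobby
10.10.5.41 dc:a6:32:11:22:33 *
"""

# Constructed approved inventory: MAC -> (description, approved subnet prefix).
# The prefix encodes which firewalled segment the device is allowed to live in.
INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:1a:2b:3c:4d:01": ("BMS controller", "10.10.5."),
    "00:1a:2b:3c:4d:02": ("HVAC gateway", "10.10.5."),
    "00:1a:2b:3c:4d:03": ("Lobby IP camera", "10.10.7."),
    "00:1a:2b:3c:4d:77": ("Lighting controller", "10.10.7."),
}

LEASE_RE = re.compile(r"^(\S+)\s+([0-9a-f:]{17})\s+(\S+)", re.IGNORECASE)


@dataclass
class Finding:
    ip: str
    mac: str
    reason: str


def reconcile(export: str, inventory: Dict[str, Tuple[str, str]]) -> List[Finding]:
    """Flag devices not in the inventory, or seen outside their approved segment."""
    findings: List[Finding] = []
    for line in export.splitlines():
        m = LEASE_RE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines rather than failing the run
        ip, mac, _host = m.groups()
        mac = mac.lower()  # normalise case so "DC:A6..." and "dc:a6..." match
        if mac not in inventory:
            findings.append(Finding(ip, mac, "unknown device: not in approved inventory"))
            continue
        desc, prefix = inventory[mac]
        if not ip.startswith(prefix):
            findings.append(Finding(ip, mac, f"{desc} is outside its approved segment {prefix}0/24"))
    return findings


if __name__ == "__main__":
    for f in reconcile(LEASE_EXPORT, INVENTORY):
        print(f"{f.ip:<12} {f.mac}  {f.reason}")
```

Run it against a real lease or ARP export on a schedule and treat every new finding as a ticket for the stakeholder group named in item 1.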