NIST Cyber Security Best Practices For Smart Buildings


Key Takeaways:

  • Mastering these basic concepts is the foundation of a cybersecurity program that protects tenant and asset data.

  • Systems can only do so much; the right operational mindset is the best form of protection.


The National Institute of Standards and Technology (NIST), part of the U.S. Department of Commerce, publishes some of the most widely adopted cybersecurity standards and guidance in the world, with the stated aim of promoting the kind of American innovation and competitiveness that fuels economic activity.

NIST develops and disseminates technology standards that allow IT and OT operations to work together, so that businesses can operate smoothly. Its Cybersecurity Framework organizes that work into five functions: Identify, Protect, Detect, Respond, and Recover. Technology and tools change, but understanding the concepts behind these NIST best practices will help smart buildings keep up with the accelerating pace of cybersecurity threats.

Identify

The first and most important step in the cybersecurity framework is knowing what you’re protecting. Make a list of all equipment: smartphones, laptops, tablets, point-of-sale devices, servers, IoT devices, sensors, and connected mechanical equipment. Anything on a network must be accounted for. Building owners are often surprised by how many unknown devices a full assessment uncovers.

Low-impact scans and ‘walking the network’ will help to find rogue devices and determine which nonessential devices should be removed from the network. Prefer passive methods (switch and router address tables, DHCP leases, mirrored traffic) where possible, because aggressive active scanning can disrupt fragile OT equipment. Do not collect and store more data than is necessary for business functions. Collecting unnecessary data exposes the network to more risk, and storing it creates a bigger target.
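The reconciliation step the paragraph above describes, as an added example that is not part of the original article: read a router’s neighbor table (the format of Linux `ip neigh show`, which is passive and sends nothing to the devices) and compare it against the approved inventory, reporting rogue, moved, and missing devices. The inventory and the neighbor dump are constructed sample data.

```python
"""Reconcile a switch or router neighbor table against the approved asset inventory.

Added example, not code from the original article. It reads the line format of
Linux `ip neigh show`; the inventory and the neighbor dump are constructed
sample data.
"""
import re

# Constructed approved inventory: what the building believes is on the network.
APPROVED_INVENTORY = {
    "00:1a:2b:3c:4d:5e": {"ip": "10.20.1.15", "role": "BACnet controller", "owner": "facilities"},
    "00:1a:2b:3c:4d:5f": {"ip": "10.20.1.16", "role": "BACnet controller", "owner": "facilities"},
    "3c:22:fb:aa:bb:cc": {"ip": "10.20.2.40", "role": "badge reader", "owner": "access control vendor"},
    "b8:27:eb:11:22:33": {"ip": "10.20.3.5", "role": "meter gateway", "owner": "facilities"},
    "00:50:c2:77:88:99": {"ip": "10.20.1.20", "role": "elevator controller", "owner": "elevator vendor"},
}

# Constructed `ip neigh show` output from the OT segment router. Reading this
# table is passive: nothing is sent to the devices themselves.
NEIGHBOR_DUMP = """\
10.20.1.15 dev eth1 lladdr 00:1a:2b:3c:4d:5e REACHABLE
10.20.1.16 dev eth1 lladdr 00:1a:2b:3c:4d:5f STALE
10.20.2.40 dev eth2 lladdr 3c:22:fb:aa:bb:cc REACHABLE
10.20.2.41 dev eth2 lladdr 00:0c:29:de:ad:01 REACHABLE
10.20.3.9 dev eth3 lladdr b8:27:eb:11:22:33 REACHABLE
10.20.3.77 dev eth3 FAILED
"""

NEIGH_RE = re.compile(
    r"^(?P<ip>\S+) dev (?P<dev>\S+) lladdr (?P<mac>[0-9A-Fa-f:]{17}) (?P<state>\S+)$"
)


def parse_neighbors(dump):
    """Return {mac: {ip, dev, state}}. Entries without an lladdr (FAILED,
    INCOMPLETE) never resolved to a hardware address and are skipped."""
    seen = {}
    for line in dump.splitlines():
        m = NEIGH_RE.match(line.strip())
        if m:
            seen[m["mac"].lower()] = {"ip": m["ip"], "dev": m["dev"], "state": m["state"]}
    return seen


def reconcile(inventory, observed):
    """Classify each MAC as rogue (seen, not approved), moved (approved, but at a
    different address than recorded), missing (approved, not seen) or ok."""
    report = {"rogue": [], "moved": [], "missing": [], "ok": []}
    for mac, obs in observed.items():
        if mac not in inventory:
            report["rogue"].append((mac, obs["ip"], obs["dev"]))
        elif inventory[mac]["ip"] != obs["ip"]:
            report["moved"].append((mac, inventory[mac]["ip"], obs["ip"]))
        else:
            report["ok"].append(mac)
    report["missing"] = sorted(mac for mac in inventory if mac not in observed)
    return report


def run_reconciliation():
    return reconcile(APPROVED_INVENTORY, parse_neighbors(NEIGHBOR_DUMP))


if __name__ == "__main__":
    for category, items in run_reconciliation().items():
        print(category, items)
```

A "rogue" result is a device to investigate before it is removed; a "missing" result is either a decommissioned device that never left the inventory or a device that was offline when the table was read, so the list should be re-checked over several days before the inventory is trimmed.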

Protect

Work with OT and tenant IT teams to define and assign roles for employees, vendors, and anyone with access to sensitive equipment or data. Segment your network so that sensitive data and building-control systems sit in separate, access-controlled zones rather than on the same flat network as tenant devices. Unique user accounts (never shared logins) give OT teams a clear picture of who has which access and privileges. Users should receive least privilege by default, so that they cannot reach administrative capabilities they do not need and that can cause problems if misused.

Limiting vendor access and auditing vendor access frequently is key to OT cybersecurity. A building’s cybersecurity framework should be documented, with agreed-upon policies that can be easily understood by tenant IT teams. The policy needs to outline best practices for disposing of electronic files and old devices. Cybersecurity training must be mandatory for any employee with network access. Data should be encrypted in transit and at rest.
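One way to make the vendor-access audit the paragraph above calls for repeatable, as an added example that is not part of the original article: compare jump-host login records against an access register that records each vendor account’s approved maintenance window and expiry date, and flag expired access, logins outside the window, accounts that are not registered at all, one account used from several addresses on the same day (a likely shared credential), and dormant accounts. The register, the log lines and the log format (ISO timestamp, account, source IP, result) are constructed assumptions rather than any particular product’s output.

```python
"""Audit vendor remote-access logins against the building's access register.

Added example, not code from the original article. The register, the log lines
and the log format (ISO timestamp, account, source IP, result) are constructed
assumptions rather than any specific product's output.
"""
from datetime import datetime, timedelta

# Constructed register: each vendor account, its approved maintenance window
# (local hours, half-open) and its access expiry date.
VENDOR_REGISTER = {
    "hvac-vendor-svc": {"owner": "HVAC contractor", "expires": "2024-06-30",
                        "window": (8, 18), "weekdays_only": True},
    "elev-vendor-ann": {"owner": "Elevator contractor", "expires": "2024-12-31",
                        "window": (7, 19), "weekdays_only": True},
    "access-ctrl-svc": {"owner": "Access control vendor", "expires": "2024-12-31",
                        "window": (0, 24), "weekdays_only": False},
}

# Constructed jump-host login records (2024-07-06 is a Saturday).
LOGIN_LOG = """\
2024-07-02T10:15:00 hvac-vendor-svc 198.51.100.20 success
2024-07-02T10:17:00 hvac-vendor-svc 203.0.113.44 success
2024-07-03T02:30:00 elev-vendor-ann 198.51.100.21 success
2024-07-03T09:00:00 elev-vendor-ann 198.51.100.21 success
2024-07-03T09:05:00 ops-admin 192.0.2.9 success
2024-07-06T11:00:00 elev-vendor-ann 198.51.100.21 success
"""

AS_OF = datetime(2024, 7, 10)  # the moment the audit is run


def parse_logins(log):
    """Return (timestamp, account, source_ip, result) tuples."""
    rows = []
    for line in log.splitlines():
        ts, user, src, result = line.split()
        rows.append((datetime.fromisoformat(ts), user, src, result))
    return rows


def audit(register, logins, now, dormant_days=90):
    """Return (account, finding, detail) tuples."""
    findings = []
    last_seen = {}
    sources_per_day = {}
    for ts, user, src, result in logins:
        if result != "success":
            continue
        entry = register.get(user)
        if entry is None:
            findings.append((user, "unregistered_account", f"{ts.isoformat()} from {src}"))
            continue
        last_seen[user] = max(last_seen.get(user, ts), ts)
        sources_per_day.setdefault((user, ts.date()), set()).add(src)
        if ts.date() > datetime.fromisoformat(entry["expires"]).date():
            findings.append((user, "expired_access", ts.isoformat()))
        start, end = entry["window"]
        if not (start <= ts.hour < end) or (entry["weekdays_only"] and ts.weekday() >= 5):
            findings.append((user, "outside_window", ts.isoformat()))
    # One account from several addresses on the same day points to a shared credential.
    for (user, day), srcs in sources_per_day.items():
        if len(srcs) > 1:
            findings.append((user, "shared_credential", f"{day} from {sorted(srcs)}"))
    # Accounts nobody has used recently should be disabled or re-approved.
    for user in register:
        seen = last_seen.get(user)
        if seen is None or now - seen > timedelta(days=dormant_days):
            findings.append((user, "dormant_account", "no login in %d days" % dormant_days))
    return findings


def run_audit():
    return audit(VENDOR_REGISTER, parse_logins(LOGIN_LOG), AS_OF)


if __name__ == "__main__":
    for finding in run_audit():
        print(*finding)
```

The point of the register is that every finding maps to a decision someone owns: an expired account is disabled, an out-of-window login is confirmed with the vendor, and a shared credential is replaced with individual accounts so that activity can be attributed to a person.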

Detect

Keep security software up to date and conduct regular backups of critical data. Monitoring OT is more difficult than IT because most systems have limited front-ends and applications. Network traffic can be monitored by various IT solutions, but context is key. Device-to-device traffic in buildings can look strange to typical IT network monitoring software, which has no model of what normal building traffic patterns look like.

OT devices often cannot run endpoint agents, so monitoring firmware version changes, open ports, and user activity from the network is key to detection. Detection in OT cybersecurity is a more manual process because of the nature of the equipment and the building-level context needed to understand usage.
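The agentless detection the two paragraphs above describe, as an added example that is not part of the original article: a baseline recorded at commissioning time holds each device’s firmware version, listening ports, and the peers it is expected to talk to (the building context that generic IT monitoring lacks); a fresh snapshot and a batch of flow records are then compared against it. Baselines, snapshot and flow lines are constructed; 47808/udp is BACnet/IP and 502/tcp is Modbus/TCP.

```python
"""Agentless drift detection for OT devices: compare a commissioning-time
baseline (firmware version, listening ports, expected peers) with a fresh
snapshot and a batch of flow records.

Added example, not code from the original article. Baselines, snapshot and flow
lines are constructed; 47808/udp is BACnet/IP and 502/tcp is Modbus/TCP.
"""
import re

# Constructed baseline recorded when each device was commissioned. The peer set
# is the building context an IT tool lacks: controller-to-controller BACnet
# chatter (10.20.1.15 <-> 10.20.1.16) is normal here and must not alert.
BASELINE = {
    "10.20.1.15": {"name": "AHU-1 controller", "version": "3.4.1",
                   "ports": {47808}, "peers": {"10.20.1.100", "10.20.1.16"}},
    "10.20.3.5": {"name": "meter gateway", "version": "1.9",
                  "ports": {502, 22}, "peers": {"10.20.3.100"}},
}

# Constructed current snapshot, e.g. from passive banner observation on a SPAN
# port or a vendor-approved, rate-limited scan.
SNAPSHOT = {
    "10.20.1.15": {"version": "3.4.1", "ports": {47808, 80}},  # a web UI appeared
    "10.20.3.5": {"version": "2.0", "ports": {502, 22}},       # firmware changed
}

# Constructed flow records, one per line, key=value form.
FLOW_LOG = """\
src=10.20.1.15 dst=10.20.1.100 dport=47808 proto=udp
src=10.20.1.15 dst=10.20.1.16 dport=47808 proto=udp
src=10.20.3.5 dst=10.20.3.100 dport=502 proto=tcp
src=10.20.3.5 dst=203.0.113.7 dport=443 proto=tcp
src=10.20.2.41 dst=10.20.1.15 dport=47808 proto=udp
"""

FLOW_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)")


def parse_flows(log):
    """Return a list of (src, dst, dport, proto) tuples, skipping malformed lines."""
    flows = []
    for line in log.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append((m["src"], m["dst"], int(m["dport"]), m["proto"]))
    return flows


def detect_drift(baseline, snapshot, flows):
    """Return (device, alert_type, detail) tuples for every deviation from baseline."""
    alerts = []
    for ip, base in baseline.items():
        cur = snapshot.get(ip)
        if cur is None:
            alerts.append((ip, "absent", "device missing from snapshot"))
            continue
        if cur["version"] != base["version"]:
            alerts.append((ip, "version_change", f"{base['version']} -> {cur['version']}"))
        for port in sorted(cur["ports"] - base["ports"]):
            alerts.append((ip, "new_port", str(port)))
        for port in sorted(base["ports"] - cur["ports"]):
            alerts.append((ip, "port_closed", str(port)))
    for src, dst, dport, proto in flows:
        # Outbound to a peer the device was never expected to talk to.
        if src in baseline and dst not in baseline[src]["peers"]:
            alerts.append((src, "unexpected_peer", f"{dst}:{dport}/{proto}"))
        # Inbound from a source that is not an approved peer of this device.
        if dst in baseline and src not in baseline[dst]["peers"]:
            alerts.append((dst, "unexpected_source", f"{src}->{dport}/{proto}"))
    return alerts


def run_detection():
    return detect_drift(BASELINE, SNAPSHOT, parse_flows(FLOW_LOG))


if __name__ == "__main__":
    for alert in run_detection():
        print(*alert)
```

On the constructed data the meter gateway reaching an external address on 443 and an unlisted host sending BACnet to the AHU controller are the alerts worth a same-day look; a firmware version change may be a legitimate vendor update, which is exactly why it should be matched against the vendor-access records rather than dismissed.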

Respond

No matter how well protected you are, incidents will happen. Having a response plan in place before they do is critical. Develop and practice OT response plans, working with tenant IT departments to document the processes. Keeping the building up and running is the highest priority. When a breach happens, notify tenants, employees, and any other group whose data might be at risk. The plan should account for varying local cybersecurity notification laws, and law enforcement should be notified when appropriate.

Recover

A good recovery plan is as important as a good response plan. Formal recovery plans must be developed and communicated. Because of the prevalence of ransomware attacks, backing up data is key. Make sure backups are kept on a different machine that the production network cannot overwrite (ransomware that can reach the backup will encrypt it too), that they are updated frequently, and that a restore is rehearsed so the plan is known to work. Relying on a vendor to manage backups can cause delays while you wait for assistance.

NIST’s cybersecurity framework isn’t a tool or piece of technology that keeps you safe; it’s an operational mindset that must be part of every administrative and executive decision. Shoring up OT cybersecurity will protect tenants and a smart building’s reputation. There’s no easy solution to cybersecurity; it takes time, dedication, and strict adherence to NIST’s evolving best practices.


 