Cyber Security for Building Management

Presentation on theme: "Cyber Security for Building Management"— Presentation transcript:

1 Cyber Security for Building Management
A CIO's view

2 Fortium Partners
National consulting firm of senior CIOs and CISOs providing executive guidance to the middle and large business market ($50m-10b)
F500 experience in IT strategy, operations, M&A and turnarounds
Provide service on an interim, fractional or project basis
Brad Wheeler has been a F500 CIO in numerous international companies in financial services, internet services, defense and high tech, and has provided interim and fractional consulting to companies from $10m startups to $12b international conglomerates.

3 Cyber Crime
Originally was focused on individual hackers, but now:
High school hackers
Formalized cyber 'gangs'
Competitors
Dark web market for PHI and PII
Nation states
Additionally we have the cyber risk related to ongoing operations (power, fire, network outages, service provider and cloud outages, disaster recovery, etc.)

4 CIO's Cyber concerns
Financial and Admin systems (SOX, HIPAA, PCI, etc.)
Customer Facing (SaaS, Web, Cloud Shared Services)
Operations Technology (BMS, EMS, FLS, PACS, HVAC)
Risk Management (Planning, Assessment, Incident Mgmt, Cyber Insurance)

5 Cyber Incidents
Majority are caused by employees falling for phishing incidents, either giving away information (account names/passwords) or loading malware without knowing ('whale' phishing, ransomware, zero day)
Target incident caused by 3rd party cyber hack of an HVAC vendor - using default passwords onsite
Sony incident caused by system admins failing basic functions, leaving default passwords ('password') in remote access certificates
...in other words, the vast majority of security incidents are due to a combination of back doors and weak controls over privileged accounts!

6 Building Management Systems (BMS) concerns
BMS are commercialized versions of Industrial Control Systems (ICS)
Inherently weak protocols and controllers
Vendor products are not standardized and are cyber weak by themselves
Vendor installation and service personnel have immature cyber processes & procedures
SMART buildings only concentrate networks and services, thereby heightening risks and outcomes

7 5 Key Areas of Cyber Concern
Privileged Accounts - password management and two factor authentication
Network Management - websites, servers, apps
User Management - limit access, MFA, age out accounts
Software Management - patching, authorized software only
Vulnerability Management - vendor security, assessment, scanning, testing, priority (bug bounty)

8 Current biggest area of concern
3rd party vendors, of which building managers are part!
CIOs/CISOs have control over their own teams, systems and tools
But really zero control over 3rd party tools, services, appliances, etc.
This is changing as vendor contracts are now requiring some level of proactive cyber verification (SSAE 16 in data center speak)
We don't care about a vendor's SOX status, but rather their customer face
BOMA members are seen as 3rd party providers, with their own downstream providers that are just as critical to tenants and their CIOs!

9 3rd Party System VARs
Typical building system VARs have limited expertise in network architecture, particularly with the middle layers
Knee-jerk reaction is to seek VAR compliance with some security framework - but that is limited to the questions asked
A better approach is to have the VARs provide you with an affirmative statement of their cyber practices related to touching your building's systems
Most VARs will need assistance in preparing this statement
Nearly all VARs will be able to positively conform with the statement following a little training
Fortium has an active practice in this very area because it is such a problematic and unmanaged area

10 Cyber Insurance
Virtually all public firms have some level of cyber insurance as part of their risk mitigation strategy
Early contracts focused on incident costs (~$256M in Target's case, and more for some banks)
AON Risk Insurance is now seeing multiple levels of customer interface:
BOD on risk assessment and appetite
CIO/CISO/CSO on technical assessment, planning and remediation
CFO and CRO on various Cyber lines, now including business interruption and client impact

11 Summary
Human failings are the largest of all risks
3rd parties are currently the low hanging fruit for commercial hackers and need to be 'managed'
Expect IT security budgets to jump from the current 6-10% to 15-20% in the next 3 years (up to 20% of operations security)
Cyber risks are here to stay (because that's where the MONEY is!)
