After two years of industry collaboration with BAS cybersecurity experts, Cimetrics is pleased to announce the completion and release of the Secured by Cimetrics Manufacturers’ Guide to BAS Cybersecurity. The guide provides a roadmap for OEM vendors to build upon the success of BACnet/SC towards creating an interoperable management framework to design, install, and maintain multi-vendor BACnet systems securely to meet the highest cybersecurity standards now demanded by IT departments.
This document was developed by participants in a Cimetrics-led BAS industry consensus-building activity on interoperable cybersecurity and network management functionality for Building Automation Systems, focusing on those systems that use BACnet as their primary communication protocol.
To accelerate the adoption of cybersecurity technology, Cimetrics convened a group of like-minded individuals and companies to engage in the Secured by Cimetrics Consensus-Building Process, which began early in 2020 and concluded in early 2022. The charter was to develop guidelines and marketing collateral to help standardize BACnet cybersecurity implementations in products and systems through an open, consensus-based process. Two years of work from some of the top cybersecurity experts in the BAS industry resulted in several documents, including this one.
This guide is primarily written for people creating products designed to communicate using the BACnet protocol on TCP/IP networks. The guide makes numerous recommendations that are intended to improve interoperable cybersecurity and compliance with relevant IT industry standards and practices.
Why is this guide needed? Although the BACnet standard and commercial product compliance testing have enabled BACnet-based interoperability between different vendors’ products, cybersecurity is a topic whose scope is much broader than BACnet, and advances in cybersecurity primarily come from the IT community. Furthermore, ASHRAE’s standards development process is intentionally deliberate, whereas information technology is continuing to evolve at a rapid pace. This guide describes some good practices that, when implemented, are intended to make products more secure and easier to manage.
Although this guide is primarily about product and system functionality, it should be emphasized that system cybersecurity is achieved through the successful application of an effective, ongoing process by the organization that is managing the system. The NIST Cybersecurity Framework can help organizations develop an appropriate process to manage their cybersecurity risk. Well-designed products and systems make it easier for the people in the managing organization to do their job well, but applying a risk mitigation process is ultimately the responsibility of the managing organization and its service providers.