A survey of facility managers suggests that many haven’t taken basic cybersecurity measures to protects their BAS, leaving many BAS vulnerable to hackers. Survey is based on responses from 224 Building Operating Management subscribers who indicated that at least one of the buildings they are responsible for has a building automation system (BAS).
Are any of the building automation systems in your buildings connected to the internet? R=224 |
||||
| Yes | 84% | |||
| No | 16% | |||
What is the primary type of space you are responsible for? R=186 |
||||
| Commercial Office | 32% | Hospitality | 3% | |
| Data Centers | 4% | Industrial | 4% | |
| Educational (K-12 Schools) | 18% | Medical/Healthcare | 16% | |
| Government | 10% | Retail | 1% | |
| Higher Education (Colleges/Universities) | 8% | Other* (*Auto finance center, CCRC, Museum (2), real estate offices, retirement) |
4% | |
How many square feet of space are you responsible for? R=181 |
||||
| Less than 250,000 square feet | 19% | |||
| 250,000 to 499,999 square feet | 23% | |||
| 500,000 to 999,999 square feet | 24% | |||
| 1 million to 4,999,999 square feet | 27% | |||
| 5 million square feet or more | 7% | |||
Are your building automation system(s) on any of the following types of networks? R=162 |
||||
| Dedicated building automation network (i.e., isolated, closed loop network) |
65% | |||
| Enterprise IT network | 43% | |||
| Attached to an independent DSL or cable network | 31% | |||
If the building automation system(s) is (are) on a dedicated building automation network, is it bridged to the corporate/enterprise network? R=173 |
||||
| Yes | 35% | |||
| No | 29% | |||
| Not sure | 27% | |||
| Not applicable | 9% | |||
Has a budget been established for security countermeasures for building automation systems? R=172 |
||||
| Yes | 41% | |||
| No | 59% | |||
Is your organization’s IT staff primarily in-house or contracted? R=173 |
||||
| In-house | 79% | |||
| Contracted | 21% | |||
Is your in-house or contracted IT staff generally involved in planning for building automation systems? R=171 |
||||
| Yes | 52% | |||
| No | 48% | |||
How would you describe your awareness of cybersecurity issues for building automation systems? R=173 |
||||
| Not at all knowledgeable about the issue | 20% | |||
| Somewhat knowledgeable about the issue | 58% | |||
| Knowledgeable about the issue | 15% | |||
| Very knowledgeable about the issue | 7% | |||
Based on what you know, how much harm do you think a cyberattack on a building automation system could do to an organization? R=167 |
||||
| 1 – Not much harm | 17% | |||
| 2 | 14% | |||
| 3 | 18% | |||
| 4 | 27% | |||
| 5 – Very significant harm | 31% | |||
| Not sure | 3% | |||
Which of the following best describes the actions you are currently taking with regard to cybersecurity of building automation systems? R=164 |
||||
| Not currently taking any action | 35% | |||
| Gathering information about cybersecurity | 15% | |||
| Evaluating building automation system(s) for cybersecurity | 14% | |||
| Planning actions to improve cybersecurity for building automation systems | 7% | |||
| Currently implementing or have completed actions to improve cybersecurity for building automation systems |
29% | |||
Has your FM department had any discussions with your in-house or contracted IT department about cybersecurity measures? R=164 |
||||
| Yes | 55% | |||
| No | 45% | |||
Has your FM department had any discussions with outside parties about cybersecurity measures? R=161 |
||||
| Yes | 31% | |||
| No | 69% | |||
Are most or all of your building automation systems protected by firewalls? R=162 |
||||
| Yes, all systems | 77% | |||
| Yes, most systems | 12% | |||
| No | 2% | |||
| Not sure | 9% | |||
Have you changed the default passwords on most or all of your building automation systems? R=164 |
||||
| Yes, on all systems | 52% | |||
| Yes, on most systems | 15% | |||
| No | 14% | |||
| Not sure | 19% | |||
Do you regularly change the passwords on most or all of your building automation systems? R=157 |
||||
| Yes, on all systems | 37% | |||
| Yes, on most systems | 15% | |||
| No | 36% | |||
| Not sure | 12% | |||
Do any of your supervisory servers reside on a public IP address? R=157 |
||||
| Yes | 12% | |||
| No | 61% | |||
| Not sure | 27% | |||
Do you commonly use consumer grade, configurable IP routers for your building automation system network infrastructure? R=157 |
||||
| Yes | 28% | |||
| No | 30% | |||
| Not sure | 42% | |||
Have you conducted a threat assessment of your network and physical security measures for cyberattacks on your building automation systems? R=157 |
||||
| Yes | 42% | |||
| No | 58% | |||
Has your building automation system monitored for cyberattacks? R=155 |
||||
| Yes | 54% | |||
| No | 46% | |||
Have you developed a plan for responding in the event of a cyberattack on your building automation system? R=156 |
||||
| Yes | 37% | |||
| No | 63% | |||
Hackers Pose Threat To Building Automation Systems
Why Building Management Systems Are At Risk Of Cyberattack
Cybersecurity Measures To Protect The BAS/BMS
BAS Cybersecurity Steps: Firewalls, Isolation, Patches
Survey Suggests Many BAS Could Be Vulnerable To Hackers
