Cybersecurity Policy for BEMS Installations


This cybersecurity policy establishes best practices and standards for securing Building Energy Management Systems (BEMS) installations. The policy aims to protect the integrity, confidentiality, and availability of BEMS data and systems while ensuring operational reliability and compliance with UK cybersecurity standards, such as Cyber Essentials and NCSC Guidance.

1. Objectives

  • Safeguard BEMS from unauthorized access, data breaches, and operational disruptions.
  • Prioritise network isolation to minimize risk to client networks.
  • Provide secure remote access capabilities for monitoring and troubleshooting.
  • Ensure compliance with UK cybersecurity standards and industry best practices.

 

2. Controller Security Standards

To protect BEMS controllers and prevent unauthorized access, the following security measures must be implemented:

2.1 Credential Management

  • Unique Login Credentials: Each controller must have unique administrator credentials. Default usernames and passwords must be changed during installation.
  • Strong Password Policy: Passwords must meet industry best practices:
      • Minimum 12 characters.
      • Use of uppercase letters, lowercase letters, numbers, and special characters.
      • No reuse of previous passwords.
  • Role-Based Access Control (RBAC): Assign user roles based on responsibilities (e.g., administrator, technician, viewer) to limit access to sensitive settings and features.
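As an added illustration of the credential rules in this section (example code, not part of this policy or of any controller vendor's software), the following Python checker enforces the length and character-class rules, rejects a constructed placeholder list of vendor default passwords, and keeps a salted, hashed password history so that reuse can be detected without ever storing a previous password in clear. The default-password list, the sample passwords and the PBKDF2 round count are assumptions.

```python
import hashlib
import hmac
import os
import re

# Policy parameters from Section 2.1.
MIN_LENGTH = 12
CHARACTER_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "number": re.compile(r"[0-9]"),
    "special": re.compile(r"[^A-Za-z0-9]"),
}
# Constructed placeholder for the defaults listed in a controller's
# installation guide; populate it from the vendor documentation in practice.
DEFAULT_PASSWORDS = {"admin", "password", "1234", "default"}

PBKDF2_ROUNDS = 200_000  # assumed work factor


def _digest(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 digest so the history never holds plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def check_password(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return every policy violation for `candidate`; an empty list means it is acceptable.

    `history` holds (salt, digest) pairs written by record_password().
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    for name, pattern in CHARACTER_CLASSES.items():
        if not pattern.search(candidate):
            problems.append(f"missing {name} character")
    if candidate.lower() in DEFAULT_PASSWORDS:
        problems.append("is a vendor default password")
    for salt, digest in history:
        # Constant-time comparison of the recomputed digest with each stored one.
        if hmac.compare_digest(_digest(candidate, salt), digest):
            problems.append("reuses a previous password")
            break
    return problems


def record_password(password: str, history: list[tuple[bytes, bytes]]) -> None:
    """Append a fresh salted digest of an accepted password to the history."""
    salt = os.urandom(16)
    history.append((salt, _digest(password, salt)))


if __name__ == "__main__":
    history: list[tuple[bytes, bytes]] = []
    record_password("Plant-Room-2024!x", history)  # constructed sample
    for pw in ("admin", "Plant-Room-2024!x", "Boiler-Loop-7#Tq"):
        print(pw, "->", check_password(pw, history) or "OK")
```

The history stores only a per-password salt and digest, so a leaked configuration backup does not reveal earlier credentials; each check recomputes the digest under the stored salt and compares it in constant time.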

 

2.2 Firmware Updates

  • Controllers must operate on the latest firmware version to mitigate known vulnerabilities.
  • Regularly check for security patches and updates from manufacturers and apply them promptly.

2.3 Security Logs

  • Enable security logging on controllers to record access attempts, configuration changes, and system events. Logs should be reviewed periodically for anomalies.

3. Network Architecture and Isolation

To reduce cybersecurity risks, BEMS networks should be siloed from client networks wherever possible.

3.1 Siloed BEMS Networks

  • Dedicated IP Network: BEMS installations should be deployed on a dedicated IP network isolated from the client’s internal IT infrastructure.
  • Independent Connectivity: Use standalone connectivity options (e.g., cellular or WiFi) for remote access to further isolate the BEMS from external risks.
  • Hardware Firewalls: Install hardware firewalls at the BEMS network boundary to protect against unauthorized access and potential attacks.

3.2 Integrated Networks (When Necessary)

If the BEMS must connect to the client’s internal network, additional precautions are required:


1. Network Partitioning:

  • Deploy the BEMS on a dedicated VLAN (Virtual Local Area Network) to separate traffic from critical IT systems.
  • Use Access Control Lists (ACLs) to restrict communication between the BEMS and the broader client network.


2. Firewall Rules:

  • Define strict firewall rules to limit inbound and outbound traffic to only what is necessary for BEMS functionality.
  • Allowlist IP addresses and ports required for BEMS operation.


3. Collaboration with IT Teams:

  • Work closely with the client’s IT team to align network configuration with the organization’s cybersecurity policies.
  • Ensure the BEMS does not expose vulnerabilities to the client’s critical systems.
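The partitioning and firewall rules in steps 1 and 2 above amount to a default-deny allowlist. The following Python example is added here and is not part of the policy: it models a BEMS VLAN, one IT management host and the few flows a head-end typically needs, evaluates a proposed flow against that allowlist, and renders the same allowlist as an nftables forward chain with a drop policy that the client's IT team can review. The addresses, the BACnet/IP, HTTPS and NTP ports, and the table and chain names are assumptions for illustration.

```python
import ipaddress
from dataclasses import dataclass
from ipaddress import IPv4Network


@dataclass(frozen=True)
class Rule:
    description: str
    src: IPv4Network
    dst: IPv4Network
    proto: str  # "tcp" or "udp"
    dport: int


# Constructed topology (assumed, not from the policy): the BEMS sits on its own
# VLAN, one IT management host may reach the head-end over HTTPS, and the
# controllers may query an on-site NTP server. Everything else is dropped.
BEMS_VLAN = ipaddress.ip_network("10.50.0.0/24")
HEAD_END = ipaddress.ip_network("10.50.0.10/32")
IT_MGMT_HOST = ipaddress.ip_network("10.10.1.5/32")
NTP_SERVER = ipaddress.ip_network("10.10.1.1/32")

ALLOW_RULES = [
    Rule("BACnet/IP between controllers and head-end", BEMS_VLAN, BEMS_VLAN, "udp", 47808),
    Rule("HTTPS from IT management host to head-end", IT_MGMT_HOST, HEAD_END, "tcp", 443),
    Rule("NTP from BEMS VLAN to site time server", BEMS_VLAN, NTP_SERVER, "udp", 123),
]


def is_permitted(src: str, dst: str, proto: str, dport: int, rules=ALLOW_RULES) -> bool:
    """Default deny: a new flow passes only if one rule matches source, destination, protocol and port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(
        s in r.src and d in r.dst and proto == r.proto and dport == r.dport
        for r in rules
    )


def render_nftables(rules=ALLOW_RULES, table="bems", chain="bems_fwd") -> str:
    """Emit the allowlist as an nftables forward chain whose policy is drop."""
    lines = [
        f"table inet {table} {{",
        f"    chain {chain} {{",
        "        type filter hook forward priority 0; policy drop;",
        "        ct state established,related accept",
        "        ct state invalid drop",
    ]
    for r in rules:
        lines.append(
            f"        ip saddr {r.src} ip daddr {r.dst} {r.proto} dport {r.dport} "
            f'accept comment "{r.description}"'
        )
    lines += ["    }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_nftables())
    # Controller to head-end on the BEMS VLAN: allowed.
    print(is_permitted("10.50.0.20", "10.50.0.10", "udp", 47808))
    # Controller to an internet address: no rule matches, so denied.
    print(is_permitted("10.50.0.20", "203.0.113.9", "tcp", 443))
```

Because the chain policy is drop and only established or related return traffic is accepted, any service that is not explicitly listed (for example a controller's web interface reached from an arbitrary office workstation) is unreachable, which is the "only what is necessary" requirement stated in step 2.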

 

4. Remote Access Security

For remote monitoring and troubleshooting, BEMS remote access must adhere to strict cybersecurity protocols.

4.1 Secure Remote Access Standards

  • VPN Connectivity: All remote access must use a Virtual Private Network (VPN) to ensure encrypted communication between the remote user and the BEMS.
  • Two-Factor Authentication (2FA): Remote access must require 2FA, combining a secure password with an additional verification method (e.g., mobile app or email code).

4.2 Connectivity Options

  • Cellular (4G): Provides a fully independent connection, reducing exposure to client network vulnerabilities. Recommended for most installations where cellular coverage is available.
  • WiFi: Utilizes a local wireless network to connect the BEMS to the internet. Clients must ensure their WiFi network is secured (e.g., WPA3 encryption).
  • Ethernet: Directly connects the BEMS to the client’s network infrastructure. Requires strict adherence to the integrated network policies outlined in Section 3.

4.3 Remote Access Monitoring

  • Maintain logs of all remote access attempts, including timestamps, user details, and actions performed.
  • Use monitoring tools to detect and alert on unusual access patterns or unauthorized access attempts.
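Both the controller security logs of Section 2.3 and the remote access logs above only reduce risk if they are actually reviewed. The following Python example, added here and not taken from the policy, parses a constructed log of remote sessions (the line format, user names, addresses, working hours and thresholds are all assumptions) and raises three kinds of alert: repeated failed logins from one source within a short window, successful logins outside agreed working hours, and logins by accounts that are not on the authorised user list.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the policy). Fields:
# timestamp user source_ip result action
SAMPLE_LOG = """\
2024-03-04T09:15:02 j.smith 203.0.113.10 success view_trend
2024-03-04T09:17:45 j.smith 203.0.113.10 success change_setpoint
2024-03-04T23:41:10 a.jones 198.51.100.7 success change_schedule
2024-03-05T02:10:01 admin 198.51.100.200 failure login
2024-03-05T02:10:05 admin 198.51.100.200 failure login
2024-03-05T02:10:09 admin 198.51.100.200 failure login
2024-03-05T02:10:14 admin 198.51.100.200 failure login
2024-03-05T02:10:20 admin 198.51.100.200 failure login
2024-03-05T10:02:33 unknown.user 203.0.113.44 success view_trend
"""

# Assumed site parameters; agree these with the client.
AUTHORISED_USERS = {"j.smith", "a.jones"}
WORKING_HOURS = range(7, 19)          # 07:00 to 18:59 local time
FAILURE_THRESHOLD = 5                 # failed logins from one source ...
FAILURE_WINDOW = timedelta(minutes=5)  # ... within this window trigger an alert


def parse_log(text: str) -> list[dict]:
    """Parse the whitespace-separated format above into event dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, src, result, action = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "src": src,
            "result": result,
            "action": action,
        })
    return sorted(events, key=lambda e: e["ts"])


def detect_anomalies(events: list[dict]) -> list[tuple[str, str, datetime]]:
    """Return (alert_kind, subject, timestamp) tuples in the order the events occur."""
    alerts = []
    recent_failures = defaultdict(list)  # source ip -> timestamps of recent failures
    for e in events:
        if e["result"] == "failure":
            window = recent_failures[e["src"]]
            window.append(e["ts"])
            # Keep only failures inside the sliding window.
            window[:] = [t for t in window if e["ts"] - t <= FAILURE_WINDOW]
            if len(window) == FAILURE_THRESHOLD:
                alerts.append(("brute_force", e["src"], e["ts"]))
            continue
        # Successful access: check who it was and when it happened.
        if e["user"] not in AUTHORISED_USERS:
            alerts.append(("unknown_user", e["user"], e["ts"]))
        if e["ts"].hour not in WORKING_HOURS:
            alerts.append(("out_of_hours", e["user"], e["ts"]))
    return alerts


if __name__ == "__main__":
    for kind, subject, when in detect_anomalies(parse_log(SAMPLE_LOG)):
        print(f"{when.isoformat()}  {kind:<13} {subject}")
```

On the sample data this reports the late-evening schedule change by a.jones, the burst of failed logins from 198.51.100.200, and the session by an account not on the authorised list; each is the kind of entry the periodic log review in Section 2.3 is meant to catch, and in production the same checks would run continuously against the collector rather than over a file.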

 

5. Cybersecurity Incident Response

If a cybersecurity issue arises, follow this response protocol:

5.1 Immediate Actions

  • Disable remote access to the BEMS network temporarily to isolate the system.
  • Notify the client and any relevant stakeholders, including IT teams and facilities managers.

5.2 Root Cause Analysis

  • Review security logs and network traffic to identify the source and scope of the breach.
  • Investigate potential vulnerabilities in controllers, remote access configurations, or client networks.

5.3 Recovery and Mitigation

  • Restore system integrity using recent backups of configurations and settings.
  • Patch identified vulnerabilities, including updating firmware or reconfiguring remote access protocols.
  • Re-enable access only after all issues are resolved and tested for security.

6. Training and Awareness

Educate all relevant parties, including facilities managers and technicians, about cybersecurity risks and mitigation strategies.

6.1 Staff Training

  • Train users on recognizing phishing attempts, unauthorized access, and unusual system behavior.
  • Provide clear instructions for securely accessing the BEMS and reporting potential issues.

6.2 Documentation

Include a cybersecurity section in the BEMS Operation and Maintenance (O&M) manual with:

  • Credential management practices.
  • Remote access instructions.
  • Network security configurations.

7. Compliance with UK Standards

This policy aligns with UK cybersecurity standards, including:

  • Cyber Essentials: Ensuring systems are protected against common cybersecurity threats.
  • National Cyber Security Centre (NCSC) Guidance: Adhering to recommended practices for securing industrial and building management systems.

8. Policy Review and Updates

This policy must be reviewed and updated annually or following significant changes to the BEMS infrastructure or cybersecurity landscape.

Conclusion

By implementing this cybersecurity policy, BEMS installations are protected from potential threats while maintaining operational reliability.

Prioritising network isolation, secure remote access, and collaboration with client IT teams ensures robust cybersecurity practices that align with good industry standards.

