How To Better Secure IoT and BAS

The Internet of Things (IoT) and IoT technology have helped make significant strides in business operations for more than a decade. These benefits are widely understood and welcomed: higher employee comfort levels and productivity, more efficient energy consumption, better building pressure, time and monetary savings, and so on. But every technological advancement also comes with drawbacks, some of which pose noteworthy threats to security and data networks and are worth taking into consideration.

Building automation systems (BAS) integrated with IoT technology open the door to cybersecurity challenges for companies across the world. IoT connects devices, and both personal and corporate information, globally through the cloud. As worded by Network World, “One weak link in the security chain could provide rogue elements with a vulnerability to exploit and enjoy unlimited access to data.”

While these security threats are alive and well, there are practical steps that your IT and/or business leaders can take to protect your company, employees and clients. First, let’s explore a few of these potential threats more in-depth.

The Growing Prevalence of IoT

According to a forecast by Gartner, 20.4 billion connected devices will be in use worldwide by 2020, as compared to 8.4 billion reported in 2016. These devices go beyond the obvious of smartphones, laptops and BAS. As reported by BizTech, we’re also talking about potential threats including connected vehicles in fleets or delivery services, locking and encrypting IoT devices via ransomware, using connected devices to carry out attacks and more.

As quoted by BizTech, Security Technologist Bruce Schneier described just how thoroughly IoT has incorporated computers into our lives:

“Through the sensors, we’re giving the Internet eyes and ears. Through the actuators, we’re giving the Internet hands and feet. Through the processing—mostly in the cloud—we’re giving the Internet a brain. Together, we’re creating an Internet that senses, thinks, and acts. This is the classic definition of a robot, and I contend that we're building a world-sized robot without even realizing it.”

And this “world-sized robot” can be manipulated in several different ways, which is where the threats to security and data networks come into play.

Be Aware of These IoT Vulnerabilities

Physical Building Security

Businesses that use IoT sensors to lock doors and windows or secure access to sensitive materials should make sure that their physical security remains as tight as it was before IoT was incorporated.

Connected Vehicles

If your business uses connected vehicles with sensors that link to cellular or Wi-Fi networks to monitor and control engine functions and entertainment systems, those vehicles may be vulnerable to attacks that take control of the vehicle or cause it to crash. Autonomous vehicles are likely to be at greater risk for this.

Connected Devices Inside Businesses

Connected devices inside businesses may also be locked as thieves encrypt data and hold it for ransom. If devices such as these have weak or default passwords, they can easily be hacked and used to form botnets that direct massive amounts of traffic against unsuspecting targets and cause their services to shut down.


Ransomware is a type of malicious software, or malware, designed to deny access to a computer system or data until a ransom is paid. In June 2017, Alerton made its dealers aware of a large-scale malicious ransomware campaign called “Petya” that was actively spreading and impacting organizations on a global level. This particular ransomware had the ability to attack fully patched systems even if just one computer on the network wasn’t patched.

This ransomware encrypted data on compromised systems, rendering them unusable, attempted to spread laterally to other assets, and demanded that a ransom be paid to restore operations. While the Petya ransomware has since been destroyed, similar cases can come about at any time for BAS of any provider, such as Alerton, Tridium, or Honeywell.

How to Protect Data Networks

Just because these security threats exist doesn’t mean you can’t protect your BAS and data networks from breaches in security. There are a few best practices for IT and business leaders to follow to ensure IoT security from all access points.

Device Security

Some of your devices or pieces of equipment probably operate continuously unattended, and are therefore not subject to the security implied by frequent, direct observation. According to Network World, it’s best practice to secure your devices by deploying a layered approach that requires attackers to circumvent multiple obstacles designed to protect the device and its data from unauthorized access and use. Some known points of exposure that companies should protect include TCP/UDP ports, open serial ports, open password prompts, places to inject code such as web servers, unencrypted communications, and radio connections.

Network Security

Network World also stresses the importance of securing the networks used for IoT and IIoT, including the use of strong user authentication and access control mechanisms to make sure only authorized users can gain access to networks and data. Best practices for network security include strong, sophisticated passwords, two-factor authentication, strong encryption, and context-aware authentication.

Data Protection

Beyond securing your devices and networks, your IT team should ensure the security of your IoT and IIoT data itself. Application and user data should be encrypted both in flight and at rest, and strong security operations policies should be in place, along with comprehensive training programs for anyone who will have a hand in the IoT or IIoT data.

Other Security Tips

Beyond these best practices, Network World also provides a list of ten tips to minimize IoT security vulnerabilities, including carefully researching any devices before they are implemented into your network, having separate networks for IoT devices whenever possible, and making sure you update your equipment as frequently as possible. The full list of tips is available on their website.
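As an added example (not from the original article or from Network World), the checks named above can be run as a small audit over a device inventory: separate IoT network, default passwords, two-factor authentication, unencrypted services, and stale firmware. The subnet, service names, age threshold and device records are assumptions constructed for illustration.

```python
import ipaddress
from datetime import date

# Assumed policy values for this example (not from the article).
IOT_SEGMENTS = [ipaddress.ip_network("10.50.0.0/16")]  # dedicated IoT/BAS network
CLEARTEXT_SERVICES = {"telnet", "http", "ftp"}         # unencrypted protocols
MAX_FIRMWARE_AGE_DAYS = 365

# Constructed sample inventory; in practice exported from an asset database.
INVENTORY = [
    {"name": "ahu-controller-1", "ip": "10.50.3.12", "services": ["https"],
     "default_password": False, "two_factor": True,
     "firmware_date": date(2024, 11, 2)},
    {"name": "lobby-camera", "ip": "192.168.1.77", "services": ["http", "telnet"],
     "default_password": True, "two_factor": False,
     "firmware_date": date(2021, 3, 15)},
    {"name": "door-lock-gw", "ip": "10.50.9.4", "services": ["https", "ftp"],
     "default_password": False, "two_factor": False,
     "firmware_date": date(2024, 6, 1)},
]

def audit_device(dev, today):
    """Return the list of findings for one inventory record."""
    findings = []
    addr = ipaddress.ip_address(dev["ip"])
    if not any(addr in seg for seg in IOT_SEGMENTS):
        findings.append("not on a separate IoT network")
    if dev["default_password"]:
        findings.append("weak or default password")
    if not dev["two_factor"]:
        findings.append("no two-factor authentication")
    cleartext = sorted(CLEARTEXT_SERVICES.intersection(dev["services"]))
    if cleartext:
        findings.append("unencrypted services: " + ", ".join(cleartext))
    if (today - dev["firmware_date"]).days > MAX_FIRMWARE_AGE_DAYS:
        findings.append("firmware older than %d days" % MAX_FIRMWARE_AGE_DAYS)
    return findings

def audit_inventory(inventory, today):
    """Map device name -> findings, devices with the most findings first."""
    report = {d["name"]: audit_device(d, today) for d in inventory}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))

if __name__ == "__main__":
    for name, findings in audit_inventory(INVENTORY, date(2025, 1, 15)).items():
        print(name, "->", findings or "ok")
```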

Control Solutions Can Help Protect Your Data!

IoT and BAS security threats are scary possibilities that no company wants to face. Having a partner like Control Solutions on your side to regularly monitor, service and update your BAS equipment and networks can help. Contact us today to learn more about how we can help keep your data protected from security threats!


BizTech Magazine
Network World