Traditionally, building management systems have not been considered IT systems. They are not selected by the CIO and have long been considered operational technology under the purview of building and facilities management teams.
That attitude will have to change. Building management and IT organizations will need to work together to identify and mitigate potential risks, said Robert Stroud, the incoming international president of ISACA.
But any response will need to be based on a thorough understanding of the risks, Stroud said. Companies will likely have to pay more attention to practices like network segmentation, strong authentication and network monitoring.
Vendor management processes will need special attention, Stroud noted.
Many of the devices integrated in smart buildings have little security built into them and come from vendors that are unfamiliar to most IT organizations. Suppliers in the building automation world don't have the same kind of processes in place that IT vendors do for responding to vulnerabilities in their products. Few have any notification process to let customers know about security threats to their products.
IT organizations will need to work with building management teams to update vendor lists, build a register of contacts and know who to reach out to in case a response needs to be escalated, Stroud said.