Four Common IT Errors
I’ve never met a building services or BMS firm that has intentionally set out to ruin a project.
However, whether through lack of IT knowledge, time or resources we’ve seen plenty of projects rapidly heading to ruin due to avoidable errors.
We specialise in helping BMS and building services businesses design and deploy IT networks for their projects. This typically means that projects can be delivered faster and easier.
Below is a list of the most common errors we’ve found whilst working on building services projects. If you’d like your networked projects to run smoother call us on 01858 438 500; download our latest BMS engineering guide.
DEFAULT USERNAME AND PASSWORD
Many BMS devices will be shipped with a default account to enable engineers to configure it. It sounds crazy, but it’s only recently that many device vendors have cottoned on to the fact that you shouldn’t publish the default username and password on the web!
If your devices have a default account make sure that you at least change the default password to a strong one. If possible, check with the manufacturer to see if you can delete that default account. Then don’t forget to store those account details somewhere safe and secure.
‘WE WANT A FLAT NETWORK’
This is a request we hear so many times from engineers. OK, it may be easier to commission your 1000s of field devices on a single IP subnet using the native VLAN, however this is a bad strategy for so many reasons.
First, many BMS field devices use protocols that send broadcast messages to the rest of the devices on the network. An increase in devices means an increase in broadcast messages which in turn means an increase in overhead for the network and devices to deal with, all of which means a slower network.
Second, if a device fails and starts creating a broadcast storm you’d lose the entire network. Where do you start looking to identify the problem device?
Third, you could have head ends and controllers on that same flat network. This means you’ve created a larger security vector for malicious actors to attack.
When planning your network consider segmenting the network at layer 2 (VLAN) and layer 3 (IP subnet) levels. A good way to do this is to divide the devices into logical categories, for example HVAC, CCTV, lighting control, door entry etc. Keeping these on separate logical networks will make it easier to add devices in the future, will improve network resilience and will make the network easier to monitor and manage.
ENABLING ALL PORTS ON A SWITCH
Switch ports are the point of entry to the network. For larger BMS projects, where you may have switches throughout a building, this means that you’ve got many network entry points to manage – security alert!
You may want building services engineers to be able to access all building devices from any switch, so how do you balance that security risk without making the engineer walk a marathon?
One way is to lock down all unused switch ports, allocating them to a black hole VLAN, and having one dedicated port per switch for the building services engineers. For additional security, you could enable port protection – locking the ports down to specific laptops or devices.
UNSECURED REMOTE ACCESS
Again, something we see a lot of is remote access connections to building services network without any security measures. Typically these are Internet broadband connections directly connected to the network.
Exposing your network to the web, without appropriate security measures, is a no-no. From our testing it takes about two weeks for a port scanned IP address to percolate around the darker edges of the web. In no time at all, like dipping a bleeding leg into a shark pool, the network will be attacked from all angles.
The best way to provide secure remote access is to avoid the Internet altogether. Private broadband connections, that don’t connect to the Internet, are often the same cost as Internet connections. Find out more about these in our latest guide: Remote Access Connections for Building Services Projects.