
LOS ANGELES UNIFIED SCHOOL DISTRICT

Policy Bulletin

TITLE: Description of Security Standards for Installation of Building
Automation Systems (BAS) on the LAUSD ITD Network Facilities

ROUTING

NUMBER: REF-4686

ISSUER: Anthony D. Tortorice
Chief Information Officer

DATE: May 5, 2009

BACKGROUND: This document describes security standards for the installation of building
automation systems on the LAUSD network. Refer to Bulletin 4600 for a full
description of the Information Technology Division’s policy concerning building
automation systems.

MAJOR CHANGES: This is a new reference guide.

STANDARDS: Because BAS control the critical systems of a building, care must be taken in
connecting them to a shared network. Ensuring the availability and integrity of
building services is of utmost importance. The security standards described in
this bulletin are based on best practices for securely connecting devices to a
network:

1. Account Management
   a. Default, guest or anonymous accounts must be disabled, especially those
      allowing remote access.
   b. Accounts that provide the vendor alternative access to the BAS
      (“backdoors”) must be documented and disabled.
   c. The BAS must support complex passwords to match LAUSD policy as
      described in Reference Guide 1551.
   d. Along with local accounts, the BAS should support use of external
      authentication services such as RADIUS or LDAP.
2. Removal of Unnecessary Services and Programs
   a. The BAS must support the capability to disable or remove unnecessary or
      unneeded services and programs. For example, if a device supports both
      Telnet and SSH for remote administration, a technician can disable the
      Telnet service.
3. User Interface/Encryption
   a. If the BAS provides a web browser based interface:
      i. The web server must support HTTPS/SSL.
      ii. The web server must protect against common exploits (XSS, SQL
          injection).
REF-4686
Office of the Chief Information Officer Page 1 of 3 May 5, 2009

   b. If the BAS provides a terminal or command line interface:
      i. The BAS should support Secure Shell (SSH).
      ii. The BAS should support Secure Copy (SCP) in place of FTP or TFTP.
4. Network Configuration
   a. The BAS must allow configuration of network settings (IP address,
      net mask, etc.) to match the LAUSD network topology.
5. Logging/Monitoring
   a. Simple Network Management Protocol (SNMP) should be built into the BAS,
      with the ability to have separate read-only and read-write community
      strings.
   b. The BAS should log configuration changes that modify the operating
      characteristics of a device, with a date/time stamp and the identity of
      the party making the change.
   c. Support of Syslog, or other remote logging systems, is highly desirable.
6. Power/Network Outages
   a. After power loss, the BAS must boot back into the last saved
      configuration, not the default configuration.
   b. The components of the BAS (card readers, temperature sensors, etc.) must
      continue to function in stand-alone mode in the case of a network outage.
7. Patching/Software Updates
   a. The BAS must support a mechanism for in-the-field upgrades of firmware
      and software, whether by the vendor or District staff.
8. Installation
   a. The BAS should be installed in the VLAN designated for network equipment
      (commonly called the “equipment” VLAN).
   b. BAS components must not be installed on the administrative or
      instructional VLANs.

ITD Security will conduct a security vulnerability scan of the building automation
system to confirm it meets the standards described in this bulletin.

If a candidate BAS does not meet one or more of the standards enumerated above,
additional mitigating security controls may be required before the deployment of
the system on the LAUSD network. Please contact the ITD Security Office for
guidance in this situation.

REFERENCES: Bulletin 4600: ITD Building Automation Systems Policy


Reference Guide 1551: Description of Security Standards for Networked
Computer Systems Housing Confidential Information

ASSISTANCE: For further information please call Gashaw Teshome, Coordinator of ITD
Security, at (213) 241-0627.
