Our Security Practices: Firmly Established. Always Evolving.
Our digital world puts every building at risk — even if your systems aren’t connected. That’s why cybersecurity is for every environment, whether a small business with just one building or a major corporation with high-rise towers and suburban campuses.
Johnson Controls provides industry-leading cyber resilience at any scale — always with the same proven approach that applies our standards-based policies and global knowledge to:
- Assess your buildings and create a protection plan
- Create secure connections between devices and the cloud
- Monitor for ongoing threats and respond to incidents
Our programs protect your systems and data from cyberattack by working together across three dedicated disciplines:
Information Security
We protect the integrity of your information — as well as that of your customers and employees — from unauthorized disclosure, alteration, access, and unlawful destruction with capabilities that include:
- Cybersecurity awareness and training for employees
- Operations to protect and monitor information
- Security risk management and compliance
Product Security
We provide secure products — software, hardware, and hosted solutions — that we design, source, develop, deploy, support, and refresh throughout their lifecycles with capabilities that include:
- Governance and risk management
- Assurance through assessment and testing
- Integration of security tools
- Operations for vulnerability management and incident response
- Communications and relationships with customers
Privacy
We guard our customers’ privacy with a Privacy by Design program that is involved in all process, product and service development stages.
We follow the most stringent global privacy and data protection laws, including:
- General Data Protection Regulation (GDPR) of the European Union (EU)
- Brazil’s Lei Geral de Proteção de Dados (LGPD)
- Singapore’s Personal Data Protection Act (PDPA)
- California’s Consumer Privacy Act (CCPA)
To learn more please visit our privacy page.
Cybersecurity testing may be conducted on Johnson Controls solutions. We recommend that tests be conducted in a non-production test environment to protect against disruption to operations.
A security test may produce field-correctable findings if the steps outlined in the associated product Hardening Guide (Resources) are not followed.
Before conducting security tests, fully execute steps in the Hardening Guide (Resources). The following hardening steps, if not conducted, are known to result in addressable security findings:
- Update components to the most current supported release/version, and patch level that you are licensed to use, including:
  - All Johnson Controls Applications
  - All supporting software, not installed by Johnson Controls Applications, such as Windows, SQL Server, .NET and others
- Disable unused features, services, ports and software
- Install PKI certificates for applicable interfaces that are either:
  - Provided by the local IT PKI administrator
  - Acquired from a public Certificate Authority (CA)
- Before removing components not required by the Johnson Controls applications (e.g. old versions of Microsoft .NET, SQL and others):
  - Ensure the software is not needed for any other function
  - Ensure all data was properly migrated to the new Server instance
If a test tool detects potential issues with a Johnson Controls component, you may share the results with Johnson Controls or report other cybersecurity concerns at https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories#ReportAVulnerability. You may also contact us at productsecurity@jci.com.
Please use our downloadable PGP key to secure communications.