published on December 11, 2018
Working Towards a More Secure Future for Building Automation Systems (BAS)
by Elisa Costante
Having worked in the cybersecurity industry for more than 8 years, two of which have been dedicated to analyzing building automation security, I am always intrigued to learn about new tactics and threat vectors that hackers use to gain access, particularly as physical systems are increasingly coming online.
A few days ago, we heard about a security incident in the news where a hacker in the Netherlands shut down the cooling system used to store pharmaceutical drugs in a supermarket. The hacker was a disgruntled former employee who had been logging in remotely from Norway, directly into the building automation system, with an old set of credentials. He succeeded in accessing and shutting down the cooling system, but a timely response from the store management contained the damage and mitigated the risk. A key takeaway from this incident should be that insider threats are a valid risk for any organization, and that a BAS can be hacked by someone with a little know-how and a motive.
The number of identified vulnerabilities in building automation systems has been increasing over the past two years, illustrating the urgency for BAS owners to harden their systems against internal or external cyber threats.
To move this cause forward, our team has established a dedicated research arm for the discovery of BAS-specific vulnerabilities. During just a few weeks of activity, the team discovered several vulnerabilities ranging from minor to critical severity and reported them to the involved vendors (see link).
One of the vulnerabilities discovered was in a universal software infrastructure that allows building controls integrators, HVAC (Heating, Ventilation and Air Conditioning) and mechanical contractors to build custom, web-enabled applications for accessing, automating and controlling smart devices in real time, via the local network or over the Internet. We discovered vulnerabilities that, if exploited, might grant a malicious user access to critical systems such as HVAC or perimeter access control, putting a business at risk both operationally and physically. Additionally, in flat networks that are not properly segmented, access to the HVAC might be only the tip of the iceberg: from there, attackers can pivot to even more critical systems such as POS terminals or a database containing personal information like credit card numbers. This is similar to what caused the Target breach, where attackers managed to exfiltrate millions of customers’ credit card records by leveraging the compromised credentials of an HVAC contractor with access to Target’s network.
How can building automation system owners prevent an attack like this one?
Complete visibility into BAS networks is key to identifying this type of attack. Network monitoring gives organizations a thorough understanding of the BAS environment and its connections, which makes it easier to design effective security architectures, identify attack vectors and locate blind spots. Improved BAS visibility also enables security managers to resolve unknown and unchecked operational security issues, including vulnerabilities, misconfigurations, access policy violations, faulty design in the form of weak security controls, and any unplanned or unauthorized changes.
In the case of the incident described above, visibility into the network would have identified the employee logging into the system and performing dangerous operations within the network. Baselining the network traffic would have helped to identify systems issuing commands that were out of the realm of normal operations.
One way to increase BAS visibility is to adopt an advanced network monitoring and situational awareness platform, such as SilentDefense for building automation. These types of tools provide much-needed visibility into the BAS and raise an immediate alert if a new node appears on the network or a communication pattern becomes abnormal or dangerous. They also let users enforce compliance with internal network and maintenance policies, alerting when an unusual set of credentials is used or a user logs in outside of authorized hours.
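As an added illustration of the baselining and alerting described in the two paragraphs above (example code, not from the original post or from SilentDefense): a minimal detector that learns known hosts, command flows and users from a baseline window of constructed BAS records, then flags new nodes, unknown flows, unknown credentials and off-hours activity. The record format, host names and the 07:00-18:59 maintenance window are assumptions.

```python
"""Baseline-and-alert detector for BAS traffic records (constructed example)."""
from datetime import datetime

# Constructed sample records: (timestamp, source host, destination, command, user).
# These are made-up log lines, not traffic from any real site.
BASELINE = [
    ("2018-12-03T09:12:00", "hmi-01", "chiller-ctl", "ReadProperty", "operator1"),
    ("2018-12-03T10:40:00", "hmi-01", "chiller-ctl", "WriteProperty", "operator1"),
    ("2018-12-03T14:05:00", "bms-server", "ahu-02", "ReadProperty", "svc-bms"),
]
LIVE = [
    ("2018-12-10T11:00:00", "hmi-01", "chiller-ctl", "ReadProperty", "operator1"),
    ("2018-12-10T23:30:00", "vpn-gw", "chiller-ctl", "WriteProperty", "ex-employee"),
    ("2018-12-10T12:15:00", "bms-server", "ahu-02", "WriteProperty", "svc-bms"),
]
# Assumed maintenance policy: authenticated commands allowed 07:00-18:59 local time.
AUTHORIZED_HOURS = range(7, 19)


def build_baseline(records):
    """Learn the known hosts, known (src, dst, command) flows and known users."""
    hosts, flows, users = set(), set(), set()
    for _, src, dst, cmd, user in records:
        hosts.update((src, dst))
        flows.add((src, dst, cmd))
        users.add(user)
    return hosts, flows, users


def detect(records, baseline, authorized_hours=AUTHORIZED_HOURS):
    """Return (alert_type, record) pairs for every deviation from the baseline."""
    hosts, flows, users = baseline
    alerts = []
    for rec in records:
        ts, src, dst, cmd, user = rec
        if src not in hosts or dst not in hosts:
            alerts.append(("new_node", rec))          # node never seen before
        if (src, dst, cmd) not in flows:
            alerts.append(("unknown_flow", rec))      # command outside normal ops
        if user not in users:
            alerts.append(("unknown_credential", rec))  # unusual set of credentials
        if datetime.fromisoformat(ts).hour not in authorized_hours:
            alerts.append(("off_hours_activity", rec))  # outside maintenance window
    return alerts


if __name__ == "__main__":
    for kind, rec in detect(LIVE, build_baseline(BASELINE)):
        print(f"{kind:20s} {rec}")
```

Running the script flags nothing for the routine read, four alerts for the off-hours write from the unknown gateway with stale credentials, and one unknown-flow alert for a known host issuing a write it had never issued before.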
Network monitoring platforms such as SilentDefense offer detailed threat detection and rapid remediation capabilities across the whole BAS, from critical alarms down to the I/O and IP device networks. Facility managers can also detect operational anomalies and threats before they lead to potentially dangerous incidents, and help prevent them in the future.
The benefits of this approach extend far beyond conventional cybersecurity to offer asset owners in the BAS and smart building industry the power of complete OT visibility and system integration with legacy and new control systems.