Last week the cyber security firm released a white paper highlighting building automation systems (BAS) vulnerability to cyber attacks.
On January 14th, 2015, Laconicly discovered a total of 64,003 IP addresses pointing to a device or system that supports a BAS deployment. Of the 64,003 IP addresses discovered, 41,308 IP addresses could be reached and were considered live on the Internet.
19,583 of the 41,308 (47%) devices that were accessible via the Internet offer one or more interfaces (excluding login pages and static content) that are accessible without any authentication. These exposures do not even require a username to be provided. 7,282 devices (25%) provided enough identifying information to associate the device with a specific industry or a specific organisation.
Attackers infiltrating such systems could, potentially, gain access to control systems for HVAC, lighting and even security systems. Such access, in the wrong hands, could lead to significant disruption and could potentially aid physical security breaches. Leading Laconicly and other firms to question if BAS security is being taken seriously enough in the Internet of Things (IoT) age. Our extensive research into The Internet of Things in Smart Buildings 2014 to 2020 clearly shows how the industry is redefining itself using IoT technology.
Traditionally building systems including BAS have been protected partially through obscurity, and largely through physical protection. Gaining access to a building control system and enabling or disabling systems, or even changing set points used to require access to the building and entry to mechanical and electrical rooms; which are typically secured.
However as we have moved toward control systems that are network enabled, it is now possible to access these systems through the building network or even remotely through the Internet. At the same time the systems have become increasingly less obscure.
Older, proprietary BAS systems could only be accessed through a desktop computer application. This was typically located in a secured area and was protected by user name and password. As we have moved to open systems including those that utilize BACnet, LonTalk, and Tridium Niagara, it becomes possible to access the systems using tools other then a workstation leading to more paths for potential breaches.
In fact one of the goals of an open protocol control system is to make communications easy, which in turn can make these systems potential targets for attacks. Cyber security experts, such as those at Laconicly, have long been aware of this potential vulnerability, but recent developments are leading to a broader awareness of this issue.
There is work going on within the industry to better protect systems including changes to the open protocol standards, as well as software patches and improvements from suppliers and new products coming on the market intended to provide added protection. However, greater attention must be paid by BAS integrators, and building owners, to ensure such security protocols are actually present and active.
“System integration is a critical component for deploying, operating, and maintaining a robust BAS deployment. Integrators play a critical role in selecting technologies, commissioning deployments, configuring devices, operating complex systems, troubleshooting issues, and maintaining automation systems. Given the enormous operational responsibilities placed on BAS integrators, many cyber security responsibilities will fall squarely on the integrators shoulders”, the report outlines.
Building Automation Systems are generally too complex for most end users to take a leading role in protecting their buildings from cyber attack, but greater attention on the potential threat would put pressure on integrators to provide such security.
Laconicly’s report suggested that “in most cases, the end user organization had no idea their facilities were online and Internet facing within a commercial ISP IP address space”.
As building automation evolves within an IoT environment more emphasis must be placed on educating end users on the vulnerability of their systems. In parallel, greater responsibility must be placed on the integrator for failing to secure systems, either through physical network connection or layers of virtual protection, or both.
Billy Rios and the Laconicly team provide detailed guidance for end users to address security concerns with their BAS integrators, suggesting that pressure from user to integrator will lead to vital security reform. “Given the critical nature of the work integrators are responsible for, it is important to verify that the integrator isn’t putting your business at unnecessary risk. In these circumstances, the age old advice applies: Trust, but verify”.