Our buildings are getting smarter, but will that let hackers in?
The internet of things means that more devices than ever before are hooking up to the internet. Internet connectivity has branched out from laptops, desktop PCs and servers and is encompassing sensors and even things like cars and fridges.
But could these devices also allow hackers to infiltrate your organisation’s systems? It certainly appears so. Just recently, IBM’s security research group, known as X-Force, conducted an ethical hacking exercise to show just how easy it is to hack a smart building.
Smart buildings increasingly use technology to control aspects such as heating, lighting and physical access control – all of which are potential vectors for attackers to target.
The X-Force team carried out penetration testing on a Building Automation System (BAS) that controlled several buildings. For client confidentiality, X-Force has not revealed which BAS this was or whose buildings they tested.
Looking at the whole picture
The team said it hacked a BAS because testing individual devices gives an incomplete picture of what could be hacked in a smart building.
The BAS controls sensors and thermostats in a commercial office. Working with the system operator and building management it found several areas of concern in the BAS architecture that could allow hackers to take control, not only of the individual building system, but also a central server, which could then be a springboard to attack other buildings.
To carry out the attack, the team had access to three public IP addresses associated with the target buildings. From there, these ‘ethical hackers’ managed to find a number of security issues such as exposed administration ports on routers. Further investigation of these devices allowed the team to bypass security on the routers and take them over.
Further examination found that the password used to protect the router was the same as the one used in the building controller device. This meant that as the team was inside the network it could log into building controller and control it remotely.
The controllers also had multiple vulnerabilities that the team could exploit to access other control systems, serving as a conduit to accessing sensors and thermostats for several other buildings across the company.
Not paying attention
IBM X-Force Ethical Hacking Team Lead Paul Ionescu said that the exercise proved that very little attention was being paid to IoT in smart buildings as these devices fell outside the scope of traditional IT.
He pointed to a recent survey of building automation system (BAS) operators that found that only 29% had taken action or were in the process of taking action to improve the cyber security of their internet-connected systems.
Writing on SecurityIntelligence.com he said: “If compromised, smart-building devices could have a profound impact on our physical surroundings and could allow a malicious actor to cause damage without any physical access to the building.
“For example, cybercriminals could gain control of the devices that regulate data centre temperatures, causing fans to shut down and servers to overheat. Not only do these connected devices impact our physical surroundings, but if they share connections with enterprise IT networks, they could also open a backdoor to company data.”
Comprehending smart building security risks
Normally, after a security vulnerability, affected code is investigated and devices updated with patches to protect against similar incidents from happening again. This has the added benefit of protecting other users with the same equipment from falling victim to a similar attack – a little like how a vaccination teaches the immune system to repel future bugs.
While this system of updates works well for PCs and servers, it is much more difficult for embedded or IoT devices in a smart building. Sensors and thermostats aren’t typically things that you reboot for a software update.
Replacing a sensor could be one way of applying a fix, but if you have to do that with thousands of devices, it is not cheap or indeed practical.
There was a time when such devices were on isolated networks disconnected from the internet. Cyber security was an afterthought, if it was ever a thought at all.
Where cyber security hasn’t been tightened to reflect today’s more complex needs, the system to control who has authorised access is therefore often lax to non-existent. Web interfaces designed for use in these systems aren’t generally built to withstand sustained attacks from hackers.
Not only that, as technicians need to share access to control systems, passwords are shared and easily guessable. The passwords may never get changed and all stations on the network may share the same one.
Mitigating risk
As noted above, the biggest problem for smart buildings is that there is no easy way to patch the sensors and controls in such buildings. But there are a number of ways that building automation companies and manufacturers can improve security.
First, there needs to be better controls on who has access to software, preventing leakage of information about passwords and better password encryption.
Application security scanning can be used to find vulnerabilities in software and code before it is implemented.
IP address restrictions should be implemented to protect building automation systems from being accessed by just about anyone using the internet. In the same vein, remote administration features on wireless routers, as well as closing ports on these that are left open without good reason, should be disabled.
Security incident and event management (SIEM) systems should also be used to monitor network activity between routers, building automation systems and embedded devices to flag suspicious activity.
Tough network security rules should be deployed on all devices alongside better password practices. Passwords should not be reused or shared between devices and never, ever store passwords in clear text.
If you have devices that can be updated, make sure you do so. Anything you can do to decrease the attack surface area can only help.
Creating a secure smart building means changing policies, technologies and attitudes – and this takes time. However, organisations need to start addressing the cyber security issues associated with smart buildings without delay.
Failure to act now could have disastrous consequences down the line for the business or businesses that occupy the building.
Subscribe to the IFSEC Insider weekly newsletters
Enjoy the latest fire and security news, updates and expert opinions sent straight to your inbox with IFSEC Insider's essential weekly newsletters. Subscribe today to make sure you're never left behind by the fast-evolving industry landscape.
Sign up now!