March 29, 2016

How Vulnerable are Smart Buildings to Cyber Hacks?

Our buildings are getting smarter, but will that let hackers in?

The internet of things means that more devices than ever before are hooking up to the internet. Internet connectivity has branched out from laptops, desktop PCs and servers and is encompassing sensors and even things like cars and fridges.

But could these devices also allow hackers to infiltrate your organisation’s systems? It certainly appears so. Just recently, IBM’s security research group, known as X-Force, conducted an ethical hacking exercise to show just how easy it is to hack a smart building.

Smart buildings increasingly use technology to control aspects such as heating, lighting and physical access control – all of which are potential vectors for attackers to target.

The X-Force team carried out penetration testing on a Building Automation System (BAS) that controlled several buildings. For client confidentiality, X-Force has not revealed which BAS this was or whose buildings they tested.

Looking at the whole picture

The team said it hacked a BAS because testing individual devices gives an incomplete picture of what could be hacked in a smart building.

The BAS controls sensors and thermostats in a commercial office. Working with the system operator and building management, the team found several areas of concern in the BAS architecture that could allow hackers to take control not only of the individual building system but also of a central server, which could then be a springboard to attack other buildings.

To carry out the attack, the team had access to three public IP addresses associated with the target buildings. From there, these ‘ethical hackers’ managed to find a number of security issues such as exposed administration ports on routers. Further investigation of these devices allowed the team to bypass security on the routers and take them over.

Further examination found that the password used to protect the router was the same as the one used in the building controller device. This meant that once the team was inside the network it could log into the building controller and control it remotely.

The controllers also had multiple vulnerabilities that the team could exploit to access other control systems, serving as a conduit to accessing sensors and thermostats for several other buildings across the company.

Not paying attention

IBM X-Force Ethical Hacking Team Lead Paul Ionescu said that the exercise proved that very little attention was being paid to IoT in smart buildings as these devices fell outside the scope of traditional IT.

He pointed to a recent survey of building automation system (BAS) operators that found that only 29% had taken action or were in the process of taking action to improve the cyber security of their internet-connected systems.

Writing on SecurityIntelligence.com he said: “If compromised, smart-building devices could have a profound impact on our physical surroundings and could allow a malicious actor to cause damage without any physical access to the building.

“For example, cybercriminals could gain control of the devices that regulate data centre temperatures, causing fans to shut down and servers to overheat. Not only do these connected devices impact our physical surroundings, but if they share connections with enterprise IT networks, they could also open a backdoor to company data.”

Comprehending smart building security risks

Normally, after a security vulnerability is discovered, the affected code is investigated and devices are updated with patches to prevent similar incidents from happening again. This has the added benefit of protecting other users with the same equipment from falling victim to a similar attack – a little like how a vaccination teaches the immune system to repel future bugs.

While this system of updates works well for PCs and servers, it is much more difficult for embedded or IoT devices in a smart building. Sensors and thermostats aren’t typically things that you reboot for a software update.

Replacing a sensor could be one way of applying a fix, but if you have to do that with thousands of devices, it is not cheap or indeed practical.

There was a time when such devices were on isolated networks disconnected from the internet. Cyber security was an afterthought, if it was ever a thought at all.

Where cyber security hasn’t been tightened to reflect today’s more complex needs, the system to control who has authorised access is therefore often lax to non-existent. Web interfaces designed for use in these systems aren’t generally built to withstand sustained attacks from hackers.

Not only that, as technicians need to share access to control systems, passwords are shared and easily guessable. The passwords may never get changed and all stations on the network may share the same one.

Mitigating risk

As noted above, the biggest problem for smart buildings is that there is no easy way to patch the sensors and controls in such buildings. But there are a number of ways that building automation companies and manufacturers can improve security.

First, there need to be better controls on who has access to software, measures to prevent leakage of information about passwords, and better password encryption.

Application security scanning can be used to find vulnerabilities in software and code before it is implemented.

IP address restrictions should be implemented to protect building automation systems from being accessed by just about anyone using the internet. In the same vein, remote administration features on wireless routers should be disabled, and ports on these that are left open without good reason should be closed.

Security incident and event management (SIEM) systems should also be used to monitor network activity between routers, building automation systems and embedded devices to flag suspicious activity.

Tough network security rules should be deployed on all devices alongside better password practices. Passwords should not be reused or shared between devices, and they should never, ever be stored in clear text.
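
The checks above (IP restrictions on remote administration, no password shared between a router and a building controller, no clear-text password storage) can be run as an audit over a device inventory. The following is an added example, not part of the original article or IBM's report; the device names, field names, audit key and sample passwords are constructed assumptions.

```python
import hashlib
import hmac
import ipaddress
from collections import defaultdict

AUDIT_KEY = b"constructed-audit-key"  # assumption: per-audit key held in a vault

def fingerprint(secret: str) -> str:
    """Keyed digest: lets the audit compare credentials without listing them."""
    return hmac.new(AUDIT_KEY, secret.encode(), hashlib.sha256).hexdigest()

# Constructed inventory (hypothetical devices, documentation address ranges).
INVENTORY = [
    {"name": "edge-router-1", "remote_admin": True, "allow": ["0.0.0.0/0"],
     "stored_as": "hash", "cred": fingerprint("Bldg-Admin-01")},
    {"name": "bas-controller-1", "remote_admin": True,
     "allow": ["198.51.100.0/28"],
     "stored_as": "cleartext", "cred": fingerprint("Bldg-Admin-01")},
    {"name": "bas-controller-2", "remote_admin": False, "allow": [],
     "stored_as": "hash", "cred": fingerprint("x9!Unique-per-device")},
]

def open_to_internet(device) -> bool:
    """Remote admin is on with no allowlist, or an entry that matches everything."""
    if not device["remote_admin"]:
        return False
    nets = [ipaddress.ip_network(n) for n in device["allow"]]
    return not nets or any(n.prefixlen == 0 for n in nets)

def audit(inventory):
    """Return sorted (rule, target) findings for the three checks."""
    findings = []
    by_cred = defaultdict(list)
    for d in inventory:
        by_cred[d["cred"]].append(d["name"])
        if open_to_internet(d):
            findings.append(("ADMIN_EXPOSED", d["name"]))
        if d["stored_as"] == "cleartext":
            findings.append(("CLEARTEXT_PASSWORD", d["name"]))
    # Any credential fingerprint seen on more than one device is reuse.
    for names in by_cred.values():
        if len(names) > 1:
            findings.append(("PASSWORD_REUSED", ", ".join(sorted(names))))
    return sorted(findings)

if __name__ == "__main__":
    for rule, target in audit(INVENTORY):
        print(f"{rule:20} {target}")
```

Findings of this kind are also the sort of records a SIEM can take in alongside network activity from routers and controllers.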

If you have devices that can be updated, make sure you do so. Anything you can do to decrease the attack surface area can only help.

Creating a secure smart building means changing policies, technologies and attitudes – and this takes time. However, organisations need to start addressing the cyber security issues associated with smart buildings without delay.

Failure to act now could have disastrous consequences down the line for the business or businesses that occupy the building.

 

 

 
