By Fred Gordy
Building automation systems have historically been installed with convenience in mind. Isn’t that why facility managers started using a browser instead of having to install a specific application on all the PCs that needed to access the BAS? Lower cost, greater portability, and ease of access.
Remote web access was the next logical step for both the facility manager and the supporting vendors. Facility managers could check their systems from any browser, and vendor cost went down because the vendor could reach the system remotely through the same browser interface and pre-diagnose or fix an issue before rolling a truck.
In the early days, IT really didn’t have, or want to have, anything to do with these systems, so BAS vendors took on the responsibility of running cable, installing unmanaged switches, and setting up remote access. Remote access was usually accomplished either by giving the system a public IP (a globally unique address reachable from anywhere on the Internet) or by port-forwarding from a public IP to a private IP on a standard internet service provider (ISP) router.
Public IPs were assigned to the PCs that ran the web service/application through which facility managers viewed and interacted with the BAS remotely. The vendor could also view, control, and reprogram the application through the same public IP. Because the vendor needed to program the field controllers remotely as well, public IPs were extended to the devices themselves. As a result the entire system, front end and controllers alike, was exposed to the Internet.
At the time, being exposed was okay to both the end user and the vendor because no one was actively seeking out these systems. That’s all changed. Devices are now in the hacker’s crosshairs.
Why has this changed? The simple answer is that devices offer the path of least resistance. Hackers may or may not be looking to compromise or destroy equipment. They may be looking for another way into the company network, and they know that control networks have little or no security and that these networks are not typically monitored for threats or intrusions.
How do hackers find your BAS?
Up until 2009, search engines were not specifically looking for Internet-connected devices. In 2009, Shodan was launched. It was the first search engine dedicated to searching for Internet-connected devices, also known as the IoT (Internet of Things). The intent was to catalog the number of devices (not websites) active on the Internet. Users could search free of charge for specific devices from specific manufacturers.
A byproduct of indexing Internet-connected devices was that now the bad guys could use this tool to find devices and probe for vulnerabilities.
In 2015, Censys was created at the University of Michigan and made available to the public for free. Censys, like Shodan, crawls the Web in search of Internet-connected devices. And like Shodan, both security researchers and hackers can use it.
Censys and Shodan both index the devices they find and add tags to them. Why tags? It makes searching easier. You don’t have to know a query language, just the tags. If you wanted to find all the building control system devices in the world that Censys has indexed, you would enter “building control” in the search box and in less than a second you would have a list. You could do the same with any other tag. The large list of tags makes searching for devices easy to do and easy to refine.
Censys provides a lot of useful information for both good guys and bad guys, including the system version, the host ID/license, the host name, and the name of the building where the device resides. It also lists the geographic location of the device, manufacturer, OS version, ISP, etc.
After a device has been found, several freely available software tools make interacting with it relatively easy. For example, if a hacker can find a BBMD (BACnet/IP Broadcast Management Device), or any other BACnet/IP controller reachable on its UDP port, they can read and write its points without having to crack a username and password, because the BACnet/IP protocol itself carries no authentication; the login on the web front end protects only the web page, not the controllers behind it. And the tool to do this is free. Anyone can download it from SourceForge.net.
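Because the protocol has no credentials to check, the only practical control is knowing who can reach UDP/47808 and watching what they send, which is exactly what the earlier point about unmonitored control networks is missing. The following Python is an added example, not the author’s tool or anything from the page or from SourceForge: it decodes the BVLC/NPDU/APDU headers of BACnet/IP packets and flags any request that arrives from outside an assumed set of internal ranges, grading a Register-Foreign-Device sent to a BBMD and a WriteProperty more severely than a Who-Is scan. The log format, the internal ranges (10/8, 172.16/12, 192.168/16) and the packets themselves are constructed for the example.

```python
"""Decode BACnet/IP headers and flag requests from outside the site.

Added example, not code from the article. The flow-log format, the trusted
address ranges and the sample packets are constructed for illustration.
"""
import ipaddress

BACNET_PORT = 47808  # 0xBAC0, the default BACnet/IP UDP port

BVLC_FUNCTIONS = {
    0x00: "BVLC-Result", 0x01: "Write-Broadcast-Distribution-Table",
    0x02: "Read-Broadcast-Distribution-Table", 0x03: "Read-Broadcast-Distribution-Table-Ack",
    0x04: "Forwarded-NPDU", 0x05: "Register-Foreign-Device",
    0x06: "Read-Foreign-Device-Table", 0x07: "Read-Foreign-Device-Table-Ack",
    0x08: "Delete-Foreign-Device-Table-Entry", 0x09: "Distribute-Broadcast-To-Network",
    0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU",
}
UNCONFIRMED = {0: "I-Am", 1: "I-Have", 7: "Who-Has", 8: "Who-Is"}
CONFIRMED = {6: "AtomicReadFile", 7: "AtomicWriteFile", 12: "ReadProperty",
             14: "ReadPropertyMultiple", 15: "WriteProperty", 16: "WritePropertyMultiple",
             17: "DeviceCommunicationControl", 20: "ReinitializeDevice"}
# Services that change device state; none of them carry credentials in BACnet/IP.
STATE_CHANGING = {"AtomicWriteFile", "WriteProperty", "WritePropertyMultiple",
                  "DeviceCommunicationControl", "ReinitializeDevice"}
RECON = {"Who-Is", "Who-Has", "ReadProperty", "ReadPropertyMultiple", "AtomicReadFile"}
# Assumed trusted ranges for the site; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_bacnet_ip(payload: bytes) -> dict:
    """Return the BVLC function and, where an APDU is present, the service name."""
    if len(payload) < 4 or payload[0] != 0x81:
        return {"ok": False, "reason": "not BACnet/IP (BVLC type 0x81 missing)"}
    func, length = payload[1], int.from_bytes(payload[2:4], "big")
    if length != len(payload):
        return {"ok": False, "reason": f"BVLC length {length} != {len(payload)} bytes"}
    info = {"ok": True, "bvlc": BVLC_FUNCTIONS.get(func, f"unknown-0x{func:02x}"), "service": None}
    if func == 0x05:  # Register-Foreign-Device carries only a 2-byte time-to-live
        info["ttl_seconds"] = int.from_bytes(payload[4:6], "big")
        return info
    if func not in (0x04, 0x0A, 0x0B):
        return info  # BVLC management message, no NPDU to decode
    npdu = payload[10:] if func == 0x04 else payload[4:]  # Forwarded-NPDU prefixes a 6-byte B/IP address
    if len(npdu) < 2 or npdu[0] != 0x01:
        return {"ok": False, "reason": "NPDU version byte is not 1"}
    control, pos = npdu[1], 2
    try:
        if control & 0x20:            # destination specifier: DNET(2) DLEN(1) DADR(DLEN)
            pos += 3 + npdu[pos + 2]
        if control & 0x08:            # source specifier: SNET(2) SLEN(1) SADR(SLEN)
            pos += 3 + npdu[pos + 2]
    except IndexError:
        return {"ok": False, "reason": "truncated NPDU address fields"}
    if control & 0x20:
        pos += 1                      # hop count follows the address fields
    if control & 0x80:
        info["service"] = "network-layer-message"
        return info
    apdu = npdu[pos:]
    if not apdu:
        return {"ok": False, "reason": "empty APDU"}
    pdu_type = apdu[0] >> 4
    if pdu_type == 1 and len(apdu) >= 2:          # unconfirmed request: type byte, service choice
        info["service"] = UNCONFIRMED.get(apdu[1], f"unconfirmed-{apdu[1]}")
    elif pdu_type == 0:                           # confirmed request: service choice after invoke id
        idx = 5 if apdu[0] & 0x08 else 3          # segmented requests carry two extra bytes
        if len(apdu) > idx:
            info["service"] = CONFIRMED.get(apdu[idx], f"confirmed-{apdu[idx]}")
    else:
        info["service"] = f"pdu-type-{pdu_type}"
    return info


def parse_log_line(line: str) -> dict:
    """Parse one constructed 'timestamp key=value ...' flow record into a dict."""
    parts = line.split()
    fields = dict(kv.split("=", 1) for kv in parts[1:])
    fields["timestamp"] = parts[0]
    return fields


def assess(record: dict):
    """Rate one record; None when it is internal, not BACnet/IP, or undecodable."""
    if record.get("proto") != "udp" or int(record.get("dport", 0)) != BACNET_PORT:
        return None
    src = ipaddress.ip_address(record["src"])
    if any(src in net for net in INTERNAL_NETS):
        return None
    info = parse_bacnet_ip(bytes.fromhex(record["payload"]))
    if not info["ok"]:
        return None
    if info["bvlc"] == "Register-Foreign-Device":
        severity, why = "high", "external host registering with the BBMD; it will receive relayed broadcasts"
    elif info["service"] in STATE_CHANGING:
        severity, why = "critical", f"unauthenticated {info['service']} from outside the site"
    elif info["service"] in RECON:
        severity, why = "medium", f"{info['service']} enumeration from outside the site"
    else:
        severity, why = "low", "BACnet/IP reachable from outside the site"
    return {"src": record["src"], "dst": record["dst"], "bvlc": info["bvlc"],
            "service": info["service"], "severity": severity, "why": why}


def detect(lines):
    """Run assess() over flow records and return the findings in log order."""
    return [f for f in (assess(parse_log_line(line)) for line in lines) if f]


# Constructed sample: two normal internal requests, then one outside host
# scanning, registering as a foreign device and writing a setpoint.
SAMPLE_LOG = [
    "2019-03-04T02:11:09Z src=10.20.1.15 dst=10.20.30.255 dport=47808 proto=udp payload=810b000801001008",
    "2019-03-04T02:11:10Z src=10.20.1.15 dst=10.20.30.40 dport=47808 proto=udp payload=810a001101040005020c0c02000001194d",
    "2019-03-04T02:12:41Z src=203.0.113.5 dst=10.20.30.255 dport=47808 proto=udp payload=810b000801001008",
    "2019-03-04T02:12:43Z src=203.0.113.5 dst=10.20.30.40 dport=47808 proto=udp payload=81050006003c",
    "2019-03-04T02:13:02Z src=203.0.113.5 dst=10.20.30.41 dport=47808 proto=udp payload=810a001a01040005010f0c0040000119553e4442c800003f4908",
]

if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(f"[{finding['severity']}] {finding['src']} -> {finding['dst']} "
              f"{finding['bvlc']} {finding['service']}: {finding['why']}")
```

The third sample packet is a WriteProperty setting analog-output,1 present-value to 100.0 at priority 8; the decoder only needs the service choice, so the property data is carried through unparsed. The point of the severity split is that a Register-Foreign-Device from outside means the BBMD itself has been reached, which is the situation the paragraph above describes, while a lone Who-Is is the scanning that precedes it.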
What could happen?
When the first concerns about cyber security for control systems were raised, some in the field would ask, “So what if someone turns off the lights?” Today, there is widespread understanding that hackers can cause life safety issues, financial loss, and brand damage to companies.
Let’s unpack a few of these incidents. Most of them could have been prevented.
When the subject of cyber security for control systems comes up, the obvious thing people think of first is loss of or damage to equipment. If a generator were attacked and destroyed there is the cost of replacing the generator. (Here’s a Department of Homeland Security video of a staged generator attack.) But who would think that a printer connected to a parking system could cost a company six figures? One organization had an exposed printer, and someone printed, “There is a bomb in building.” Nothing was damaged, right? Wrong. The high-rise had to be evacuated, so work stopped while salaries were still being paid. Emergency personnel were dispatched. And brand damage was inevitable and has not yet been quantified.
Another common situation involves the loss of front-end access. In one case the front-end application was crippled, halting business for 48 hours. Ransomware can also block front-end access. In 2017 there were numerous ransomware attacks on control systems. Some caused stoppages and others triggered investigations; in both cases the financial impact is still not fully known because reviews are ongoing. All of the attacks just noted could easily have been prevented.