It’s over a decade since the Target data breach. It was an event that reinforced the need for supply chain security reviews. It seems that much has changed since then, or has it?
Has the security profile of the average connected building in the USA improved in that time period, be it retail, commercial or otherwise? I would argue not.
As a refresher, the Target store networks were compromised via a HVAC management supplier’s systems. Card data was stolen, acrimony ensued, stock prices dived.
So much was learned as a result, including for example:
- Segregation of IT & OT
- Validation of that segregation
- Reviews of supplier security, particularly those with trusted access
- Creation of ability to monitor internal networks for intrusion
- Growth and development of blue teams to detect and respond to intrusions
- Increased red teaming to truly simulate attacks
- Regulations developed too, including the widening of scope of PCI DSS
But, whilst much was learned and changed, conflicting pressures have done much to mitigate the effect of those improvements.
There are more connected buildings
There has been a significant increase of connectivity in building management systems, partly a result of competition and volume driving price per unit down, also more building operators seeing the direct commercial benefits of connected, smart systems. As prices for heat, light and power have increased significantly in the last couple of years, the cost/benefit argument for investing in smart building management is even easier to win
This has dramatically increased the number of buildings with connected management systems. There are simply more connected buildings for the hacker to have a go at now.
More vendors
Historically, there were a small number of building management system vendors. Big names you will have heard of e.g. Honeywell, Trend and the like. The big players have learned from their mistakes of the past and improved the security of their control systems. However, new entrants to the market, often from the far east, have made a play for cheaper systems with variable degrees of cyber security.
More remote management
Has the vendor punched a hole through your firewalls to allow them to remotely support your systems? It’s surprising how many times we have found RDP and similar poorly-secured connectivity used by a vendor to administrate your building management systems.
Vendor support
Larger, established vendors have more ability, more resources and more motivation to fix cyber security issues. New market entrants are more likely to struggle with resolving those issues as they rush to offer new features and wider technology integration.
Vendor installer support
It’s rare that a vendor does the product installation themselves. Far more likely that their accredited installers will do that job.
Whilst the vendor themselves may be relatively security-savvy, their installer network introduces a layer of complexity. An electrician familiar with installing building control systems is far less likely to understand the significance of cyber security in your environment. It’s so easy to make a system available on the internet to facilitate remote management down the line, without appreciating the risk of doing so
Yes, some vendors are actively training their installer networks to ‘do cyber’ but, based on bitter personal experience, I would put nothing to chance.
More ‘cloud’
In the early days of building connectivity, VPNs would have been used for a facilities administrator to connect to a remote building and, for example, warm it up or cool it down in advance of the workforce arriving for the day.
Connectivity now is far more likely to be based on a mobile app and an API delivered from a cloud-hosted platform, to allow easy management from anywhere. Our work in IoT showed how often that mistakes are made with API security, allowing trivial compromise of both yours and everyone else’s BMS that uses the same platform.
Engaging with facilities teams
Whilst larger organisations have found ways for the cyber teams to engage with their facilities and physical security teams, smaller organisations still struggle. Connectivity is an IT problem, right?
Smaller organisations want the benefit of building connectivity too, but often struggle to make those important connections. It’s critical that you reach out to them to ensure that the building systems they are responsible for a properly secured
Shodan grows up
10 years back, Shodan wasn’t particularly well known. It’s now the go-to search engine for finding internet-connected devices. I use it most days to look for devices that I’m interested in.
I might purchase a building controller, or a colleague might find one on a client building penetration test. We then use Shodan to see how many similar devices are exposed to the internet.
The barriers to finding connected buildings on the internet have thus reduced hugely.
More building control systems can be connected
A decade ago, we would typically find the HVAC connected and remotely managed. Those cost benefits can now be applied to a huge range of systems in a building, again presenting the hacker with a larger attack surface.
When testing a larger building, we often find a wide range of interesting systems to evaluate the security of. These can include:
- Elevators
- Room booking
- Presentation / screen casting
- Conferencing
- Lighting
- Access controls, including doors and gates
- Vehicle garages
- CCTV
- Power control
- …to name just a few
Cellular data costs have dropped
Third parties will work around your security controls. Maybe you carefully block untrusted devices from your network, or use network access control to achieve the same?
10 years ago, a cellular modem & airtime connection was an expensive thing. Not so much now. We have found so many unauthorised cell modems in buildings, giving a supplier remote access to ‘support’ their building control devices. The security of those devices in your building is now down to the diligence of that third party. Given they have already bypassed your security controls, I wouldn’t be hopeful that the connection was locked down…
What to do?
If you don’t already, having coffee and donuts with your facilities and physical security teams would be a good start. Understand their challenges and the systems they already have. Be there to help and advise them if they are looking to connect systems. If you don’t you run the risk your carefully constructed cyber security controls being sidestepped.
Talk to your procurement teams too. Help them include contractual wording for your building control systems suppliers that give you legal recourse if basic security standards aren’t met.
Go find your plant and control rooms. Are they physically secure? Are the cabinets containing the control systems secure? Go ask questions, you might be surprised with the answers!