Building Automation Systems Are a Breeding Ground for Siegeware
With access to the BAS, attackers become digital overlords of the building. The consequences range from discomfort to potentially life-threatening situations.
September 30, 2019
Sponsored by AT&T Cybersecurity
As technological solutions to cyber crime become increasingly advanced, able to preempt attacks and weed out vulnerabilities before they’re widely known, attackers also become more adept at cloaking their presence and concealing their intent.
The targets of attacks also change with the times. Hacking websites and bank accounts is old hat; some of the most serious threats to modern companies, and even to private citizens, target technology that does not yet have robust security controls, or even security standards, in place.
It's sad but well known that average consumers don't spend much time worrying about whether the firmware on their IoT devices is up to date, leaving millions of devices around the world critically vulnerable to attack. You would be forgiven, however, for assuming that companies implementing centralized control of a building's life-support functions, such as HVAC, fire safety, doors and windows, along with more convenience-focused building automation, would prioritize cyber security. This is not always the case, and the result can be a potentially disastrous situation for the homes and organizations that implement building automation systems (BAS) and for the companies that manufacture, install and maintain them.
Siegeware and BAS Attacks
When attackers combine ransomware techniques with BAS vulnerabilities, we get siegeware. The attacker takes control of a building and shuts down critical operations such as heating, cooling, alarm systems and even physical access, and will only relinquish control once a ransom has been paid.
Gaining access to the BAS makes attackers the digital overlords of the building. By controlling the automated system that governs the building's functions, the attackers control the building itself. They can turn off ventilation, heating and fire suppression, and can potentially extend their reach to other digital functionality in the building.
Once attackers hijack the BAS, they can remotely reach seven classes of system:
Lighting control systems
Fire detection and alarm systems
Automated fire suppression systems
Integrated security and access control systems
Heating, ventilation and air conditioning
Power management and assurance systems
Command and control systems
The consequences of losing control of these systems range from discomfort to potentially life-threatening situations.
An Emerging Threat
Siegeware is quickly becoming one of the most dangerous and effective methods of cyber attack. Many companies have already fallen victim to these attacks, and those that haven’t given in to the ransom demands have faced highly disrupted operations as a result.
BAS allows a single command center to control and automate all connected systems in a building so that a high level of comfort can be achieved efficiently. But vulnerabilities exist in any connected system, and when the network is compromised, the prospect of physical danger becomes very real.
As more organizations adopt BAS infrastructures, the number of potential targets rises, and with it the time attackers spend searching for as-yet unknown vulnerabilities. To make things worse, many of these buildings are connected to the internet, where anyone who obtains, guesses or simply looks up the right username and password can get in. As of February 2019, there were 35,000 BAS systems connected to the public internet globally, and it is highly likely that many of them still use default usernames and passwords.
Even if the majority of organizations implement adequate security, those that do not face severe consequences. Countless schools, hospitals, universities and banks have fallen prey to ransomware attacks in the past few years, and these attacks are likely to evolve into large-scale siegeware attacks on BAS-equipped buildings whose networks are not effectively secured.
Preventing BAS Hijacking
Any smart home or other BAS-controlled building is a potential target for siegeware attacks. If you live in a smart home, or are the building manager or security officer at an organization that uses a BAS to control building functions, it is critical to ensure that the security controls are up to the task of governing access to the BAS.
Many contractors will simply expose the automated control system through a web-based login interface. It makes it easier for them to make changes or fix issues later on. However, the same remote access is available to anyone who finds the login page, and that is how unauthorized access happens.
If there is remote access to your BAS, it needs to be treated as a critical IT system. See to it that you have the following, at the very minimum:
Up-to-date firmware
A firewall that restricts which addresses can reach the management interface
An encrypted (TLS) connection
Preferably, VPN-only access from the building's own IP address
Strong passwords
Multi-factor authentication
Lockout on failed password attempts
Notification of login attempts
If remote access to a BAS is weak in even one of these areas, it is susceptible to being hijacked. Combining at least three factors, something the operator knows (a password), something they possess (an MFA token) and where they connect from (an allowlisted IP address or VPN), discourages unauthorized access, though it will not necessarily stop a determined attacker.
In the case of smart homes and IoT devices, make sure that every connected device enforces controls that prevent unauthorized access. The security boundary of the controlling BAS box extends to each and every physical device controlled through the network, so one weak device undermines the controller's protection.
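The checklist above can be turned into a concrete login gate. The following is an added example, written for this page and not code from the original post or from any BAS vendor: a minimal authentication front end for a web-exposed BAS console that enforces a source-IP allowlist (the building's or VPN's egress address), a password policy that rejects vendor-default style values, a TOTP second factor (RFC 6238), lockout after repeated failures, and an audit line for every attempt that a notification hook can consume. The account name, addresses, password and TOTP seed are constructed for illustration.

```python
# Added example: a login gate enforcing the BAS remote-access checklist.
# All names, addresses, secrets and thresholds below are constructed.
import base64
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass

ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]  # constructed VPN egress range
MAX_FAILURES = 5                                            # lock on the fifth consecutive failure
LOCKOUT_SECONDS = 900
MIN_PASSWORD_LEN = 14
WEAK_PASSWORDS = {"admin", "password", "1234", "user"}      # constructed denylist of vendor defaults


def password_acceptable(password: str) -> bool:
    """Reject short passwords and the default-style values exposed BAS logins often keep."""
    return len(password) >= MIN_PASSWORD_LEN and password.lower() not in WEAK_PASSWORDS


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret_b32: str, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1; 'at' is a Unix timestamp."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** digits)
    return str(code).zfill(digits)


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    totp_secret: str
    failures: int = 0
    locked_until: float = 0.0


class Clock:
    """Injectable clock so the lockout window can be exercised deterministically."""
    def __init__(self, t: float):
        self.t = t

    def __call__(self) -> float:
        return self.t


class BasLoginGate:
    def __init__(self, accounts: dict, clock: Clock):
        self.accounts = accounts
        self.now = clock
        self.audit = []  # one line per attempt; feed this to whatever raises the login alert

    def _log(self, user: str, src: str, outcome: str) -> str:
        self.audit.append(f"ts={int(self.now())} user={user} src={src} outcome={outcome}")
        return outcome

    def login(self, user: str, password: str, code: str, src_ip: str) -> str:
        src = ipaddress.ip_address(src_ip)
        if not any(src in net for net in ALLOWED_SOURCES):
            return self._log(user, src_ip, "denied:source-not-allowed")
        acct = self.accounts.get(user)
        if acct is None:  # same message as a wrong password, so usernames are not enumerable
            return self._log(user, src_ip, "denied:bad-credentials")
        if self.now() < acct.locked_until:
            return self._log(user, src_ip, "denied:locked")
        pw_ok = hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash)
        otp_ok = hmac.compare_digest(totp(acct.totp_secret, self.now()), code)
        if pw_ok and otp_ok:
            acct.failures = 0
            return self._log(user, src_ip, "success")
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until = self.now() + LOCKOUT_SECONDS
            return self._log(user, src_ip, "denied:locked-out")
        return self._log(user, src_ip, "denied:bad-credentials")


DEMO_SECRET = "JBSWY3DPEHPK3PXP"       # constructed TOTP seed
DEMO_PASSWORD = "boiler-room-7F!kq2"    # constructed; passes the policy above


def build_demo_gate(start: float = 1_700_000_000.0):
    salt = b"constructed-salt"
    acct = Account(salt, hash_password(DEMO_PASSWORD, salt), DEMO_SECRET)
    clock = Clock(start)
    return BasLoginGate({"facilities": acct}, clock), clock


def run_demo() -> list:
    """Blocked source, brute force to lockout, good creds while locked, success after the window."""
    gate, clock = build_demo_gate()

    def good_code() -> str:
        return totp(DEMO_SECRET, clock.t)

    outcomes = [gate.login("facilities", DEMO_PASSWORD, good_code(), "198.51.100.7")]
    outcomes += [gate.login("facilities", "admin", "000000", "203.0.113.10") for _ in range(MAX_FAILURES)]
    outcomes.append(gate.login("facilities", DEMO_PASSWORD, good_code(), "203.0.113.10"))
    clock.t += LOCKOUT_SECONDS
    outcomes.append(gate.login("facilities", DEMO_PASSWORD, good_code(), "203.0.113.10"))
    return outcomes


if __name__ == "__main__":
    for outcome in run_demo():
        print(outcome)
```

The gate checks the source address before it touches any credential, so a scanner that finds the login page from outside the VPN range never gets to exercise the password or lockout logic at all; the audit list is what a "notification of login attempts" hook would read from.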
The concept of a smart home, of top-tier technology that aspires to increase convenience and comfort, becomes one of the most powerful enablers of cyber terrorism. Here’s hoping that those companies and individuals implementing BAS into buildings will be working closely with IT departments and security researchers to protect our buildings’ critical support systems.
Joe Robinson is a data privacy and cyber security writer who loves to analyze and debate anything related to tech and ethics. See more of Joe’s work at VPNTeacher, a site dedicated to keeping you safe online and your data secure.
This guest blog is part of a Channel Futures sponsorship.