Whether you work or live in a professionally managed building, you normally don’t give much thought to how secure the building is, aside from good locks, security guards and fire alarms/sprinklers. However, our residences and workplaces should address cybersecurity issues as well, as the IT systems managing environmental and electrical systems are susceptible to attack.
Building Management Systems (BMS) or Building Automation Systems (BAS) have been around for years, but recently these systems have been connected to the Internet for easier management and remote support. Unfortunately, most of them normally aren’t designed with robust security controls, and those that do have some authentication and authorization may be installed with default user IDs and passwords, or with weak, guessable passwords.
To complicate the situation, many system manufacturers rely on sensors and other components which may be difficult to update and patch, yet still rely on Internet connectivity to perform their functions.
Some systems may have direct Internet connections while others may be connected to the corporate network. Many companies are entirely unaware that their BMS is connected to the Internet, and those that are aware may not understand the implications. As more and more devices and appliances are connected to the Internet for management and support, the Internet of Things (IoT) universe expands, along with the opportunity for abuse and exploits.
What are the implications of a BMS being accessed by unauthorized people?
- Lighting changes, shutting down electrical power, physical access control system (opening or closing secured doors, monitoring or shutting down security cameras and alarms), shutting down heat or a/c or affecting temperatures of buildings, controlling elevators, disabling fire suppression systems: anything controlled by a BMS
- Using the BMS to access other components of the corporate network it is connected to
Losing control of a BMS can have serious effects: it adversely affects security, availability, comfort, and productivity for corporate and residential tenants/owners, and it can serve as an entry point to any corporate network resources the BMS can access.
How does this happen?
BMS and their devices can be detected via scans of wired and wireless networks. Instructions for logging in and default IDs and passwords can be easily found on the Internet. It doesn’t take technical expertise to break into a system. Web sites like Shodan (https://www.shodan.io/) scan and collect devices as part of the IoT universe and can be a starting point to find sites with a BMS. Most break-ins use guessed or stolen credentials or default passwords.
Real-world examples:
Target: millions of customers’ credit card information was stolen—the point of entry was credentials to a heating and ventilation system.
In 2012, hackers illegally accessed the Internet-connected controls of a New Jersey-based company’s internal heating and air-conditioning system by exploiting a backdoor in the software.
In 2013, researchers gained access to Google Australia’s BMS using a default password.
In 2013, hackers broke into an unnamed state government facility and made it “unusually warm”.
In 2016, IBM researchers hacked into an unnamed business through its BMS.
In 2016, a security researcher took control of a company’s physical security using its internet-connected BMS.
What Can Be Done?
The following are suggestions to protect a corporate BMS from being exploited.
- Companies should inventory what they currently have in place for their BMS, including a physical inventory to determine if a standalone Digital Subscriber Line (DSL) or cable connection is connected to BMS-controlled systems. Determine if the BMS is connected to the corporate network.
- If a company has a cybersecurity staff or function, get them involved with the evaluation and ongoing security of the BMS.
- Add cybersecurity controls to the facility budget.
- Change all default user IDs and passwords.
- Shared user IDs and passwords should not be used—every person requiring access should have their own account.
- Network access to the BMS should be behind a corporate firewall.
- Remote access should require a Virtual Private Network (VPN).
- BMS systems should be isolated from the internal corporate network through its own Virtual Local Area Network (VLAN) and a firewall.
- Choose vendors carefully, and be aware of exactly what BMS functions are accessible via online portals.
- If possible, limit access to the BMS to specific networks. If the BMS vendor requires remote access, limit access to that network.
- Be alert for patches for the BMS and its sensors.
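One way to check the firewall, VPN, VLAN and source-restriction suggestions above against an exported rule set, as an added example that is not part of the original article. The rule format, all addresses, and the names BMS_NET, ALLOWED and audit are assumptions constructed for illustration.

```python
import ipaddress as ip

# Constructed sample policy, evaluated first-match-wins. All values are assumptions.
BMS_NET = ip.ip_network("10.50.0.0/24")           # assumed BMS VLAN
ALLOWED = [ip.ip_network("10.99.0.0/28"),         # assumed VPN address pool
           ip.ip_network("203.0.113.16/29")]      # assumed vendor support network

RULES = [  # (action, source, destination)
    ("deny",  "10.20.0.0/16",    "10.50.0.0/24"),   # corporate LAN kept out of the BMS
    ("allow", "10.99.0.0/28",    "10.50.0.0/24"),   # VPN users
    ("allow", "203.0.113.16/29", "10.50.0.10/32"),  # vendor to one controller
    ("allow", "10.0.0.0/8",      "10.50.0.0/24"),   # overly broad internal rule
    ("allow", "0.0.0.0/0",       "10.50.0.80/32"),  # web console published to the Internet
    ("deny",  "0.0.0.0/0",       "0.0.0.0/0"),
]

def parse(rules):
    return [(a, ip.ip_network(s), ip.ip_network(d)) for a, s, d in rules]

def shadowed(src, dst, earlier):
    """True if an earlier deny rule fully covers this source/destination pair."""
    return any(a == "deny" and src.subnet_of(s) and dst.subnet_of(d)
               for a, s, d in earlier)

def audit(rules, bms_net=BMS_NET, allowed=ALLOWED):
    """Return (index, source, destination) for every allow rule that lets a
    source outside the approved networks reach the BMS VLAN."""
    findings = []
    parsed = parse(rules)
    for i, (action, src, dst) in enumerate(parsed):
        if action != "allow" or not dst.overlaps(bms_net):
            continue                      # rule does not open a path to the BMS
        if any(src.subnet_of(net) for net in allowed):
            continue                      # source is VPN or vendor only
        target = dst if dst.subnet_of(bms_net) else bms_net
        if shadowed(src, target, parsed[:i]):
            continue                      # never reached: an earlier deny wins
        # Conservative: a rule only partly covered by earlier denies is reported.
        findings.append((i, str(src), str(dst)))
    return findings

if __name__ == "__main__":
    for idx, src, dst in audit(RULES):
        print(f"rule {idx}: {src} may reach BMS address space {dst}")
```

Rules flagged here are candidates for removal or for narrowing the source to the VPN pool or the vendor's network.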
Appendix of Real-World BMS Attacks
Intruders hack industrial heating system using backdoor posted online
https://arstechnica.com/security/2012/12/intruders-hack-industrial-control-system-using-backdoor-exploit/
Tomorrow’s Buildings: Help! My building has been hacked
http://www.bbc.com/news/technology-35746649
Building automation systems are so bad IBM hacked one for free
https://www.theregister.co.uk/2016/02/11/building_automation_systems_so_bad_ibm_hacked_one_for_free/
Hacking the Doors Off: I Took Control of a Security Alarm System From 5,000 Miles Away
https://www.forbes.com/sites/thomasbrewster/2016/02/17/hacking-smart-security-alarms/#70ac555b1b77
Researchers Hack Building Control System at Google Australia Office
https://www.wired.com/2013/05/googles-control-system-hacked/