Building Management Systems and Cybersecurity: The Internet of Things comes to Facilities Management

Whether you work or live in a professionally managed building, one normally doesn’t give much thought to how secure the building is, aside from good locks, security guards and fire alarms/sprinklers. However, our residences and workplaces should address cybersecurity issues as well, as the IT systems managing environmental and electrical systems are susceptible to attack.

Building Management Systems (BMS) or Building Automation Systems (BAS) have been around for years, but recently these solutions have been connected to the Internet for easier management and remote support of these systems. Unfortunately, most of these systems normally aren’t designed with robust security controls, and those that do have some authentication and authorization may be installed with default userids and passwords, or weak and guessable passwords are used.

To complicate the situation, many system manufacturers rely on sensors and other components which may be difficult to update and patch, yet still rely on Internet connectivity to perform their functions.

Some systems may have direct Internet connections while other may be connected to the corporate network. Many companies are entirely unaware that their BMS are connected to the internet, and if they do, may not understand the implications. As more and more devices and appliances are connected to the Internet for management and support, the Internet of Things (IoT) universe expands, along with the opportunity for abuse and exploits.

What are the implications of a BMS being accessed by unauthorized people?

  • Lighting changes, shutting down electrical power, physical access control system (opening or closing secured doors, monitoring or shutting down security cameras and alarms), shutting down heat or a/c or affecting temperatures of buildings, controlling elevators, disabling fire suppression systems: anything controlled by a BMS
  • Using the BMS to access other components of the corporate network it is connected to

Losing control of a BMS can have serious effects and adversely affects security, availability, comfort and productivity for corporate and residential tenants/owners, with implications as an entry point to any corporate network resources it can access.

How does this happen?

BMS and their devices can be detected via scans of wired and wireless networks. Instructions for logging in and default ids and passwords can be easily found on the internet. It doesn’t take technical expertise to break into a system. Web sites like shodan ( )scan and collect devices as part of the IoT universe can be a starting to point to find sites with a BMS. Most break-ins use credentials guessed / stolen or default passwords.

Real world examples:

Target: millions of customers’ credit card information was stolen—point of entry was credentials to a heating and ventilation system.

In 2012, hackers illegally accessed the Internet-connected controls of a New Jersey-based company’s internal heating and air-conditioning system by exploiting a backdoor in the software.

In 2013: Researchers gained access to Google Australia ‘s BMS using a default password.

In 2013, hackers had broken into an unnamed state government facility and made it “unusually warm”.

In 2016, IBM researchers hacked into an unnamed business through its BMS.

In 2016, a security researcher took control of a company’s physical security using its internet connected BMS.

What Can Be Done?

The following are suggestions to protect a corporate BMS from being exploited.

  • Companies should inventory what they currently have in place for their BMS, including a physical inventory to determine if a standalone Digital Subscriber Line (DSL) or cable connection is connected to BMS controlled systems. Determine if the BMS is connected to the corporate network.
  • If a company has a cybersecurity staff or function, get them involved with the evaluation and ongoing security of the BMS.
  • Add cybersecurity controls to the facility budget.
  • Change all default userids and passwords.
  • Shared userids and passwords should not be used—every person requiring access should have their own account.
  • Network access to the BMS should be behind a corporate firewall.
  • Remote access should require a Virtual Private Network (VPN).
  • BMS systems should be isolated from the internal corporate network through its own Virtual Local Area Network (VLAN) and a firewall.
  • Choose vendors carefully, and be aware of exactly what BMS functions are accessible via online portals.
  • If possible limit access to the BMS to specific networks. If the BMS vendor requires remote access, limit access to that network.
  • Be alert for patches for the BMS and its sensors.

Appendix of Real World BMS Attacks

Intruders hack industrial heating system using backdoor posted online

Tomorrow’s Buildings: Help! My building has been hacked

Building automation systems are so bad IBM hacked one for free

Hacking the Doors Off: I Took Control of a Security Alarm System From 5,000 Miles Away

Researchers Hack Building Control System at Google Australia Office

Kaizen Approach, Inc. Awarded Five Year IT Support Contract

Kaizen Approach, Inc., a service disabled veteran owned small business (SDVOSB), has been awarded a five year Prime contract for the Department of Defense. The contract is for IT support for learning solutions. Kaizen heads a team of seven companies to add value to the Intelligence Communities training and learning solutions.

Consider Tokenization to Secure Sensitive Data

With the rising number of security breaches and hacks, it is better to avoid losses by identifying and protecting sensitive data from exposure

Tokenization is defined as substituting a sensitive data element with a non-sensitive equivalent (token) that has no extrinsic or exploitable meaning or value. The token must bear no resemblance to the data and the security of the token relies on the infeasibility of determining the original data by the resulting token. Tokenization may use cryptographic methods to create the token, but the resulting token is not ciphertext, and is in the same format and length as the original data.

While most Tokenization projects are focused on payment systems, specifically credit card payments between customers, merchants and banks, there are additional uses for Tokenization solutions other than to satisfy Payment Card Industry (PCI) standards. Companies can benefit from Tokenization products by tokenizing Personally Identifiable Information (PII) and any other sensitive information, protecting their customer data from exposure.


Why use tokens?

When tokens are used, the result is minimized exposure of sensitive data to accidental or unauthorized access. Tokens are stored in files and databases, instead of the sensitive data.

Companies who are unfortunately hacked and have their data stolen can be assured that the tokenized data is worthless to the attacker.

Existing software applications can more easily operate using tokens, rather than expanding data fields and changing software to account for larger fields of encrypted data. Tokenization produces a token with the same character length and format as the input data. A real plus when dealing with existing software applications, saving time and money.

For employees who need to access sensitive data such as a social security number (SSN) for billing purposes or customer identity verification, tokenization products can either de-tokenize the sensitive data and reveal all or simply mask most of the original data and only reveal the last 4 characters, for example.

Protecting Tokenization Systems

 A critical component of protecting sensitive data is to ensure attackers cannot de-tokenize the tokens to access the original data, and that involves protecting the tokenization system itself. The risk reduction benefits of tokenization require that the tokenization system is logically isolated and segmented from data processing systems and applications that previously processed sensitive data replaced by tokens. Only the tokenization system can tokenize data to create tokens, or detokenize back to redeem the original data. Tokenization systems may be operated in-house within a secure isolated segment of the data center, or outsourced as a service from a secure token service provider.

The security of the entire system including sensitive data capture and authorization, tokenization methodology; storage, use, and subsequent access is dependent upon the customer’s own tokenization implementation.


Companies should consider using Tokenization solutions to protect their sensitive data. With the rising number of security breaches and hacks, it is better to avoid losses by identifying and protecting sensitive data from exposure.

Those considering Tokenization Solutions should ensure that these systems are Common Criteria and NIST FIP140 certified to ensure that the systems being evaluated have actually been cryptographic tested and assessed.

Tokenization is simpler to use with existing software applications processing sensitive data, saving time and money altering applications, files and databases to use ciphertext. When combined with a secure implementation of an accredited solution, tokens can save a company and their customers’ data from exposure and theft.

Small Business Banking: Protecting Your Money from Hackers

What if you checked your business banking account and found it seriously depleted, with thousands of dollars missing? Call your bank? Query your employees? Call the police?  You could do all the above but it is most likely that the bank will report that the money was wired from your business banking account using your company’s banking credentials.  Malware installed on computers used to access your business banking account may have captured your business account credentials, and these could be used by thieves to move funds out of your business accounts.

How does this happen?

Malware is installed on computers via direct downloads (someone opening an attachment in email or electing to download an application from a website) or via a drive by download, wherein software is installed on your machine just by browsing a website or clicking on a pop up window. If the machine is unpatched, or does not have anti-malware software protecting it, the odds are much greater that the downloaded malware will be not be stopped and will install and lurk on your machine.

Malware designed to run and monitor web site activity for banking or investment web sites will use a keystroke logger to capture banking credentials such as a userid and password. The malware will send the credentials back to the attackers, to be used by the thieves to login to your business banking account and wire funds out of your bank to their own offshore accounts.

What is my recourse with the Bank?

Shocking, but my bank will make me whole again, right? My personal credit card was stolen before and I only had to pay 50.00. My personal debit card was lifted from a big box retailer hack, and I didn’t lose any money. The protections that consumers enjoy are not transferable to the business world.  Regulation E, of the Electronic Fund Transfer Act, provides consumers protection from theft, should their cards or accounts be compromised. Consumers are protected from liability, not businesses.

The electronic funds transfer component of the Uniform Commercial Code, UCC-4A, does limit liability, if a sending customer did not authorize the funds transfer, but it is difficult to gain protection.  For example:  If the Banks’s security procedure is “commercially reasonable method of providing security against unauthorized entries” and the  Bank acted in “good faith” in compliance with security procedure, meaning honesty in fact and observance of reasonable commercial standards of fair dealing. The funds transfer validated by the Sending Bank with security procedure is deemed authorized, even if the Sending Business did not in fact authorize the funds transfer, as it was a hacker who actually did the transfer.

The Sending Business Customer is not liable for an unauthorized transfer if the Business proves that the wire transaction was not directly or indirectly caused by the Business Customer or its employees or agents; a person with access to Sending Business Customer facilities; or a person who obtained information from source controlled by Sending Business.

This is extremely difficult for the Business to prove if the Business Banking credentials (userid and password) were used to initiate the funds transfer, and if it happened on the machine normally used by the customer. How, the Bank will ask, were we supposed to know if it wasn’t the business user? The compromise occurred with the Sending Business Customer, not at the bank.

Legally, the Bank is not required to make your business whole. Your credentials were compromised, the bank’s wire/ACH funds transfer system worked as required—it wasn’t hacked—and your money is gone.

Has this really happened?

Unfortunately yes, many, many times. Here’s just a few of those publicized:

December 2014:  $374,000 from a PNC bank account belonging to a plastics company in Pennsylvania, and $190,800 from the bank account owned by an assisted-living facility in Pennsylvania.

August 2011: $561,000 lost from Sterling Heights, Michigan-based Experi-Metal Inc., $63,000 from Green Ford Sales of Kansas

May 2012, Kingsport, Tenn.-based Tennessee Electric Company, Inc. (now TEC Industrial) was the target of an account takeover that saw cyber thieves siphon $192,65654 out of the company’s accounts at TriSummit Bank.

The list of affected businesses is long. Many are not publicized. While some companies have successfully sued their bank to recover their losses, most have not won, and the legal fees and time may be enough to deter many business owners from contemplating lawsuits.

How do I protect my company?

What your Bank can do for you

If you’re not doing business with a financial institution which offers security protections against malware and credential loss, switch to one that does. Banks that offer tools such as Trusteer, a product which creates a virtual secure sandbox space on customer’s computers to access and execute business banking transactions, are the gold standard to seek out.  These are usual downloaded to your machines free of charge, with instructions how to run the program to safely access your business banking applications without fear of malware.

Some financial institutions offer tokens, sometimes called multifactor authentication, to login to their business banking site. In addition to a userid and password, the token will generate a code, which the user is required to enter to login. The code changes ever few seconds and if grabbed by a malware keystroke logger, is useless.

Banks can also provide user controlled limits on wires and funds transfer, requiring a phone call or a second person to authorize the action.

What you can do to protect your business

  • All your company machines must have up to date, running and configured antivirus and firewall software installed. There are many free and low cost products available. There is really no excuse not to properly protect your business machines from malware.
  • Keep operating systems and software applications patched and up to date on all business machines by enabling automatic security updates.
  • Do NOT use a smartphone to do your business banking. Malware is rampant on smartphones and many people do not update their phones with patches, or phone providers are slow to provide them. Anti-malware software is not as sophisticated as PC software, given the limitations of the platforms. Social engineering via texts and emails is easier on a phone, and people seem to be less suspicious. While many banks will send email or text alerts of banking activity, don’t respond to these. They could be fake messages designed to direct you to a website loaded with malware.
  • Do not do business banking from a wireless hotspot, such as a hotel, coffee shop or airport unless you are using a wireless security VPN which encrypts all your traffic.
  • Never use a shared machine or kiosk at a hotel, airport or other business. If you don’t control the machine, don’t bank from it.
  • As a best practice, isolate business banking, financials, accounting, etc. to one machine, one that is patched and protected with firewall and antimalware software and do not access the internet for mail or web from this machine. Watch YouTube videos and check Facebook from a personal PC, not a business machine.
  • Train your employees not to download attachments, either in email or from a web page from new and unknown sources.
  • Purchase Cyber Liability Insurance from a reputable insurance company to protect your business from losses due to hacking.

You work hard to grow and support your business. Don’t lose your hard earned money to a thief. Take similar steps to protect your assets in the cyber realm as you would with physical locks, bars and alarms for your business. Understanding the limitations of your business banking relationship is the first step.

Melissa McCoy

OPM Breach: Protecting Yourself from the Fallout

Everyone has heard about the massive breach of 21.5 million identities stolen from the Office of Personnel Management in an attack that was revealed in June of 2015. Any person who underwent a security clearance would be in the OPM database. The sensitivity of the information is immense as it contains personal information commonly used to identify you: mother’s maiden name, birthdate, place of birth, educational and work history, information about your family and your SSN.

Many financial and health websites use challenge questions and answers to identify yourself when resetting a password, updating account credentials or simply logging in from another computer.  It’s feared that hackers in possession of the OPM data could use that information to hijack sensitive accounts and gain access to financial information.

Change your challenge and identification questions

and answers on your financial accounts immediately

Take the time to identify your banking, financial services and bill payment websites, changing the following:

  • Change questions asked to those that would not be known during a clearance investigation: your favorite color or make of your first car, for example. Avoid any questions such as spouse’s name, birth place, where you went to school, etc.
  • If you can’t change your questions asked, change the ANSWERS to the questions. You just have to remember what they are. These do not have to be truthful. If you were born in Bethesda you could change the answer to Silver Spring. The point is to block online account access.
  • The next thing to do is to  change account alert notifications from email to a text message or a real phone call. Remove email notifications as your email account could be hijacked. It’s a bit more challenging and noticeable to steal one’s cell phone.

OPM is offering free credit monitoring services

Everyone affected will receive a physical letter with a PIN to activate free credit monitoring from a company called ID Experts. The company will provide the hack victims and their dependent minor children with free credit monitoring, identity monitoring, identity theft insurance and identity restoration services for three years. You can also take the steps, if you haven’t already, to examine your credit reports yourself by using

OPM Breach Facts

  • 21.5 million individuals affected
  • 133 million dollars spent for credit monitoring
  • Attack initially began in March 2014 and noticed in April 2015
  • OPM had been warned multiple times of security vulnerabilities and failings. A March 2015 OPM Office of the Inspector General semi-annual report to Congress warned of “persistent deficiencies in OPM’s information system security program,” including “incomplete security authorization packages, weaknesses in testing of information security controls, and inaccurate Plans of Action and Milestones” Encrypting this data at rest would have prevented this exposure