
SecurityWeek


Mission Possible: ICS Attacks On Buildings Are a Reality

In the 1996 thriller, Mission Impossible I, Ethan Hunt hacks the HVAC system of a building to breach its security controls and carry out his mission. Well, the future has arrived. 

In a recent advisory the Department of Homeland Security gave a maximum severity score to a vulnerability in a popular smart building automation system. The system is web-connected and controls air conditioning, heating, door locks, etc. through a web interface. Using the vulnerability, an attacker could gain full system access through an undocumented backdoor script and run commands on a vulnerable device with the highest privileges. 

Since every Building Management System (BMS) is online, each can be reached and hacked via the internet to sabotage operations. The impossible has become possible.

Cyber attacks on critical infrastructure are becoming increasingly commonplace. In fact, the New York Times recently reported that the US is stepping up online attacks against Russia’s power grid. The protagonists in this new battleground include nation states, terrorists and cyber criminals. Fortunately, many of the same controls that help mitigate negligence, malicious insiders and employee mistakes can also address external threats from hackers and saboteurs.

The recent DHS advisory illustrates that BMS in smart buildings are not immune from these threats. Since these systems are integrated with and interconnected to both hardwired and cloud-based solutions, as well as third-party applications, their attack surface is large and getting larger.

Meanwhile, risks are expected to increase geometrically as more buildings go “smart”, more infrastructures converge, and IIoT becomes the de facto standard in BMS. In fact, according to Frost & Sullivan, the BMS market generated $5.8 billion in 2019 and is projected to grow at a compound annual growth rate (CAGR) of 4.7% by 2022.

While BMS can yield huge benefits when it comes to streamlining processes and cutting down costs, it can be equally detrimental if security is not considered as part of its deployment and management. For example, shutting down the HVAC system can quickly melt down a data center and cause pervasive and permanent damage to the business.

How vulnerable are these systems? The DHS advisory cautioned that an attacker could gain “full system access” to the BMS through an “undocumented backdoor script.” This would allow an attacker to run commands on a vulnerable device with the highest privileges. The advisory also noted that the vulnerability required a “low level” of skill to remotely exploit, and was rated 10.0, the highest rating on the industry-standard Common Vulnerability Scoring System (CVSS). The authors wrote that exploiting the vulnerability could make it possible to “shut down a building with one click.”


This development underscores the importance of having a robust BMS security system in place that can monitor for threats at the network and device level. This has long been the security posture for IT operations, yet historically the same approach has not been applied to critical infrastructure such as building operations.

As we’ve seen from recent ransomware attacks at aluminum maker Norsk Hydro and chemicals manufacturers Hexion and Momentive, the convergence of IT and OT requires closer cooperation between these two worlds to achieve the requisite levels of visibility, security and control across both infrastructures. Since IT tools don’t speak OT, and vice versa, identifying threats that can originate in either environment and move laterally between the two requires greater security integration, collaboration and intelligence sharing.

If industrial cybersecurity is baked into BMS infrastructure and integrates with IT security tools, addressing and remediating vulnerabilities will be faster, easier and less costly. Meanwhile, the likelihood of a security incident taking down a building’s operational systems will become less “possible”.
