Connect with us

Hi, what are you looking for?



Mission Possible: ICS Attacks On Buildings Are a Reality

In the 1996 thriller, Mission Impossible I, Ethan Hunt hacks the HVAC system of a building to breach its security controls and carry out his mission. Well, the future has arrived. 

In the 1996 thriller, Mission Impossible I, Ethan Hunt hacks the HVAC system of a building to breach its security controls and carry out his mission. Well, the future has arrived. 

In a recent advisory the Department of Homeland Security gave a maximum severity score to a vulnerability in a popular smart building automation system. The system is web-connected and controls air conditioning, heating, door locks, etc. through a web interface. Using the vulnerability, an attacker could gain full system access through an undocumented backdoor script and run commands on a vulnerable device with the highest privileges. 

Since every Building Management System (BMS) is online, they can be reached and hacked via the internet to sabotage operations. The impossible has become possible.

Cyber attacks on critical infrastructure are becoming increasingly common place. In fact, the New York Times recently reported that the US is stepping up online attacks against Russia’s Power Grid. The protagonists in this new battleground includes nation states, terrorists and cyber criminals. Fortunately, many of the same controls that help mitigate negligence, malicious insiders and employee mistakes – can also address external threats from hackers and saboteurs. 

The recent DHS advisory illustrates that BMS in smart buildings are not immune from these threats. Since these systems are integrated with and interconnected to both hardwired and cloud based solutions, as well as third party applications, their attack surface is large and getting larger. 

Meanwhile, risks are expected to geometrically increase as more buildings go “smart”, more infrastructures converge, and IIoT becomes the de-facto standard in BMS. In fact, according to Frost & Sullivan, the BMS market generated $5.8 billion in 2019 and is projected to grow at a compounded annual growth rate (CAGR) of 4.7% by 2022.  

While BMS can yield huge benefits when it comes to streamlining processes and cutting down costs, it can be equally detrimental if security is not considered as part of its deployment and management. For example, shutting down the HVAC system can quickly melt down a data center and cause pervasive and permanent damage to the business.

Advertisement. Scroll to continue reading.

How vulnerable are these systems? The DHS advisory cautioned that an attacker could gain “full system access” to the BMS through an “undocumented backdoor script.” This would allow an attacker to run commands on a vulnerable device with the highest privileges. The advisory also noted  that the vulnerability required a “low level” of skill to remotely exploit, and was rated 10.0, the highest rating on the industry standard common vulnerability scoring system. The authors wrote that exploiting the vulnerability could make it possible to “shut down a building with one click.” 

This development underscores the importance of having a robust BMS security system in place that can  monitor for threats at the network and device level. This has long been the security posture for IT operations, yet historically the same approach  has not been applied to critical infrastructure such as building operations.  

As we’ve seen from recent ransomware attacks at aluminum maker Norsk Hydro and chemicals manufacturers Hexion and Momentive, the convergence of IT and OT requires closer cooperation between these two worlds to achieve the requisite levels of visibility, security and control across both infrastructures. Since IT tools don’t speak OT, and vice versa, identifying threats that can originate in either environment and move laterally between the two, requires greater security integration, collaboration and intelligence sharing. 

If industrial cybersecurity is baked into BMS infrastructure and integrates with IT security tools, addressing and remediating vulnerabilities will be faster, easier and less costly. Meanwhile, the likelihood of a security incident taking down a building’s operational systems will become less “possible”.

Learn More About Securing Building Automation Systems at SecurityWeek’s ICS Cyber Security Conference

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join security experts as they discuss ZTNA’s untapped potential to both reduce cyber risk and empower the business.


Join Microsoft and Finite State for a webinar that will introduce a new strategy for securing the software supply chain.


Expert Insights

Related Content


The overall effect of current global geopolitical conditions is that nation states have a greater incentive to target the ICS/OT of critical industries, while...

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...


Wago has patched critical vulnerabilities that can allow hackers to take complete control of its programmable logic controllers (PLCs).


Otorio has released a free tool that organizations can use to detect and address issues related to DCOM authentication.


Cybersecurity firm Forescout shows how various ICS vulnerabilities can be chained for an exploit that allows hackers to cause damage to a bridge.

Cybersecurity Funding

Internet of Things (IoT) and Industrial IoT security provider Shield-IoT this week announced that it has closed a $7.4 million Series A funding round,...


More than 1,300 ICS vulnerabilities were discovered in 2022, including nearly 1,000 that have a high or critical severity rating.