In the 1996 thriller, Mission Impossible I, Ethan Hunt hacks the HVAC system of a building to breach its security controls and carry out his mission. Well, the future has arrived.
In a recent advisory the Department of Homeland Security gave a maximum severity score to a vulnerability in a popular smart building automation system. The system is web-connected and controls air conditioning, heating, door locks, etc. through a web interface. Using the vulnerability, an attacker could gain full system access through an undocumented backdoor script and run commands on a vulnerable device with the highest privileges.
Since every Building Management System (BMS) is online, they can be reached and hacked via the internet to sabotage operations. The impossible has become possible.
Cyber attacks on critical infrastructure are becoming increasingly common place. In fact, the New York Times recently reported that the US is stepping up online attacks against Russia’s Power Grid. The protagonists in this new battleground includes nation states, terrorists and cyber criminals. Fortunately, many of the same controls that help mitigate negligence, malicious insiders and employee mistakes – can also address external threats from hackers and saboteurs.
The recent DHS advisory illustrates that BMS in smart buildings are not immune from these threats. Since these systems are integrated with and interconnected to both hardwired and cloud based solutions, as well as third party applications, their attack surface is large and getting larger.
Meanwhile, risks are expected to geometrically increase as more buildings go “smart”, more infrastructures converge, and IIoT becomes the de-facto standard in BMS. In fact, according to Frost & Sullivan, the BMS market generated $5.8 billion in 2019 and is projected to grow at a compounded annual growth rate (CAGR) of 4.7% by 2022.
While BMS can yield huge benefits when it comes to streamlining processes and cutting down costs, it can be equally detrimental if security is not considered as part of its deployment and management. For example, shutting down the HVAC system can quickly melt down a data center and cause pervasive and permanent damage to the business.
How vulnerable are these systems? The DHS advisory cautioned that an attacker could gain “full system access” to the BMS through an “undocumented backdoor script.” This would allow an attacker to run commands on a vulnerable device with the highest privileges. The advisory also noted that the vulnerability required a “low level” of skill to remotely exploit, and was rated 10.0, the highest rating on the industry standard common vulnerability scoring system. The authors wrote that exploiting the vulnerability could make it possible to “shut down a building with one click.”
This development underscores the importance of having a robust BMS security system in place that can monitor for threats at the network and device level. This has long been the security posture for IT operations, yet historically the same approach has not been applied to critical infrastructure such as building operations.
As we’ve seen from recent ransomware attacks at aluminum maker Norsk Hydro and chemicals manufacturers Hexion and Momentive, the convergence of IT and OT requires closer cooperation between these two worlds to achieve the requisite levels of visibility, security and control across both infrastructures. Since IT tools don’t speak OT, and vice versa, identifying threats that can originate in either environment and move laterally between the two, requires greater security integration, collaboration and intelligence sharing.
If industrial cybersecurity is baked into BMS infrastructure and integrates with IT security tools, addressing and remediating vulnerabilities will be faster, easier and less costly. Meanwhile, the likelihood of a security incident taking down a building’s operational systems will become less “possible”.