By Brian Contos
From the February 2023 Issue
Imagine a Fortune 500 company that was so lax with its cybersecurity that it didn’t bother to include even the most basic protections for its computer network, like strong passwords, antivirus, or up-to-date software. Imagine this network was so poorly managed, that the company didn’t know how many computers it had, where they were located, or who had access to them. As a result, tens of thousands of the company’s computers were regularly left unprotected and unmonitored, while being publicly accessible over the web.
This level of insecurity is almost unthinkable today, when cyber threats loom large and companies are paying higher costs for network breaches. And yet, this describes the problem we are dealing with when it comes to the Internet of Things (IoT) and Operational Technology (OT) devices that make up modern smart buildings.
Building automation systems (BAS) are good at automating and managing lighting, HVAC, access control, and other systems. They are integrated and efficient, and most are designed for solid reliability. What they generally lack is robust cybersecurity. These systems typically have subpar security controls and a large population of vulnerable IoT and OT devices. The devices often ship with default passwords (or no passwords at all), run out-of-date firmware with unpatched vulnerabilities, and are rarely inventoried, audited, or monitored. Consequently, the myriad IoT and OT devices that make up a typical BAS are highly vulnerable, often unaccounted for, and remarkably easy for an outsider to access.
These security shortcomings make smart buildings an easy target for hackers. A growing number of cybercriminals and even nation-state actors now exploit unprotected building devices to build botnets and to establish persistent backdoors, which they can use to re-enter the BAS at will, to move deeper inside the building's network, or to infiltrate the IT systems of its corporate tenants.
Facility managers need to realize that cyberattacks on building systems are not a remote or unlikely threat. These attacks are already happening on a regular basis. In fact, chances are that a facility manager reading this article already has one or more malware families embedded in their BAS. These infections can be degrading valuable equipment, increasing the building's energy usage, and exposing their operations, and those of their tenants, to risks ranging from data theft to ransomware, denial of service, and espionage.
How Is The BAS Hacked?
A BAS is essentially a large IoT and OT network, spread across multiple systems (HVAC, lighting, electrical, security, etc.), which can contain hundreds to thousands of individual ‘smart’ devices.
Just like traditional computers such as PCs, these smart devices run full operating systems (often embedded Linux) with a stack of network services, and they are designed to be connected to the Internet, which means they can also be targeted by hackers. However, compared with traditional computers, IoT and OT devices have abysmal cybersecurity: they lack even the basic controls we take for granted on PCs, such as antimalware, strong access control, and a local firewall. They are also notorious for shipping with default passwords, for carrying unpatched vulnerabilities, and for being too easy to reach, since most have several connectivity features enabled by default (WiFi, Bluetooth, Ethernet, and a host of management protocols and services).
Attackers can hack a BAS in several ways. One common method is to scan the Internet for exposed device services (Telnet, HTTP, HTTPS, FTP, and SSH, to name a few), then simply log in to the device as if they were a legitimate user. Since roughly half of IoT and OT devices still use default passwords, this attack is exceptionally easy. Hackers also use worm malware to automate the process: the worm scans for reachable devices, tries a built-in list of factory username and password pairs, and, once in, immediately starts scanning from the newly infected device to spread further. This is how the Mirai botnet infected hundreds of thousands of IoT devices, including building security cameras and video recorders.
Another way for hackers to hunt for vulnerable BAS devices is the Shodan search engine, which continuously indexes the banners of Internet-facing services. Shodan lets anyone search for exposed devices by type, by software or firmware version (and therefore by known unpatched vulnerabilities), and by geographic region.
Hackers will also use phishing emails, aimed at building management personnel, corporate facilities teams, maintenance staff, and the individual BAS vendors, to steal the login credentials for key systems or devices within the BAS, remote access services (or vendor management portals), or building management terminals.
An insider with physical access can also infect, sabotage, or reprogram these devices rather easily. All it may take is a press of the device's physical reset button to force it back to factory defaults, which wipes any hardening that was configured, restores the default credentials, and on some models reverts the device to the firmware image it shipped with, making it more vulnerable than before.
The most common cyber threat to building systems is “botnet” malware. Botnets are essentially networks of zombified devices which a hacker has gained some level of control over after infecting them with a special type of malware.
Botnets used to be built from PCs and servers, but as IoT and OT technologies have proliferated, these devices have become an easier and more lucrative target for hackers.
In most instances, botnets hijack IoT or OT devices so the hacker can run resource-intensive tasks from them, such as launching a distributed denial-of-service (DDoS) attack on websites or carrying out credential-stuffing password attacks on companies.
At a minimum, a botnet infection will keep these expensive devices busy with the attacker's workload, resulting in reduced performance, unpredictability, "bugginess," and a shorter service life. A large botnet inside a building system also functions like a vampire, consuming processing capacity, bandwidth, and electricity, which reduces the building's operational efficiency and increases costs.
Multi-pronged attacks are another risk, since botnet malware is essentially an open door on the network that a hacker can use to import other types of malware that could further damage the building’s systems, such as ransomware or “wipers.” Additionally, cybercriminals often create botnets for the purpose of renting them out to other hacking groups. Consequently, multiple sets of hackers, each with differing motives, may gain access to the BAS devices, which increases the risk of more costly damage.
A more specialized use for botnet malware is illegal cryptomining. Known as “cryptojacking,” this attack is similar to other botnet infections, but with one important difference.
Cryptomining is an extremely power-hungry operation, even more so than traditional botnet tasks, which means cryptojacking malware pins the processor of each infected device at full load around the clock and draws a substantial amount of electricity to do so. For a sense of scale, one Bitcoin transaction takes roughly 1,449 kWh to complete, the equivalent of approximately 50 days of power for the average U.S. household. That figure describes the Bitcoin network as a whole rather than a single device: an embedded controller cannot mine Bitcoin profitably, so cryptojackers typically mine CPU-friendly coins such as Monero instead, but the effect on the building is the same. Beyond the higher energy costs, cryptojacking in the BAS poses a risk of overheating and physical dysfunction in the building's key systems, which could lead to critical failures.
Since building automation systems manage important functions, like building access controls, security monitoring, fire alarm and suppression, and HVAC, they cannot afford to fail. But if their IoT and OT components are infected with cryptojacking malware, there is a strong likelihood that these devices will underperform to the point of becoming unreliable. They could fail altogether, resulting in physical disruptions and safety risks. This is how a building's security system could suddenly be disabled without warning, or how a fire suppression system might fail to work in a time of need.
Hackers are also exploiting building systems in order to stage stealthy attacks on corporate IT networks.
This may sound far-fetched, but it isn’t. My company has been involved in multiple cases recently in which U.S. companies were targeted by ransomware groups and cyber espionage actors after the attackers first snuck in through a vulnerable part of the BAS, such as the security camera system or door access controllers.
By infiltrating the BAS, which is largely unmonitored, hackers can set up a base camp in these systems that goes undetected. They can then use this vantage point to sniff the local network traffic and look for vulnerable hosts that share a network segment with the infected IoT or OT device. In this way, the hacker gradually climbs their way up the network.
Few companies are able to monitor for this type of attack, so they are completely blindsided when they occur. The unmonitored nature of building systems also makes it harder for companies to fully remove a threat once it has been detected. Even if the hacker is booted from the IT network, they can maintain their foothold in the BAS and use it to launch additional attacks on the company’s network in the future. This allows the hacker to achieve long-term persistence and makes it even harder for companies to protect their networks.
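The pivot described above leaves a trace that is cheap to look for: a camera or controller that suddenly talks to the corporate subnet, to the Internet, or to many hosts in a short window. The script below is an added example, not part of the article or any vendor product, and everything in it is constructed for illustration: the subnets, the per-role allowlist of expected destinations, and the firewall flow log lines. It reads key=value flow records exported from the boundary between the building-systems VLAN and the rest of the network and flags egress that no BAS device has a reason to generate.

```python
"""Flag a BAS device that is pivoting toward the IT network or the Internet.

Added example, not from the article.  All subnets, device roles and log
lines are constructed; adjust ROLE_OF and ALLOWED to a real inventory.
"""
from collections import defaultdict
import ipaddress

# Constructed layout: building systems live in 10.20.0.0/16, corporate IT
# in 10.10.0.0/16.  Anything outside both managed ranges is "external".
BAS_NET = ipaddress.ip_network("10.20.0.0/16")
IT_NET = ipaddress.ip_network("10.10.0.0/16")

ROLE_OF = {                      # constructed inventory: who is who
    "10.20.1.11": "camera",
    "10.20.1.12": "camera",
    "10.20.2.21": "hvac_controller",
}
# Expected (destination, port) pairs per role: cameras stream to the video
# server, controllers speak BACnet/IP to the BMS head-end, everyone does NTP.
ALLOWED = {
    "camera": {("10.20.9.5", 554), ("10.20.9.5", 80)},
    "hvac_controller": {("10.20.9.6", 47808)},
}
COMMON = {("10.20.9.1", 123)}
SCAN_THRESHOLD = 5               # distinct unexpected hosts or ports per source

# Constructed flow log: the first four lines are normal, the rest show camera
# 10.20.1.11 reaching an external host and sweeping SMB/RDP/SSH on IT hosts.
SAMPLE_FLOWS = [
    "src=10.20.1.11 dst=10.20.9.5 dport=554 proto=tcp",
    "src=10.20.1.12 dst=10.20.9.5 dport=554 proto=tcp",
    "src=10.20.2.21 dst=10.20.9.6 dport=47808 proto=udp",
    "src=10.20.1.11 dst=10.20.9.1 dport=123 proto=udp",
    "src=10.20.1.11 dst=203.0.113.7 dport=6667 proto=tcp",
    "src=10.20.1.11 dst=10.10.5.20 dport=445 proto=tcp",
    "src=10.20.1.11 dst=10.10.5.21 dport=445 proto=tcp",
    "src=10.20.1.11 dst=10.10.5.22 dport=3389 proto=tcp",
    "src=10.20.1.11 dst=10.10.5.23 dport=22 proto=tcp",
    "src=10.10.5.30 dst=10.20.1.12 dport=80 proto=tcp",   # inbound, ignored here
]


def parse_flow(line):
    """Parse a 'key=value key=value' flow record into (src, dst, dport, proto)."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"]), fields.get("proto", "tcp")


def analyze(lines):
    """Return (source, kind, detail) findings for unexpected egress from the BAS VLAN."""
    findings = []
    unexpected = defaultdict(set)            # src -> set of unexpected (dst, port)
    for line in lines:
        src, dst, dport, proto = parse_flow(line)
        if ipaddress.ip_address(src) not in BAS_NET:
            continue                         # only BAS-originated traffic matters here
        role = ROLE_OF.get(src, "unknown")
        if (dst, dport) in ALLOWED.get(role, set()) | COMMON:
            continue                         # known-good destination for this role
        unexpected[src].add((dst, dport))
        dst_ip = ipaddress.ip_address(dst)
        if dst_ip in IT_NET:
            kind = "bas_to_it"
        elif dst_ip in BAS_NET:
            kind = "unexpected_internal"
        else:
            kind = "bas_to_external"
        findings.append((src, kind, f"{role} {src} -> {dst}:{dport}/{proto}"))
    # A device that touches many distinct hosts or ports is sweeping the network.
    for src, pairs in unexpected.items():
        hosts = {d for d, _ in pairs}
        ports = {p for _, p in pairs}
        if len(hosts) >= SCAN_THRESHOLD or len(ports) >= SCAN_THRESHOLD:
            findings.append((src, "scan", f"{src} probed {len(hosts)} hosts / {len(ports)} ports"))
    return findings


if __name__ == "__main__":
    for src, kind, detail in analyze(SAMPLE_FLOWS):
        print(f"{kind:20s} {detail}")
```

The allowlist is deliberately per role rather than per device: a camera has a handful of legitimate destinations, so anything else from a camera is worth a ticket even when the destination port looks innocuous. The same logic works on NetFlow or firewall exports once `parse_flow` is adapted to their field names.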
How To Prevent Attacks On Building Systems
While building systems are vulnerable to hackers, the good news is that they can be protected without the need for complex processes or expensive security teams.
Most attacks on building system devices exploit basic security failures like default passwords and unpatched vulnerabilities. Therefore, by simply replacing the default password on every device with a unique, strong one and keeping the firmware current, facility managers greatly reduce their overall risk.
Additional measures to further harden these devices include disabling remote services that are not needed (Telnet and FTP in particular), turning off unused connectivity features such as WiFi and Bluetooth, and replacing the factory self-signed certificate with a valid one so that management traffic to the device is encrypted and the device's identity can actually be verified. Facility managers should also consider periodically rebooting BAS devices: much IoT botnet malware lives only in memory, so a reboot clears it. The caveat is that a device that still has its default password and an exposed Telnet port will usually be reinfected within minutes, so a reboot buys nothing unless the underlying weakness is fixed as well.
However, large facilities will be more of a challenge to secure, due to the sheer size of the BAS, which could contain hundreds to thousands of smart devices, ranging from sophisticated IoT devices to industrial-grade OT systems. These large systems can be difficult and labor-intensive to secure manually, so facility managers should consider investing in automated solutions.
At the end of the day, the only way to keep the BAS secure from malicious attacks is to know where all these devices are, what they are, and what condition they are in. A full inventory of every BAS component, kept current, is vital, along with security updates, hardening, and regular monitoring of each device against that inventory.
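The hardening checklist above and the exposure problems described earlier (default credentials, plaintext services reachable from the Internet, stale firmware, factory certificates) are all conditions that can be read off an inventory record once the inventory exists. The script below is an added example, not part of the article or any vendor's product, showing how such an audit can be expressed. Every device record, the list of factory credential pairs, the firmware baseline per model, and the audit date are constructed for illustration; in practice the records would come from the discovery tool and the baseline from the vendor's release notes.

```python
"""Audit a BAS device inventory for the basic failures that let attackers in.

Added example, not from the article or any vendor tool.  Device records,
default-credential pairs and firmware baselines below are all constructed.
"""
from datetime import datetime, timezone

# Constructed set of factory username/password pairs of the kind worms try.
DEFAULT_CREDS = {("admin", "admin"), ("admin", "1234"), ("admin", ""),
                 ("root", "root"), ("root", "xc3511"), ("root", "vizxv")}
# Services that should not face an untrusted network; plaintext ones are worst.
PLAINTEXT_REMOTE = {21: "ftp", 23: "telnet", 80: "http"}
ENCRYPTED_REMOTE = {22: "ssh", 443: "https"}
# Constructed firmware baseline: minimum acceptable version per model name.
MIN_FIRMWARE = {"CamModelX": (2, 4, 0), "CtrlModelY": (1, 9, 3)}
AUDIT_DATE = datetime(2023, 2, 1, tzinfo=timezone.utc)   # constructed audit date

# Constructed inventory: an exposed camera, a well-kept controller, a gateway
# nobody has a baseline for.
INVENTORY = [
    {"ip": "10.20.1.11", "model": "CamModelX", "firmware": "2.1.0",
     "user": "admin", "password": "admin", "open_ports": [23, 80, 554],
     "internet_exposed": True,
     "cert": {"self_signed": True, "not_after": "2021-06-30T00:00:00+00:00"}},
    {"ip": "10.20.2.21", "model": "CtrlModelY", "firmware": "1.9.3",
     "user": "svc_bms", "password": "long-random-passphrase-42",
     "open_ports": [47808, 443], "internet_exposed": False,
     "cert": {"self_signed": False, "not_after": "2030-01-01T00:00:00+00:00"}},
    {"ip": "10.20.3.31", "model": "GatewayZ", "firmware": "3.0",
     "user": "admin", "password": "", "open_ports": [22],
     "internet_exposed": True, "cert": None},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}


def parse_version(text):
    """'2.4.0' -> (2, 4, 0) so versions compare as tuples, not strings."""
    return tuple(int(part) for part in text.split("."))


def check_credentials(dev):
    if (dev["user"], dev["password"]) in DEFAULT_CREDS:
        return [("critical", "factory default credentials still set")]
    if len(dev["password"]) < 12:
        return [("medium", "password shorter than 12 characters")]
    return []


def check_services(dev):
    out = []
    for port in dev["open_ports"]:
        if port in PLAINTEXT_REMOTE:
            sev = "high" if dev["internet_exposed"] else "medium"
            out.append((sev, f"plaintext {PLAINTEXT_REMOTE[port]} service on port {port}"))
        elif port in ENCRYPTED_REMOTE and dev["internet_exposed"]:
            out.append(("medium", f"{ENCRYPTED_REMOTE[port]} reachable from the Internet"))
    return out


def check_firmware(dev):
    baseline = MIN_FIRMWARE.get(dev["model"])
    if baseline is None:
        return [("low", "no firmware baseline for this model (inventory gap)")]
    if parse_version(dev["firmware"]) < baseline:
        wanted = ".".join(str(p) for p in baseline)
        return [("high", f"firmware {dev['firmware']} below baseline {wanted}")]
    return []


def check_certificate(dev, now):
    cert = dev.get("cert")
    if not cert:
        return [("low", "no certificate recorded; management traffic may be unencrypted")]
    out = []
    if cert["self_signed"]:
        out.append(("medium", "factory self-signed certificate; identity cannot be verified"))
    if datetime.fromisoformat(cert["not_after"]) < now:
        out.append(("medium", f"certificate expired {cert['not_after']}"))
    return out


def assess(dev, now=AUDIT_DATE):
    """Run every check on one device record; returns a list of (severity, finding)."""
    return (check_credentials(dev) + check_services(dev)
            + check_firmware(dev) + check_certificate(dev, now))


def audit(inventory, now=AUDIT_DATE):
    """Map each device IP to its findings, worst severity first."""
    return {dev["ip"]: sorted(assess(dev, now), key=lambda f: -SEVERITY_RANK[f[0]])
            for dev in inventory}


def summary(report):
    """Count findings per severity across the whole report."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for findings in report.values():
        for sev, _ in findings:
            counts[sev] += 1
    return counts


if __name__ == "__main__":
    report = audit(INVENTORY)
    for ip, findings in report.items():
        print(ip, "clean" if not findings else "")
        for sev, text in findings:
            print(f"  [{sev}] {text}")
    print(summary(report))
```

Sorting each device's findings by severity makes the output directly usable as a work list: default credentials come first because a worm will find them first, then exposed plaintext services and stale firmware, then certificate hygiene. The "no baseline" and "no certificate" findings matter as well, since a device the inventory cannot describe is exactly the device nobody will notice being compromised.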
Contos is the Chief Security Officer (CSO) of Phosphorus. He is a 25-year veteran of the cybersecurity industry. He most recently served as Vice President of Security Strategy at Mandiant, following its acquisition of Verodin, where he was the CISO.