BreachExchange mailing list archives

Smart Building Technologies Could Expose Companies To A New Breed Of Cyber Attack


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 5 Aug 2014 18:52:10 -0600

http://techcrunch.com/2014/08/05/smart-buildings-expose-companies-to-a-new-kind-of-cyber-attack/

Last month major corporations and household names such as Evernote,
TweetDeck and Feedly were held ransom by Internet hackers. Many found this
concerning, but even more serious is that some businesses may not realize
how highly vulnerable they are to such an attack. What if it were your
building that was held ransom? Are there things that could have been done
to prevent a cyber attack?

When we think of the Internet of Things, it’s common to think of phones,
cars, tablets and countless other consumer devices, but don’t forget
buildings. Businesses are racing toward integration through web-enabled
technologies that can control everything from heating and lighting to
elevators and door locks. But imagine a cyber attack shutting down your
building’s lights and elevators. In addition to the security breach,
employees would need to be sent home, and depending on the size of the
company, this could result in losses of thousands or even millions of
dollars.

Building control is moving away from the human hand and it is time to view
a building as IT and not just the traditional brick and mortar. While
connected buildings that use the cloud and IP networks to more efficiently
control building operations are not new, there are new security precautions
that need to be implemented to prevent intruders. More emphasis on and
education around this topic is necessary.

Google’s Australian office hack last year should have served as the wakeup
call for smart buildings. Two security researchers exposed Google’s
vulnerable building management system for its Wharf 7 office. By going
through the Tridium Niagara AX platform, the researchers had access to
multiple panels. They were able to view blueprints of the building and the
water pipes within the system. If they wanted to, they could have even
clicked buttons labeled “active overrides,” “active alarms,” “schedule,”
and more. This was not a malicious attack so no damage was done, but the
possibility for a damaging security breach was there.

Once in a system, it could be relatively easy to access multiple building
controls, as was the case for Google. Many of the communications protocols
for building automation devices are built to integrate with each other for
product compatibility and interoperability. In addition, automation systems
that are set up on the same network as corporate and administrative systems
put companies at increased risk. In the Google hack, the building
management system was on a dedicated line and not on the same network as
its corporate and administrative systems, which poses an additional hurdle
for hackers.

The answer to preventing cyber attacks is not disconnecting your building
from the cloud; it’s for the industry and end users to be more educated
about the security risks and to be prepared for them. At times, it can
actually be human error and mistrust in a system that can lead to more harm
than good.

Take Target’s data hack, for instance. The breach that made headlines
around the globe started with someone gaining access to the building via
the heating, ventilation and air conditioning system. Without digging a
little deeper, it is easy to point to the technology installed as the major
issue and the only reason this breach happened. In reality, without manual
intervention, the hack could have been contained within moments of
occurring.

In the Target breach, the automated, intelligent, self-healing IT security
system was overridden to perform just as a passive alert system. In turn,
this alert was – by all accounts – ignored by the monitoring personnel. The
virus/worm detection system, which actually did end up detecting the
eventual intrusion into the point-of-sale system, could have automatically
stopped the whole thing in its tracks, if it weren’t being limited.
Unfortunately, due to the apparent insistence on manual (human) oversight
and interference with the system, the hack took hold and an alert was
raised but nothing was done for what appears to be a number of days.

Like any industry involving tech, growing pains are to be expected, but the
reality is that buildings are now IT. The hacks mentioned above are not
reflective of the industry as a whole, but do provide a good lesson. When
selecting an automated system for a building, security must be a factor.

Utilizing the cloud is not something to be afraid of and its uses will only
increase. A lack of education creates fear, which is why as the
intelligence of our buildings increases, there is also a need for us to
increase our intelligence of how systems within our buildings operate.

For 30 years, our building stock has represented some of the biggest
robotics systems on the planet. The benefits of this explosion in
automation have been deep and numerous. Further benefits are now becoming a
reality, but without a serious focus on security, we risk losing those 30
years of progress and missing out on the next wave of advances.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
