As building management systems become a greater part of our daily lives, their susceptibility to cyber attack is ever increasing. How would your building handle getting hacked?


Imagine it. A G8 summit is taking place in an isolated, secure compound somewhere on the globe. The compound is surrounded by an impenetrable security cordon keeping all protestors and would-be aggressors firmly at bay. Leaders of the world’s eight most powerful nations are gathered in a conference room confident that all threat of human attack has been repelled.

But what of the threat of a cyber attack? Were a hostile attacker thousands of miles away able to hack into the building management system of said G8 venue, would he or she be able to automatically activate the locks of our hypothetical conference room, thereby trapping its occupants? Could highly sensitive and confidential communications be simultaneously broadcast onto the internet? Could gas rather than air be pumped into the ventilation system? Essentially, could a hijacked BMS turn the building itself into a weapon?

Such a scenario may sound far-fetched and appear to have more in common with the convoluted counter-terrorism plotting of American TV series like 24 and Homeland. But for many experts within the field of cyber security it represents a very clear and present danger and one that is steadily growing.

David Fisk is a professor at the Laing O’Rourke Centre for Systems Engineering and Innovation at Imperial College London and he has written and spoken extensively about the growing threat to building management systems and services posed by potential cyber attacks.

“An intelligent building, while offering greater service, also poses a clear cyber threat to its occupants,” he says. “The downside of linking intelligent buildings to the wider smart grid is that successful malicious software could shut the whole system down for weeks.”

While infamous hacking incidents connected to organisations like Sony and Wikileaks grab headlines around the world, the risk posed to building management systems garners virtually no attention. For Fisk, this is a clear indication that both the building and IT industries have failed to take the prevailing threat seriously.

“The market for software virus protection has been estimated at $2bn each year. But it is hard to find any discussion on cyber-security issues in intelligent building design.” He does, however, acknowledge why this might be the case. “The hazard for BMS functionality is real but the risk is more difficult to assess.”

Victims of hacking

Alarmingly, while the scenario in the opening paragraphs remains mercifully unrealised, there have been a number of smaller breaches that might go some way to providing a clearer assessment of the risk Fisk is referring to.

One of the most notorious occurred on 15 November 2013 when US discount retail giant Target was the victim of an audacious cyber attack. Like many large retailers in both Europe and the US, Target employs third-party contracting engineers to manage and monitor its stores’ HVAC (heating, ventilation and cooling) systems.

Accordingly, these contractors have full access to building management systems within all Target stores. By stealing BMS authentication and access protocols from one such contractor, hackers were then able to covertly gain access to Target’s customer database and proceeded to steal data files and credit card details for up to 110 million customers. While the incident thankfully involved no danger to or loss of life, consumer confidence in the retail brand plummeted overnight and the store reported a 46% drop in fourth quarter profit for that year.

There have been several other related incidents too. At a cyber security conference in Las Vegas in 2014, American security consultant Jesus Molina stunned delegates by claiming that he had been able to hack into the BMS of a luxury hotel in Shenzhen, China and assume full control of all lighting, temperature, access and entertainment systems in all its 200 rooms from his iPad.

And the notorious Stuxnet virus of 2010, while shrouded in mystery and still the subject of fervent online speculation, allegedly destroyed Iran’s uranium enrichment programme and gravely compromised the country’s nuclear ambitions by ruining one-fifth of its nuclear centrifuges.

The USB-enabled virus targeted the Siemens computer software that controlled the centrifuges and conspiracy theories abound that it was surreptitiously despatched by the US government, a claim America has neither confirmed nor denied. Stuxnet is commonly thought to be the first piece of malware specifically designed to target industrial infrastructure.

The virus may sound like something lifted from a Cold War spy novel. But according to Reeny Sondhi, Autodesk chief of product security, “a Stuxnet-type attack should be considered a credible threat to building services”.

Ironically, the risk of cyber attack on building services has increased as buildings have become more intelligent. Today, BMS relies on a highly sophisticated convergence of multiple building services systems consolidated into a detailed digital database that is remotely accessible through a simple browser interface.

The advantage is increased management efficiency, monitoring capability and system interoperability. The disadvantage is a single, external open-source that can potentially provide criminals with full access to the entire facilities management operation of one or multiple buildings. This is in stark contrast to original BMS facilities from the 1960s onwards, which were dedicated, hardwired machines where, in Fisk’s words: “The only aggressor hazard was presented by a rogue operative with a hammer!”

Sondhi, however, takes a slightly different view, bullishly pointing out that despite potential security breaches, the benefits of current technologies far outweigh any drawbacks. “Where there is no argument that the democratisation and digitisation of building information has brought tremendous benefits to the industry overall, it brings the possibility that the information can be exploited by those with malicious intent. That said, the filing cabinets that previously stored building information were also arguably less secure than today’s data centres and cloud-based storage.”

Preventing an attack

So what measures can buildings take to minimise their vulnerability to a cyber attack? Sondhi argues that Autodesk is “embedding security at every stage of the software development life cycle, from inception to deployment, and takes extensive measures to protect the project information created with and stored in our software and services.”

Gregory Strass is building systems IT and cyber security lead at energy management specialists Schneider Electric. He is also the co-author of a recent research paper identifying the best strategies to improve cyber security in building management systems.

Strass has identified five key protocols that are essential to protecting BMS from cyber crime: password management, network management, user management, software management and vulnerability management.

It may seem rudimentary but “changing default passwords and ensuring password complexity are key,” explains Strass. “Many think that changing default credentials is unnecessary because no one would ever be interested in their device, let alone be able to find it on the internet. Unfortunately the opposite is true.”

Strass also identifies network management as being a key defence - in other words, “safeguarding other ‘points of entry’ a hacker could get into the system such as securing web interfaces, securing all points of access, enabling a minimum number of open ports and ensuring secure segments running open BMS protocols”.

Once the BMS has been secured against external and network threats, Strass’s next recommendation, user management, involves “safeguarding the system from within”. This comprises granting users no more than the minimum BMS access privileges required to do their job and efficiently managing user accounts.

The same principles can be applied to software management. This includes rigorously enforcing the use of only authorised software, ensuring that only a limited number of users have administrative privileges to install or deploy software, and constantly updating software security patches.

Strass identifies his final recommendation, vulnerability management, as one of the most important. He suggests implementing a formal vulnerability management plan document for each BMS software installation or update, employing a rating system that estimates vulnerability as ranging from “critical to low”.
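
As an added illustration (not taken from Strass's paper or from Schneider Electric), the measures above can be expressed as an audit over a BMS device inventory, with each finding rated on a critical-to-low scale. The inventory, its field names, the intermediate "high" and "medium" ratings and the severity given to each check are assumptions; 47808 and 502 are the default ports of the open protocols BACnet/IP and Modbus TCP.

```python
# Added example: audit a constructed BMS inventory against the measures above.
SEVERITIES = ["critical", "high", "medium", "low"]  # the "critical to low" scale
OPEN_BMS_PORTS = {47808: "BACnet/IP", 502: "Modbus TCP"}  # default ports

# Constructed sample data; device names and field names are hypothetical.
INVENTORY = [
    {"name": "ahu-controller-1", "segment": "corporate-lan",
     "default_password": True, "open_ports": [80, 502, 23],
     "required_ports": [502], "max_admins": 1,
     "users": {"alice": "admin", "bob": "admin", "carol": "operator"},
     "unapproved_software": [], "patches_missing": 3},
    {"name": "lighting-gateway", "segment": "bms-vlan",
     "default_password": False, "open_ports": [443, 47808],
     "required_ports": [443, 47808], "max_admins": 1,
     "users": {"dave": "admin", "erin": "viewer"},
     "unapproved_software": [], "patches_missing": 0},
]

def audit_device(dev, secured_segments=("bms-vlan",)):
    """Return (severity, area, message) findings for one device."""
    out = []
    if dev["default_password"]:
        out.append(("critical", "password", "default credentials still set"))
    extra = sorted(set(dev["open_ports"]) - set(dev["required_ports"]))
    if extra:
        out.append(("high", "network", f"unneeded open ports: {extra}"))
    protos = [OPEN_BMS_PORTS[p] for p in dev["open_ports"] if p in OPEN_BMS_PORTS]
    if protos and dev["segment"] not in secured_segments:
        out.append(("high", "network",
                    f"{', '.join(protos)} outside a secured segment"))
    admins = sorted(u for u, role in dev["users"].items() if role == "admin")
    if len(admins) > dev["max_admins"]:
        out.append(("medium", "user", f"more admins than needed: {admins}"))
    if dev["unapproved_software"]:
        out.append(("medium", "software",
                    f"unauthorised software: {dev['unapproved_software']}"))
    if dev["patches_missing"]:
        out.append(("high", "software",
                    f"{dev['patches_missing']} security patches missing"))
    return out

def audit(inventory):
    """Audit every device and return findings sorted critical-first."""
    rows = [(sev, dev["name"], area, msg)
            for dev in inventory for sev, area, msg in audit_device(dev)]
    return sorted(rows, key=lambda r: SEVERITIES.index(r[0]))

if __name__ == "__main__":
    for sev, name, area, msg in audit(INVENTORY):
        print(f"{sev.upper():8} {name:18} [{area}] {msg}")
```
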

Further to these five measures, Fisk urges one additional fundamental move to minimise the risk of cyber attack: having a plan B. “The correct strategy is to draw up a plan for the worst rather than rely on assertions by software and hardware providers. The key defence is to ensure a ‘fall back’ or ‘dumb capability’ within an intelligent building.

“An identified minimum level of service and hardwired hardware that can provide manual operation in an attack scenario is essential. The very existence of such a plan may not make the reward of a targeted attack worthwhile.”

But for Sondhi, there is no single solution to the cyber security threat and addressing it will require human as well as technological change. “There is no silver bullet or single solution that can single-handedly solve every problem facing information security professionals with the sizeable and intimidating task of securing, protecting and defending the IT infrastructure from disruption on the cyber front.

“Apart from the robustness of building an IT network with security rigour and continuous monitoring, investment needs to be made in proper security awareness of employees to minimise physical security breaches such as insertion of infected USB devices along with following a disciplined patching approach to remediate vulnerabilities in the network.”