How Common Are Attacks Through The BAS?
Even though those major hacks did not involve building controls, that’s not to say there isn’t evidence of such intrusions. According to the General Accounting Office, the number of cyber incidents involving industrial control systems (in this case, including building and access controls) that were reported to the Department of Homeland Security increased 74 percent from 2011 to 2014, with 245 incidents reported in 2014. “Many more incidents occur in critical infrastructure that go unreported,” DHS says.
Stuxnet is, to date, the most famous attack on an industrial control system. American and Israeli intelligence penetrated industrial controls from afar to destroy about 1,000 nuclear-fuel centrifuges at an Iranian uranium enrichment plant. In late 2014, the German government reported that unknown hackers had penetrated the business network of an unnamed German steel mill, then moved over to the production network and disrupted the industrial control system. This prevented the proper shutdown of a blast furnace, causing massive damage.
In Ukraine, malware shut down power systems supporting as many as 80,000 people. A study by the security firm Cylance in late 2014 said a group of Iranian hackers had attacked more than 50 targets in 16 nations, sometimes penetrating computer networks to such a degree that they could take over and manipulate the machines. The U.S. victims included an airline, a medical school, and an energy company.
Most of the well-publicized hacks have not targeted industrial control systems, but rather enterprise networks. Leading a short list would be the massive penetration of Target’s point-of-sale network through an HVAC vendor that was using the retail chain’s work order system. In February, a hacker locked up computer systems at Hollywood Presbyterian Medical Center in Los Angeles and only returned access after a $17,000 ransom was paid. Referencing that hospital hack, a new CABA study, “Intelligent Buildings and Cybersecurity,” concludes, “Such ransomware attacks are increasingly being aimed at large institutions and may eventually target BMS/BAS in larger structures such as mass transit facilities, convention centers, hospitality, healthcare, government plazas, and others in order to shut down critical building functions such as elevators, HVAC, or entry/access points.”
Intrusions Through Building Controls
Opinions differ on how much actual BAS intrusion by bad actors has occurred. Zimmer says most companies would not make an intrusion public knowledge. Tom Shircliff, co-founder of Intelligent Buildings, says there have not been massive penetrations, just “odds and ends.” Rios referenced a DHS report that publicly recorded two BAS hacks: a manufacturing plant in New Jersey that had its energy management system penetrated, and a state agency that had its BAS penetrated. He says he himself has assisted companies in “cleaning things off their BAS” following intrusions, but can’t elaborate.
Michael Chipley, Ph.D. — a veteran consultant to federal agencies and creator of cybersecurity workshops for the National Institute of Building Sciences and author of the Whole Building Design Guide section on cyber security — believes many BAS have already been compromised or infected with malware, and the question is when hackers wish to exploit this. Building owners and facility managers, he says, may not realize their building control system could be completely exposed on Shodan, which describes itself as “the world’s first search engine for Internet-connected devices.”
Experts say it’s difficult to estimate hackers’ success at compromising BAS because of the lack of monitoring by facilities. How would facilities even know if it did happen? “With one of the last BAS networks I looked at, the engineers had put a movie server inside the automation network,” Rios says. “There’s no oversight as to what’s going on in those networks. An attacker could be running wild in that network and no one would know.” Gordy cites one estimate that successful hackers are on a network — undetected — for an average of 243 days.
In addition to the “real world” examples, ethical hackers have made a number of successful penetrations of BAS. An IBM team, for example, broke into an unidentified “smart office” in North America. IBM’s Paul Ionescu later wrote, “We were able to decrypt the passwords and discover the password for the central command server, which controls stations for several buildings across North America.” Rios and a colleague doing independent research ethically hacked the BAS at a Google building in Australia in 2013, in part, he says, because of weak password use and unpatched or outdated systems. Rios says he has also successfully penetrated a popular brand of drug infusion pumps used in hospitals.
Gordy’s previous employer, McKenney’s, a BAS integration firm, began running a honeypot experiment to lure would-be attackers. Gordy set up a fake system that looked like a typical small data center, as well as monitoring software. Over about six months, there were about 30,000 attempts to breach the system. “I probably had about 500 people get in past my password,” he says.