In considering a facility's vulnerabilities, it is helpful to try to see through the mind’s eye of an aggressor. Let’s look at two types of malevolent activities, one influenced by the accessibility of tools, the other influenced by desire/emotions.
The single root failure to physical security is inconvenience. For instance, an executive or an employee may tolerate the inconvenience of a 10-minute delay to log on to their computer because of a password reset, but if they forget their identification card, and are barred entry to a building, frustration and anger ensue. One my favorite methods of gaining access to a building is to approach a security desk after hours with a business card (that I made from a color portable printer) with the title CEO and verbally strong-arm the guard who is paid $10-$12 hour into allowing me access into the building with the “Do you know who I am?” line.
That same convenience stretches into the hyper connectivity of systems to the local area network (LAN). More and more connections are being added to the network, and in some instance that network has spread to wireless systems — because we need the LAN now or want to be able to move our laptops anywhere in the building.
This has created a real cyber security threat, and not like the television show “Mr. Robot.” We’re moving into a world of hyper connectivity. Everything and anything connects to an internet telecommunications network. In our drive for convenience, we have made wireless connections to those same networks, and have literally hundreds/thousands of connections that are bringing in everything from supervisory control and data acquisition (SCADA) systems to building systems using BACnet or LonWorks to surveillance and access control systems.
So, you want to be a hacker?
One of the biggest exposures with network security is a misunderstanding of the threat that exists. Because of the TV shows and movies we watch, many believe that hackers are highly intelligent people that sit at large computers and input complex commands to access computer systems and take them over. That scenario is, in part, fiction.
To better appreciate the potential probability for a cyber security threat occurrence, it can be helpful to trace the access path while staying just shy of illegal activity.
There are many public hacking utilities out there used by hackers to identify vulnerable network systems and the devices connected to them. The granddaddy of them all is Shodan, essentially a search engine that collects information from all computers that are accessible or broadcasting to the internet. These can even be devices behind firewalls. Shodan looks for specific hardware namesakes, chipset manufacturers, and the like.
From Shodan, users can use search terms like CRAC, chiller, a manufacturer name, etc. It is essentially the filter that finds vulnerable computers and systems from the sea we call the internet. In many instances users will be connected to logons for systems or, worse, directly to the device itself. Because Shodan is a search engine, hackers can search for server versions, computer systems, like Windows XP (extremely vulnerable), or even ports that are used to facilitate communication between devices.
As we migrate more and more to IP cameras, it is important to recognize that literally anyone can view cameras throughout the world if they are located on unsecured systems. If the camera is not protected by a password, anyone could have full pan-tilt control. In addition, this now could conceivably allow access to the rest of the network and anything connected to it – like a chiller or security system.
Shodan is ground zero for an opportunistic digital or physical attack, however there are other websites out there, such as Censys. On their page, they have a link, which is entitled “What industrial control systems are exposed in my country”? From there, you can see what devices Building Management Systems (BMS) are communicating to the internet and are therefore vulnerable. As of June 16, 2018, there were 33,845 devices listed, and presumably increasing in number.
Another totally free tool, zoomeye.org, takes hacking to a new level because it probes and identifies vulnerabilities that it has discovered, which limits the vulnerability guesswork and increases the speed of access by a hacker.
The documentation of a network is extremely important, because without it, the system is problematic to control. Without a doubt, an undocumented network will be harder to control, easier to hack, and more difficult to audit.
Because it is easy to access computer networks, and the need to control access is predicated on convenience, facility managers should take the following precautions:
How To Evaluate Facility Security Vulnerabilities
The Brave New World of Cybersecurity: Evaluating Vulnerabilities
