The Brave New World of Cybersecurity: Evaluating Vulnerabilities
Facility managers have several tools at their disposal to determine vulnerabilities in facility systems, like building management software or access control.
In considering a facility's vulnerabilities, it is helpful to try to see through the mind’s eye of an aggressor. Let’s look at two types of malevolent activities, one influenced by the accessibility of tools, the other influenced by desire/emotions.
The single root failure of physical security is inconvenience. For instance, an executive or an employee may tolerate the inconvenience of a 10-minute delay to log on to their computer because of a password reset, but if they forget their identification card and are barred entry to a building, frustration and anger ensue. One of my favorite methods of gaining access to a building is to approach a security desk after hours with a business card (that I made from a color portable printer) with the title CEO and verbally strong-arm the guard who is paid $10-$12 an hour into allowing me access into the building with the “Do you know who I am?” line.
That same convenience stretches into the hyper connectivity of systems to the local area network (LAN). More and more connections are being added to the network, and in some instances that network has spread to wireless systems — because we need the LAN now or want to be able to move our laptops anywhere in the building.
This has created a real cyber security threat, and not like the television show “Mr. Robot.” We’re moving into a world of hyper connectivity. Everything and anything connects to an internet telecommunications network. In our drive for convenience, we have made wireless connections to those same networks, and have literally hundreds/thousands of connections that are bringing in everything from supervisory control and data acquisition (SCADA) systems to building systems using BACnet or LonWorks to surveillance and access control systems.
So, you want to be a hacker?
One of the biggest exposures with network security is a misunderstanding of the threat that exists. Because of the TV shows and movies we watch, many believe that hackers are highly intelligent people who sit at large computers and input complex commands to access computer systems and take them over. That scenario is, in part, fiction.
To better appreciate the probability of a cyber security threat occurrence, it can be helpful to trace the access path while staying just shy of illegal activity.
There are many public hacking utilities out there used by hackers to identify vulnerable network systems and the devices connected to them. The granddaddy of them all is Shodan, essentially a search engine that collects information from all computers that are accessible or broadcasting to the internet. These can even be devices behind firewalls. Shodan looks for specific hardware product names, chipset manufacturers, and the like.
From Shodan, users can use search terms like CRAC, chiller, a manufacturer name, etc. It is essentially the filter that finds vulnerable computers and systems from the sea we call the internet. In many instances users will be connected to logons for systems or, worse, directly to the device itself. Because Shodan is a search engine, hackers can search for server versions, computer systems, like Windows XP (extremely vulnerable), or even ports that are used to facilitate communication between devices.
As we migrate more and more to IP cameras, it is important to recognize that literally anyone can view cameras throughout the world if they are located on unsecured systems. If the camera is not protected by a password, anyone could have full pan-tilt control. In addition, this now could conceivably allow access to the rest of the network and anything connected to it – like a chiller or security system.
Shodan is ground zero for an opportunistic digital or physical attack; however, there are other websites out there, such as Censys. On their page, they have a link entitled “What industrial control systems are exposed in my country?” From there, you can see which Building Management System (BMS) devices are communicating to the internet and are therefore vulnerable. As of June 16, 2018, there were 33,845 devices listed, and presumably increasing in number.
Another totally free tool, zoomeye.org, takes hacking to a new level because it probes and identifies vulnerabilities that it has discovered, which limits the vulnerability guesswork and increases the speed of access by a hacker.
Network documentation is extremely important, because without it the system is problematic to control. Without a doubt, an undocumented network will be harder to control, easier to hack, and more difficult to audit.
Because it is easy to access computer networks, and the need to control access is predicated on convenience, facility managers should take the following precautions:
- Segregate networks so they are “air-gapped” from the internet, and especially do not connect wireless devices (WiFi) to networks that contain sensitive equipment.
- Evaluate the need for any remote or LAN access to any devices connected to the network. This includes web-based or mobile apps to allow you to remotely access facility information, inclusive of security cameras and similar devices.
- Allow only specific computers, via their respective IP addresses and media access control (MAC) addresses, onto the network.
- Document and assign all IP addresses on a secure network. Identify port communication requirements, physical network connection, and purpose of the device (camera, etc.).
- Test your network. From the target network, go to your favorite search engine and type “What’s my IP?” The number returned is the public IP address of the network. Head here or here and paste in the IP address. What you’re looking for are “unreachable,” “stealth,” or “filtered/closed” responses. An “open/listening” result means the system is ready to accept connections from the internet, which is not a good thing.
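One way to act on the last three items (documented IP/MAC/port records, then checking what is actually on the wire), as an added example that is not from the article: a small Python audit that compares a documented inventory with scan observations and reports undocumented devices, MAC mismatches and ports outside each device's documented requirements. The addresses, MACs, device purposes and scan lines are constructed sample data.

```python
# Added example for this article (not from the original): audit what is
# actually on the facility VLAN against the documented IP/MAC/port records.

# Documented inventory: IP -> (MAC, purpose, ports it is allowed to listen on).
INVENTORY = {
    "10.20.0.10": ("00:1a:2b:3c:4d:10", "IP camera, lobby", {443}),
    "10.20.0.20": ("00:1a:2b:3c:4d:20", "BACnet controller, chiller", {47808}),
    "10.20.0.30": ("00:1a:2b:3c:4d:30", "access control panel", {443}),
}

# Constructed sample observations, one "ip mac port,port" line per device,
# as an internal scan of the VLAN might report them.
OBSERVED = """\
10.20.0.10 00:1a:2b:3c:4d:10 443,80
10.20.0.20 00:1a:2b:3c:4d:99 47808
10.20.0.30 00:1a:2b:3c:4d:30 443
10.20.0.77 00:aa:bb:cc:dd:ee 23,80
"""

def parse_observed(text):
    """Parse 'ip mac ports' lines into (ip, mac, set_of_ports) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ip, mac, ports = line.split()
        rows.append((ip, mac.lower(), {int(p) for p in ports.split(",")}))
    return rows

def audit(inventory, observed):
    """Return (ip, finding) pairs for every deviation from the records."""
    findings, seen = [], set()
    for ip, mac, ports in observed:
        seen.add(ip)
        if ip not in inventory:
            findings.append((ip, "undocumented device"))
            continue
        doc_mac, purpose, allowed = inventory[ip]
        if mac != doc_mac.lower():
            findings.append((ip, f"MAC mismatch on {purpose}"))
        if ports - allowed:
            findings.append((ip, f"unexpected ports on {purpose}: {sorted(ports - allowed)}"))
    for ip in inventory:  # a documented device that has gone silent is also worth a look
        if ip not in seen:
            findings.append((ip, "documented device not observed"))
    return findings

if __name__ == "__main__":
    for ip, msg in audit(INVENTORY, parse_observed(OBSERVED)):
        print(ip, "-", msg)
```

On the sample data this flags the camera for an extra port 80, the chiller controller for a MAC that does not match the record, and 10.20.0.77 as a device nobody documented.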