This morning, a hacker may have targeted the smart building you work in. If so, the hacker likely went to a site on the dark web, searched for “building automation systems” or chillers, cameras, or a host of other internet-enabled devices or systems and found tens of thousands of options to enable entry.
Hospitals, banks, government buildings, data centers, and other building types have cybersecurity vulnerabilities. How do hackers exploit these? They look for building control systems connected to the internet, default passwords that have never been changed, vendor-made backdoors that have never been closed, and identical passwords used across devices and systems and groups of buildings.
The risk of building controls being hacked is more than theoretical. Five high-profile hacks offer lessons for all facility managers.
1. Google Wharf 7 building
Ethical hackers were able to access the building control system for Google’s Australia headquarters in 2013 after finding the specific office location on Shodan, a search engine on which hackers search for their favorite type of cyber vulnerabilities. Although the system was running off a DSL line and controlled only the building’s HVAC system, it showed water lines and buttons marked “active overrides,” “active alarms,” “alarm console,” “LAN Diagram,” “schedule,” and the building management system key. How could the hackers spelunk so deep into the BAS system of a company as presumably tech-savvy as Google? A couple of things helped.
For one thing, the BAS for the offices was built on a widely used platform that contained security risks, which have since been mitigated by newer versions. Once gaps have been discovered, platforms like this issue patches to users. It’s up to the users to implement them, however, and in this case the patches hadn’t been installed. Failure to implement these patches is a key cybersecurity mistake, experts say. In fact, some experts claim these patches go unheeded 90 percent of the time.
Google’s system was exposed on a public IP, meaning it was directly connected to the web rather than being hidden behind a firewall, according to Fred Gordy, director of cybersecurity with Intelligent Buildings. The hackers used this access to find administrative passwords for control panels. Armed with the passwords, the hackers could get into several other buildings managed by the facilities integrator because they figured out the integrator’s username and password and then looked for other systems the integrator had installed, discovering the integrator had used the same username and password in other sites.
2. X-Force penetration tests
In 2016, IBM X-Force conducted penetration tests against a building management company that operates more than 20 buildings across the United States. The IBM group systematically probed the company’s firewall and found doors left wide open, enabling access to passwords that helped them get into the BAS and a configuration file that led to the central server. Still, they couldn’t get in. So the X-Force made it a geographical issue, driving to the building and parking there. They then connected to the building’s wireless gateway and found an address that offered what they sought: access to every building the company managed, including a data center. An unethical hacker might have caused a tsunami of consequences with that kind of access. However, X-Force partnered with the equipment vendors to address the security issues and the building automation company to close configuration gaps.
What lessons can be learned from this incident? When buying internet-connected surveillance cameras and digital video recorders, immediately change default passwords and look for connection ports left open. Companies still neglect to do these things, especially after items have been installed, concerned more about the immediate cost of time- and resource-consuming tasks, experts say, rather than the perceived lesser threat of being taken off line or worse.
They would do well to remember the alternative, says Daniel Crowley, research director of IBM X-Force Red. Corporate espionage might inspire a competitor to hire a hacker to peek into data on your company’s facility use. Competitors might glean certain information by discovering who’s using particular conference rooms or hosting certain meetings. Or perhaps a hacker might just like to cause havoc, maybe shutting down elevators or blocking access to entire floors or departments in a 70-story building, possibly creating panic situations that require completely shutting down the building. That’s a lot more costly than changing a few passwords post-installation.
“You should make sure that on a BAS an attacker has to get through a series of gateway systems before they can talk to a device, because as soon as you can talk to another device it’s game over,” Crowley says. No controls between systems leaves them vulnerable — it means they can be used as a platform to start hacking into other things on the network.
3. Target’s contractor hack
Distinctly separated systems might have prevented the hack that significantly damaged Target’s brand in 2013. In this situation, contrary to popular belief, a hacker didn’t infiltrate Target by its HVAC system but by phishing employees of Fazio Mechanicals, an HVAC contractor for the company. One employee clicked on that link, which allowed hackers to capture credentials they used to access a work order system for billing, then pivot into Target’s point-of-sale system, Gordy explains. Hackers were then able to collect credit card data on 40 million users, which could be sold on the black market.
A couple of valuable lessons:
• The necessity of installing a solid anti-virus system that thwarts phishing techniques.
• The importance of training employees to be security minded, avoiding clicking on unfamiliar links, and looking for suspicious details in email addresses and signatures.
4. Casino’s smart thermometer
It was the smart thermometer of a casino lobby’s fish tank that gave hackers access to a high-roller database in 2018. Not much is known about this hack, yet Gordy says it’s “not too far removed from what happened with Target” — it was probably caused by poor network design. “If I can get into your financials through a smart thermostat, then you don’t have your network segmented correctly,” he says. Facility operations equipment should be physically separated or on virtual local area networks, and there should be no crosstalk between networks.
Cybersecurity experts emphasize that facility managers should employ tighter security measures for smart devices. The result is radically reduced options for hackers to get into the company’s BAS. Always change default passwords, which are so frequently the Achilles’ heel of many companies, Crowley says. “That password is often the small hole hackers leverage into a larger compromise,” he says.
It’s also common to find backdoor access points built into smart devices. Manufacturers create these, for instance, so their tech support departments can access a device for customer service.
Another problem with smart devices involves testing and debugging doors. Manufacturers perform the requisite testing and debugging in the production process but often forget to remove or close these before the product ships to customers.
Before installing any device that links to the internet, change default usernames and passwords. Finally, make sure each user has unique credentials and that there are no shared users.
5. High-rise building
A hacker targeted a commercial high-rise of between 40 and 50 floors, two of which were government offices. The hacker penetrated the parking system printer via an exposed wireless access point, telling it to print a message stating there was a bomb in the building. There was no bomb.
This raises a concern about branding for facility managers for buildings across a town, a region, a country, or the world. If a facility suffers one incident like this, Gordy says, how does that make the brand look? Target’s hack caused tremendous financial pain because customers lost confidence in the brand.
Implementing these lessons might protect lives, brands, and information. It will strengthen BAS security and lower the probability of being hacked.
Nichole L. Reber is a freelance writer who covers facility technology.
Email comments and questions to edward.sullivan@tradepress.com.
5 Real-World Incidents Offer Cybersecurity Lessons for FMs
