Control system technology has been in buildings for about as long as computers and servers have been part of the financial world. Over that time the computers and servers have most likely been updated or replaced numerous times, and their cybersecurity controls updated even more often. There is a good chance, however, that the building control system technology has not been touched since it was installed decades ago, and that no cybersecurity measures have ever been applied to it.
Over the years these systems have been connected to the internet by various means: some through consumer-grade solutions or shared remote access software, others directly, using a public IP. A public IP address is reachable from anywhere on the internet, so anyone, anywhere in the world, can attempt to connect to it. Finding these addresses is simple using IoT search engines such as Shodan (https://www.shodan.io/) or Censys (https://censys.io/). Anyone can sign up for a free account with either and search on keywords like “building control,” “ICS,” “BBMD,” “BACnet,” or the name of a control system manufacturer. Tens of thousands to hundreds of thousands of devices across many countries appear within seconds.
Another overlooked issue is that building control system networks (BCSNs) with a public IP or third-party shared remote access software have been bridged to corporate IT networks. These BCSNs typically have unmanaged switches, no access controls, shared user accounts, long-abandoned accounts, and a single vendor account that the vendor uses in every system it installs at all of its customers. An attacker who gets in through the BCSN can therefore pivot to the corporate network.
How big is this attack surface?
Buildings have HVAC, standard and emergency lighting control, fire detection and protection, elevators, escalators, video surveillance, card access, UPS, generators, solar, power monitoring, water monitoring, gas monitoring, room management systems, people counters, and more, each with multiple devices attached. Conservatively, that is thousands of unmanaged, unmonitored, unpatched, and unsupported entry points. Complicating matters further, in over 90% of the assessments performed the BCSN architecture was not fully known and the count of connected devices was inaccurate. In one case the asset owner believed only four devices were connected to the HVAC network; a scan of that network found 32. One of them was a Raspberry Pi, a low-cost single-board computer that can be ordered online and programmed for almost any purpose. No one knew who had put it on the network or when, and once they went looking it took two weeks to physically locate it. A Raspberry Pi was also found on NASA’s JPL network, where it had allowed hackers to steal 500 megabytes of data from a major mission system (https://www.engadget.com/2019-06-20-nasa-jpl-cybersecurity-weaknesses.html).
Another contributor to the attack surface is the near-total absence of cybersecurity requirements in building control system vendor management. Most service agreements specify response times and service and maintenance requirements, but they fail to specify cybersecurity requirements such as access control, backup and recovery, and patching. The vendor is rarely required to notify the asset owner when an employee leaves, is fired, or no longer needs access to the system. Combine that with the vendor’s habit of using one user account for all of its employees and with the remote exposure of the system, and the system is wide open to a disgruntled former employee.
Without a vendor cybersecurity management program the exposure can be huge. To put it into perspective: if a building owner has 30 buildings, each building has ten systems, and each system is serviced by two or three technicians (not counting every other vendor employee who could also use the shared account), then 600 to 900 unmanaged and unaccounted-for technicians have unfettered access locally and, because of the remote exposure, from anywhere at any time. There is usually no audit trail, and if there were one it would show only the single shared username, making accurate forensics impossible.
If the Problem is so Big, What Can I Do?
Even though this problem has been building for decades, some things can be done that don’t require ripping out systems and starting over. The first area to address is asset management. The good news is that once the devices have been inventoried and documented and the networks have been identified and documented, building control systems do not change very often. Asset management of building systems is a much lighter lift than IT asset management.
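The inventory step above starts with finding out what is actually on the BCSN, and the Shodan searches mentioned earlier work because BACnet/IP devices answer the same discovery exchange from anyone who can reach UDP port 47808. The script below is an added example (not the author’s tooling or any vendor’s product) that builds a BACnet Who-Is broadcast and decodes the I-Am replies into a device list. It assumes BACnet/IP on the default port 47808, that devices answer a global Who-Is, and that the two sample frames are hand-constructed rather than captured. Run the live discovery only on a BCSN you are authorized to scan.

```python
"""
BACnet/IP inventory helper: broadcast a Who-Is, decode the I-Am replies.
Added example for this article; not the author's code or any vendor's tool.
Assumptions: BACnet/IP on UDP 47808, devices answer a global Who-Is, and the
sample frames at the bottom are constructed by hand (they are not captures).
"""
import socket
import struct
from typing import Dict, Optional

BACNET_PORT = 47808          # 0xBAC0, the default BACnet/IP port
DEVICE_OBJECT_TYPE = 8       # BACnetObjectType "device"
SEGMENTATION = {0: "both", 1: "transmit", 2: "receive", 3: "none"}


def build_whois() -> bytes:
    """Original-Broadcast-NPDU carrying an unconfirmed Who-Is with no instance range, so every
    device answers. DNET 0xFFFF (global broadcast) asks BACnet routers to forward it to other segments."""
    npdu = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])   # version, ctrl=dest present, DNET, DLEN=0, hop count
    apdu = bytes([0x10, 0x08])                            # Unconfirmed-Request, service choice 8 = Who-Is
    body = npdu + apdu
    return bytes([0x81, 0x0B]) + struct.pack("!H", 4 + len(body)) + body


def _read_app_tag(buf: bytes, pos: int):
    """Decode one application-tagged primitive; returns (tag_number, integer value, next position)."""
    tag_byte = buf[pos]
    if tag_byte & 0x08:
        raise ValueError("context tag where an application tag was expected")
    tag, length, pos = tag_byte >> 4, tag_byte & 0x07, pos + 1
    if length == 5:                       # extended length: the next byte holds the real length
        length, pos = buf[pos], pos + 1
    data = buf[pos:pos + length]
    if len(data) != length:
        raise ValueError("truncated frame")
    return tag, int.from_bytes(data, "big"), pos + length


def parse_iam(frame: bytes) -> Optional[Dict]:
    """Return device details from an I-Am frame, or None if the frame is anything else or malformed."""
    try:
        if len(frame) < 8 or frame[0] != 0x81 or struct.unpack("!H", frame[2:4])[0] != len(frame):
            return None
        pos = 4
        if frame[1] == 0x04:              # Forwarded-NPDU from a BBMD: 6-byte originating B/IP address first
            pos += 6
        if frame[pos] != 0x01:            # NPDU version
            return None
        control, pos = frame[pos + 1], pos + 2
        if control & 0x80:                # network-layer message, not an APDU
            return None
        source_network = None
        if control & 0x20:                # DNET / DLEN / DADR present
            pos += 3 + frame[pos + 2]
        if control & 0x08:                # SNET / SLEN / SADR present: device sits behind a BACnet router
            source_network = struct.unpack("!H", frame[pos:pos + 2])[0]
            pos += 3 + frame[pos + 2]
        if control & 0x20:                # hop count follows the addresses
            pos += 1
        if frame[pos:pos + 2] != b"\x10\x00":   # Unconfirmed-Request, service choice 0 = I-Am
            return None
        pos += 2
        t_oid, oid, pos = _read_app_tag(frame, pos)
        t_apdu, max_apdu, pos = _read_app_tag(frame, pos)
        t_seg, seg, pos = _read_app_tag(frame, pos)
        t_vend, vendor, pos = _read_app_tag(frame, pos)
    except (IndexError, ValueError, struct.error):
        return None
    # I-Am = object identifier (tag 12), unsigned (2), enumerated (9), unsigned (2); object must be a device
    if (t_oid, t_apdu, t_seg, t_vend) != (12, 2, 9, 2) or oid >> 22 != DEVICE_OBJECT_TYPE:
        return None
    return {
        "device_instance": oid & 0x3FFFFF,
        "max_apdu": max_apdu,
        "segmentation": SEGMENTATION.get(seg, "unknown"),
        "vendor_id": vendor,
        "source_network": source_network,
    }


def discover(timeout: float = 3.0, broadcast: str = "255.255.255.255") -> Dict[int, Dict]:
    """Send one Who-Is and collect every distinct device that answers before the timeout.
    Needs a real BCSN and authorization to scan it; binding fails if another BACnet stack owns the port."""
    found: Dict[int, Dict] = {}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.bind(("", BACNET_PORT))
        sock.settimeout(timeout)
        sock.sendto(build_whois(), (broadcast, BACNET_PORT))
        while True:
            try:
                data, (ip, _) = sock.recvfrom(1500)
            except socket.timeout:
                break
            info = parse_iam(data)
            if info is not None:
                found.setdefault(info["device_instance"], dict(info, ip=ip))
    return found


# Constructed sample frames (not captures): one device on the local segment, one reached via a BACnet router
IAM_LOCAL = bytes.fromhex("810b0014" "0100" "1000" "c4020004d2" "2205c4" "9103" "210f")
IAM_ROUTED = bytes.fromhex("810b0019" "0108" "000501" "07" "1000" "c40200004d" "2205c4" "9103" "22010c")

if __name__ == "__main__":
    for frame in (IAM_LOCAL, IAM_ROUTED):
        print(parse_iam(frame))
    # On an authorized BCSN, replace the loop above with:
    # for inst, dev in sorted(discover().items()):
    #     print(inst, dev)
```

The device instance, vendor ID and whether the reply arrived through a router (source_network) are exactly the fields worth writing down for the inventory: they let you compare what the vendor says is installed against what actually answers, which is how the 32-versus-4 discrepancy above would have surfaced. A device that answers here will answer a probe from the internet just the same if it sits behind a public IP.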
Once you have identified the building system networks, taking back access control is the next most important step. If you have found public IPs, have them removed. You will most likely find that vendors have installed remote access solutions over which they have sole control. These need to be removed and replaced with remote access that you control and can audit. Also make sure that each vendor employee has a unique user account.
The third, and equally important, area is vendor cybersecurity management. You can address it when service agreements come up for renewal, or go ahead and assess the existing service agreements for cybersecurity requirements now and address the gaps.
This is new territory for your facility staff and for the vendors that support the building systems. Introducing and enforcing these controls will require a layered approach that all parties can adopt. Remember, the group you are working with are “fixers.” They know how to make things work. They will either help make these policies, processes, and technologies work or find a way around them.