SoS Musings #57 - Securing Building Automation Systems

SoS Musings #57 -

Securing Building Automation Systems

Although there are advantages to implementing Building Automation Systems (BAS), there are still cybersecurity risks to consider. According to Schneider Electric, a BAS allows an operator to access, control, and monitor all connected building systems via a single interface. BAS technology enables centralized control of a building’s systems through networked electronic devices. In the past, a considerable amount of manual effort was needed to fine-tune HVAC (Heating, Ventilation, and Air Conditioning), power, lighting, and access control systems. With BAS solutions, these historically isolated systems are integrated, and operators are given a centralized view of the systems, thus increasing visibility and providing greater control. A BAS possesses many characteristics, including risks and priorities, that differ from traditional information processing systems, and therefore, have different performance and reliability needs, as Mario Navarro Palos at ISACA pointed out. An unprotected BAS could lead to damages to a building and pose a significant threat to the health and welfare of its occupants. Bernhard Isler, a senior systems architect for Siemens Switzerland, pointed out that if malicious users access a BAS, they could cause the system to malfunction and produce unwanted behavior or inflict damage to HVAC and other equipment, potentially leading to life-threatening conditions and the damage of IT property. A report published by the US Department of Energy’s (DOE) Pacific Northwest National Laboratory (PNNL) in March 2020 revealed that half of commercial buildings had intelligent building control devices directly connected to the Internet and could be accessed remotely, with 95 percent of the assessed sites having no disaster recovery plan in place. The report also revealed that almost 40 percent of BAS servers have been targeted with malware, phishing scams, or ransomware. As BAS solutions become more connected, their vulnerability to potential cyberattacks grows. BAS should be considered, managed, and safeguarded as part of critical infrastructure where security is critical in the ongoing maintenance of systems. It is essential for companies, manufacturers, and the security community to continue exploring and strengthening the security of these systems.

There are real-life consequences to attacks on BAS. A Distributed Denial-of-Service (DDoS) attack on a BAS in two apartment buildings in Lappeenranta, Finland, halted the distribution of heat, leaving residents cold during the winter of 2016 when temperatures were below freezing. The DDoS attack was reportedly noticed after the BAS used in the two properties began sending unusual alarms and could not be accessed remotely. The DDoS attack flooded the BAS with fake Internet traffic, causing it to repeatedly reboot and deny administrators remote access. A building automation engineering firm in Germany faced a cyberattack that locked it out of the BAS it had constructed for an office building client, causing it to lose contact with hundreds of light switches, motion detectors, shutter controllers, and other BAS devices. The company found that three-quarters of the BAS devices in the office building system network were locked down with the system's own digital security key, which the perpetrator behind the attack took over. Due to the attack, the firm had to go back to manually flipping central circuit breakers on and off to control the building's lights. Thomas Brandstetter, the co-founder and general manager of Limes Security, whose security firm was contacted by the victim engineering firm, said the BAS devices were ultimately bricked because they were wiped to the point where they no longer functioned properly. Limes Security was able to retrieve the hijacked Bus Coupling Unit (BCU) key from one of the bricked device's memory through some creative hacking. The engineering firm was then able to reprogram the BAS devices and get the building's lighting, window shutters, motion detectors, and other systems up and running again. However, this incident was not an anomaly as Limes Security has since been receiving other reports of similar attacks on BAS systems running on BAS technology widely used in Europe called KNX. Another engineering firm in Europe experienced a similar attack on a KNX BAS that locked it out too. To further bring attention to the vulnerability of BAS to attacks, Forescout’s Elisa Costante and her team of security researchers looked for security vulnerabilities in BAS equipment and developed proof-of-concept malware to exploit some of those weaknesses. During their analysis of popular BAS components such as protocol gateways and PLCs for HVAC and access control systems, 10 security flaws, including cross-site scripting (XSS) bugs associated with web application interfaces, privilege escalation bugs, and buffer overflow flaws were discovered. They created a proof-of-concept worm that spreads itself among BAS devices and demonstrated that BAS hacking does not require heavily resourced nation-state backing. As attacks on BAS can cause life damage to a building and its occupants, securing these systems is a necessity.

BAS vulnerabilities leave buildings open to large-scale cyberattacks. The Forescout OT Research Team conducted an experiment to gain further insight into BAS security. They built a realistic BAS simulation lab consisting of surveillance, access control, and HVAC devices communicating with different BAS protocols interconnected on an IP network and then tested each device for vulnerabilities. The study resulted in the discovery of XSS vulnerabilities, a path traversal vulnerability, a file deletion vulnerability, an authentication bypass vulnerability, a buffer overflow vulnerability, and a hardcoded secret vulnerability. If an attacker were to exploit the XSS vulnerabilities, they can inject malicious scripts into trusted web interfaces used on the vulnerable devices, that could then be executed by an unsuspecting user’s browser to access cookies, session tokens, and other sensitive data, as well as carry out malicious activities on the user’s behalf. The exploitation of the path traversal and file deletion vulnerabilities could allow an attacker to manipulate path references, and access or delete critical files and directories stored outside the root folder of the device’s web application. Using the authentication bypass vulnerability, an attacker can manipulate a session identifier sent in a request in order to steal application users’ plaintext passwords and other credential information. The hardcoded secret and buffer overflow vulnerabilities were found to be the most severe issues as they can allow a remote attacker to execute arbitrary code on the targeted device and take complete control over it. IBM Security’s X-Force Ethical Hacking team also highlighted BAS security issues through a real-world experiment in which they conducted a penetration test to infiltrate a BAS. They offered to perform the test with an established building management firm in North America and discovered a range of security flaws that left the system vulnerable to remote hacks. Through design flaws, they were able to gain control of the DLink router that connected the BAS to the Internet, also discovering that the device password was stored in cleartext as it was not encrypted. From this point, they discovered and accessed the BAS control software from the Internet. A flaw contained by the system diagnostics page in the BAS software allowed the researchers to access the device’s configuration settings, including encrypted passwords. From there, they decrypted the passwords and found the password for the central command server, which is used to manage stations for many buildings across North America. The researchers then went to the facility where the software was deployed and gained access to the central command server by using the password and connecting to the system from outside the building via the Wi-Fi network. They warned that a malicious actor could alter the physical conditions of all the buildings controlled by the system by accessing and controlling the central BAS server. Such efforts must continue to be made to uncover and highlight BAS vulnerabilities in order to spark the development of stronger security strategies and methods.  

There are several ways for companies and manufacturers to improve BAS security. It is essential to establish a defense-in-depth approach to securing BAS, which involves applying a cybersecurity framework such as the National Institute of Standards and Technology’s (NIST) Cybersecurity Framework (CSF), which covers identification, protection, detection, response, and recovery. Organizations are encouraged to conduct a tailored security assessment for BAS to improve situational awareness. This includes evaluating, analyzing, and reviewing security architecture, policies, plans, procedures, baselines, services acquisition, and more. It is important for organizations to consider implementing network segmentation, segregation, boundary protection controls, and stricter firewall rules. BAS designers and operators, as well as facility managers, must be made aware of security risks through proper training to ensure existing BAS solutions are secure against cyberattacks. PNNL calls on system users to be trained in basic cybersecurity hygiene to help prevent them from falling victim to phishing scams, malware, and other threats that could lead to the compromise of a BAS system. IBM recommends encouraging secure engineering and coding practices, using application security scanning, implementing IP address restrictions, disabling remote administration features and unnecessary ports on wireless routers, and ensuring that all BAS device software is up to date. Another way to improve BAS security is to get professionals who install and manage BAS systems more involved in IT or security team operations since BAS systems are often handled by engineers, and building management firms and security teams rarely cross paths with BAS operations.

The security community should continue exploring and developing novel solutions to bolstering BAS security as attacks on these systems pose threats to security and safety.