Digital transformation initiatives are being increasingly adopted across all critical infrastructure sectors due to their undeniable benefits: from driving innovation and safety to cutting costs and reducing energy consumption. To capture these benefits, many organizations are adding internet of things (IoT) sensors and other cyber-physical systems (CPS) to the networks and equipment that underpin their facilities’ building management systems (BMS).
The internet connectivity introduced by these IoT devices, however, can also expand the attack surface for bad actors looking to infiltrate smart buildings. Since BMS commonly utilize insecure protocols and legacy systems without adequate security controls, they tend to be uniquely vulnerable to cyber threats. Further compounding the issue, many organizations struggle to gain visibility into — much less protect — the often-extensive amount and variety of BMS in use. These conditions give rise to a low focus on managing BMS cyber risks company-wide, causing many organizations to find that they are wholly unprepared to meet the challenges of a continuously evolving threat landscape.
A building management system (BMS), which is at times also referred to as a building automation system (BAS) or building control system (BCS), is a type of cyber-physical system (CPS) designed to control, monitor, manage, and optimize various aspects of building operations. Examples of building management systems include:
heating, ventilation, and air conditioning systems or HVAC controls, which are used to maintain comfortable indoor conditions while optimizing energy usage;
physical security and access controls such as access cards, surveillance cameras, and alarms;
fire and life safety systems such as smoke detectors, fire alarms, and emergency response systems;
elevators and more
Key objectives of BMS are to increase operational efficiency by centralizing the control and monitoring of diverse building systems, create a safer, more secure, and more comfortable environment for occupants, and help preserve the safety, availability, and integrity of the operations and processes occurring within the facility. However, as noted above, these systems are increasingly being connected to and controlled via the internet, which is creating new attack vectors for cybercriminals looking to disrupt critical assets and systems. In the next section, we will discuss the cybersecurity challenges facing BMS and how hackers are capitalizing on the vulnerabilities present within these systems.
As network-connected BMS grow in popularity and complexity, understanding their inherent cybersecurity challenges has become more important than ever. Here are a few of the most prominent challenges faced by BMS today:
BMS typically have multiple access points, including web interfaces, wireless connections, and third-party integrations. These entry points can be tough to identify (much less secure), thereby increasing the attack surface and leaving the system more vulnerable to potential cyber threats.
Many building management systems use outdated software and protocols which lack modern security features. These legacy systems may contain known vulnerabilities that attackers can exploit.
BMS environments typically use a diverse mix of proprietary and open-standards protocols to communicate, thereby complicating security teams’ ability to discover, protect, and manage BMS. Additionally, many older protocols such as BACnet, Modbus, and others commonly used by BMS lack built-in encryption and other security features. As a result, building layouts, user credentials, HVAC configurations, or other sensitive data transmitted by or to BMS that use these protocols are far more susceptible to compromise.
BMS protocols can also contribute to inadequate network segmentation due to their characteristics and communication methods. Without proper segmentation practices in place, the entire BMS network can be exposed to potential threats. If one component or device is compromised, hackers can gain access to the entire system. This may result in the manipulation of building operations — leading to adverse impact on HVAC, lighting, access controls, or even safety systems, which can cause safety hazards for occupants.
Weak passwords or default credentials are commonplace in BMS components and make it easier for attackers to gain unauthorized access. Access controls are also often improperly configured, enabling unauthorized users to gain administrative privileges or access to critical systems.
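The points above about unencrypted protocols and weak segmentation can be made concrete with an added example (not from the original post or any vendor product): because Modbus/TCP carries function codes and register values in cleartext, a passive monitor can decode them and flag write requests that come from outside the BMS management subnet. The subnet, source addresses, and sample frames are constructed assumptions.

```python
import ipaddress
import struct

# State-changing and read function codes from the public Modbus specification.
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}

# Assumption: the only subnet permitted to send writes to BMS controllers.
BMS_MGMT_NET = ipaddress.ip_network("10.20.0.0/24")

def parse_modbus_tcp(payload: bytes) -> dict:
    """Decode the MBAP header and function code of one Modbus/TCP message."""
    if len(payload) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol identifier is not 0 (not Modbus)")
    if length != len(payload) - 6:
        raise ValueError("MBAP length field does not match payload size")
    func = payload[7]
    code = func & 0x7F                      # high bit marks an exception reply
    rec = {"transaction": tid, "unit": unit, "function": code,
           "exception": bool(func & 0x80),
           "name": WRITE_CODES.get(code) or READ_CODES.get(code, "Other")}
    # Single-write requests carry a 16-bit address and value, unencrypted.
    if code in (5, 6) and not rec["exception"] and len(payload) >= 12:
        rec["address"], rec["value"] = struct.unpack(">HH", payload[8:12])
    return rec

def review_flow(src_ip: str, payload: bytes) -> dict:
    """Flag write operations that originate outside the management subnet."""
    rec = parse_modbus_tcp(payload)
    is_write = rec["function"] in WRITE_CODES and not rec["exception"]
    rec["src"] = src_ip
    rec["alert"] = is_write and ipaddress.ip_address(src_ip) not in BMS_MGMT_NET
    return rec

# Constructed sample frames (not captured traffic).
WRITE_SETPOINT = bytes.fromhex("0001 0000 0006 01 06 0010 00d7")
READ_REGISTERS = bytes.fromhex("0002 0000 0006 01 03 0000 0002")

if __name__ == "__main__":
    for src, frame in [("10.20.0.5", WRITE_SETPOINT),
                       ("192.168.50.23", WRITE_SETPOINT),
                       ("192.168.50.23", READ_REGISTERS)]:
        print(review_flow(src, frame))
```

The same write frame is accepted from the management subnet and flagged from any other source, which is the kind of cross-zone signal that segmentation monitoring relies on.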
As we now know, building management systems control virtually every aspect of a smart building and can deliver significant efficiencies and cost savings. However, this often overlooked segment of critical infrastructure faces many cybersecurity challenges which have made them increasingly vulnerable to attacks. These vulnerabilities have been seen through the following cyberattacks:
Attack on Building Automation Engineering Firm:
A building automation engineering firm in Germany experienced a nightmare scenario when it lost contact with hundreds of its BMS devices — including light switches, motion detectors, shutter controls, and others. All smart devices were considered to be bricked by the attack. According to the co-founder of Limes Security, Thomas Brandstetter, “Everything was removed… completely wiped, with no additional functionality”. Following the attack, the engineering company started to look for external help to regain access to and control of its BMS. However, all vendors claimed that no reset was possible and suggested that the equipment should be completely ripped out and replaced. This overhaul of BMS would have cost over a hundred thousand euros considering hardware, installation and verification costs — and displayed the financial ramifications an attack of this nature can cause.
Hack of Casino via IoT device in Fish Tank
In 2017, the hack of a casino took place via an IoT device in a lobby aquarium. The fish tank that was breached had sensors connected to a PC that regulated the room temperature, food, and cleanliness of the tank. Once inside the fish tank, the attacker was able to move laterally through the network and compromise more than 10 gigabytes of proprietary personal and payment data from top patrons of the North American casino. This out-of-the-box hack raised concerns over the new and more imaginative ways that threat actors are taking advantage of vulnerable BMS devices. It also displayed the imminent need for a strong BMS cybersecurity strategy.
HVAC Hack Shines Spotlight on Risks to Healthcare
A hacking incident reportedly targeted a Massachusetts-based HVAC vendor that provides HVAC systems to several Boston-area hospitals. During the alleged attack, the threat actor tried to extort the vendor to pay a fee; however, Boston Children’s Hospital claimed that “there is no risk to either hospital operations or business operations as a result of this incident, and no patient information was affected”. Thankfully, no patients were harmed during this incident, but the event did raise a call to action for healthcare organizations to better protect their building management systems. If an attack like this were successful, operating rooms and isolation rooms would be gravely affected, with temperature and humidity being a major factor controlling growth of bacteria and maintaining certain pressures to stop the risk of infectious diseases spreading.
Building management systems are often overlooked as potential points of vulnerability due to security teams' focus on protecting traditionally targeted assets and systems. However, as the world becomes increasingly interconnected, cybercriminals are understanding the criticality of BMS operations, and the pathway they provide to other critical infrastructure. In order to eliminate many of the core challenges in BMS environments, organizations should adopt the following industrial cybersecurity principles:
Critical infrastructure organizations often lack the visibility into various BMS assets they are connected to across their environment. Maintaining a comprehensive inventory of all OT, IoT, IIoT, and BMS assets that underpin your OT environment is the foundation of effective industrial cybersecurity. At Claroty, we continue to expand our library of protocol parsers to add new depth to our knowledge of BMS devices. Our solutions can specifically highlight these critical devices, allowing users to zero-in on specific assets with comprehensive and accurate device profiles and communication mapping.
Since most BMS use outdated software and protocols, they are simply incompatible with traditional IT systems — but that doesn't mean they have no place in OT. Claroty helps to solve this problem by integrating with our customers' existing tech stack. This allows organizations to seamlessly extend their existing tools and workflows from IT to OT.
Unlike their IT counterparts, most BMS environments lack essential cybersecurity controls and consistent governance. After providing visibility into all BMS and integrating your IT tools and workflows with OT, Claroty eliminates this gap by extending your IT controls to OT. This allows organizations to unify their security governance and drive all uses on their journey to cyber and operational resilience.
With new and different types of entry points to exploit, the growing connectivity of BMS has made it easier for cyber criminals to gain unfettered access to an organization's extended internet of things (XIoT). Thankfully, critical infrastructure organizations across sectors can meet these challenges by prioritizing cybersecurity in their building management practices — starting with the adoption of the above three principles for securing BMS environments. Laying the groundwork for a strong cybersecurity strategy and partnering with a cyber-physical systems (CPS) protection partner, like Claroty, can help organizations identify and address vulnerabilities in their critical BMS systems. With Claroty, organizations can ensure their unique environment is properly protected while achieving cyber and operational resilience.