There’s a lot to like about operating in a “smart” building. With the click of a button, from anywhere in the world, air conditioning and heat can be controlled, lights can be turned on or off and doors can be locked. However, with that convenience comes some risk—often in the form of cyber attacks.
Since all of these Internet of Things (IoT) devices operate over wireless networks, hackers can find a way to get their hands on them and start controlling them, too. When that happens, incidents like a hacker shutting down the cooling system that stores pharmaceutical drugs at a Netherlands supermarket can occur. Elisa Costante, senior director of Industrial OT Technology at enterprise security company ForeScout, noted the hacker was a former disgruntled employee who was able to log into the building’s automation system remotely using old credentials.
“A key takeaway from this incident should be that insider threats are a valid risk for any organization and a BAS (Building Automation System) can be hacked by someone with a little know-how and motive,” Costante wrote.
According to Costante, BAS vulnerabilities have increased during the past two years. One of the vulnerabilities that ForeScout discovered existed on a universal software infrastructure that lets building control integrators, HVAC and mechanical contractors to build custom, web-enabled apps in order to access, automate and control smart devices in real time over a local network or the Internet. While convenient, this software infrastructure is susceptible to malicious users who can access the HVAC system, like the hacker at the Netherlands supermarket. The HVAC system might be just the beginning—once a hacker gets into a network, they could possibly find databases that have customers’ personal information like credit card numbers.
“This is similar to what caused the Target breach, where attackers managed to exfiltrate millions of customers’ credit card data by leveraging the compromised credentials of an HVAC contractor with access to Target’s network,” Costante wrote.
Total visibility into BAS networks is one way to combat such attacks, according to Costante. If organizations or commercial real estate owners have enhanced security and network monitoring, they’ll have a better understanding of the BAS environment and its connections. Full visibility into the BAS network also makes it easier to create effective security infrastructures, identify attacks and find blind spots in the system.
“In the case of the (supermarket incident), visibility into the network would have identified the employee logging into the system and performing dangerous operations within the network,” Costante said. “Baselining the network traffic would have helped to identify systems issuing commands that were out of the realm of normal operations.”