If You’re Breached, You May Be Facing Two Battles


According to an Ars Technica article on Monday, August 24, a federal appeals court ruled that the Federal Trade Commission (FTC) can sue a company that employs poor IT security practices.  The ruling came out of a lawsuit the FTC filed against the Wyndham Worldwide Corporation, which suffered three breaches from 2008 to 2009. (See FTC v. Wyndham.)

FTC Chairwoman Edith Ramirez wrote in a statement to Ars, “Today’s Third Circuit Court of Appeals decision reaffirms the FTC’s authority to hold companies accountable for failing to safeguard consumer data. It is not only appropriate, but critical, that the FTC has the ability to take action on behalf of consumers when companies fail to take reasonable steps to secure sensitive consumer information.”

What could this mean for the control system community?

This means we can no longer sit back and use the excuses “that’s the way it has always been done” or “so what if someone turns an air handler off” or “nobody cares about hacking a control system”.  If an attacker reaches customer data through a BAS, not only could you be liable to consumers, the FTC could come after you as well.

This is not the only action by the FTC.  According to an article on Security Week, the agency has settled more than 50 cases so far.  Given the federal appeals court ruling this week, the FTC’s authority in such matters has been reaffirmed.  Lawsuits such as these will likely increase.

As system integrators, building owner/operators, vendors, and manufacturers, we need to step up our OT security practices.  IT and OT are converging more and more every day and the lines between them are becoming less obvious. And rightfully so. We have to shoulder our share of the responsibility or we could be in the crosshairs of the FTC as well.

There is a credit card company that uses the phrase “what’s in your wallet”.  Maybe we should start asking ourselves “what’s in our budget” and add a review and upgrade of our IT/OT infrastructure to it.

Practical Application for Using Shodan

Finding Devices, Protocols, Vendors, etc.

(Disclaimer – It is not the intent of this post to point out a particular BAS software vendor, protocol, or device.  The intent is to show that we, the system integrator, still have work ahead of us to do our part.)

Shodan’s search engine is fairly flexible and easy to use.  The various lists below are what I found using a URL search like the two shown here (you must be logged in for the URL search to work).

  • https://www.shodan.io/search?query=PDU+country%3A"US"
  • https://www.shodan.io/search?query=PDU+country%3A%22US%22

Notice the two parts of the URL string after query=.  The first (PDU) is what you are looking for and the second (country) is the country filter.  The URL-encoded form of a colon is %3A. The quotation mark can be entered as it is, but in case that doesn’t work, the URL-encoded form of a quotation mark is %22.

You can also add the city.  There are three parts in the URL search below.  The last is the city.  I added +city:"Atlanta".

https://www.shodan.io/search?query=PDU+country%3A"US"+city%3A"Atlanta"

In the Shodan search window the above looks like this:

[Image: Shodan search window showing the PDU, country and city search]

You can also add other search criteria such as city, port, product, org (internet provider), os (operating system), etc.  The example below shows adding a country and a city to the search.

  • Part 1 – https://www.shodan.io/search?query=
  • Part 2 – enter the device or protocol or vendor or etc. you want to look for (example PDU)
  • Part 3 – (optional) +country (example: +country%3A"CA" – this will search Canada)
  • Part 4 – (optional) +city (example: +city%3A"Toronto" – this will search Toronto)

The completed URL search would look like this:

https://www.shodan.io/search?query=PDU+country%3A"CA"+city%3A"Toronto"
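The URL assembly described above is easy to get wrong by hand (a curly quote, a missing %3A, a mistyped filter name). The following is an added example, not code from the original post and not Shodan’s own tooling: it builds the search URL from a term and filter values with the standard library’s URL encoding, and parses one back so you can confirm what a pasted URL actually asks for. It assumes only the https://www.shodan.io/search?query= form shown above and the filter names listed in the post (country, city, port, product, org, os); the function names are my own. It does not contact Shodan.

```python
"""Build and parse Shodan search URLs with correct URL encoding.

Added example, not part of the original post. Assumes only the search URL form
https://www.shodan.io/search?query=... and the filter names the post mentions.
Nothing here talks to the network; it only constructs and checks URL text.
"""
import shlex
from urllib.parse import parse_qs, urlencode, urlparse

SHODAN_SEARCH = "https://www.shodan.io/search"

# Filter names the post lists; used to catch a typo such as "contry" before
# the URL is pasted into a browser.
KNOWN_FILTERS = {"country", "city", "port", "product", "org", "os"}


def build_query(term, **filters):
    """Join a search term with filter:"value" pairs into a Shodan query string.

    Each value is wrapped in double quotes, as the post does for country and
    city, so the encoded URL carries %22 around the value and %3A for the colon.
    """
    parts = [term]
    for name, value in filters.items():
        if name not in KNOWN_FILTERS:
            raise ValueError(f"unknown Shodan filter: {name}")
        parts.append(f'{name}:"{value}"')
    return " ".join(parts)


def build_search_url(term, **filters):
    """Return the full search URL.

    urlencode turns ' ' into '+', ':' into %3A and '"' into %22, which is
    exactly the encoded form the post shows.
    """
    return f"{SHODAN_SEARCH}?{urlencode({'query': build_query(term, **filters)})}"


def parse_search_url(url):
    """Recover (term, filters) from a search URL, e.g. one copied from a browser.

    Works whether the quotes in the URL were left literal or encoded as %22,
    because parse_qs decodes both to the same query text.
    """
    query = parse_qs(urlparse(url).query).get("query", [""])[0]
    tokens = shlex.split(query)  # honours the double quotes around values
    term_tokens, filters = [], {}
    for tok in tokens:
        name, sep, value = tok.partition(":")
        if sep and name in KNOWN_FILTERS:
            filters[name] = value
        else:
            term_tokens.append(tok)
    return " ".join(term_tokens), filters


if __name__ == "__main__":
    url = build_search_url("PDU", country="CA", city="Toronto")
    print(url)                      # the completed URL from the post
    print(parse_search_url(url))    # ('PDU', {'country': 'CA', 'city': 'Toronto'})
```

The org filter the post lists is the one a defender wants most: pass your own organization name (or your customer’s) as org= and the resulting search shows what Shodan has already indexed for that address space, which is the list you should be working through before anyone else does.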

Below are the results of various searches.  The first group is by manufacturer.  It lists the total number for each in the United States and the top 5 cities.  The second group is by protocol.  It also lists the total number for each in the United States and the top 5 cities.  The last set is by device type, with the United States total and top 5 cities.

Vendors

Protocol

PDU

Chillers

Thermokon’s Newest Products — Released at EnOcean’s 902 MHz Frequency for North America

Thermokon is pleased to announce several game-changing 902 MHz EnOcean products recently added to their extensive EasySens product platform, which include these application advantages:

» Cost savings due to Energy Harvesting: producing energy from the sensor environment
» Flexibility with sensor location – quick and easy mounting and commissioning
» Reduction of fire load – no need for wires
» Easy integration into existing buildings – no wiring
» High-end designs and direct mounting to all surfaces
» Compatibility to other manufacturers: International Standard (IEC 14543-3-10)

The room sensor is designed for temperature and (optional) humidity detection, local set point and fan speed adjustment for room control in buildings. The sensor transmits its measured values wirelessly to the corresponding receivers, which process the information and pass it on to the centralized control unit. Configuration is done via a serial interface. The room sensor can be integrated into the various switch design programs of the indoor installation range.

Application: Small, radio-controlled, battery-powered radiator valve actuator for room temperature control, which mounts directly onto commercially available radiator valves manufactured by Heimeier, Honeywell-MNG, Junkers, Honeywell-Baukmann, Oventrop (1998 and later), Cazzaniga, and many more. The actuator is radio controlled based on the EnOcean wireless protocol according to the international standard IEC 14543-3-10. The EnOcean Equipment Profile EEP A5-20-01 (Battery Powered Actuator) is supported.

Application: Bi-directional gateway for EnOcean-based sensors and actuators as well as controllers and control systems with BACnet IP interface. Configuration / commissioning with the EasySens AirConfig software tool. For details of the BACnet protocol please visit http://www.bacnet.org/.

The Atlanta Better Buildings Challenge, Pecha Kucha, and The Belimo Energy Valve

Here is a video of my Pecha Kucha at the Atlanta Better Buildings Challenge. Pecha Kucha is a presentation style that allows the speaker 20 slides and 20 seconds to explain each slide. The Atlanta Better Buildings Challenge is the vision of Atlanta mayor Kasim Reed. He challenges commercial buildings in Atlanta to reduce their energy consumption 20% by the year 2020.

ICS/SCADA Security Essentials, Atlanta – Billy Rios, Instructor



My friend and mentor Billy Rios will be the instructor for the upcoming SANS Institute ICS/SCADA Security Essentials in Atlanta, September 28 through October 2. Billy is not only an expert on this subject, but is highly engaging and thought provoking.  His instructional delivery method conveys information that can be easily understood and is comprehensive.

The course is not specifically BAS focused but it does cover topics that are important to our type of integration.  Also, attending this course will earn you 30 CPEs.

There is a link below for information on this course.

http://www.sans.org/community/event/ics410-atlanta-28sep2015-billy-rios

ControlTrends at The Atlanta Better Buildings Challenge

I got a chance to hang out with the movers and shakers of the Atlanta Better Buildings Challenge last night. Atlanta’s mayor, Kasim Reed, gave us an update on the progress Atlanta Building owners are making towards reducing their energy spend by 20% by the year 2020.

Yours truly got to speak to the group using a very scary speaking format called Pecha Kucha, a PowerPoint presentation format designed to keep long-winded people like me from talking too long. The format is 20 slides in twenty seconds. YIKES!!! It was one of the most challenging things I have ever done. The slide presentation is set to update every twenty seconds with or without you. How did I do?? Well, that is reserved for another post.

I got to meet a lot of cool people, including Aaron Bastian. Aaron is the communications manager for the Mayor’s Office of Sustainability. Hear what Aaron has to say about the Atlanta Better Buildings Challenge and stay tuned to ControlTrends for all the latest Control and Smart Building News you can use.

Data Center Equipment Exposed With Default Manufacturer User and Pass

Shodan Cataloging of Liebert & APC

(Disclaimer – It is not the intent of this post to point out a particular BAS software vendor.  The intent is to show that we, the system integrator, still have work ahead of us to do our part.)

Last week I searched for Niagara systems on Shodan and the numbers were 27k plus in just the US.  This week the US number is down just over 15k.  This does not necessarily mean it will continue to go down.  It just means that is the number Shodan has picked up thus far.

This week I searched for Liebert and APC.  These are typically used in data centers and you would not expect to find them exposed.  However, I was able to find some.  And the US is once again the leader of the pack of most exposed.

The good news is the number was only in the double digits for Liebert.  The number of exposed APC devices was significantly less than Niagara, but numbered close to 4,000.  The US was number one with 3,819 and the UK was number two with 578.

Checking out the details page of some sample units shows the information available is fairly descriptive.

The image on the right shows a Liebert Challenger that (according to the location description) is in a server room. The application software is listed as well as the firmware version.

[Image: Liebert CRAC BACnet service details]

The image on the right is the detailed information for this public IP. It also lists:

  • City
  • Country
  • Internet Service Provider
  • Last Update (this is the date and time Shodan last connected to the site, which was four hours before this screen capture)
  • Services – Telnet Port 23
  • Ports – 23, 80, 47808 (all default)
  • Etc.

Notice the street map at the top.


[Image: Liebert CRAC host location details with street map]

Another example of potentially critical equipment that is exposed and cataloged by Shodan is APC.

The image below shows an APC SNMP device with an exposed IP which happens to be a power strip that controls VM, APP, and SQL servers.

The details for the exposed IP listed are:

  • City
  • Country
  • Internet Service Provider
  • Last Update (this is the date and time Shodan last connected to the site, which was three hours before this screen capture)
  • Services – Telnet Port 23
  • Ports – 23, 80, 161 (all default)
  • MIB version
  • Etc.

Notice the street map at the top.

[Image: APC host location details with street map]

Like I said in the last post, we all know this is something that we cannot change overnight, and at the end of the day we cannot force the end user to spend the money and make the changes necessary to make their systems safer.  However, we need to architect new systems securely and make the necessary recommendations to our customers on how to secure their legacy systems.

If you would like more information on any of my other posts, email me at fred.gordy@smartcore.com.

Top US Cities With Exposed Niagara Systems

And Other Scary Stats

(Disclaimer – It is not the intent of this post to point out a particular BAS software vendor.  The intent is to show that we, the system integrator, still have work ahead of us to do our part.)

The information I list below I got by running a report on Shodan today (8/13/2015).  And it didn’t cost a dime and I didn’t have to use any query language… just plain ole English.

I opened the site (https://www.shodan.io/) and in the search bar I typed “niagara”.

[Image: Shodan search bar with “niagara” entered]

[Image: Shodan search results with country filter]

Next I clicked the United States.

At this point I clicked “Create Report” to save this search in case I want to review the data later on.

Notice in the image above the number of exposed Niagara systems in the United States is 27,182.  I ran a report last week and the number was 15,948.  The numbers should be heading down, not up.

This number represents (if you divide it by the number of states) an average of 543.64 Niagara systems per state that are exposed to the world, with the only thing between them and a hack being a username and password in the Niagara station.

[Image: top five cities from the search results]

The top five cities are listed on the left from the search results.

  • Houston – 384
  • Chicago – 308
  • Denver – 301
  • Seattle – 104
  • Indianapolis – 83

The next thing listed is equally disturbing.  Not only are the systems exposed on the web with only a username and password to protect the system, most are riding on top of an operating system that is no longer supported by Microsoft.  Almost twice as many systems are running Windows XP as are running Windows 7 or 8.  Support for XP ended April 8, 2014.

The next most common operating system listed is Windows 7 or 8 (lumped together).  Mainstream support for Windows 7 ended January 13, 2015.  Windows 8.# still has support for a few years yet. This report does not distinguish between the two.

[Image: top operating systems from the search results]

The image below shows the AX versions that are running.  This statistic is both encouraging and discouraging.

Apparently AX versions have been upgraded to more secure versions, but based on the statistics listed above, they were left exposed on the web and on an operating system that is no longer supported.

[Image: top AX versions from the search results]

We all know this is something that we cannot change overnight, and at the end of the day we cannot force the end user to spend the money and make the changes necessary to make their systems safer.  However, we need to architect new systems securely and make the necessary recommendations to our customers on how to secure their legacy systems.

If you would like more information on any of my other posts, email me at fred.gordy@smartcore.com.
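The two Shodan posts above boil down to the same defensive question: which of the exposed hosts are ours, and what on them needs fixing first? The following is an added example, not code from the original posts and not Shodan’s data format: it takes a set of public address ranges an integrator believes belong to its customers, matches them against exposure records, flags the default services the data-center post lists (Telnet 23, HTTP 80, SNMP 161, BACnet/IP 47808) and the unsupported operating systems the Niagara post cites, ranks the matches, and counts cities the way the top-cities screenshot does. The address ranges and host records are constructed sample data using RFC 5737 documentation addresses, and the record shape (ip, city, ports, os, product) is a simplified stand-in of my own, not Shodan’s real host JSON.

```python
"""Match exposure records against your own address ranges and rank the findings.

Added example, not part of the original posts and not Shodan's code or data
layout. All ranges and records below are constructed sample data; the record
shape is a simplified stand-in for what a Shodan host page shows.
"""
import ipaddress
from collections import Counter
from datetime import date

# Default services the data-center post found exposed, and why each matters.
RISKY_PORTS = {
    23: "Telnet management: credentials and sessions cross the internet in cleartext",
    80: "HTTP management page: login form is not encrypted",
    161: "SNMP: default community strings can read or change device settings",
    47808: "BACnet/IP: the protocol has no authentication of its own",
}

# End-of-support dates cited in the Niagara post.
OS_SUPPORT_ENDED = {
    "Windows XP": date(2014, 4, 8),   # all Microsoft support ended
    "Windows 7": date(2015, 1, 13),   # mainstream support ended
}

# Constructed sample: public ranges an integrator believes belong to its customers.
OWN_RANGES = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/25")]

# Constructed sample exposure records (RFC 5737 documentation addresses).
EXPOSED_HOSTS = [
    {"ip": "192.0.2.10", "city": "Houston", "ports": [23, 80, 47808], "os": "Windows XP", "product": "Niagara AX"},
    {"ip": "192.0.2.55", "city": "Chicago", "ports": [80, 161], "os": "Windows 7", "product": "APC PDU"},
    {"ip": "192.0.2.99", "city": "Seattle", "ports": [443], "os": "Windows 8", "product": "Niagara AX"},
    {"ip": "198.51.100.200", "city": "Denver", "ports": [23, 80, 47808], "os": "Windows XP", "product": "Liebert CRAC"},
]

# Report date of the Niagara post, used to decide whether a support date has passed.
REPORT_DATE = date(2015, 8, 13)


def is_own_address(ip):
    """True when the address lies inside one of OWN_RANGES (prefix match, not string match)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OWN_RANGES)


def host_findings(host, today=REPORT_DATE):
    """Return human-readable findings for one record: risky open ports and unsupported OS."""
    findings = [f"port {p} open: {RISKY_PORTS[p]}" for p in host["ports"] if p in RISKY_PORTS]
    ended = OS_SUPPORT_ENDED.get(host["os"])
    if ended and today >= ended:
        findings.append(f"{host['os']}: support ended {ended.isoformat()}")
    return findings


def exposure_report(hosts=EXPOSED_HOSTS, today=REPORT_DATE):
    """Keep only hosts in our ranges, rank them by finding count, and count cities."""
    ours = [h for h in hosts if is_own_address(h["ip"])]
    ranked = sorted(ours, key=lambda h: len(host_findings(h, today)), reverse=True)
    return {
        "matched": [h["ip"] for h in ranked],
        "findings": {h["ip"]: host_findings(h, today) for h in ranked},
        "top_cities": Counter(h["city"] for h in ours).most_common(5),
    }


if __name__ == "__main__":
    report = exposure_report()
    for ip in report["matched"]:
        print(ip, f"({len(report['findings'][ip])} findings)")
        for finding in report["findings"][ip]:
            print("   ", finding)
    print("top cities:", report["top_cities"])
```

Note that 198.51.100.200 falls outside the /25 and is correctly left out even though it looks like a neighbour; a prefix check with the ipaddress module avoids the string-prefix mistakes that creep into hand-maintained spreadsheets. The host with only port 443 and a supported OS produces no findings, which is the state the posts are asking us to design toward.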


What Makes a Company Great? It starts with their Philosophy

As we prepare for the nomination period for the 2015 ControlTrends Awards, I am reminded of how many great people, products and companies we have in our industry. It made me wonder what is at the core of these amazing players that make up the Building Automation Controls and HVAC Group.

I came across this video and post from Una de Boer, the director of marketing at Delta Controls. Una is one of the bright, hardworking, thoughtful people in our Industry and does a wonderful job of answering my question. So, with her permission, please check out the following video and Una’s words from one of her LinkedIn posts.

No one wakes up in the morning thinking, let me do a bad job.

One of the most important lessons I’ve learned in the last few years is that if you create an environment where people have the opportunity to do it right, we will. We will also be sticklers for detail, insist on creating the very best product available (rather than the minimum viable one), revise a brochure no fewer than 19 times, argue with each other vehemently at product management meetings (and then adjourn for a friendly group lunch). We will have really strong feelings about recycling and intense debates about whether or not our company should mail hard-copy Christmas cards (nope, not worth the negative environmental impact). We’ll organize the rescue of feral kittens from the abandoned lot next door, stay with the company forever, and take it really hard when things go wrong – even 22 years later.

One of my colleagues, Michelle, has worked at Delta Controls for 22 years. She started out in the production line and back in the day, the control boards were stamped and hand-signed by the assembler. Now Michelle works in Quality and Repair. Last year, a board came to her with a problem; a 20 year old board. That in itself was unusual: our industry has a life expectancy of approximately 10 years, and technology races forward at lightning speeds, so rather than sending a controller back for repair after 20 years, most building managers would probably just get a new one. In a way, this unusual occurrence was a high-quality problem, one we could even be proud of: our boards outlive the industry life expectancy…by a lot.

Michelle, however, was less than impressed. The board had her initials on it. As luck would have it, we were conducting a factory tour with some guests, so she had an audience and had to explain to them what she was working on. “I guess I didn’t do a good job on this one,” she said, about the control board she built 20 years ago that failed only after doubling its life expectancy. It’s like a 140 year old woman getting a cold, needing to see a doctor, and then saying “I guess I’m not as healthy as I thought.”

Michelle fixed the board and the owner is getting a few more years of productive use out of it. Plus all of us got some mileage out of the story, too. You’ll hear us talk about Michelle’s board – and her disappointment in it – in the lunch room, in meetings, in presentations. We marvel at how hard one of our colleagues took it when something went wrong, two and a half decades later. We respect her unrelentingly high standards and we hold her up as a role model.

Because she cares. Because she wants to do it right. Because she does do it right.

Doing it right is more than an opportunity: it’s a mandate and it will change the way you work. It will create a culture of excellence and all the irritations that come with it. Because when people care, there will be debate. There will be high standards – personally and professionally. There will be friction. There will be fractious meetings. There will be disappointments (just ask Michelle). But there will be good design, products that last (almost) forever, and pride.

It’s a good thing to get up in the morning knowing you’re going to do a great job.

Written by
Una de Boer

CABA — Where the Pros go to get Big Data on Big Data

I got a chance to catch up with Ron Zimmer from CABA. If you need to get the facts and information on all things Smart Buildings, and Building Automation Controls, Ron and the team at CABA can hook you up. Watch Ron and learn more. The Continental Automated Buildings Association (CABA) is an international not-for-profit industry association dedicated to the advancement of integrated technologies for homes and buildings. The organization was founded in 1988 and is supported by an international membership of over 300 organizations involved in the design, manufacture, installation and retailing of products relating to home and building automation.