Check out what our friend and Smart Buildings Controls Expert, “Fearless Phil Zito”, had to say about his new book and the current state of Building Automation Controls and how hackers are getting into your building automation controls system and what you can do to stop them.
There are free tools readily available to anyone that can not only scan BACnet networks but also give the user the ability to make changes to individual control points, set schedules, review logs, view and acknowledge alarms, and turn your BACnet devices into “bricks”.
What Can The Tool Do?
The first thing I found was the ease of use of this program. In order to scan the network, all I needed was one BBMD. First, use an IoT search engine to find a publicly exposed BBMD (there are literally thousands of exposed BBMDs worldwide). The image below shows the results of taking one of these IPs and entering it into the tool. As you can see, starting from the one BBMD found using the IoT search engine, the scan revealed even more IPs that are not listed on the IoT search engine. In addition to finding other BACnet/IP devices, it discovered MS/TP (serial communicating) BACnet devices as well. There can be hundreds of devices attached to the system and thousands of points underneath the devices that can be controlled with this tool.
All the devices and points can be accessed without a username or password.
By clicking on a device in the top left window (image below), the device’s associated points are displayed in the bottom left window. These points can be dragged into the middle window, where their value and status are displayed along with device ID, object ID, name, and update time.
Clicking on a point in the bottom left window will display its properties in the window on the far right.
You have full control of the properties and can write to them.
The point property window allows editing of the point parameters. In the image below, the call-outs show what is editable (in black) and the parameters that could take the point offline (in red). Depending on the point type, command and control of these points/devices could lock operators out, change VFD speeds to an unsafe level, modify setpoints, etc.
This program can do much more; below are a couple of examples.
Edit Notification Settings
View Trend Logs
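The scan above works because a BBMD answers BACnet/IP link-layer (BVLC) requests from anyone who can reach it, with no authentication. The following is an added example, not code from the page or from the tool shown in the screenshots: it decodes the BVLC header of captured UDP payloads and flags the traffic an exposed BBMD invites, namely foreign-device registrations and broadcast-distribution requests from addresses outside the documented control subnets, and frames the BBMD forwarded on behalf of an outside source. The control subnet ranges, the capture entries and the 203.0.113.x address (RFC 5737 documentation range) are all constructed assumptions.

```python
"""Added example (not code from the page or from the scanning tool it shows):
decode BACnet/IP BVLC headers from captured UDP payloads and flag the traffic a
publicly reachable BBMD invites."""
import ipaddress
import struct

BVLC_TYPE = 0x81            # every BACnet/IP frame starts with this byte (ASHRAE 135 Annex J)
BACNET_PORT = 47808         # 0xBAC0, the well-known BACnet/IP UDP port

# BVLC function codes defined in Annex J
BVLC_FUNCTIONS = {
    0x00: "BVLC-Result",
    0x01: "Write-Broadcast-Distribution-Table",
    0x02: "Read-Broadcast-Distribution-Table",
    0x03: "Read-Broadcast-Distribution-Table-Ack",
    0x04: "Forwarded-NPDU",
    0x05: "Register-Foreign-Device",
    0x06: "Read-Foreign-Device-Table",
    0x07: "Read-Foreign-Device-Table-Ack",
    0x08: "Delete-Foreign-Device-Table-Entry",
    0x09: "Distribute-Broadcast-To-Network",
    0x0A: "Original-Unicast-NPDU",
    0x0B: "Original-Broadcast-NPDU",
}

# Functions that let a remote host join or reconfigure the BBMD's broadcast domain
SENSITIVE_FUNCTIONS = {
    "Register-Foreign-Device",
    "Distribute-Broadcast-To-Network",
    "Write-Broadcast-Distribution-Table",
    "Delete-Foreign-Device-Table-Entry",
}

# Assumed control-network ranges, following the 10.0.X.X / 192.168.X.X schemas
# the page describes; replace with the subnets from your own documentation.
CONTROL_SUBNETS = [ipaddress.ip_network("10.0.0.0/16"),
                   ipaddress.ip_network("192.168.0.0/16")]


def is_control_address(ip):
    """True when the address belongs to a documented control subnet."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CONTROL_SUBNETS)


def parse_bvlc(payload):
    """Return the BVLC header fields of one UDP payload, or None if it is not BACnet/IP."""
    if len(payload) < 4 or payload[0] != BVLC_TYPE:
        return None
    function = payload[1]
    length = struct.unpack("!H", payload[2:4])[0]   # covers the whole BVLC frame
    if length != len(payload):
        return None
    info = {"function": BVLC_FUNCTIONS.get(function, "unknown-0x%02x" % function)}
    if function == 0x05 and length >= 6:             # Register-Foreign-Device carries a TTL
        info["ttl_seconds"] = struct.unpack("!H", payload[4:6])[0]
    elif function == 0x04 and length >= 10:          # Forwarded-NPDU carries the original B/IP address
        ip = ".".join(str(b) for b in payload[4:8])
        port = struct.unpack("!H", payload[8:10])[0]
        info["original_source"] = "%s:%d" % (ip, port)
    return info


def audit_bvlc(capture):
    """capture: iterable of (source_ip, udp_payload). Returns a list of (source_ip, finding)."""
    findings = []
    for src, payload in capture:
        info = parse_bvlc(payload)
        if info is None:
            continue
        if info["function"] in SENSITIVE_FUNCTIONS and not is_control_address(src):
            findings.append((src, "%s from outside the control subnets" % info["function"]))
        origin = info.get("original_source")
        if origin and not is_control_address(origin.rsplit(":", 1)[0]):
            findings.append((src, "BBMD forwarded a frame that originated at %s" % origin))
    return findings


# Constructed capture: the Who-Is APDU (10 08) behind a global-broadcast NPDU
# (01 20 ff ff 00 ff) is the discovery request a network scan sends; the outside
# address is from the RFC 5737 documentation range and stands in for an internet host.
WHO_IS = b"\x01\x20\xff\xff\x00\xff\x10\x08"
SAMPLE_CAPTURE = [
    ("10.0.1.20",   b"\x81\x0b\x00\x0c" + WHO_IS),                         # local broadcast scan
    ("203.0.113.7", b"\x81\x05\x00\x06\x00\x3c"),                           # foreign registration, TTL 60 s
    ("10.0.1.1",    b"\x81\x04\x00\x12\xcb\x00\x71\x07\xba\xc0" + WHO_IS),  # BBMD relaying an outside Who-Is
    ("10.0.1.30",   b"GET / HTTP/1.1"),                                     # not BACnet/IP, ignored
]

if __name__ == "__main__":
    for src, finding in audit_bvlc(SAMPLE_CAPTURE):
        print(src, finding)
```

Run against a real capture, the same two findings are what you would look for in switch-port or firewall logs: Register-Foreign-Device from an address you do not own means the BBMD is doing exactly what the screenshots above show, and a Forwarded-NPDU whose original source is outside your ranges means the scan has already reached the broadcast domain behind it.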
6 million commercial buildings in the US are believed to be secure. Every single one has exposed building controllers, security cameras and access control systems that an entry-level hacker can hack into. Join Fred Gordy, Director of Cyber Security at Intelligent Buildings, and Ping Yao, CEO of Optigo Networks, as they discuss the incredible vulnerabilities in our buildings’ systems and what to do about it. If you are responsible for operational systems using open protocols such as BACnet & ONVIF, you won’t want to miss this webinar. We will discuss how easy it is to hack into many of the building systems and, more importantly, some of the basic steps that can and should be used to protect them.
Webinar Details: Date: Thursday September 15th Time: 11AM PDT | 2PM EDT
CAUTION: Regardless of your position in the world, this video should almost ruin your day, and linger long enough to bother you… for at least a week… but will it motivate you to allocate the resources and processes your organization needs to deal with this kind of cyber incident? Therein lies the cyber security rub.
This NexDefense SANS Institute module provides a demonstration of a fictional cyber attack against a control system reliant infrastructure. It is a learning tool for educational purposes and designed to help organizations better understand and develop exercise scenarios. While the module was played during a large industry exercise, it was utilized to provide cybersecurity training awareness for the participants. This training module scenario is not the scenario that was used during the industry exercise.
This video will be available here for a limited amount of time. This module is just one of the many modules available as part of our STH.Engineer security awareness training product line. Find out more about the STH.Engineer training program.
Thanks to our friend Fred Gordy, we got to participate in an eye-opening event. Stromquist & Company had the privilege of hosting the Atlanta Cyber Security meetup. The speaker, Doug Wylie, CISSP, VP Product Marketing & Strategy at NexDefense, was amazing. Doug explains several different types of cyber attacks and breaks down, blow by blow, two major cyber attacks on control systems that caused major disruptions. If you are interested in joining a cyber security meetup group in your area, please let us know in the comments and we will connect you.
We had a chance to catch up with one of our favorite people at the 2016 Realcomm|IBcon show, Intelligent Buildings’ Tom Shircliff. Tom, the co-founder of Intelligent Buildings, gives us his thoughts on the show and the trends he is seeing in smart buildings. He gives us a must-do regarding cyber security to make our smart buildings safer from cyber attack. Tom also shares with us the importance of water analytics as a way to make our buildings more energy efficient and safer (yes, I did say safer). Intelligent Buildings provides smart building consulting for multiple real estate use-types, utilities and governments that leverages technology and change management to lower costs, reduce risks and enhance experience.
ControlTrends met up with Todd Radermacher, Regional Sales Director at Cylance, out of the San Francisco Bay Area, who specializes in Information Technology and Services. Todd tells us, “Trying to keep ahead of the bad guys is the business we’re in.” Cylance now offers the next generation antivirus protection — armed with artificial intelligence and mathematics (algorithms) to scientifically predict foul play — and prevent the loss of intellectual property or paying the ransom to get your seized database back. Cylance can protect you and your organization from multiple threats, including system- and memory-based attacks, malicious documents, zero-day malware, privilege escalations, scripts and potentially unwanted programs. Visit Cylance’s website to access Videos, Datasheets, Whitepapers, and Case Studies and request a CylancePROTECT DEMO today.
Thanks once again to Intelligent Buildings’ Director of Cyber Security, Fred Gordy, who keeps the global ControlTrends Community and systems integrators current with his Cyber Security updates. Fred is calling for the widest dissemination of this information possible, and for responsible parties at every level to take immediate action to eliminate their exposure and safeguard their buildings against imminent attack.
Fred Gordy, Director of Cyber Security at Intelligent Buildings, LLC: I did a cursory search using the Censys device search engine of building control systems, and the first systems to pop up were Niagara 4 systems. As most know, Niagara 4 was released after the first of the year to the integrator community at large. The discussion of cyber security for control systems has been going on for over 4 years. So it is still amazing to me that control system devices are still being put directly on the web. These Niagara 4 systems would have had to have been installed in the last 4 months.
The screenshot below is just the first page. I didn’t count the Niagara 4 systems, but I was still finding them 5 pages into the 357 pages listed.
Okay… Your control system was installed a couple of years ago and you were handed riser diagrams, As-Builts, mechanical drawings, etc. and you were good to go. Right?
Up until recently, the standard implementation for a controls network was created by the integrator and given either a 192.168.X.X or 10.0.X.X IP schema. In some cases the only way to access the system was from a PC on the same network. In other cases the control network did not touch the corporate network, but it was accessible remotely. This was done by purchasing a router/VPN from a big-box electronics store, and your ISP (internet service provider) supplied you with a public IP to access your front-end from anywhere in the world.
But is that still the way it is set up?
If it is, is it the right way? Or it may have been set up correctly, but because of zero change management and oversight, your control network and corporate network have converged or holes have been punched in your security.
The following examples are possible representations of what a control network may look like, or maybe what it has become after a few years of “a change here” and “a change there”. It is important that you know your control system network configuration and keep your documentation up to date.
Example 1 – The control network was originally air gapped (physically separated from the corporate network) and the only access was via a public IP to the front end. The public IP by itself put the control system in jeopardy. At some point a second network card was added to the front-end and connected directly to the corporate network. By doing this there is now a hole punched into the corporate network, and the front-end can be used as a pivot point to access company systems.
Example 2 – The control network and corporate network are air gapped. There is no physical connection between the two. However, the control system is exposed to the world with a public IP. This leaves the control system vulnerable: infected payloads can be left ready and waiting for anyone who accesses the system.
Example 3 – Everything in this example is behind the corporate firewall and is seemingly safe. It has been my experience that in some cases the control system front-end is highly accessible and is used to check email, social media, etc. This practice can either cause the front-end to crash or give a threat actor a means to inject malware for data mining, command & control, etc.
Example 4 – This example is a little different in that there is a mix of public and private IPs. Certain parts of the system are exposed, and some would think that the others are not. Depending on the system you have, most will allow tunneling, which means that if the bad guy can get to a controller with attached devices, they can tunnel through it and command or damage the end devices.
Example 5 – This example deals with the physical security of a control network. In the example below, equipment with IP connectivity has been added to the network outside of the building. Because there is typically no traffic monitoring of a control network, the bad guy either connects something inline to remotely access the network from the comfort of their home, or temporarily connects and injects malicious software to perform whatever task they have chosen.
Example 6 – In this final example, one segment of the control network is exposed with a public IP and the other segment is on an internal, private network. At some point someone wanted or needed to get data from the internally networked control equipment to the other network, or vice versa, so they introduced a BBMD to route the traffic across the different subnets. Using Shodan, Censys, or ZoomEye the bad guy will more than likely find the BBMD and then, with FREE BACnet software, scan the network and find the devices on the other side. With this FREE BACnet software they now have unrestricted, no-password-needed command and control of these devices.
If you haven’t reviewed your control system network architecture in a while, I suggest you do. If you don’t have change management in place, you need to. If you have any segment of your control network exposed to the world, work with IT and get it behind a high quality firewall.
The BlackHats are looking and probing and they have plenty of tools available to them to find you. Let’s not make it too easy for them.
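Most of the six examples come down to a question you can answer from an accurate inventory: which addresses does each device have, and which zone is each address in? The following is an added example, not code from the page: it takes a constructed inventory of control-system devices and reports the patterns from Examples 1, 2, 4 and 6 above, that is, a front-end dual-homed between the control and corporate networks, interfaces outside the documented private zones, exposed controllers with downstream devices, and a BBMD straddling zones. The zone ranges, device names and the 203.0.113.x addresses (RFC 5737 documentation range) are assumptions; replace them with your own as-built documentation.

```python
"""Added example (not code from the page): audit a control-network inventory for the
segmentation mistakes described in Examples 1 through 6."""
import ipaddress

# Assumed zones: the control range follows the 10.0.X.X schema the page mentions,
# the corporate range is constructed for the example.
ZONES = {
    "control":   ipaddress.ip_network("10.0.0.0/16"),
    "corporate": ipaddress.ip_network("192.168.10.0/24"),
}


def zone_of(ip):
    """Name of the documented zone an address belongs to, or 'outside' if none."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "outside"


def audit_topology(inventory):
    """inventory: list of dicts with name, interfaces (IP strings) and optional
    bbmd (bool) / downstream (count of attached devices). Returns (name, finding) pairs."""
    findings = []
    for dev in inventory:
        zones = {zone_of(ip) for ip in dev["interfaces"]}
        # Example 1: one NIC on each network turns the host into a pivot point
        if {"control", "corporate"} <= zones:
            findings.append((dev["name"], "dual-homed between control and corporate networks"))
        # Examples 2 and 4: an address outside every documented zone is reachable from the world;
        # attached devices behind an exposed controller are reachable by tunneling through it
        if "outside" in zones:
            note = "interface outside documented zones (publicly reachable)"
            if dev.get("downstream"):
                note += "; %d downstream devices reachable by tunneling" % dev["downstream"]
            findings.append((dev["name"], note))
        # Example 6: a BBMD relays broadcasts between its subnets, so one that straddles
        # zones or sits outside carries the whole network with it
        if dev.get("bbmd") and (len(zones) > 1 or "outside" in zones):
            findings.append((dev["name"], "BBMD bridges zones: %s" % ", ".join(sorted(zones))))
    return findings


# Constructed inventory, one device per pattern plus two that are fine
SAMPLE_INVENTORY = [
    {"name": "FE-01",     "interfaces": ["10.0.1.5", "192.168.10.40"]},              # Example 1
    {"name": "JACE-02",   "interfaces": ["10.0.2.10"], "downstream": 14},            # ok
    {"name": "BBMD-01",   "interfaces": ["10.0.3.1", "203.0.113.20"], "bbmd": True}, # Example 6
    {"name": "VAV-GW-03", "interfaces": ["203.0.113.21"], "downstream": 40},         # Examples 2/4
    {"name": "WS-OPS",    "interfaces": ["192.168.10.55"]},                          # ok
]

if __name__ == "__main__":
    for name, finding in audit_topology(SAMPLE_INVENTORY):
        print("%-10s %s" % (name, finding))
```

The audit is only as good as the inventory it reads, which is the point of the change-management advice above: Example 1 is exactly the case where the second network card never made it into the drawings.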
If you’ve seen Jurassic Park you probably know this line. If you haven’t, the scene is this… There is a goat tied to a stake on a platform with a cage around it, raised up from the ground inside the T-Rex enclosure. The goat is tied to the stake and, of course, the T-Rex eats the goat.
So what in the world does this have to do with control systems?
I have had the fortune of being able to speak at different events over the past couple of years and in an effort to explain to IT and OT how to protect control systems I used the Jurassic Park goat example in this context… The control system is the goat. It has to be there and it has to be tied to the stake. It is vulnerable and not able to protect itself. We have to put a cage around it to keep the T-Rex out.
Some manufacturers are making strides to harden their systems and that helps, but as I have said time and time again… this alone will never fully protect the system. When designing the system, thought must be given to several aspects such as:
- If the system does not need to be accessed by anyone other than the building engineer staff and there is 24/7 staff, don’t expose it. Keep it air gapped. What is an air gap? The system is not connected to the corporate network and/or the internet.
- If the system needs to be accessed by others on the corporate network and/or remote engineering staff, segment the network so that it does not “touch” the corporate network, route it specifically to those who need access, and use a secure remote access method that only specific people can use.
- Every user has to have a unique account and a means of password expiration, with an expiration period no greater than 90 days.
- NOTE: Older systems do not have the ability to enforce password expiration. More manufacturers are adding this feature today, but not all.
- NOTE: For systems that cannot be set up to expire passwords automatically, a manual process will need to be implemented.
- Vendors should only have access on an as needed basis, which includes the Integrator during installation.
- Vendor and integrator employees must each have a unique account and a means of password expiration, with an expiration period no greater than 90 days.
- Remove the manufacturer’s default username and password from the new devices you are installing, and instruct the customer on how to change these users so that they can take ownership of their system.
- Audit existing field devices and remove default usernames and passwords. Instruct the customer on how to do this as well. They own the system, so they should own the user management.
- If the system is not air gapped and will be exposed to the internet, use commercial-grade IT devices to interconnect. If you are not qualified to install and configure these devices and there is no customer IT department who can and will take ownership of them, contract a licensed and bonded IT firm to do the work. This is a layer of liability you must decide whether or not to assume, because if there is ever a breach and forensics trace the breach to these devices, you could be liable.
- When possible, integrate with AD or LDAP.
- When possible, use secure connection options.
- When possible, use certification.
- Change default ports of equipment.
- Design physical security into the system.
- The front-end PC/server needs to be located in a locked cabinet and not on or under someone’s desk, even if the room has a lock or card access.
- Remove the keyboard, mouse, and monitor from the PC/Server.
- Secure field devices, switches, routers, etc. in lockable panels with unique keys that must be checked out to be used.
- Incorporate intrusion detection into panels.
- If audit and access logs are available, activate and configure them to retain historical data so that, in the event of a breach, it is available for forensics.
There are more steps that need to be considered and implemented. This is a starting point. Ultimately, integrators decide what their best practices are to be, and part of that decision includes determining what their appetite for liability is.
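The account, port and logging items in the checklist above are easy to state and hard to keep true across hundreds of field devices, especially on older systems where password expiry has to be a manual process. The following is an added example, not code from the page: it applies those items (unique accounts, 90-day password age, no factory defaults, vendor access only during an active engagement, default port changed, audit logging on) to a constructed device inventory and reports every deviation. The record fields, device names, accounts and dates are assumptions; the 90-day threshold and the idea of changing the default BACnet/IP port (47808) come from the checklist.

```python
"""Added example (not code from the page): check a device/account inventory against
the account, port and logging items of the hardening checklist."""
from datetime import date

MAX_PASSWORD_AGE_DAYS = 90      # from the checklist above
DEFAULT_BACNET_PORT = 47808     # 0xBAC0; the checklist asks for default ports to be changed


def password_age_days(account, today):
    """Age of the account's password; password_set is tracked in the inventory, which is
    the manual process the checklist calls for on systems that cannot expire passwords."""
    return (today - date.fromisoformat(account["password_set"])).days


def audit_device(dev, today):
    """Return a list of findings for one device record."""
    findings = []
    for acct in dev["accounts"]:
        name = acct["username"]
        # factory accounts must be removed, not merely renamed or left unused
        if acct.get("factory_default"):
            findings.append("factory default account '%s' still present" % name)
        # each person needs their own login: an account shared by several people is not unique
        if len(acct.get("people", [])) > 1:
            findings.append("account '%s' shared by %d people" % (name, len(acct["people"])))
        if password_age_days(acct, today) > MAX_PASSWORD_AGE_DAYS:
            findings.append("account '%s' password older than %d days" % (name, MAX_PASSWORD_AGE_DAYS))
        # vendor/integrator accounts are allowed only on an as-needed basis
        if acct.get("vendor") and not acct.get("engagement_active"):
            findings.append("vendor account '%s' enabled with no active engagement" % name)
    if dev.get("port") == DEFAULT_BACNET_PORT:
        findings.append("listening on default port %d" % DEFAULT_BACNET_PORT)
    if not dev.get("audit_log_enabled"):
        findings.append("audit/access logging disabled")
    return findings


def audit_inventory(inventory, today):
    """Map device name -> findings for the whole inventory."""
    return {dev["name"]: audit_device(dev, today) for dev in inventory}


# Constructed inventory; usernames and dates are placeholders, no real credentials
SAMPLE_INVENTORY = [
    {"name": "FE-01", "port": 47808, "audit_log_enabled": False, "accounts": [
        {"username": "jsmith",   "password_set": "2016-07-15", "people": ["J. Smith"]},
        {"username": "operator", "password_set": "2016-01-10", "people": ["A", "B", "C"]},
    ]},
    {"name": "JACE-02", "port": 47809, "audit_log_enabled": True, "accounts": [
        {"username": "admin",     "password_set": "2016-08-20", "people": ["install"],
         "factory_default": True},
        {"username": "acme-tech", "password_set": "2016-08-01", "people": ["tech"],
         "vendor": True, "engagement_active": False},
    ]},
    {"name": "VAV-GW-03", "port": 47810, "audit_log_enabled": True, "accounts": [
        {"username": "mlee", "password_set": "2016-08-25", "people": ["M. Lee"]},
    ]},
]

if __name__ == "__main__":
    for name, findings in audit_inventory(SAMPLE_INVENTORY, date(2016, 9, 1)).items():
        print(name, findings or "ok")
```

Running this on a schedule, with the inventory kept current as part of change management, turns the checklist from a one-time handover item into something the owner can actually verify.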