Industrial Control System Attacks on Buildings Have Become a Reality

In the classic action-adventure film “Mission: Impossible” from 1996, Tom Cruise’s character Ethan Hunt hacks into the HVAC system of a target building, compromising its security controls to successfully complete his mission. Today, the futuristic scenes depicted in the movie have become a reality.

In a recent advisory report, the U.S. Department of Homeland Security (DHS) assigned the highest severity rating to vulnerabilities found in a popular smart building automation system. This system connects to the network and controls HVAC, heating, door locks, and more through a web interface. Attackers can exploit this vulnerability to gain full system access via unauthorized backdoor scripts and execute commands with the highest privileges on vulnerable devices.

As every Building Management System (BMS) is online and accessible via the internet, these systems can be hacked to disrupt the operations of smart buildings. The impossible has become possible.

Cyberattacks on critical infrastructure are becoming increasingly common. In fact, The New York Times recently reported that the U.S. is intensifying cyberattacks on the Russian power grid. The players in this new battlefield include nation-states, terrorists, and cybercriminals. Fortunately, many controls that help mitigate unintentional negligence, malicious insiders, and human errors by employees can also address external threats from hackers and saboteurs.

The recent DHS advisory report indicates that BMS in smart buildings are unable to withstand these threats. Because they are integrated and interconnected with hardwired solutions, cloud solutions, and third-party applications, these systems have a large and growing attack surface.

Meanwhile, as more buildings become “smart,” more infrastructure becomes integrated, and the Industrial Internet of Things (IIoT) becomes the de facto standard for BMS, risks are expected to rise geometrically. In fact, market research firm Frost & Sullivan reported that the BMS market generated $5.8 billion in 2019, with a projected compound annual growth rate (CAGR) of 4.7% by 2022.

While BMS can provide significant benefits in streamlining processes and reducing costs, failing to internalize security as part of their deployment and management can also pose risks. For example, shutting down the HVAC system could lead to rapid overheating in data centers, damaging hardware and causing widespread and permanent harm to the business.

How vulnerable are these systems? The DHS advisory report warns that attackers can gain “full system access” to BMS through “unauthorized backdoor scripts,” allowing them to execute commands with the highest privileges on vulnerable devices. The advisory also notes that this vulnerability can be exploited remotely with minimal technical skill, with a severity rating of 10.0—the highest score on the industry-standard Common Vulnerability Scoring System. The advisory states that exploiting this vulnerability could “lock down an entire building with a single click.”

The movie scenes have become a reality, highlighting the importance of having robust BMS security systems that can monitor threats at both the network and device levels. While IT operations have consistently maintained a security posture, the same approach has yet to be applied to critical infrastructure operations such as building operations.

As seen in the recent ransomware attacks on Norsk Hydro, a Norwegian aluminum giant, and Hexion & Momentive, the world’s largest specialty chemicals and materials company, the integration of IT and OT requires closer collaboration between the two domains to achieve the necessary levels of visibility, security, and control across both infrastructures. Because IT tools do not communicate directly with OT, only higher levels of security integration, collaboration, and intelligence sharing make it possible to identify threats that originate in either environment and move laterally between the two.

As long as industrial cybersecurity is integrated into BMS infrastructure and combined with IT security tools, addressing and remediating vulnerabilities will be faster, easier, and more cost-effective. At the same time, security incidents that cause building operation systems to crash will become “less likely.”

Original DHS Advisory Report:

https://ics-cert.us-cert.gov/advisories/ICSA-19-157-01
