Building Automation Systems Are a Breeding Ground for Siegeware
As technological solutions to cyber crime become increasingly advanced, able to preempt attacks and weed out vulnerabilities before they’re widely known, attackers also become more adept at cloaking their presence and concealing their intent.
The targets of attacks also change with the times. Hacking websites and bank accounts is old hat; some of the most serious threats to the most modernized companies, and even to citizens, are those that target technology that doesn’t yet have robust security systems, or even standards, in place.
It’s sad but well known that average consumers don’t spend a lot of time worrying about whether the firmware on their IoT devices is up-to-date, leaving millions of devices around the world critically vulnerable to attack. However, you would be forgiven for assuming that companies implementing centralized control of a building’s life support functions–such as HVAC, fire security, doors and windows, etc.–along with more convenience-focused building automation systems would prioritize cyber security. This is not always the case, which can lead to a potentially disastrous situation for the homes and organizations that implement building automation systems (BAS) and the companies that manufacture, install and maintain them.
Siegeware and BAS Attacks
When attackers combine ransomware with BAS vulnerabilities, we get siegeware. The attacker takes control of a building and shuts down critical operations such as heating, cooling, alarm systems and even physical access, and will only rescind control once a ransom has been paid.
Gaining access to the BAS means attackers become the digital overlords of the building. By controlling the automated system that governs the functionality of the building, the attackers control the building itself. They can turn off ventilation, heating and fire suppression systems, and can potentially extend influence to other digital functionality of the building.
Hackers can access seven systems remotely once they hijack the BAS:
- Lighting control systems
- Fire detection and alarm systems
- Automated fire suppression systems
- Integrated security and access control systems
- Heating, ventilation and air conditioning
- Power management and assurance systems
- Command and control systems
The consequences of losing control of these systems range from discomfort to potentially life-threatening situations.
An Emerging Threat
Siegeware is quickly becoming one of the most dangerous and effective methods of cyber attack. Many companies have already fallen victim to these attacks, and those that haven’t given in to the ransom demands have faced highly disrupted operations as a result.
BAS allows a single command center to control and automate all connected systems in a building so that a high level of comfort can be achieved efficiently. But vulnerabilities exist in any connected system, and when the network is compromised, the prospect of physical danger becomes very real.
With increasing numbers of organizations adopting BAS infrastructures, the number of potential targets rises, along with the time spent by attackers searching for as-yet unknown vulnerabilities. To make things worse, many of these buildings are connected to the internet, where anyone with the correct username and password can get access. As of February 2019, there were 35,000 BAS systems connected to the public internet globally, and it’s highly likely that many of these are using default user names and passwords.
Even if the majority of organizations implement adequate security, those that do not face severe consequences. Countless schools, hospitals, universities and banks have all fallen prey to ransomware attacks in the past few years, and this is likely to mutate in coming months into large-scale siegeware attacks on many BAS-equipped buildings that do not have effectively secured networks.
Preventing BAS Hijacking
Any smart home or other BAS-controlled building is a potential target for siegeware attacks. If you live in a smart home, or are the building manager or security officer at an organization that uses BAS to control functions of the building, then it’s critical to ensure that the security systems are up to the task of controlling access to the BAS.
Many contractors will simply set up the automated control system on a web-based login interface. It makes it easier for them to make any changes later on or solve any issues that might appear. However, such remote access is vulnerable to unauthorized access.
If there is remote access to your BAS it needs to be considered a critical IT system. See to it that you