Buildings that can harm

by Mark Rowe

Regular readers will no doubt recall, writes Mike Gillespie, that here at Advent IM we have long been discussing the cyber threat to physical infrastructure, and the potential for smart buildings to be attacked through cyberspace. Mike, pictured, is a member of the Professional Security magazine editorial board, and is a trainer and consultant on cyber-physical security.

As far back as 2015, in fact, Advent IM discussed the cyber threat to building management systems and highlighted the example of the cyber attack that penetrated a German steel mill, eventually paralysing the operating systems of the blast furnaces. The damage was heavy and the potential for loss of life high, as staff found they were unable to shut down the furnaces for some time. It is now 2021 and the problem is still not being taken seriously or adequately addressed. Meanwhile, attacks on vulnerabilities found in smart buildings are becoming more sophisticated and targeted.

Damage and harm

The recent news of the Modipwn vulnerability highlights again how real this problem is; it has not gone away. While this Modicon attack is specific to a certain technology, what it shows is that effectively any of these legacy PLCs (programmable logic controllers) and associated technologies could lead to the takeover of a smart building. This could potentially cause physical damage and even harm to occupants. Like much other non-core IT, these technologies have not been designed to allow for dynamic patching. They rely on building managers knowing that they have this technology, that it is vulnerable and where to get the patch from, and then having the skills and knowledge to implement it. The threat is growing, with evidence from leaked documents, obtained by Sky News, explaining how state attackers are planning to exploit civilian infrastructure to conduct cyber attacks, including those on smart buildings. The document stated how systems that control lighting, ventilation, heating and security systems in smart buildings across the world may be exploited by Iranian hackers.

Smart over time

These systems can be automated or semi-automated. Buildings in the UK may not have originally been ‘smart’ but, over time, these automated systems have been installed to improve the efficiency of systems within a building, bringing benefits such as simpler predictive maintenance, improved air regulation through automated air conditioning, reduced energy usage, occupancy sensors, and cost savings.

In your home

We only need to look at our own homes to see how many of our devices and appliances can be connected to the Internet and managed through an automated system, from your smart fridge to smart door cameras. The reliance on these systems is great, when they are safe and working well. Unfortunately, criminals will exploit these, as seen in multiple cases where home surveillance systems have been infiltrated to spy on families and even talk through baby monitors … scary! Even scarier when you extrapolate out that situation to the workplace, with offices, factories and core infrastructure potentially vulnerable.

Given the range of IoT (Internet of Things) and OT (Operational Technology) devices installed in smart buildings, it is clear that an attack could come through HVAC (heating, ventilation and air conditioning), security or building management systems. If hackers were able to control these systems, they could cause havoc in workplaces and lead to disruptions to daily business. It is important to note that attacks can be, and so often are, started internally, caused by an unwitting employee downloading malware from a phishing email or watering hole attack.

Avoiding attacks

Poorly implemented systems can cause more hassle than efficiency if they have not been properly planned and securely implemented, and if those who need to maintain them have not had appropriate training. The system may be under-utilised and, arguably more importantly, vulnerable to misuse. Although rogue hackers generally are not looking to infiltrate smart buildings in particular, as reported by Kaspersky in 2019, cyber attacks against smart buildings should not be under-estimated. Smart systems are increasingly found in hospitals, public transport, shopping centres and even prisons. Any or all of these can make for an attractive target for hackers with the right motivation. Regular audits to maintain the security of the computers that control smart building automated systems are the first step organisations should consider when avoiding these attacks. Keeping your eyes peeled on the threat landscape is the second step to consider for those who are tasked with maintaining these systems. Faced with an increase in these kinds of attacks, now is a vital time for businesses to review their security infrastructure in a holistic way and ensure all assets are appropriately protected. Training reviews and awareness to ensure your staff know their part in the protection of assets is absolutely crucial, as it is people, behaviours and attitudes that are fundamental to ensuring good security.


© 2024 Professional Security Magazine. All rights reserved.
