The systems which control heating, lighting and security in most buildings are particularly vulnerable to cyber attack, a defence and security product company has warned. In analysis done in late 2015, QinetiQ found that these systems create a route for serious damage and disruption to be caused to most major companies and organisations; capabilities now showcased in the real-world through the spear-phishing attack on a Ukrainian power network. Those that would suffer the most disruption include airports, stadiums, hospitals and government departments.
Despite the dangers, such as no communications at an airport or lighting failure in a hospital, the systems which control these applications remains some of the least secure, QinetiQ believes. The firm says in a whitepaper that these systems have evolved from technologies not designed to be connected. They are therefore often designed, installed and managed by people who have not been trained to understand the security implications.
This creates vulnerabilities that could be exploited by those looking to damage an organisation or create panic, such as activists, terrorists, aggrieved nation states or disgruntled former employees. It could also help criminals physically break in. The paper outlines the consequences of a compromise, the potential attack vectors and recommendations for mitigating these risks.
Attack vectors often exist because such systems have not been securely installed. The QinetiQ research team found Building Management Systems (BMS) were often simply switched on or plugged in, connecting them to insecure networks or leaving them accessible via Wi-Fi. Default passwords were often left unchanged.
The paper recommends that installation of these systems must involve an understanding of how these systems are connected to the online world and how to restrict this. Installers and facilities managers setting up the systems should be trained and certified to ISO 27001 or equivalent, or consultants with these qualifications should be involved.
Andrew Kelly, Principal Consultant, Cyber Security, QinetiQ and co-author of the paper said: “Devices that were never built for security are increasingly becoming connected to networks, and so becoming hackable. We are seeing this in the domestic sphere too, as the Internet of Things becomes more prevalent, but it is the but BMS-connected devices have particular potential to wreak havoc as they control systems necessary for business to function. Despite this, they have some of the laxest security, both in their design and in their installation and maintenance.
“This is a pressing issue. The challenge is that it crosses two previously unconnected areas: facilities management and IT. But as more BMS become connected, these departments either need to work more closely together, or facilities managers need to become security experts.”
About QinetiQ
QinetiQ employs 10,000 in defence, aerospace and security. The whitepaper can be downloaded at:
http://www.qinetiq.com/services-products/cyber/Pages/bms-the-cyber-security-blind-spot.aspx#
