Wow! What an eventful week I have had. I read through the Cylance Google Hack article again and after fully digesting the information around the hack I had an epiphany.
Most facility owners are just a few clicks away from a multi-million dollar due care/due diligence lawsuit.
I will get into the how in a second but let's first describe what due care and due diligence means.
This article does not represent professional legal and/or business advice. This article is simply an expression of my many years of experience in this field and is meant for educational purposes only. This article seeks to show how you could be attacked by a BAS Hacker in order to help you in securing your buildings.
Please Pardon this Interruption While I Destroy Your Business
At fist glance both terms look quite similar however there is a subtle difference that can create a "double-wamey" in terms of fines and/or jail time!
Due Diligence is when you take the effort to conduct a reasonable examination of the security systems within your building, campus, ect. Due care is when you actually execute a strategy to protect and prevent a system from being effected.
Digging a little deeper, what is a "Reasonable examination of the security systems"? Reasonable is "usually" determined by what a similar person, organization, ect would do in the same situation. If you neglect to educate yourself on the security flaws of your building automation system that could be considered a due diligence issue. This becomes especially concerning if previously it was disclosed that your system has a security flaw.
Due care is also based around reasonable action. If you have a small strip mall it is not reasonable for someone to expect you to put your BAS interface in a steel reinforced room with armed security. However, if you are in charge of a Federal reserve bank that level of security may be considered reasonable.
In a legal matter you can perform Due Diligence and still be sentenced to upwards of 50% the court ruling for a due care violation and vice versa. These two terms are separate and exclusive.
Red Alert!
Back to my story, the article got me thinking. What would an attack look like? How could ab attack damage a client? Why should a client worry about an attack?
You should be aware that there are sites that scan networks looking for exposed devices. Once a hacker has access to this list he has several options at his disposal:
- H can Google the default user name and password and attempt to log into each device
- He can Try to access the device root and look for user index/password files
- He can Try to RDP, Telnet, or SSH into the device
- He can Conduct a Port Scan and try to send malicious code into the device via an open port.
Now if the hacker succeeds and gains access to your system he can wreak all sorts of havoc upon a building or portfolio of buildings. This is scary stuff and we will definitely cover how to secure your building. I will not in this article be discussing how you can damage a building or its systems but the building owners should understand that there are multiple ways!
Now, after this attack, depending on the severity (loss of property or life) you could be legally liable for the attackers action because of the Due Care/Due Diligence topic we discussed before.
Shields Up!
I used to be ok with the idea of a public BAS system. This was back when I was ignorant and uneducated and when there were still AOL CD's at the grocery store checkout line. With what I now know there is no way on Earth that I would advise a client to give a public IP to a BAS device. (You may find yourself ask, "Phil it's just a commercial office building, what can go wrong?" The short answer is A LOT!).
Well what's a facility director to do? I am here to help you, I care, and I want you and your clients to be safe. Now while nothing is 100% the 4 tips I am about to give you will help you become more secure than you were before.
Tip 1: Secure the Access
Use best practices around user security
- Delete the Default User
- Set Rights to all other users
- Ensure the only one who has access to the audit log is the administrator
- Enforce a password policy (1 Upper case, 1 Lower Case, 1 Number, 1 Symbol, longer then 8 characters, no obvious words or names)
- Enforce a password policy (yes I said it twice) - force a password change every 60 days or immediately after a network penetration
- Do not allow users to write down passwords
- ENFORCE THE POLICY
Tip 2: Secure the Device!
- Ensure the device is in a clean, ventilated space that does not exceed its environmental limits.
- Ensure the cabinet is locked and the space is monitored.
- Ensure that if someone wants to access the device they need to use RDP via an on site secured computer.
DO NOT PUT SUPERVISORY DEVICES IN MECHANICAL ROOMS TAKE YOUR CHEAP BUTT AND SPEND THE MONEY TO PUT THE DEVICE IN THE IDF/IT CLOSET AND RUN THE WIRE!
Tip 3: Secure the Internal Network
- Ensure that any Plant controllers (Large AHUs, Chillers/Boilers/Generators) are on their own physically isolated IP network.
- Ensure that any supervisory devices are on their own network physically and on their own VLAN for cross site communication.
- Ensure that any servers are on their own VLAN, have only the manufacture recommended ports open, are fully patched, and are being monitored via the IT group (if you have one).
- Ensure that you have given the SNMP MIB's to the IT department so they can monitor the device and ensure that you have ACL's in place to determine by whom and when the device can be accessed.
Tip 4: Secure the External Network
- Do not, even if it means world peace, the end of hunger, and the payment of the US deficit, give a BAS device an external IP.
- I have also seen that companies are notorious for putting a device on a NAT(network address translation) router and then simply giving the device free reign of the external network because it's "NATTED". I mean do you really think NAT is going to stop a penetration or that a hacker is not going to be able to sniff packets and determine there is an exposed BAS system?
- Finally, if you use a proxy server, IDS (intrusion detection system), or firewall (You should use 2 of the 3 minimum!) make sure you do not create exceptions for your BAS's IP traffic and make sure you keep your detection signatures up to date!
Conclusion
If this has been a little deep for you then good.
You come to this site to learn, if you want to read happy little articles that don't challenge your thinking and that you don't remember 5 minutes after you read them then there are a lot of sites out there for you!
However, if you want to continue to challenge yourself and join me on this quest of growing your knowledge and skills then I urge you to join the discussion through the comments section below.
Give us your tips and tricks, what methods have you seen attackers use?
