I just finished reading two interesting articles about hacking BAS systems and thought I would share my thoughts with all of you on how a BAS could be used to hack a building. First off, we still have some educating to do around BAS as a whole in the industry. Reading through Brian Prince's article at Dark Reading titled Google Building Management System Hack Highlights SCADA Security Challenges brings to mind one of the first areas in which we need to educate our IT counterparts.
A SCADA system is a process control driven system (think a Cheeto's factory or an electrical Grid). Those places use SCADA and a SCADA system is quite different from a BAS. I'm sorry if you disagree but you are just plain wrong.
There is a reason SCADA and not BAS systems are used for our power grid and industrial processes (and while the main reason is process speed, the other is the fact that many SCADA systems are years ahead of most BAS in terms of systems integration and control).
Now, personally I have theory why we put much development effort into a SCADA system then we do into a BAS system and it has something to do with people liking Cheetos more than their tenants. Well, maybe that isn't completely accurate but I would rather visit a Cheetos factory then a building full of angry HR ladies.
Ok, back to reality. The fact of the matter is that for IT our BAS box (controller) is a pain in the A@@. Half the time it isn't LDAP compliant, we sneak our network into the building like some third-rate ninja, and then it sits on a self-created bastardized network that resembles something between bailing wire hooked into a hub and a Sub-Saharan DSL line.
As if that wasn't enough to make our IT counterparts cry uncle, even when IT does finally get to run some SNMP trapping and network monitoring on our devices we refuse to let them patch our systems because of Java or Windows .Net compliance. Look Mr. IT I know Java 3.0 has issues and you're using Java 7.x but if you upgrade Java on my box our User Interface won't run.
Don't be the Controls Zombie
With all this crap literally being hand delivered to the IT departments of some organizations it's no wonder that they run from us BAS folks like we have a mutated version of leprosy.
Here's the Deal
Average controls guys know how to wire a thermostat, connect a transformer, and download some configuration files.
Good controls guys understand the sequence and how the system should run.
Exceptional controls guys can speak IT, get energy management, and can understand their impact on a business.
Ok, let's focus this article rather than it going off like a shotgun at a duck hunt for the blind . IT fundamentals are the key, how many BAS guys understand the impact of VLAN's, Access Lists, and Firewalls (no I am not talking about that annoying red wall that you need to try to run your comm-trunk through). If you and I are going to stay in this industry we must learn to speak and communicate around IT.
Fears and Failures
We must understand what keeps our clients up at night. When we have top companies like Google being hacked and their BAS being accessed we better damn well be able to explain to our customers how they can avoid that happening to them. The image below was taken from the Cylance Tech blog.
They exploited a simple hole in the Google BAS system. Cylance was able to access the file directory of the BAS system and grab a configuration file that had the username and hashed password. Cylance then put the hashed password through a decrypting software and voilà they have the password for the BAS.
Now, here's the thing....
There are multiple ways to get into a system.
Some Techniques to Kick in the Door
- Spoofing to Steal login credentials
- Hitting the directory structure of a public url looking for critical files
- Performing man in the middle attacks and grabbing port 80 traffic.
Spoof aloof
Ok, so what is spoofing? Spoofing is where I send you an email telling you that your eBay/paypal/Facebook... whatever account has been hacked and I send you to a website that looks quite similar to the real thing. I recently got an email telling me that my PayPal account was hacked, if I hadn't been paying attention to the letters I wouldn't have noticed it was from Peypal.com not Paypal.com.
Even more prevalent is the spoofing call. With some basically googling and foreign terminology you can get the number to someones desk phone and call them claiming to be their IT department. This works awesomely on facilities groups as these folks often try to avoid IT like the plague and thus don't know if the person on the phone is really with their IT group or not.
(Word of advice, no IT guy is going to call you for your user name and password as that is available via their current IT software).
Directory structure private/public what.....
What does all that jibber jabber mean? Basically, just like your hard-drive, websites have a nice orderly format called a directory structure. Usually this is not hidden, this has become such a prevalent hacking method that the NSA wrote about it in great detail in their recently published NSA hacking methods e-book.
So whats a facility manager to do? Well for one, hire people who can spell internet (Hey seriously its a hard word to spell, at least according to some of my competitors marketing material it must be). Look, it's really quite simple, just follow some basic steps, you know what I am in a particularly good mood so here's another good resource.
Port 80, 443, oh where should my traffic be!
Port 80 is basic web services (HTTP), 443 is secured HTTPS. Whats the difference what is AES, whats DES? WHY SHOULD YOU CARE!!!. I mean seriously, you are planning your maintenance schedules, trying to prepare a utility budget based on a 3-inch mound of utility bills, and now this guy is asking me to know what port I use for my BAS?
Well one way to avoid this whole shindig is to simply pay your guys double time on Sunday to come into the office in order to use a BAS that could be remote accessed via a tablet at your house. Hey, I mean it eliminates the IT threat, well that is until one of the janitors brings a poker game he downloaded from home and installs it on the BAS PC and shuts down your BAS network, but hey that never happens... right?
Look, I don't expect you to master IT security. You don't need a Masters in Information Assurance to be in building management. But when your technician is connecting your BAS to the outside world the least you can do is know why it's important that his system uses HTTPS and AES encryption....
Here's some literally light reading to brush you up.
Focusing In
So if those three bullets made no sense to you then you need to get up to speed fast. Go get your Network+ cert or your ICND 1. Those will give you the fundamental knowledge to speak IT. You must, MUST(Insert Loud Voice from the Clouds Here) being bi-lingual, speak HVAC/DDC and Speak IT. Your choices are to do this, or simply reside yourself to changing filters and occasionally putting k factors in a controller for an air balancer.
It's a sad day to me when I sit with consulting engineers who know more about a communication trunk than the controls tech does.
Ok, pretty grim, pretty depressing.
The point of this article is not for me to find creative ways to tell you your're stupid. The point is to encourage you to begin a journey on learning a new skill set. So if I ended the article here I would just be plain cruel, let me lay out a few tools to help you.
Rinse, and Repeat
First off, this amazing author wrote three great articles about Network Fundamentals, TCP/IP, and the OSI model.
Unfortunately I misplaced those articles so you're stuck reading mine below.
Next up is applying the skills you have developed. All this talk, reading and studying is for naught if you don't use it. So get out there, get involved start having discussions on your jobs sites around which VLAN you are using, ask about how you can help the IT group handle patch management, find out if you can share your controllers via SNMP (version 3 of course!). Basically, get in the muck, get into situations where your are asked questions you have no clue how to answer.
Go to Wikipedia, Google, come back and tell them what you learned. If you want to run a marathon you don't watch the Olympics and then sign up for a race! As much as learning through osmosis is touted these days with people guaranteeing to make you an expert in x,y,z in 10 minutes the reality is learning takes time, study, and application.
Conclusion
Finally, start teaching, I got into this industry and floundered about for the first year, I shut down networks when I accidentally changed the DNS server IP. I've turned chillers on and off so many times it sounded like I was making a rap song with the sounds coming out of the compressor.
You learn through trial and error, but you gain mastery when you teach.
So I ask you what is the best security nugget you've learned during your career.
Discuss below in the comments.