It seems every week lately I get a question about the security of Building Automation Systems.
But, the problem is the folks are asking the wrong questions.
Yes, it is scary that the average BAS technician doesn't have an IT background.
It does keep me up at night that most implementations of BACnet are insecure and that with YABE you can pretend you're a BBMD and connect to exposed BAS's to change setpoints.
But the fact is the Target hack and IoT DDoS have about as much in common with a BAS as my fat ass has with a Gym...
Here's the deal.
There is a ton of marketing out there to get you all hyped up about security. The fact is, if you keep your BAS patched and behind a decently protected network, statistically you're not a highly exposed target.
And let's be real for a second, every BAS out there has had security vulnerabilities and they will continue to in the future. The reality is that people writing software are... people.
And people make mistakes, kind of like how I keep eating cheeseburgers instead of salads.
But I digress...
I wanted to write this post because a lot of folks e-mail me about the "fill in the blank with the latest hack" and ask me if it exposes them to risk. I don't blame folks for being concerned. But let me help you.
In this post, I'm going to dig into the two most quoted hacks and expose what really happened.
The Target Breach
So for those of you with ADD who don't want to read a detailed explanation, here's the deal. A guy at an HVAC company got his laptop hacked. It just so happens this laptop could access the Target network. So the attacker jumped from the laptop to the Target network and then found their way to the Point-of-Sale system. No BAS hacking required. As a matter of fact, don't take my word for it.
Here it is directly out of Fazio Mechanical's official response:
Fazio Mechanical does not perform remote monitoring of or control of heating, cooling and refrigeration systems for Target.
No BAS hacking required.
So here's the rest of the story.
First, the attacker had to find a target (no pun intended). So, they most likely (conjecture here) went to the Target supplier portal, looked up suppliers and sent out phishing e-mails. Unfortunately for Fazio, someone at their company clicked on the link... well, at least according to news sources they did. Once this happened, malware named Citadel was installed on the employee's computer and stole their login credentials.
Now that the attacker had access to a Fazio machine, they were able to use a VPN that Fazio had for accessing the vendor server. This server existed for vendors to submit invoices. Now, no one knows exactly what happened next, but somehow the server was hacked.
From that point on it was a hop, skip, and a jump to access the point-of-sale system.
The hackers now had a way to collect credit card data and funnel that data back out so they could sell it on the black market.
So what should you take away from this?
- Have some sort of paid anti-virus installed
- Train your folks to be security minded
- Change your passwords regularly (although that may not have helped here)
- Keep your production network separate from vendors
Next up, IoT DDoS Armageddon!
The IoT DDoS
Alright, so this one is a bit more complicated and includes some really cool technical concepts (at least cool to a techie dork like myself).
So here's the deal. On October 21st, 2016, a bunch of IoT devices directed network traffic at a DNS server. The server was overwhelmed by the traffic and folks were no longer able to access websites like Twitter, Pinterest, Reddit, GitHub, Etsy, Tumblr, Spotify, PayPal, Verizon, Comcast, and the PlayStation Network (so basically a lot of sites).
The IoT devices were hacked by software that scanned the internet looking for certain devices. Once these devices were found the software tried out a list of default usernames and passwords. If the default username and password was still present (meaning no one changed it), then the software would log in to the device and install some malware.
This malware would take control of the devices, turning them into what is known as a botnet. A botnet is a collection of hacked machines that can be controlled from a single computer to perform actions. In this case, over 150,000 IoT devices (cameras, DVRs, etc.) were used to launch this attack.
Once the 150,000 devices were under their control, the hackers attacked the DNS for the websites I listed earlier in this article. Now, let me add some context to what I just said.
Whenever you type in Google.com or Yahoo.com, there is a server that turns that domain name into an IP address. You see, your computer doesn't know how to get to Google.com; it does know how to get to Google's IP address, though.
Here's the problem, it's not feasible for you to try to remember all of the different IP addresses Google could be using. To solve this problem the DNS server "resolves" the IP address for these domain names.
Well, when the attackers took down this DNS server the computers that were trying to access certain sites were no longer able to resolve the IP addresses from the domain names.
So what does this have to do with BAS devices?
Look, I get it, so many BAS companies out there are touting their IP-enabled BAS devices. And unlike consumer devices, you can't easily Google how to change the default usernames and passwords.
But - And here's the huge "but"...
The average BAS device shouldn't be exposed to the Internet. Ok, I'm going to go off on a tangent for a second but it will all make sense at the end, I promise.
I often get asked this "challenge" by folks. It goes something like this: "Your BAS has a USB drive, so if I access it I can hack it," or "Your BAS is on a server, so if I go into the IT closet and log in to it I can hack it." (Yes, I know Stuxnet was transferred on a USB drive, but that's a whole other story.)
Ok, but here's the problem. If someone is in your freaking IT closet hacking your stuff don't you think you have bigger issues????
Alright sorry, I had to get that off my chest.
Here's the deal. The IoT hack is not going to destroy your BAS.
Your BAS is not going to turn into a giant Botnet like the Low Orbit Ion Cannon (a popular crowd-sourced botnet used to take down websites in 2011).
If you do these things you will be relatively secure:
- Keep your IP devices off the public internet
- Use NAT whenever possible to hide IP devices
- Change the default username and password
- Patch your systems
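Here is what the first two items on that list look like in practice on the router or firewall that sits in front of a BAS segment. This is an added example, not something from the original post or from any BAS vendor, and it assumes a made-up layout: the BAS controllers live on VLAN 10.20.0.0/24 behind interface "bas0", the Internet is on "wan0", and technicians go through a jump host at 10.10.5.7. BACnet/IP uses UDP port 47808, which is also the port a rogue BBMD registration would arrive on.

```nftables
#!/usr/sbin/nft -f
# Added example (not from the original post). Assumed layout:
#   bas0  = interface facing the BAS VLAN 10.20.0.0/24
#   wan0  = interface facing the Internet
#   10.10.5.7 = technician jump host (hypothetical address)
flush ruleset

table inet bas_firewall {
    set trusted_mgmt {
        type ipv4_addr
        # Only this host may initiate sessions toward BAS controllers
        elements = { 10.10.5.7 }
    }

    chain forward {
        # Default is drop: anything not explicitly allowed below never
        # reaches the BAS segment, so the controllers stay off the Internet
        type filter hook forward priority 0; policy drop;

        # Let replies to already-allowed sessions through
        ct state established,related accept

        # BACnet/IP between controllers on their own VLAN (UDP 47808)
        iifname "bas0" oifname "bas0" udp dport 47808 accept

        # Technician access via the jump host only: web UI and BACnet/IP
        ip saddr @trusted_mgmt oifname "bas0" tcp dport { 80, 443 } accept
        ip saddr @trusted_mgmt oifname "bas0" udp dport 47808 accept

        # Explicit log-and-drop for Internet traffic aimed at the BAS VLAN.
        # The policy would drop it anyway; the log line is what tells you
        # someone outside tried to talk BACnet (or anything else) to you.
        iifname "wan0" oifname "bas0" log prefix "BAS-INBOUND-DROP " drop

        # Controllers have no business calling out to the Internet. A hit
        # on this rule is the kind of beaconing a botnet-infected device does.
        iifname "bas0" oifname "wan0" log prefix "BAS-OUTBOUND-DROP " drop
    }
}
```

Load it with `nft -f` and watch the kernel log for the two prefixes; a quiet log is what "off the public internet" looks like, and an outbound hit from a controller is worth a look before assuming it is a misconfiguration.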
Ok, so there you have it. The real story behind all of these "BAS" hacks.
I hope that this opened your eyes. I definitely believe that BAS need to be more secure and that we BAS professionals have a duty to become more educated with regard to IT and cybersecurity.
However, these attacks are not the end of the world and as you saw they have very little to do with BAS.
Ok, so what has your experience been with cybersecurity?
Scroll down to the comments section and let me know your thoughts about this topic.