New-generation building management systems blow a hole in security

By Ron Condon, UK Bureau Chief 19 Sep 2008 | SearchSecurity.co.uk

Security UK News Digg This!     StumbleUpon     Del.icio.us

But there is no fire, and nothing wrong with the air-conditioning – nothing mechanical at least. The problem is that a hacker has broken into the all-electronic building management system and is manipulating the controls, possibly from the other side of the world. It is not where you expect hackers to attack, but the potential for disruption of business is just as high as any worm or virus, or theft of information.

That is a hypothetical situation, of course, but one that could potentially happen now in just about any large new building, according to Ken Munro, managing director of UK-based penetration testing company SecureTest Ltd.

He says that while building management systems, which handle everything from air-conditioning to lighting and door-locks, traditionally worked on serial networks and were segregated from other networks, they have now become IP-enabled and are therefore open to all the threats that afflict conventional IT systems.

"The potential for harm is enormous," says Munro. "You could turn off the air-conditioning in a data centre, or drop the temperature in an office, or set off the fire alarm, which will unlock all the doors."

He says building management systems are wide open to abuse because their networks are poorly segregated, and they tend to be managed by facilities staff with little or no background in IT or networking. "Building management systems fail basic security requirements," Munro says.

The move to more intelligent buildings is fuelled by concerns over energy wastage and security, and has prompted manufacturers of lighting, access control and heating and air-conditioning systems to try to build standards to support better integration.

Much of this effort is under the umbrella of the Open Building Information Exchange, whose stated aim is to create "a standard XML and Web Services guideline to facilitate the exchange of information between intelligent buildings, enable enterprise application integration and bring forth true systems integration."

But none of the systems are designed with security in mind, claims Munro. To test his theory, he did an exercise to discover what controls are used in the new Terminal 5 building at Heathrow. A quick Google search revealed that the main controller came from Trend Control Systems Ltd. He then got hold of an example of the product and found it was open to simple hacking techniques. Munro has since informed the authorities, but has so far received no response.

"We have no idea how the boxes are configured in T5 – we were looking at a box in its default state, so the system in T5 could be perfectly secure, though I doubt it," he says. "The fundamental issue is that the controller, embedded operating system and Web server have not been 'hardened' to any significant degree. This is a common problem with embedded operating systems, as they're hard to patch and update."

A similar problem exists in the world of closed-circuit television (CCTV), where technology has moved on from discrete analogue networks to today's modern IP-based CCTV systems. "CCTV was traditionally put in by TV engineers," says Sarb Sembhi, an independent security consultant. "These same people are putting in networked CCTV after maybe just three days' extra training."

Sembhi adds that many companies are upgrading their old CCTV systems to modern networked versions without realising the security implications. "The new cameras are now built to support applications. They are effectively computers, but they do not have security built-in," he says.

According to Sembhi, the danger is that CCTV cameras could be controlled by an unauthorised user, or viewed by the wrong people. For instance, criminals might be able to hack into police closed-circuit TV systems or into a bank's premises.

Vulnerabilities in both building management systems and CCTV underline the need for information security people to work more closely with physical security, says Martin Roberts, a partner in the security practice at KPMG, LLP.

"Both information security people and physical security people share the same common goal, which is asset protection," he says. By focusing on risk and the business impact of risk, he suggests, it is possible for both disciplines to share a common language and develop a "healthy respect" for each other's concerns.

That will include understanding the various regulations and guidelines that each have to follow, which may sometimes bring them into conflict, such as opening all doors in the event of a fire alarm going off.

Tags: Network security tips,  IT Security Frameworks and Standards,  Threat and Vulnerability Management,  VIEW ALL TAGS

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Network security tips A wireless LAN security update: Developments in technology and law Portable USB thumb drive encryption: Software and security policy Buying an IPS: Determine why you need intrusion prevention SMS two-factor authentication for electronic identity verification Three portable data storage encryption methods UTM appliances in the enterprise: Are they enough? Using Windows software restriction policies to stop executable code Using HTTPS: How to encrypt and secure a website How to buy an IPS: Features, testing and review How to prevent iPhone spying: mobile phone management tips IT Security Frameworks and Standards PCI compliance UK: The future of European merchant PCI compliance ISO 27001 SoA: Creating an information security policy document Panel advocates need for cloud computing data security standard Exclusive PCI DSS news: EU regional director rallies UK merchants Jericho Forum: Self-assessment guide How to develop a culture of security in the enterprise ICO issues draft guidelines for personal information online Using ICO privacy impact assessment template for DPA compliance How to write an information security policy The elements of a compliance-oriented architecture Threat and Vulnerability Management Microsoft issues temporary fix for Windows Shell zero-day Attackers target Windows Shell zero-day via USB sticks How to stop Conficker: Anti-Conficker patch management, defense Trojan virus attack using hijacked Web browser sessions hits UK banks Law firm security gets positive verdict with UTM device IBM to acquire BigFix for configuration, vulnerability management Perimeter defenses deemed ineffective against modern security threats Critical Adobe Reader, Acrobat update due today Twitter settles with FTC over security issues, careless policies Frustration growing over limited ability to shut down botnets

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Financial Services Authority  (SearchSecurityUK.com) IISP (Institute of Information Security Professionals)  (SearchSecurityUK.com) ISO 27001  (SearchSecurityUK.com) Jericho Forum  (SearchSecurityUK.com) UK Identity Cards Act  (SearchSecurityUK.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary