Page 38 - Climate Control News Magazine April 2019

Buildings held to ransom by Siegeware
Anyone who uses a building automation system (BAS) to remotely manage everything from HVAC and fire alarms right through to controls, lighting and security systems could become a victim of cybercrime. In this article, senior security researcher at ESET, Stephen Cobb, explains how buildings can be held to ransom.
Imagine managing a dozen buildings in a number of cities and receiving the following text on your phone:
“We have hacked all the control systems in your building at 400 Main Street and will close it down for three days if you do not pay $50,000 in Bitcoin within 24 hours.”
In this scenario, the building at that address is one of several upscale locations in your company’s portfolio. The buildings all use something called a BAS or Building Automation System. As many as eight different systems may be remotely accessible. In this scenario, if someone has in fact gained control of the BAS, then it is entirely possible that the sender of the threatening message could make good on their threat. This is not an imaginary scenario. I have met with someone who got a message like that and it was not a hoax. When her company bravely refused to pay the attackers, use of the targeted building was indeed disrupted. Yes, Siegeware is real.
I would not be writing about this form of cybercrime if I thought there was only one isolated incident. No security researcher wants to spread unwarranted fear, or give criminals any ideas. But it turns out that the law enforcement officers who were contacted for assistance by the operations manager in this case told her: “We’ve seen this before.” In other words, this was not the first