Page 39 - Climate Control News Magazine April 2019

time that criminals have tried this type of attack and in my opinion it is better to let potential victims know about threats so that they can plan how to defend against them, rather than hope those threats don’t materialize.

Clearly, holding a building for ransom by leveraging its reliance upon software is now on the criminal agenda, part of the expanding arsenal of techniques for profiting from the abuse of technology. In my experience, giving a name to different types of attack helps spread awareness of them and focus efforts to defend against them. So, instead of saying “holding a building for ransom by leveraging its reliance upon software”, I suggest we call it siegeware.

Today, the functionality of many buildings – such as the ability to control room temperature, door locks, and alarms – is controlled by a Building Automation System (BAS).

Numerous practical and financial benefits can accrue from enabling remote access to a BAS, but when you combine criminal intent with poorly protected remote access to the software that runs a building automation system, siegeware is a very real possibility. To put it another way, siegeware is the code-enabled ability to make a credible extortion demand based on digitally impaired building functionality.

How widespread will the siegeware problem become in 2019? That will depend on several factors: how aggressively cases are investigated by law enforcement; how many victims refuse to pay; and how many targets of opportunity the bad actors can find. To this last question, you can use Shodan – the internet search tool – to get a sense of scale. When I searched in mid-February 2019 for BAS systems that were reachable from the public internet I found 35,000 potential targets globally. That was for just one category of product, and the number was up from about 21,000 at the end of August, 2018.
Right now, a criminal searching for a range of different BAS systems to target probably has close to 30,000 to choose from in the US alone. These are IP addresses which, when entered into a web browser, may produce BAS login screens like the examples below (I have obscured building names/locations). The next stage for the attacker is to try the default user name and password for that type of system (these can be found with basic Google skills). Unless the defaults have been changed, and rate limiting on password attempts has been implemented, a motivated criminal will probably gain access. The immediate goal of this search-and-guess-password process is something that looks like this – a cooling system dashboard (pictured).

Sometimes you don’t even need to guess a password to get this far: this is a live dashboard, accessible to anyone on the internet, without a password. And because the internet is so good at documenting technology, you can easily determine that this is a Liebert DS data center cooling system, for which a lot of documentation is available online. It is also relatively easy to figure out who owns the system and where it is located.
“WHEN THE COMPANY REFUSED TO PAY, THE BUILDING WAS TARGETED AND TENANTS WERE DISRUPTED.”
– SECURITY EXPERT, STEPHEN COBB.
FIGURE 3 – Cooling system dashboard
You don’t have to be a particularly imaginative criminal to see some real possibilities there.
Of course, it doesn’t have to be like this. There is plenty of advice out there for organizations that want to reduce the risk of siegeware attacks. A good place to start would be “Intelligent Building Management Systems: Guidance for Protecting Organizations”, available on the Security Industry Association website.

Clearly, now is a good time to determine the state of facility automation in the building where you work. Is there any level of automation, and if so, how is access to the building automation system protected?

A key factor to be aware of when making enquiries along these lines is the relationship between building owners, property managers, and contractors. My research suggests that some contractors find it very convenient to install a web-based login that they can then access at any time, remotely, and with ease, often over smartphones and tablets. It is possible that the managers/owners of the building will not know about such remote access unless they ask.

So, if you are at all concerned about the possibility of a siegeware attack, ask around to see if there is any remote access for the BAS in “your” building. Then try to find out how well protected it is. Has access been placed behind a firewall? Does access require a VPN connection? Is access protected with multi-factor authentication or just a password? If the latter, then immediately call a meeting to get that fixed, and I don’t just mean make sure it is a hard-to-guess password. At a bare minimum there has to be rate limiting and lockout on failed password attempts, and “alarms” that go off in multiple places when such incidents occur.
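As an added example to go with the controls just listed, and not code from this column or from any BAS product: a Python login gate for a web-exposed automation console that locks an account after repeated failures, throttles a source that hammers many account names, and fans every alarm out to more than one sink. The thresholds, the account names, the source addresses and the two simulated attacker runs are all constructed for illustration; password checking uses PBKDF2 with a constant-time comparison so that an unknown account name costs the attacker the same as a wrong password.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# All thresholds are assumed values for illustration, not vendor settings.
FAIL_LIMIT = 5          # failed logins per account inside the window before lockout
WINDOW_SECONDS = 300    # sliding window for counting failures and per-source attempts
LOCKOUT_SECONDS = 900   # how long a locked account stays locked
SOURCE_LIMIT = 20       # attempts per source IP inside the window before throttling

# Placeholder record for unknown accounts so a bad username costs the same
# hashing work as a bad password (no timing-based account enumeration).
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = b"\x00" * 32


def hash_password(password, salt):
    """PBKDF2-HMAC-SHA256; the iteration count is an assumed, illustrative value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(password, salt=b"constructed-salt"):
    """Build the (salt, hash) record stored for a user; the salt is constructed."""
    return (salt, hash_password(password, salt))


class LoginGate:
    """Verifies credentials, locks accounts after repeated failures, throttles
    chatty sources and sends every alarm to every configured sink."""

    def __init__(self, users, alert_sinks, clock=time.monotonic):
        self.users = users                      # {username: (salt, hash)}
        self.alert_sinks = list(alert_sinks)    # callables taking (event, details)
        self.clock = clock                      # injectable for deterministic runs
        self.failures = defaultdict(deque)      # username -> failure timestamps
        self.locked_until = {}                  # username -> unlock time
        self.source_hits = defaultdict(deque)   # source ip -> attempt timestamps

    def _prune(self, stamps, now):
        # Drop timestamps that have aged out of the sliding window.
        while stamps and now - stamps[0] > WINDOW_SECONDS:
            stamps.popleft()

    def _alarm(self, event, **details):
        # "Alarms that go off in multiple places": each sink receives each event.
        for sink in self.alert_sinks:
            sink(event, dict(details))

    def attempt(self, username, password, source_ip):
        """Return 'ok', 'denied', 'locked' or 'throttled'."""
        now = self.clock()

        hits = self.source_hits[source_ip]
        self._prune(hits, now)
        hits.append(now)
        if len(hits) > SOURCE_LIMIT:
            self._alarm("source_throttled", source=source_ip, attempts=len(hits))
            return "throttled"

        until = self.locked_until.get(username)
        if until is not None and now < until:
            return "locked"      # even the right password is refused while locked

        record = self.users.get(username)
        salt, stored = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
        valid = record is not None and hmac.compare_digest(
            hash_password(password, salt), stored)
        if valid:
            self.failures.pop(username, None)
            return "ok"

        fails = self.failures[username]
        self._prune(fails, now)
        fails.append(now)
        if len(fails) >= FAIL_LIMIT:
            self.locked_until[username] = now + LOCKOUT_SECONDS
            fails.clear()
            self._alarm("account_locked", user=username, source=source_ip)
            return "locked"
        return "denied"


def simulate_default_guessing():
    """Constructed run: one source walks common default passwords against
    'admin', then tries the real password, then waits out the lockout."""
    state = [0.0]                      # hand-advanced clock
    alarms = []
    sinks = [lambda e, d: alarms.append(("console", e, d)),
             lambda e, d: alarms.append(("pager", e, d))]
    gate = LoginGate({"admin": make_user("correct horse battery staple")},
                     sinks, clock=lambda: state[0])
    results = []
    for guess in ["admin", "password", "1234", "default", "Admin123",
                  "correct horse battery staple"]:
        results.append(gate.attempt("admin", guess, "203.0.113.7"))
        state[0] += 1.0
    state[0] += LOCKOUT_SECONDS        # lockout has now expired
    results.append(gate.attempt("admin", "correct horse battery staple", "203.0.113.7"))
    return results, alarms


def simulate_password_spray():
    """Constructed run: one source tries one guess against many account names,
    so per-account lockout never fires but the per-source throttle does."""
    state = [0.0]
    alarms = []
    gate = LoginGate({}, [lambda e, d: alarms.append(e)], clock=lambda: state[0])
    results = []
    for i in range(SOURCE_LIMIT + 1):
        results.append(gate.attempt(f"user{i}", "password", "198.51.100.9"))
        state[0] += 1.0
    return results, alarms


if __name__ == "__main__":
    print(simulate_default_guessing())
    print(simulate_password_spray())
```

In the first run the fifth bad guess locks the account and raises the alarm on both sinks, and the correct password is refused until the lockout expires; in the second, spreading one guess across many account names never triggers a lockout but the source is throttled on its twenty-first attempt. The VPN and second factor the column recommends belong in front of this gate, not in place of it.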
Frankly, anything less than hiding the BAS login behind a VPN with 2-factor authentication means a building is at risk from criminals wielding siegeware.

With 2-factor authentication so easy to use, failure to take advantage of it to protect a BAS is likely to fail a reasonable test, should tenants sue in the wake of an attack. ✺
BAS Attack
FIGURE 2 – Potential targets