New-generation building management systems blow a hole in security

Building management systems are being targeted by hacker attacks because of poorly segregated networks. Corporations need to bulk up on security, perform risk assessments and administer upgrades to avoid becoming a target.

Imagine the scene. It's a cold day in London but inside Terminal 5 at Heathrow Airport, the temperature is rising fast. People are beginning to sweat in their winter clothes, and the check-in staff is wilting under the heat. Suddenly, the fire extinguishers go off, chaos ensues, and the whole building has to be cleared fast.

But there is no fire, and nothing wrong with the air-conditioning – nothing mechanical at least. The problem is that a hacker has broken into the all-electronic building management system and is manipulating the controls, possibly from the other side of the world. It is not where you expect hackers to attack, but the potential for disruption of business is just as high as any worm or virus, or theft of information.

That is a hypothetical situation, of course, but one that could potentially happen now in just about any large new building, according to Ken Munro, managing director of UK-based penetration testing company SecureTest Ltd.

He says that while building management systems, which handle everything from air-conditioning to lighting and door-locks, traditionally worked on serial networks and were segregated from other networks, they have now become IP-enabled and are therefore open to all the threats that afflict conventional IT systems.

"The potential for harm is enormous," says Munro. "You could turn off the air-conditioning in a data centre, or drop the temperature in an office, or set off the fire alarm, which will unlock all the doors."

He says building management systems are wide open to abuse because their networks are poorly segregated, and they tend to be managed by facilities staff with little or no background in IT or networking. "Building management systems fail basic security requirements," Munro says.

The move to more intelligent buildings is fuelled by concerns over energy wastage and security, and has prompted manufacturers of lighting, access control and heating and air-conditioning systems to try to build standards to support better integration.

Much of this effort is under the umbrella of the Open Building Information Exchange, whose stated aim is to create "a standard XML and Web Services guideline to facilitate the exchange of information between intelligent buildings, enable enterprise application integration and bring forth true systems integration."

But none of the systems are designed with security in mind, claims Munro. To test his theory, he did an exercise to discover what controls are used in the new Terminal 5 building at Heathrow. A quick Google search revealed that the main controller came from Trend Control Systems Ltd. He then got hold of an example of the product and found it was open to simple hacking techniques. Munro has since informed the authorities, but has so far received no response.

"We have no idea how the boxes are configured in T5 – we were looking at a box in its default state, so the system in T5 could be perfectly secure, though I doubt it," he says. "The fundamental issue is that the controller, embedded operating system and Web server have not been 'hardened' to any significant degree. This is a common problem with embedded operating systems, as they're hard to patch and update."

A similar problem exists in the world of closed-circuit television (CCTV), where technology has moved on from discrete analogue networks to today's modern IP-based CCTV systems. "CCTV was traditionally put in by TV engineers," says Sarb Sembhi, an independent security consultant. "These same people are putting in networked CCTV after maybe just three days' extra training."

Sembhi adds that many companies are upgrading their old CCTV systems to modern networked versions without realising the security implications. "The new cameras are now built to support applications. They are effectively computers, but they do not have security built-in," he says.

According to Sembhi, the danger is that CCTV cameras could be controlled by an unauthorised user, or viewed by the wrong people. For instance, criminals might be able to hack into police closed-circuit TV systems or into a bank's premises.

Vulnerabilities in both building management systems and CCTV underline the need for information security people to work more closely with physical security, says Martin Roberts, a partner in the security practice at KPMG, LLP.

"Both information security people and physical security people share the same common goal, which is asset protection," he says. By focusing on risk and the business impact of risk, he suggests, it is possible for both disciplines to share a common language and develop a "healthy respect" for each other's concerns.

That will include understanding the various regulations and guidelines that each has to follow, which may sometimes bring them into conflict, such as opening all doors in the event of a fire alarm going off.
