In December 2018, the FBI warned that unpatched devices on networks were exposed to hackers through an open port used to communicate with control systems.
The alert was specific to port 1911 and the associated Fox protocol used for building management systems (BMSes). It focused on one protocol and one open port on the internet. This is another example of security problems with BMSes and smart building controls.
There have been a few high-profile cyberattacks on businesses via a building management system. One instance was the Target stores attack in 2013. Criminals gained access to Target's point-of-sale (POS) system software to obtain the credit and debit card data associated with over 110 million accounts.
However, the criminals did not directly attack the POS, but instead began stealing login credentials used by Target's heating, ventilation and air conditioning vendor when they connected to the Target web applications. Through this vector, the attackers gained access to Target's Active Directory and, ultimately, the Target POS system where they could collect credit card numbers and other sensitive data.
In another example from 2014, a hacker broke into the building control system of a five-star hotel in Shenzhen, China, to manipulate room control systems and steal customer data.
What is a building management system?
A building management system is also known as a building automation system, a building management and control system, direct digital control, and building control. A building management system is an intelligent microprocessor-based controller network installed to monitor and control a building's technical systems and services, such as its air conditioning, ventilation, lighting and hydraulics.
BMSes are more than just temperature control systems, and they can be directly integrated with a broad range of building services, including access control, security, power, lighting, fire systems, elevator and escalator controls, smart whiteboards, and clinical systems. A building management system can be proprietary to a vendor using such protocols as C-Bus and Profibus or it can use analog and serial connections or internet protocols.
The expanded use of BMSes is driven by the quest for increased building automation to save resources. Some governments require advanced building controls to achieve environmental goals, and LEED green building certification requires optimal controls. According to ASIS International, the use of building management systems is growing at approximately 15% to 34% annually. By 2022, the building management system industry is expected to be worth around $104 billion.
A building management system is modular in nature
A simple way to look at a BMS is to consider it a series of building blocks or components that are connected and networked to achieve optimal building controls. A BMS can range from a simple, IP-enabled thermostat in your home to large, automated, intelligent building systems that track employee movement and access.
The four key modules of a building management system include management, automation, field devices and communications. The management level includes the human-machine interface, enterprise software, workstations, servers and, sometimes, network switches.
Automation is the primary control for field devices. An example of automation equipment is programmable logic controllers.
The field device level includes physical devices such as sensors and valve/louver actuators connected to actual equipment. Examples include fans; temperature, pressure, and level sensors; and light switches.
Communication can be conducted via the more common Ethernet and IP-based protocols or proprietary communications systems. Common protocols include BACnet, LonWorks, DeviceNet and Modbus.
Common business management system vulnerabilities
Advanced BMSes are computer systems that send and receive signals on a network to control field devices. These systems are just like any IT device or industrial control system where there are numerous opportunities for cyber and physical vulnerabilities to exist.
For instance, a BMS can be installed with open and exposed ports that can be used as an attack vector. For the Fox protocol used by some BMSes, a Shodan query identified 20,000 components directly connected to the internet via port 1911, according to a report by CyberScoop.
Another common BMS vulnerability is ineffectively controlled remote access to systems. The Target hack demonstrated how remote access, if it is not rigidly controlled, can be used against customers.
A third vulnerability is missing or incomplete physical security protection of BMS field devices, controllers and workstations. Open and unlocked control cabinets and programmable logic controllers are an opportunity for an attacker to connect to a BMS network and inject malware or otherwise sabotage devices.
One last, often-overlooked vulnerability is an aging BMS. Many buildings still have legacy BMSes installed that could be subject to simple attacks, although some of the older systems are analog-based and are not as easy to hack as modern, Ethernet-based systems. Regardless, the old systems may have default passwords that can be found on the internet and that cannot be changed or patched. These old systems may also have open ports that cannot be blocked unless you install a major -- and expensive -- upgrade or retrofit.
To learn more about building management system attacks and protections, check out part two of this series.