In this episode, we begin our discussion on how to secure your building automation system. We will explore potential threats to a building automation system, how to assess risk, and common cybersecurity controls.
Resources mentioned in this episode
Training Video
Transcript

Phil Zito 0:00
So this is the Smart Buildings Academy podcast with Phil Zito, episode 319. Hey folks, Phil Zito here, and welcome to episode 319 of the Smart Buildings Academy podcast. In this episode, we are going to start a three-part series on how to secure your building automation system. So in this episode, we are going to explore potential threats to building automation systems, how to assess risk, and common cybersecurity controls. This is mainly going to be a conceptual episode, and then in the next two episodes we're going to get a little bit more hands-on, with the third episode being very hands-on. But if you skip this episode, you won't understand most of the concepts. So definitely don't skip this episode. Alright. So a little background here. As far as I can remember, up until probably around 2014, 2015, cybersecurity really wasn't that big of a deal to building automation systems. And that is because, primarily, we were a serial network, so a field bus network, with maybe a couple IP devices, right? We had a server and maybe a couple supervisory devices, but by and large, our what is called exposure to risk was fairly low. Now fast forward to 2022, and we've seen all of these malware attacks. So that's malicious software, that's what malware stands for. We've seen all of these malware attacks on industrial systems, power systems, etc. And if you actually dig a little deeper, there are attacks on control systems. Now I often hear from folks, when we're talking about cybersecurity, "We don't very often hear about building automation systems being hacked. Why should we care?" Well, the issue with that is that building automation systems, their attacks happen, but they're often not reported. Which brings us to understanding how attacks are reported, how vulnerabilities are reported.
And it's going to be the first area in which we're going to dive in, then we're going to look at risk, and then we're going to look at cybersecurity controls. So as far as how risk is reported, right, when we are concerned about an attack, or how attacks are reported, when we're concerned about vulnerabilities or attacks, my first place to go to is ICS-CERT. That's India, Charlie, Sierra, dash, CERT, Sierra, Echo, Romeo, Tango. And if you go there, what you will find is alerts, advisories and reports. And alerts are critical infrastructure issues, right, threats that could hit critical infrastructure, of which building automation, we serve a lot of critical infrastructure, right? We are serving healthcare, we're serving data centers, we're serving schools, we're serving government, municipalities, etc. And then we get into advisories. So advisories are where we can start to dig into potential cybersecurity risks with a specific building automation system. Now, the easiest way to do that is to look at ICS-CERT advisories by vendor, and then going and finding whatever vendor it is that you are concerned with, right. So whoever that vendor may be, out of respect, I'm not going to call out any vendors on here; you can go and search for vendors on your own. But ICS-CERT is going to tell us what vulnerabilities exist. Now, if you were to look at ICS-CERT about six years ago, there weren't a ton. It happened that there was a cybersecurity researcher named Billy Rios, who happened to find a pretty common vulnerability in a building automation system. You can go and research; once again, out of respect for control vendors, I'm not going to call out who had the vulnerability. But anyways, this guy goes and he finds a vulnerability in a major control system. And he's able to log in and mess with some graphics and mess with some set points and stuff. It was a pretty easy vulnerability to fix. But it became all the news. And it became all the news for three reasons.
One was that this vendor was a major vendor. And so all the competing vendors were like, "Hey, let's point this out," while fixing our systems because they're vulnerable to the same thing, so that no one notices. Then there was two: this guy was trying to create a consulting practice for himself in what was a greenfield environment, right? It was an environment in which there weren't really any cybersecurity consultants for building automation. There were tons for SCADA, which is industrial controls; there weren't really any for building automation at the time. So you got that going on. And then the third thing going on: control systems at the time were going IP, they're going much more web-based. And so their exposure on things like Shodan.io, which, if you've never seen Shodan.io, let me verify that that's still the login for it. Yep. You can actually search by vendor, you could type in the name of the software, and you can see publicly exposed building automation systems. At which time, people were then able to detect these building automation systems that were running on legacy systems that were on the network. So you got these kind of three things colliding, right, in like the 2016, '17 timeframe. And all of this is bringing to attention this focus on cybersecurity. Okay, so what naturally happens in the building automation world, as far as product creation and cybersecurity goes? Well, typically what will happen is the OEMs will have a couple large, really large contracts. In most cases, those large contracts... I'm actually just gonna pan this camera up just a little bit, it fell down just a little bit. So what happens in most scenarios is these large customers, they make up a big portion of the OEM's revenue, and because of that, they have a loud voice when it comes to product creation.
So what happens is, with this product creation, you start to see a big focus on cybersecurity, because naturally, these large government and private sector companies are focusing on cyber. And so they start to expect that from their controls companies. So on one hand, you've got this new interest in analyzing building automation software because of potential risks, the potential market for cybersecurity consultants, and on the other hand, you have all these organizations becoming more cyber aware. And they're now starting to come to the OEMs and demand that OEMs have more cybersecurity controls. All of this comes together and equals more monitoring on control systems, which now leads to more ICS-CERT alerts. It leads to adoption of the NIST 800 framework, specifically 800-53, for controls around the... let me, let me pull this up on my browser real quick... for controls that can be used around building automation systems. And so you're starting to see this new focus. Now, why do I have this three-part series going on right now? Because we live in a world right now where there is an increased concern about cyber attacks. And we saw the pipeline on the East Coast go down, we saw meat factories be affected. So we know that industrial systems are being attacked. Now earlier in this episode, I mentioned that a lot of building automation systems get attacked, but don't get notified. And that is because the notification rules for breaches and attacks, especially at smaller buildings, don't really take effect. There's no real overarching "Hey, you need to report if you've been cyber compromised" until you get to like hospitals and things like that. Additionally, as you dig into these types of attacks, you'll start to realize that a lot of compromised attacks, people aren't aware. I mean, the Target attack went ignored for a long time, as well as the Home Depot attack went ignored for a long time. And those were the point-of-sale attacks, because people were ignoring the reporting.
Okay, so that paints kind of a picture of where we're at. Now let's talk about the attack process. And when we talk about the attack process, we'll talk about our potential risks. We'll start to look at how to assess that risk. And then we'll talk about common security control categories. And then over the next couple episodes, we'll dive even deeper into securing your building automation system. Alright, so here's how an attack will typically happen. First thing that will happen is what is called reconnaissance. Now reconnaissance can be active reconnaissance and can be passive reconnaissance. You know, they can go and Google "facility maintenance tech at ABC hospital needs to work on, you know, ABC system version whatever." And by doing that, they've started to figure out what kind of control system that hospital has in place. Now, once they've done that, they can go and move from their reconnaissance phase, right? One second, let me grab this real quick, I want to bring something up that I can read to you. There we go. Let me bring this up. Okay. So as I mentioned, they move to their reconnaissance phase, right. And once they get to their reconnaissance phase, they're going to go and kind of figure out what they're going to attack, if it's worth attacking. And this is where they can do things like running... if you've ever heard of Nmap. And Nmap is a software that can do analysis; it can go and analyze the protocols that are speaking, it can see what ports are open on a machine, it can go and figure out exactly what the exposure is and what the attack points are at a site. So from there, they will make an attack, and an attack could be compromise via phishing, via emails; it could be taking advantage of some sort of software compromise, maybe taking advantage of a race condition, that's like where memory works faster than CPU or CPU works faster than memory.
And thus, they're able to insert malicious... bad code, I can never speak that word for the life of me. But once they've done that, they will then go and use that to establish a foothold. Now, typically, except in the area of ransom, where they're locking down your control system, typically control systems are used as pivot points. What they're really typically after are business systems, hence why, if you've ever wondered why IT is so firm about having a dedicated network for control systems, why they want things isolated, it has to do with them being concerned of someone moving laterally from your building automation network to the production network, maybe to the business network, maybe to the finance network, accounting network, etc. So, what they will typically do, except in the case of ransomware, is they will go and establish what is called a foothold. And then from there, they will either do a lateral move to another system, or they may go and, as I mentioned, ransomware. And then the cycle continues, right? They'll use your BAS as a platform to go and recon other business systems. And once they've reconned those other business systems, they move laterally. And then they go and basically do whatever they got to do. So as a building automation professional, we have to ask ourselves, what risk do we have of that happening? Because I see a lot of folks out there who are pushing the same level of cybersecurity controls... which, by the way, cybersecurity controls, those are technical, administrative and physical measures that are taken to limit the potential either for an attack or to reduce the severity of an attack. Sometimes you can't, you know, eliminate an attack. But if you have proper detection in place, you can at least detect it sooner, and you can limit the severity. But these cybersecurity controls, they are in response to risk.
So if I could give you one piece of advice, and it's a long piece of advice, it would be to go in and understand the NIST 800 framework. And the NIST 800 framework is the National Institute of... oh my gosh, I gotta remember what that is. I can't remember NIST off the top of my head. I think it's Standards and Technology, if I remember correctly. But they created a standard known as NIST SP 800, which is a special publication, and it's a series of documents. The most common document being the 800-53, which is where all of the cybersecurity controls are listed. But you want to dive into this document, NIST 800... I thought it was 31. Ah, risk assessment, 800-30. There we go. I was close, I was one off. So NIST 800-30 is a guide for conducting risk assessments. And most of you, I would say 95% of you, do not need to conduct a risk assessment; you can pretty much through common sense tell what risk exists. If you're in a hospital, that is a more likely target than Jimmy Bob's, you know, two-story office building. That's probably not a high risk target. But the whole point of risk assessments, and establishing a value, or risk value, to your assets, is going to help you determine what level of controls you want to put in place. Now, I tell you all of this so that you understand how the cybersecurity folks think at your customer site, because in reality, as we'll see in parts two and three of this series, you are going to do a couple simple things that will mitigate a lot of attacks. That being said, I still want you to understand this, because if you ever do DoD work, if you ever do any sort of large private sector work, understanding how risk assessments work, understanding how cybersecurity people are going to look at your systems, is going to be important. But you go through the NIST 800-30, and you're able to assign a risk value to potential threats.
And then based on the cost of impact of that threat, both in the impact to business continuity and the monetary cost, etc., that then adds up to a threat value. And you can implement controls, potentially up in cost, potentially up to that threat value. That's how you determine that. Now, as I mentioned, there's three primary areas of controls. And those are administrative, technical and physical. The easiest ones for us to go and implement are physical and administrative. Technical usually requires the customer, except for a handful of things like using encryption, certificates, patching, etc. Sorry, it's, as you all know, it's so dry here, and I still do not have a humidifier. So you have to forgive my coughing. As I was mentioning, though, administrative and physical are the easiest things. So I've often run into customers who are like, "Hey, your system needs to be super cyber secure," which I don't know what super cyber secure means, so we'll take that at face value. But what I say to them is cybersecurity and technical controls do not, and this is important, do not matter if the system's not physically secure and you don't have good administrative policies. So I want to give you like a helpful tip that you can use today, right now. And that is physical security and administrative security controls you can implement right now to make all of your systems and installations safer. What I mean by that, physically: making sure there's a UPS on the server, making sure the server is in a data closet, making sure that your panels actually have unique key blocks on them, making sure that wherever you put your control systems, the IP control systems that can be compromised, that they are actually secure and isolated from outside folks. Because it doesn't matter what level of cybersecurity you have if I can physically get to your machine. There's a saying in the cybersecurity world that if you can physically access the machine, you can compromise it.
It's just a matter of time till you can compromise it if you can physically access it. So having our physical access secured is critical. The second thing is administrative. We've all seen everyone share usernames and passwords. We've all seen poor passwords. We've all seen people browsing ESPN or, you know, whatever the fantasy football team website of the day is, on the server. So not having proper administrative controls like internet use policies, password policies, unique passwords, password reset policies, not having those things implemented is going to make your control system less secure. So right off the bat, just implementing those two things is going to make your control system more secure today. So how do we assess risk so that we can make a decision? Well, this is where it becomes really difficult for control systems, because there's not a lot of data around control system breaches. So for us, you know, there's that term, actuary tables, when they do a risk assessment on you from an insurance perspective, whether you're going to die based on your life cycle or lifestyle. So we don't really have actuary tables for control systems. And that in itself becomes a problem, because we're like, alright, we need to assess risk, but we have nothing to base that risk on. So what I like to do is I like to look at the industrial tables, which there are industrial tables; you can look at "likelihood of cyber attack, industrial control systems." And when you do that, you're going to come up with a couple of websites. FireEye has a good PDF on it. Packet Labs has a nice little data sheet on it. And based on that, you're able to see the likelihood of attacks on specific vertical markets like healthcare, industrial, shipping, transportation, etc., as well as what kind of attacks happened and the controls to mitigate them. So once we do that, once we figure out, okay, this sector is likely to have this kind of attack, then we're able to put a percentage on that.
And we're able to go and say, alright, healthcare is likely to have a ransomware attack, right, because it's got private health data, it has... and a data breach. It's not likely to have a DDoS, which is a direct... distributed denial of service, sorry, attack, which basically brings down the network. So you're not likely to have a DDoS on healthcare, but you are likely to have a data breach so that people can collect private data. Now you have to ask yourself, alright, if someone wanted to collect private data, and they wanted to use my building automation system as a foothold to do that, how would they do that? Well, first, they would have to compromise my server. So, you know, I see all these people wanting to secure their field level networks. I would ask myself, what has an operating system that can be used to pivot? And that's typically my supervisory devices and my servers. So how do I mitigate those risks? Well, closing unnecessary ports, going and patching my software, going and keeping my software up to date, going and, you know, keeping my servers secure, and not running unnecessary services. So I'm able to look at the potential risks that I found in that industrial table. I'm able to say, okay, the percentage of that happening is X; what would it cost my company if my building automation server was used to compromise 10,000, you know, patient data records? And cost of record compromise... cybersecurity, what is it at today? So individual, let's look: cost of individual PHI, personal health... Let's see, there used to be an easy per-person chart, but I'm not finding it here. But if I remember correctly, it was something to the effect of, like, $1,000 is what they were willing to pay for it. That's how much people are going to pay for a... but like a piece of personal data, but if I remember correctly, it was like 50 bucks a record that you could get sued for. I'm not 100% sure on that. But you can see how it adds up.
And so that's kind of the math you do in your head. And then that's how you determine what level of cybersecurity controls you put in place. Alright, but here's the real simple answer to things, like if you were saying, "Phil, for 95% of the sites, what should I do?" I would say, have a password policy. Have unique usernames and strong passwords. Have your systems locked up, have them patched, have certificates installed, and turn on HTTPS. I mean, if you do those things, you will be ahead of the curve on most of the people. And we'll talk more about those kinds of controls in the next two episodes. Alright, so through this episode we've gone and we've talked about potential threats. So far, we've talked about our threat around compromise for data stealing, basically. Now we're going to look at our threat for direct denial of service. So depending on, like, if you're doing an airport, or maybe you're doing a local government or school district, this is where DDoS could potentially come into play. So what happens with DDoS is a bunch of computers get malware on them. And that malware allows people to remotely control those computers. And then with those remote-controlled computers they send packets, which are data packets, to your exposed server. So if your building automation server isn't exposed, you're less likely of a risk to DDoS. But what they'll do is they will send a flood of packets, and then the server cannot handle all the packets, and it will shut itself down. And you've seen this happen a couple times lately, where you had web service providers shut down. Most recently, I think it was a DDoS against the domain naming servers. And so you saw, like, Yahoo go down, PayPal, a couple of sites. And that was last year, maybe the year before. So DDoS is a potential attack. But it's not the one I'm most concerned about. The one I'm most concerned about is not ransomware, is not DDoS, and it's not compromising for escalation.
The one I'm most concerned about is disgruntled employees. So what I see on a lot of controls companies and a lot of sites is people not going and actually shutting off credentials as soon as someone leaves. So people still have access to the building automation system. And what that means is they can go, they could change set points. We've all seen where, like, you have all your K factors on the graphic, your calibration factors for test and balance, and someone changes those, and there's no record of the change because you have no auditing enabled on your control system, and none of the records are written down, and there's no backups. So now this person, by just changing all the K factors or changing set points, has really hosed up your system; you got to spend thousands, if not tens of thousands, of dollars bringing a system back up. So that is the thing that, if I were a control system provider, that's what would keep me up at night. I'd be less worried about, you know, ABC country deciding to attack my control system. There definitely is that risk if you're like DoD, or healthcare, or maybe some sort of large private institution. But for most folks, I would look at purposeful or accidental user compromise and user damage to your building automation system. That would be my biggest worry of a threat. So those are the primary threats. We've talked about how to assess risk. And we've talked about some common cybersecurity controls that you can implement. We're going to dive even deeper into those in the next two episodes, which will be on Wednesday and Friday of this week. As always, everything can be found at podcasts at smart buildings academy dot com forward slash 319. That's podcasts at smart buildings academy dot com forward slash 319. I hope this has been helpful. What will guide me moving forward
is the questions you ask, either in the chat if you're here on YouTube, on our website in the discussions you use, or if you're on social, LinkedIn or Facebook, the questions you ask there. Those questions are going to guide how I explain things in parts two and three. So definitely your engagement and questions will guide what we cover and whether we may be at a four, part four, part five, depending on what you ask. So thanks a ton for being here. I hope this kind of gave you a history of cybersecurity in the building automation world, gave you an understanding of some basic terminology, and gave you an idea on a couple things you could do right now that would be beneficial to your control system. Thanks so much for being here. And I will see you all Wednesday, 9am Mountain Standard Time. Thanks. Take care.