20 min read

SBA 321: How to Secure Your BAS Part 3

By Phil Zito on Mar 7, 2022 3:42:46 PM

Topics: Podcasts

In this episode, we discuss common attack methods that can be used to attack a BAS, we look at how attacks progress, and we discuss cyber security controls that can be put in place using existing frameworks.


Resources mentioned in this episode

Training Video



Transcript


Phil Zito 0:00
This is the Smart Buildings Academy Podcast with Phil Zito, episode 321. Hey folks, Phil Zito here, and welcome to episode 321 of the Smart Buildings Academy Podcast. In the past two episodes, we've been diving very deep into how to secure your building automation system. And in this episode, we are going to kind of take what we've covered so far, and we're going to add a little bit of color to it. But we're mainly going to focus in on BAS attack methods. So how are people going to attack your building automation system? What controls can you put in place to mitigate those attacks? And just, you know, any questions folks have in the chat or have sent us directly; I've got a couple of questions to cover. All right, let's dive in. As always, everything can be found at podcast.smartbuildingsacademy.com/321. Once again, that is podcast.smartbuildingsacademy.com/321. So in the previous couple of episodes, we went through how to establish a threat rating for your customer's building, or for your building if you're a customer watching this. So we talked about how you can do that, how you can use actuary tables from industrial attacks, and kind of figure out what is the likelihood that there is a cyber risk for my building based on my vertical market. Then once you understand that, once you understand the attack and how likely that is to happen, we then talked about some frameworks that you can implement. Specifically, we talked about the NIST 800 framework. And you know, that's kind of the preferred framework for implementing risk assessments and implementing controls. Alright, with all that being said, let's talk about the most common attack methods that folks are going to utilize when they are targeting building automation systems.
So right, the attackers have gone through the reconnaissance phase. They've decided that your building automation system, or your customer's building automation system, is an attackable asset that they want to go after. So they're going to pursue this asset; how can they attack it? Well, it depends on what they want to achieve. If they want to compromise the building automation system and use it as a launching point for other attacks to other systems, then you're going to see two primary attacks. One is going to be the phishing attack, which takes advantage of humans, and basically can be done over the phone, via email, via false websites, etc. And then there's malware. So phishing. There are kind of two forms of phishing. There's bulk phishing, which is, you know, a mass email gets sent out, and then using that mass email, hopefully someone takes action on it and gets compromised. There is another attack format, which is called spear phishing, where people research the individual and then make specific attacks based on that individual. You know, we've seen that in our organization, where people have contacted some of my employees and have asked them, you know, "Hey, I'm on a call with the customer. Can you send some gift cards to someone?" They have, you know, gone and researched me, researched how I communicate, and formatted their communications in a specific format that would be more likely to accomplish the attack. So it can be things as simple as, "Hey, can you purchase gift cards," or "do this," or, you know, "Hey, you owe taxes," or whatever, all the way to trying to get someone to click on a link and download malware, which will be our next attack we'll talk through, or something like, "Hey, can you give me your username and password? That way I can log in and verify." I've seen that attack actually happen more often than you'd believe, with owners who get contacted by their controls rep, and their controls rep asked for their username and password because they need to check on something that's abnormal with the building automation system. And so that's how they get attacked. Alright, so how do you deal with phishing attacks? It's primarily training. If someone is contacting you over the phone, then you'll want them to actually verify, and what you can do is you can hang up and actually call their office back and see if that person is actually real. Additionally, if they're requesting information, you can ask people to mail you that information. You can go to their website and actually see if they're a legitimate organization. So phishing is a common attack method, and the only way to really counter it is to train your employees to be aware of common phishing techniques so that they can deal with them. If in doubt, escalate and verify. Malware is the next attack vector, and this one is becoming increasingly more common. There's two forms of malware, malware being malicious software. Now malware can be utilized to take advantage of vulnerabilities in control systems. As I mentioned before, if you go and look at ICS-CERT and you Google your manufacturer, you will see any vulnerabilities that exist for that manufacturer's software, by the version, any vulnerabilities that have been discovered. People can use those vulnerabilities, you know, a variety of different ways: encryption vulnerabilities, software vulnerabilities, authentication vulnerabilities, etc. And they can use those to compromise machines and introduce malware. Now malware, malicious software, can be used to take advantage of the machine on which your BAS is running. And then they can use that to remotely connect in and attack business networks, or to just compromise the building automation network. Typically, I don't see people compromise the building automation network in order to take advantage of that, outside of ransomware, which we'll talk about in just a second.
But you do see people compromise building automation software in order to make pivot points to business software and business networks. You do need to be aware of this. How can you address this? Patching, for one. Make sure your building automation software is patched and up to date, especially if the patch is in response to a building automation software vulnerability. So always be checking ICS-CERT at least once a quarter, making sure your building automation software is up to date, so that you are not being taken advantage of and malware is not able to be implemented. Additionally, implement standard controls like intrusion detection, intrusion prevention, firewalls, antivirus, etc. And finally, don't download files that you don't understand. Don't use the building automation server as a web browser. Don't go and download video games or software for your, you know, fantasy football league, etc. Those are all ways to get malicious software. And a third method that I've seen people utilize to defend against malicious software is scanning any USB device that is plugged in and sanitizing it prior to allowing it to be used. This is common with more advanced antivirus software, that it will scan USB drives, etc. So we talked about phishing, and we talked about malware; we'll talk about ransomware in just a second. But I want to talk about DDoS. You don't see a ton of DDoS attacks, which is a distributed denial of service attack. Basically what happens is a bunch of people's PCs, personal computers, get compromised by malware, malicious software. And those computers then submit ping requests or various message requests against your building automation web server, which then takes it down. Right, because the server can't keep up with the traffic requests and crashes. You may recall last year there was an attack where, like, Yahoo and eBay and all these people went down. It was because their domain name service servers were DDoSed.
And so even though, if you knew the IP address of Yahoo or eBay, you could contact their servers directly, because the domain name servers were brought down, the IP address could not be resolved from the domain name. So, like, you type in yahoo.com; the DNS server actually resolves it to an IP address so your messages can be sent. Well, since those were taken down by DDoS attacks, you couldn't go and connect to the servers. Alright, so DDoS, while not a common attack vector against building automation systems, it is one that is difficult to defend against with building automation systems, because most manufacturers are not expecting 1,000 different messages to hit their web server at the same time. That being said, if you are going to externally face your building automation service, meaning, like, you want to make your web server externally accessible to the internet, not only should you implement, you know, firewalls and access control lists and intrusion protection and detection systems into that, which we'll talk about in just a little bit, but you should also go and make sure that you're using things like proxies, things like traffic balancers. You know, Cloudflare is one that comes to mind that can be used to regulate the flow of traffic to a server. You know, it's something we implement at our company to regulate the flow of traffic to our web servers, so that way, you know, if someone starts sending a ton of requests, the provider, like Cloudflare, should be able to detect it and should be able to go and see what is going on. And Kai's Aster, I see your question; I'll get to it towards the end. But as I was saying, DDoS is an attack that, if implemented against building automation systems, there's not a lot of counters to, because people don't implement counters. Most of the counters that are implemented, most of the controls that are implemented in the building automation world, have to do with confidentiality and integrity, but not availability. So confidentiality: making sure that the data between the web server and the server is confidential, encrypted. And integrity: validating that the data between is not, you know, being hit by a man-in-the-middle attack who is, you know, changing the chiller setpoint. I mean, that's how the whole, what was it, Stuxnet virus in the Iranian reactors went down, was that they basically made the reactors think that they were spinning slower than they were until they spun out of control and destroyed themselves.
Alright, so with all these attack methods, what can we do? Well, I'm always gonna point you to NIST 800-53 Rev. 4, at the time of this recording. Now, if you go, excuse me, sorry, I'm still suffering with this dryness, folks; no matter what I do, how much water I drink, it just does not go away. Alright, so if you go to NIST 800-53 Rev. 4, you are going to see, and you go to the PDF, you are going to see a list of security controls that you can implement. Now, the nice thing about this is there are a ton of security controls. The downside about this is that there are a ton of security controls. So really kind of figuring out what security control you are going to implement is going to be something that you're going to make based on the assessment of risk that you decide on for your building automation system. Alright, oh man, sharing screen, huh, I didn't realize that. Let me, give me one second here. Let me turn that capture off. There we go. Alright, so let's continue here. As I was saying, NIST 800-53. If you're taking a look at it, there are several different categories for NIST 800-53, and each category is associated with different things, everything from media protection to information assurance, to access control, etc., authentication, auditing. So when you are looking, and you're trying to figure out what you're trying to protect against, you want to take that into account. There's also training, etc. So the thing I point out repeatedly, whenever I'm implementing controls, is that there are three categories of controls. There's administrative controls; these are gonna be things like training, policy, etc. There are technical controls; these are going to be things like firewalls, intrusion protection, etc. Right. And then you have physical controls; these are going to be things like UPS, backups, isolation of your control system, you know, locking doors so that people can't physically access it, etc., etc. So when I am thinking about those controls, and I'm thinking about how can I implement them, I'm going to talk through: alright, first, we have to assess our risk. Now, if you are a hospital, you're a DoD training facility, you're a data center, that's a completely different risk profile than, you know, a three-story office building. I've said this time and time again. Once you've assessed that risk, then you need to look at your level of influence. If you're a contractor, what level of security controls can you provide, and which level of security controls should you provide? Well, you know, if you're implementing remote access to a building automation system, you should probably implement security controls related to authentication, related to encryption, related to data integrity. If you are simply a facility operator, and this is just, like, an office building, you may want to have physical backups, right?
You may want to have a UPS backup so the system can stay online, but you do not need to implement integrity controls or authentication controls. So you have to take that into mind. Alright, going through, looking at administrative controls: administrative controls are related to training. As I mentioned, phishing training, training people on phishing; having an acceptable use policy on what websites you can go to, what you can access on the building automation server, what you can't access, etc. Now, realize that for almost all administrative controls, you can implement technical controls to basically enforce the administrative controls. So for example, if you don't want people going to certain websites, you can whitelist or blacklist websites using your router, or using a data filter, or a protocol filter, or something like that, and/or a proxy server. And by going and keeping people from accessing certain things, you can do that from a technical perspective. And this is really important, because so many people think, well, I can't get people to, you know, change their passwords. Well, you can implement a technical solution to a password policy which forces password resets, or forces complexity of passwords. So for almost all administrative problems, outside of training, there is a technical solution. So just be cognizant of that. If you're having trouble implementing password policies, if you're having trouble finding out who's, you know, logging in in the middle of the night and changing setpoints, you can implement auditing, you can implement password policies, you can implement timeouts, session timeouts, you can implement session limits, how many people can log in at the same time with the same username. So there's a variety of things you can do from a technical perspective. And the good thing is, the majority of building automation systems should support these technical controls.
Now, physical controls. This is something that's often overlooked, quite often overlooked. And it's kind of to my dismay that it's overlooked. You see, when you have a building automation system, it does not cost a terrible amount of money for your main supervisory panels, and for your server, to connect to existing EM power, emergency power, and to put a UPS in place, so that you have the building automation system stay online. And then it stays online through the transition from normal power to EM power. But something that's often forgotten, when people implement controls like that, like a physical control, like keeping the system up and running, is they may be putting a UPS on the supervisory device, but not on the switch that powers the network. So if you're going to implement a strategy like that on a supervisory device to keep it up and running, you want to do the same thing on the switch, because if the switch isn't gonna run, then you're gonna have no network traffic between supervisory devices and servers. So you got to think through these things logically, like, okay, what am I trying to accomplish here? I'm trying to keep my building automation system up and running from normal power to EM power switchover? Well, I can keep my supervisory devices and servers up. But if I keep them up, and the switches aren't up, they're gonna stop communicating, there's gonna be issues, there could potentially be interlock logic that fails, so you didn't achieve your objective. So you got to think through these kinds of things. Additionally, with physical controls, things like locking doors, things like access control, things like changing the default locks on your panels, because, you know, if you have a key for a Hoffman panel, you have a key for almost all Hoffman panels. So just be cognizant of that. They may have changed that recently, but last I checked, if you had one panel key, you had a panel key for pretty much all panels.
So just be cognizant of that and think about how you physically protect your devices. Okay, so administrative and physical controls. Logical controls are more difficult to implement, because you're limited as to what your building automation company and provider supports. So do they support TLS 1.2 or above? Do they support HTTPS and certificates? Do they support auditing of their systems? Do they support, you know, LDAP, so, you know, Active Directory, linking to usernames so that you can automatically decommission a user account if they leave? These are things you need to be asking yourself, and these are things you'll see in that NIST 800 Special Publication 53 Rev. 4; you will see different controls like that. So be cognizant. Additionally, things that aren't thought about from a cybersecurity perspective are things like virtualization. If you virtualize a server, and you keep a server image, and you keep that image off site, then if that site is compromised with ransomware, which we didn't talk about yet, I realize. Ransomware is simply malware that takes advantage of a machine, locks it down, and you need to send them money, excuse me, usually in the form of Bitcoin or some sort of untraceable currency, in order to get a password to unlock your machine. Now, the problem with ransomware is the machine's locked unless you pay the ransom. But if you have snapshots regularly being sent off site, then you potentially could have secure versions, safe, clean versions of your building automation software that you can roll back to, rather than paying, you know, tens to hundreds of thousands of dollars for ransomware. So it's something to be cognizant of. Virtualization also enables you, if a physical machine fails, to roll back right to that physical machine on a different physical machine. So there are a lot of benefits of virtualization and creating images of your machines. These are all things that I want you to be thinking about. These are things that you can definitely message us about, and we would love to discuss with you either in the forums, oh, wait, you're not in our courses, never mind, in the discussion areas of YouTube, LinkedIn, Facebook, wherever you're watching us. Now I do have a series of questions. I got one that came live through chat, and I got a series that have been sent to us after the fact. So I will go and answer those. The first question: how do I recommend folks interested try to get into the BAS industry? Well, shamelessly, we have had a good bit of success with our workforce development program. Not to belabor the point, but you can find out more information about that at our website, at smartbuildingsacademy.com. So feel free to go check that out. I don't want to turn, and I always try, any of you all who have followed us for any amount of time know I try to avoid turning our YouTube or any of our free content into commercials for our products. So if any of you are interested in our solutions, go to smartbuildingsacademy.com, and that's where I will leave that. Okay, so someone messaged me the other day.
And they said to me, "How, Phil, do I understand how much risk is at my site?" And this is probably not, it's not probably, it is the most difficult problem to solve. Like, figuring, once you know the level of risk exposure, once you know, like, okay, I've got a 40% likelihood to have this attack hit, then you can say, okay, if someone hit me with a ransomware attack and took down my building automation system for my hospital for two weeks, and I couldn't, you know, run surgeries, you can directly establish a cost against that. You can say, okay, the operating room makes this much revenue a day, we have 10 operating rooms, 10 times that, you know, for two weeks, so times 14, times 40%, so times 0.4; that is our risk exposure. And thus you could say, okay, you know, maybe that comes out to be, like, $80,000, just, you know, throwing numbers out there; we can say we can spend up to $80,000 on cybersecurity controls, because that is our risk. Now, this is the challenge. There is so little data on building automation attacks that creating that risk profile, and figuring out what your likelihood of risk exposure is, is very hard. So what I tend to tell people is take whatever vertical market you're in, hospitals, airports, data centers, whatever, Google the cybersecurity risks for different attacks for those vertical markets. Okay, so for, you know, hospital, excuse me, what is the ransomware likelihood for a hospital, and maybe it's 20%. So you've got 20%. Now understand that a building automation system is even less likely to get targeted, okay. So you can reduce that even lower. So you went from 20%, maybe, to just 10%. Now, you've got a building automation system that is not connected to any public network, so there's no way for it to access the internet; you can reduce it even more from there.
So you can go from maybe 10% to maybe 2%, because there is that still slight possibility that someone brings in a USB drive that has ransomware on it, that's from another compromised machine. And so then I say, okay, ransomware, how likely would this be? 2%. How long would we be down? Let's say two weeks. What would that cost us? You know, like I said, cost us $80,000 times 0.02. And that gives you your cost of exposure. Then you can go back and say this is how much we should spend on cybersecurity controls, and/or training, or consulting, whatever, based on this percent. It is not a scientific method. But unfortunately, there is just not a ton of data around building automation hacks. So, that is the method I have used in quite a few consultative engagements to go and analyze cyber risk. That's a very simplified approach. But that's basically how the risk management framework works: you establish your risk, you implement your controls, you test your controls, you monitor your controls. Alright, when I say controls, I'm talking about cybersecurity controls. Okay, what are my thoughts on implementing BACnet Secure Connect? So I will tell you, I did an entire episode on BACnet Secure Connect. My opinions of BACnet Secure Connect still stand to this day with that episode. I still think it is a solution looking for a problem; I still think that there are things that are off the shelf, standard protocols, that can be implemented. That being said, I do realize that there are a lot of untrained folks in the world of cybersecurity and IT. I mean, we still have an industry that by and large struggles to get IP addresses, struggles to understand routing, struggles to understand LANs and VLANs. So with that being said, embedding a secure protocol into a building automation system solution, kind of crushing the pill into the applesauce, is not a bad approach. I just think we are band-aiding a solution, or band-aiding a problem, instead of creating a solution, which would be to recognize that our systems are primarily going IP, recognize that we're moving towards more data-centric systems, and training people appropriately. That would be the ideal solution. I do realize that that is expensive and doesn't happen overnight. So BACnet Secure Connect does seek to address that.
That being said, BACnet Secure Connect is being largely promoted as a solution for the entire building automation system. In actuality, the compromise of MS/TP devices, I've never seen that actually happening. I know in theory it can happen, but that would be a very extensive hack to pull off. You'd have to get in the ceiling, take down a controller, impro M, interrupt the MS/TP bus, take that interrupted MS/TP bus, and then somehow form messages that exist within the BACnet framework that can be processed by a building automation device to compromise that device. So BACnet Secure Connect, I would implement it at the IP level, but I don't see the benefit of implementing it at the field bus level. Additionally, you see that it is proposed that it solves the BBMD/BDT issues. Once again, I've talked about this at length: BBMDs and BDTs are issues because people don't understand routing, they don't understand broadcast domains, they don't understand basic IT concepts; they are not that difficult. I've dealt with campuses that have huge broadcast domains. And the reason that they get slow, and the reason that they are issues, has less to do with broadcast, has less to do with BBMDs and BDTs sending a bunch of traffic. They're usually running them on antiquated networks that they haven't updated, and they haven't managed their broadcast domains. So that being said, if you want to know more about BACnet SC, definitely go and look at our BACnet SC podcast. I will share that at podcast.smartbuildingsacademy.com/321. You can check out my thoughts on BACnet SC there. All right. What level of IT training do I need to understand cybersecurity? Well, therein lies the rub. So it depends on what you do. If you're going to be implementing networks, which very few of you are going to be doing, then understanding things like secure access control, port access control, things like properly implementing access control lists, etc., are going to be important for you to understand. But the reality remains that for the majority of you, you're still not going to be able to log into someone's Cisco switch or someone's Cisco router, or even go and set up someone's network security profiles for their Active Directory domains, etc. Because of this, understanding the terminology, understanding what you can and cannot support and implement in your BAS device, those are the areas I would focus on. I would not go and try to learn how do I implement, you know, secure tunneling on a switch or on a router, how do I go and implement port-based access control, because the reality is, most of you are not going to do that. I would go and understand: what are certificates? How do I create a certificate? How do I go to a certificate authority and create a certificate? What's the difference between TLS 1.0 and 1.2? What's HTTPS? What is the importance of having auditing on my building automation system? Why would I want unique usernames and passwords? Why would I want strong passwords? Why would I want auto timeout on logged-in accounts? Those are the areas I would focus in on. And they arguably do not have huge IT requirements. Now, if you're going in implementing integrations, if you're going in implementing analytics, if you're going in implementing remote access, this is where having some IT understanding would become important. But the level of IT understanding that you need for our industry still remains at layer three and layer four, which is the OSI model, which basically says at the IP layer and at the MAC address layer. That's where most of our magic gets worked. That's where most of our IT knowledge needs to exist. Now, there's definitely stuff on the database side.
There's definitely stuff on the web server side, on the server side. And that's important. But most of the time, if you follow the manufacturer's hardening guides, you should be just fine. All right. So there we have it. Those are the questions. Thank you so much for those of you who sent in the questions. And by the way, thank you for those of you who went on iTunes and gave us five-star reviews recently. I see that, I appreciate that; that really does help boost the eyeballs. And those of you who hit like on the YouTube videos, like and subscribe and push the bell, that helps a lot as well. There's not a lot of us out there producing building automation content, and so definitely you all supporting us is much appreciated. The times, once again, for this hour are changing. Our workforce development program is exploding; we are having so much interest in it now that we are having to shift around times so that I can support those students. That being said, that means that our podcasts are going to be moving towards the afternoons, 2pm Arizona time, which, depending on where you're at, is going to ebb and flow because Arizona doesn't have daylight savings time. So just keep an eye on the YouTube channel. I try to keep these one week ahead so you can see where they're at. Obviously, I have not done that yet this week. But definitely keep an eye on the channel, because you'll see Wednesday and Friday links rolling out shortly. We're going to be shifting; we're going to be talking about workforce development. We're going to be talking about training, we're gonna be talking about learning. I've seen so many folks lately reaching out on the Controls and Building Automation Facebook page, on our YouTube page, on our LinkedIn, directly through our chat, asking how they can learn building automation, how they get a career in building automation. So I'm going to focus a lot on that.
I'm gonna take what we've learned taking people from knowing nothing to being able to install and commission building automation systems. So I'm gonna start sharing that with you. Thanks a ton for being here. Everything will be available at podcast.smartbuildingsacademy.com/321. And I will have this up on the website shortly. If you're listening to this, thanks so much. And if you are watching, definitely leave questions and comments and we will address those in future episodes. Thanks so much, everybody. Take care and have a great rest of your week.

Written by Phil Zito