Planning for the worst
The integration and interconnection of building operating systems over an IP network provide building managers with significant benefits, but they can also expose businesses to greater cyber security risks if they don’t have a fall-back plan, says an anonymous CIBSE expert working in the security industry.
17 June was an important date for building owners and operators. On that day in 2010 the Stuxnet malware (malicious software) was identified. Unlike conventional malware, which wreaks damage in the virtual world, Stuxnet targeted the software controlling pumps, valves, lifts, lighting and machinery. It was the first computer virus with the potential to cause real-world damage.
Stuxnet was designed specifically to target programmable logic controllers running Siemens software through vulnerabilities in the Windows operating platform. The internet is awash with theories as to where the virus originated. The most popular is that the US government introduced the virus to target the centrifuges used by Iran in its Natanz nuclear enrichment facility, the output of which was ostensibly for the country’s nuclear power stations but which could also be used for nuclear weapons.
The malware, which is now supposedly patched, shows how building systems can be compromised and highlights the damage that can be done by viruses infecting process controllers and even building management systems (BMS). It is a threat that is likely to increase with the greater integration and interconnection of building controls and other systems because the BMS is often networked with data centres, remote access servers and even utility providers through open protocols.
Imagine the impact on an organisation if hackers were to take over control of the lifts in its headquarters, or turn off the fire alarms and lights and turn up the heating. The building would be unusable and normal business operations would have to halt.
In the past, cyber attacks on building systems were less of a risk because each building service had its own dedicated cabling system and controls protocol. Over time, however, these systems have migrated onto a common internet protocol (IP) based cabling system. A single IP communications cable (such as a Cat 6) might now carry everything from business systems such as voice, data and video to security, energy management, access control, lighting, lift controls, HVAC and fire and life safety systems.
The big advantage of this convergence is that it enables increased interaction between systems to maximise energy efficiency and to provide real-time information on how buildings are being used, often with the ability to access and manage multiple buildings remotely.
The downside of having an external access facility is that it can be exploited by cyber criminals. This was the case with Target stores in the USA. In November 2013, attackers gained admittance to Target’s IT network by stealing access details from the company’s HVAC contractor, which was authorised to access the system to enable it to monitor energy consumption and temperatures in the firm’s stores. Once in the system, the attackers then went on to steal payment card details for the retailer’s customers. According to BSRIA research, over 90% of all larger buildings (those above 50,000 m²) in the USA “have some kind of BACS and many are to some degree at risk”.
While the attack on Target was confined to a single business, the government is concerned that vulnerability to cyber attacks can extend outside of buildings and into the electricity network. The Government’s Science and Technology Committee describes the threat as “significant” in its report Resilience of the Electricity System. It is a threat that is likely to increase as the grid becomes smarter and ever more dependent on ICT and two-way communication between buildings, their management systems and the grid.
Until the Stuxnet attack the security of building management systems was not considered a high priority. While security protection of computers and servers was considered, much less attention was given to the protection of HVAC equipment and lighting controls, for example. This is no longer the case; experts now warn that if a device is on a building’s network it can be discovered and used as a launch pad to infiltrate other devices and systems.
It is not simply newer buildings with fully integrated building systems that are under threat; older buildings running legacy BMS systems, which are based on older operating software, are perhaps even more susceptible to attack. This is because the system’s vulnerabilities are well known to hackers and the software provider may have stopped updating the system with security patches, providing an open back door for malicious attacks on a building.
For businesses, developing, testing and deploying security measures in their buildings should be an ongoing process. To help prevent cyber attacks building operators should assess the vulnerabilities of every building system and determine: what its loss will mean to the ongoing operation of the building; its impact on the occupants; and its impact on the business. This will allow measures appropriate to the threat to be implemented.
Even with comprehensive security measures in place, experts are warning that building occupiers should still assume that all the preventative measures will fail. As a consequence, they should design the building services to operate for this worst-case scenario. This is far from straightforward: if there were a power failure in a building and the standby generators’ firmware had been hacked so that the control system failed to recognise the power failure, how easy would it be for a business to override these controls and start the generators manually?
David Fisk, Professor of Systems Engineering & Innovation at Imperial College London and a past president of CIBSE, says it is critical for building services to have some basic hardwired ‘black-start’ functionality to allow manual operation as a fall-back. “An identified minimum level of service and hardware hardwired that can provide it is thus essential,” he says in his paper Cyber Security and Building Services. “The very existence of such a plan may not make the reward of a targeted attack worthwhile”.
Spelling "Steel" = Steal!
Thanks for the spot Dave, we've fixed it!
Surely this highlights other risks to our ever increasingly "smart" buildings. Are they not also at risk from transient voltages, switching surges, induced voltages and lightning electromagnetic pulses? As we include more and more intelligence and connectivity into our structures should we not think more about how to ensure they are safe and to ensure continuity of use?
By using a cabled weather station with multiple sensors you can gather data and forecast weather reports sitting at home. You also can avoid some unusual and harmful weather effects.