Robert Miller, Security Consultant
4 mins read
Through measurement of various environmental factors, it is possible to improve the efficiency of some BAS Heating Ventilation and Air Conditioning (HVAC) systems. Google have recently announced that they have used such methods to reduce their "data center cooling bill by 40%". Many BAS vendors now offer "smart" BAS systems, allowing remote administration and detailed metrics. BAS has come a long way from the simple thermostat. So has security moved with it?
Maybe the first question that should be answered is "Should we be concerned about BAS security?". Clearly, we should take some measures, but how much is enough? What threats should we be protecting against? The first step is to understand what assets the BAS solution could impact, and what goals an attacker has that could be accomplished through security weaknesses in BAS.
For many systems, the BAS does not represent a target in itself. Certainly for Mr. Robot, the ability to damage computer systems through the HVAC system made it a valid target, and our building access control systems keep the burglars out. But for many solutions they are simply managing benign systems and would unlikely be the end target of a deliberate cyber attack
BAS have one issue that is often overlooked. Connectivity.
In 2008, two years before Stuxnet emerged, a pressure build up led to an oil pipeline exploding in Turkey. An investigation led to a sobering conclusion: The attackers had penetrated the pipeline's control systems through their IP security cameras. Weaknesses in the camera's software enabled the attacker to connect to a camera, exploit the camera's servers and from there move deeper into the internal network.
BAS often fall into the gap between engineers and IT teams. As a result they can be overlooked during security assessments, and missed when it comes to applying security policies. It is critical that they follow the security practices applied elsewhere in our businesses. Simple segregation may not be possible for modern BAS solutions requiring Internet access for cloud management. Instead each system should be reviewed to understand requirements for communications, what patching is possible from the vendor, and how they should be configured to maximize the devices' security.
Many BAS will work over multiple interfaces, not just Ethernet. It is important to include all of these routes when mapping potential paths an attacker could take and make sure that both ingress and egress of data is restricted to an allow list. Many modern systems will use RF for transmissions. Although a more technically difficult attack vector, they should still be considered for the impact of man in the middle, injection or denial of service attacks. Any interface that is not needed should be disabled.
If cloud or other external access is featured, then this should be reviewed to understand what the risk is if the remote end point was to be compromised. For many, cloud management is a nice to have, but outweighed by the risks and disabled.
Many users will need to have access to these systems, including, in some cases, the vendors themselves. It is important that only users that need access can access these systems, and that when employees leave the company, a process is in place to remove their access.
A common issue for BAS and other embedded systems is the presence of hardcoded or default credentials. Where possible these should be changed. Other configuration settings may be available such as the enforcing of HTTPS instead of HTTP. Request information from the manufacturer for hardening guides.
Building Automation Systems are increasingly valuable to an attacker as they become more connected and feature-rich. It is important that they are included in security controls, or may end up being the hidden weakness that undermine our controls.