Building Management Systems – Be afraid, be very afraid

As the CEO of Red Fish, Justin Clacherty works with clients, deploying building automation solutions. He spoke at AusCERT 2016 about the security and privacy challenges facing commercial and residential building automation. And he painted a very grim picture.

“It’s primarily used for reducing energy consumption,” says Clacherty. “It controls things like blinds and air-conditioning”.

As the data for multiple buildings is often managed by a single entity, it can travel into cloud systems and other applications that are used by managers. There are many different standards in play for commercial building automation, such as Modbus, BACnet, KNX, C-Bus, LonWorks and DALI.

Clacherty’s company mainly works with KNX, which is covered by ISO standard 14543. It’s used extensively in the EU and Middle East with Red Fish working to establish it in Australia.

When these systems are installed, the people involved in the deployment are typically electricians whose expertise centres on wiring and physical installation. Integration is often done by electricians who have moved on to different roles. However, security is rarely a discipline that these parties have great expertise in.

Building management systems, says Clacherty, are not built with internet connectivity and security in mind. Many of the devices have IP interfaces, and installers often enable internet access with little consideration for the security implications.

The key issues, according to Clacherty, are security, multiple standards and the expertise of installers.

Embedded development challenges

Clacherty says developers of embedded systems aren’t usually security experts and security rarely even rates an afterthought. Many of the systems they use are outdated and systems are rarely updated when vulnerabilities are detected.

For example, a hardware developer might choose to use a processor technology that comes with an older Linux distribution. That hardware is integrated with the solution and sold with little consideration given to how that software will be updated.

With so many different automation standards, the challenge is that different standards are used in different parts of the world. That makes things difficult for developers.

Authentication and encryption

Looking at KNX (and Clacherty says he believes these issues are common to other building automation standards), KNX communications, called telegrams, are neither authenticated nor encrypted. While this may have only limited impact on lighting controls, the same systems can be used for physical security, intercom systems and security cameras.

But the lack of understanding of network security by installers has resulted in many of these systems being deployed, fully exposed to the internet. While some use VPNs, this is not universally deployed.

The big problem

According to Clacherty, almost 27,000 building management systems across the world, using different protocols, are exposed to the internet.

Clacherty sounded a significant warning: no one seems to be particularly worried. System access is trivial and, once in the system, it’s relatively easy to pivot to other systems on the internal network.

Developers need to be educated so that security is baked into systems. But Clacherty says he is looking for effective ways to do this.

A road forward

The good news is that, although things aren’t great today, there’s an acceptance by the managers of KNX that there is a problem. As a result, the standard is looking to implement security.

Other protocols are looking at using APIs that support better security for application developers.

However, many of the installers are not technical experts. Their skill set is focussed on deploying equipment and making it work. But concepts such as network segregation and encryption are not yet seen as important.

The result is that building management systems can be a pathway to a data centre breach. Once a management system is compromised, it’s possible for an attacker to enter the data centre systems where the management system data is aggregated and distributed.
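Clacherty’s two warnings, BMS devices exposed to the internet and no segregation between the BMS network and the data centre, can be checked against a firewall log. The following Python is an added example, not code from the talk or from Red Fish: the subnets, log format and sample lines are constructed assumptions, and the port numbers are the standard ones for Modbus/TCP, BACnet/IP and KNXnet/IP.

```python
import ipaddress

# Well-known BMS ports (from the protocol specs, not the talk): Modbus/TCP, BACnet/IP, KNXnet/IP.
BMS_PORTS = {502: "Modbus/TCP", 47808: "BACnet/IP", 3671: "KNXnet/IP"}

# Hypothetical site layout (assumed for this example): BMS field segment and data-centre segment.
BMS_NET = ipaddress.ip_network("10.20.0.0/24")
DC_NET = ipaddress.ip_network("10.50.0.0/24")
# RFC 1918 space; any other source is treated as the public internet.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_flow(line):
    """Parse a 'key=value' firewall log line; return None if it is malformed."""
    fields = dict(tok.split("=", 1) for tok in line.split() if "=" in tok)
    try:
        return (ipaddress.ip_address(fields["src"]),
                ipaddress.ip_address(fields["dst"]), int(fields["dport"]))
    except (KeyError, ValueError):
        return None

def classify(src, dst, dport):
    """Return a finding label for one flow, or None if it is unremarkable."""
    proto = BMS_PORTS.get(dport)
    from_internet = not any(src in net for net in RFC1918)
    if proto and dst in BMS_NET and from_internet:
        return f"EXPOSED: {proto} on {dst} reachable from internet host {src}"
    if proto and dst in BMS_NET and src in DC_NET:
        return f"SEGREGATION: data-centre host {src} speaks {proto} to {dst}"
    if src in BMS_NET and dst in DC_NET:
        return f"PIVOT-PATH: BMS device {src} initiates to data-centre {dst}:{dport}"
    return None

def audit(lines):
    """Run classify over log lines, skipping malformed ones; return the findings."""
    findings = []
    for flow in filter(None, map(parse_flow, lines)):
        finding = classify(*flow)
        if finding:
            findings.append(finding)
    return findings

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2016-05-24T09:00:01 action=allow src=198.51.100.7 dst=10.20.0.15 dport=3671 proto=udp",
    "2016-05-24T09:00:02 action=allow src=10.50.0.8 dst=10.20.0.15 dport=502 proto=tcp",
    "2016-05-24T09:00:03 action=allow src=10.20.0.15 dst=10.50.0.20 dport=445 proto=tcp",
    "2016-05-24T09:00:04 action=allow src=10.20.0.16 dst=10.20.0.17 dport=47808 proto=udp",
    "garbage line",
]
```

Running `audit(SAMPLE_LOG)` flags the internet-reachable KNXnet/IP gateway, the data-centre host talking Modbus into the BMS segment, and the BMS device opening a connection toward the data centre, while BMS-to-BMS traffic is left alone.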

Stories by Anthony Caruana