As the CEO of Red Fish, Justin Clacherty works with clients, deploying building automation solutions. He spoke at AusCERT 2016 about the security and privacy challenges facing commercial and residential building automation. And he painted a very grim picture.
“It’s primarily used for reducing energy consumption,” says Clacherty. “It controls things like blinds and air-conditioning”.
As the data for multiple buildings is often managed by a single entity, it can travel into cloud systems and other applications that are used by managers. There are many different standards in play for commercial building automation such as ModBus, BACNet, KNX, C-Bus, Lonworls and DALI.
Clacherty’s company mainly works with KNX, which is covered by ISO standard 14543. It’s used extensively in the EU and Middle East with Red Fish working to establish it in Australia.
When these systems are installed, the people involved in the deployment are typically electricians whose expertise centres on wiring and physical installation. Integration is often done by electricians who have moved on to different roles. However, security is rarely a discipline that these parties have great expertise in.
Building management systems, says Clacherty, are not built with internet connectivity and security on mind. Many of the devices have IP interfaces and installers often enable internet access with little consideration for the security implications.
The key issues, according to Clacherty, are security, multiple standards and the expertise of installers.
Embedded development challenges
Clacherty says developers of embedded systems aren’t usually security experts and security rarely even rates an afterthought. Many of the systems they use are outdated and systems are rarely updated when vulnerabilities are detected.
For example, a hardware developer might choose to use a processor technology that comes with an older Linux distribution. That hardware is integrated with the solution and sold with little consideration given to how that software will be updated.
With some many different automation standards, the challenge is that different standards are used in different parts of the world. That makes things challenging for developers.
Authentication and encryption
Looking at KNX, and Flaherty says he believes these issues are common to other building automation standards, KNX communications, called telegrams, are not authenticated or encrypted. While this may only have limited impact on lighting controls, the same systems can be used for physical security, intercom systems and security cameras.
But the lack of understanding of network security by installers has resulted in many of these systems being deployed, fully exposed to the internet. While some use VPNs, this is not universally deployed.
The big problem
According to Clacherty, almost 27,000 building management systems across the world, using different protocols, are exposed to the internet.
Clacherty sounded a significant warning - no one seems to be particularly worried. System access is trivial and, once in the system, it’s relatively easy to pivot to other systems on the internal network.
Developers need to be educated so that security is baked into systems. But Clacherty says he is looking for effective ways to do this.
A road forward
The good news is that, although things aren't great today, there’s an acceptance by the managers of KNX that there is a problem. As a result, the standard is looking to implement security.
Other protocols are looking at using APIs that support better security for application developers.
However, many of the installers are not technical experts. Their skill set is focussed on deploying equipment and making it work. But concepts such as network segregation and encryption are not yet seen as important.
The result is that building management systems can be a pathway to data centre breach. Once a management system is breached, it’s possible for an attacker to enter data centre systems where the management system data is aggregated and distributed.