A bug in the BMS?

BMS, Controls, Stuxnet, Cyber security
A threat to building-services systems? — David Fisk (Photo: Jan Chlebik)

David Fisk wonders if viruses and worms might infect building-management systems — especially those using operating systems that are no longer supported.

PC users are only too familiar with computer viruses and invest $2 billion each year in protection software. Viruses exist because manufacturers need software flexibility and because machines, being amoral, cannot tell good instructions from bad. But hold on — isn’t your building-management system (BMS) down in the basement using a PC?

The original 1970s BMS was a dedicated hard-wired machine. But once data-communication protocols were available it became plausible to adopt the same software platforms that were being used by the enterprise’s own network. That enabled satellite outstations with real computing power and the capability for outstations to receive instructions that changed or loaded programs as well as implementing them. But while everyone worried about malicious software getting access to corporate data, no-one spoke about the possibility that a virus might be used to cause malfunctions in hardware.

Then there was Stuxnet

In 2010 a PC in Iran began to repeatedly reboot itself. Sounds familiar?

What was not familiar was that the virus, now labelled Stuxnet, turned out to be enormous — around 15 000 lines of code. The other odd thing about it was that it only sought to communicate on a Windows network with other devices that were running Step7, the Siemens systems used in programmable logic controllers.

Siemens is, of course, one of the world’s largest manufacturers of controls and control systems, and its devices are everywhere. The company dominates much of the smart-grid market.

Industrial controllers are not themselves usually connected to the Internet, to keep them quarantined. But Stuxnet had another feature. It installed itself on any USB drive inserted into the infected system and then spread wherever the drive went next. Let us hope that conference data projector you last used was clean!

But what was Stuxnet supposed to do? Unfortunately, staring at 15 000 lines of code, you can only tell what it will do when it does it. The suspicion is that it stopped the Iran uranium-enrichment programme for a while in 2009, which hints at who might have produced it. We civilians will never know.

Stuxnet has now been patched. But the idea is out — viruses can infect plant controllers. The current big threat is the smart grid. ‘Smart’ is the ‘new dumb’ as they would say in Vogue.

Power engineers have already had one dire warning about software in their hardware. In 2003 an unexceptional line fault initiated a blackout across NE America. Regional controllers had no idea what was happening because a software fault meant screens were refreshing more slowly than lines were tripping. Smart grids are now being rapidly rolled out to meet the kind of fluffy targets we have learnt to expect in EC Ministerial declarations. True, it is a technology that promises us real demand-side management, with the BMS eventually dealing directly with the power network’s software. But the US estimate that the business for cyber security on the smart grid is around $21 billion over the next five years. ASHRAE is already involved in some of the standards, so it is time to sit up.

Stuxnet got through a vulnerability in the Windows platform. That has been fixed. But support for Windows XP SP2 ended last July if that is what is steaming your old BMS. Don’t even mention Vista release to manufacturing.

ICT departments upgrade their systems every day. But is this true for BMS? Because high-profile hardware hacking has gone for high-profile targets (including a nuclear power station!) building services have hardly had a mention. But the coin is beginning to drop. Enthusiasm for connecting all things digital (there is even a dedicated acronym CAFM — computer-aided facilities management) is opening up heavily serviced buildings to the hazard of cyber attack. There is a lot of good geek advice on the Web for putting firewalls here and there, though they are not necessarily for those faint-hearted facilities managers who rely on their kids to reboot the home computer.

Managing the risk

The engineering truth is that we cannot rely on the computer industry to ever solve the problem of viruses, though we can rely on it to charge us for trying. There are also a lot of buildings occupied by high-profile or not very popular businesses.

So what to do about the BMS threat beyond paying for more software?

Aircraft carriers have very sophisticated computer-GPS positioning systems. But the captain also has a sextant in a drawer in his cabin — just in case the enemy work out how to jam the signal.

Maybe we need to audit our systems to understand how many have minimal just-in-case manual over-ride functionality?

The data centre might be firewall protected, but can its air-conditioning system be hard-wired restarted if its firmware has been corrupted?

The standby generator may have tripped in because the smart grid has just tripped out — but just how did it do that, and were there virtual keystrokes on the BMS that would have turned it straight off again?

What floor area and, particularly, key circulation spaces are naturally lit when the emergency lighting refuses to acknowledge there is an emergency?

Don’t let us even mention the lift controllers.

Yet even in ‘The Italian Job’, when Michael Caine has disabled the entire Milan traffic-signals system, there were at least traffic cops around to try to do something — not very effectively, but at least they had a whistle.

Cyber security of hardware is a hazard, but how big a threat? For major infrastructure the threat is real, and Governments are committed to doing something about it. Rather unnerving for services engineers, it is the Foreign Office, not DECC or DCLG, which has made the most running in the UK.

No wonder it is an issue for the Foreign & Commonwealth Office. The entire water supply to Kuwait City in the first Gulf War was knocked out within the first hours of hostilities by a single smart bomb that took out the waterworks control room. The rest of the site remained pristinely intact. Now it seems you would not even need to cause that amount of damage to get that amount of effect. You just turn it off from a remote location several thousand miles away. With such an ‘advance’ we must surely assume that, out of our control, the techniques to implement hardware attacks through software are going to become ever-more refined and prevalent.

There is a modern habit of spending days ranking threats rather than just quietly deploying the good old explorer’s adage of hope for the best (after all, modern supervisory control and data acquisition (SCADA) systems are brilliant) but plan for the worst (they can just die, it seems, so what then is still working?). Building services are much easier to assess than many process plants or grids, so maybe we should just get on with it.

Conclusion

Stuxnet is disabled, but the war is not over. In 2008 a virus now called Conficker began to infect computer systems. Within 18 months it had spread to eight million computers worldwide. Maybe that includes yours, because to date no one knows what it will do, and you are unlikely to know you have it.

Like good old Windows updates, but in reverse, the virus (actually a ‘worm’) receives patches from ‘out there’ that close vulnerabilities to the anti-malware programs you have bought — all while it sits quietly on your hard drive. Not that this neat feature matters all that much on those machines where it has already disabled Windows automatic update without the owner noticing!

Tomorrow Conficker might wake up. Will your lights go out, or just flash on and off — a Xmas tree for all to see? Where, come to mention it, was the CEO when it happened? In the lift?

This article is based on a working paper ‘Cyber security and business management systems’ from the Laing O’Rourke Centre for Systems Engineering & Innovation at Imperial College, London. David Fisk is director of the centre.
