IP for BMS raises security issues
A building-management system based on IP could provide control of much more than the services. Ken Munro explores the risk.
Moving from an analogue to an IP-based building-management system may seem like a no-brainer. Migrating heating, ventilation, door-entry systems, fire alarms, CCTV and perimeter detection systems over a single network brings clear cost benefits. All these systems can communicate using the existing LAN or WAN, saving cabling costs. They can also be controlled centrally or remotely over the web and are easier to extend. However, with this ease-of-use comes a new set of dangers. Easy access
IP BMS boxes are often accessible from behind push-to-fit panels so that checks take as little time as possible, making access easy. Placing water, ventilation, gas and power supplies over the most heavily attacked network protocol in the world makes a building incredibly vulnerable to attack. A hacker’s intentions can range from the mischievous, such as causing disruption, to the malicious, such as corporate sabotage or extortion. A hacker could literally take control of the building, compromising the viability of the business and the physical safety of staff. The main benefit of IP for BMSs is that systems can be controlled from anywhere via a web browser. However, it can be easy for a hacker to attack that web application using a hacking tool to try many password combinations until the access password is discovered. Some passwords are not encrypted so an attacker can monitor the network traffic and ‘sniff’ for passwords while they are being used. In addition to causing havoc remotely, a hacker could also use the systems to smuggle his co-conspirators into the building. Many door-entry systems operate using a proximity-card reader that uses a single-time challenge/response mechanism. In most cases RFID (radio-frequency identification) systems have been abandoned because of their susceptibility to cloning. A hacker could override this system, instructing the door to open or to accept new named users. Should the proximity reader have a dedicated IP connection, the hacker need not even access the system remotely. He could physically remove the access control panel and hook-up a PDA or laptop to allow him to meddle with the system. Having found the RJ45 connection, a hacker can do far more than simply open the door, for this connection can be used to access the company LAN or even the server. Housing such a reader outside the building means that a network connection might exist outside the physical walls of the organisation. Fire-alarm systems can be hacked into to trigger false alarms, again over-riding the door-entry card system to provide an intruder with access — and there is the cost of the call-out to consider. Heating and ventilation systems could also be tampered with. Given that organisations are required to keep a minimum temperature in offices of 16°C, a hacker could alter the air conditioning to a low setting or simply turn off the heating in winter — forcing the organisation to close the building. An attacker without a specific objective may simply reset the BMS to its default factory settings, which could affect networked components in unpredictable ways. Would vents stay open? Would access controls freeze? Would the air conditioning shut down? One of the main problems with securing IP BMS is that it falls between the jurisdiction of the IT and facilities-management departments. An IP BMS box itself is a set of switches. In an IT context it is a network component. However, in a facilities-management context such a box is seen as electrics and is treated similarly, physically located for ease of maintenance. All too often, it can be deployed without buy-in from both departments, with embedded web servers running various BMS devices without the knowledge of the IT department. It is essential that all affected departments are consulted and a cohesive IT and FM security policy devised. To prevent direct access, simply relocating CCTV equipment or door entry boxes to a more prominent location and fitting them with locks can be an effective deterrent. Network access, however, is a different matter. Segmented
Ideally, the IP BMS service should be physically segmented from the data network, but the next best thing is using a virtual LAN (VLAN). Placing IP BMS over a VLAN means that authenticated network access has to be achieved before the BMS can be accessed. While technically difficult, it is still possible, to get onto a VLAN from the parent network, and it is then possible to hop from that VLAN to another that uses the same switch. There is little way of knowing if an IP BMS has been hacked, and few organisations would admit they had been compromised. Yet the question is surely not if but when? Otherwise that investment in IP BMS could well turn-out to be an expensive mistake. Ken Munro is with SecureTest Ltd, Eastern Bypass, Thame, Oxon OX9 3FF.