International. The results of a research project conducted by Memoori Research have revealed more than 100 flaws in building management and access control systems of some of the popular vendors investigated.
In response, U.S. Homeland Security has delivered a "perfect score" of 10.0, implying the most severe risk to the worst vulnerabilities identified by the research. Fixes and patches have been released, but the compelling results have underscored the widespread cybersecurity flaws that still exist in all smart buildings.
Just over a year ago, Gjoko Krstic, a researcher at industrial cybersecurity company Applied Risk, began analyzing building management systems (BMS), building automation systems (BAS) and access control products from four vendors; Optergy, Nortek, Prima Systems and Computrols. Krstic focused its testing on specific products, Computrols CBAS-Web, Optergy Proton/Enterprise, Prima FlexAir and two Nortek Linear eMerge products.
In response, U.S. Homeland Security labeled Optergy's Proton with maximum severity in the industry-standard common vulnerability scoring system. A score of 10.0 is a relatively rare event on this influential measure that got a quick response from the company. Although the notice pointed out several other serious errors, one of which was rated with a score of 9.9.
Krstic noted that many of the worst flaws required a "low level" of hacking capability to exploit and could infiltrate the deeper levels from a remote, presumably hidden location. "By exploiting the vulnerability, it is possible to close a building with a single click," he said during a presentation in Amsterdam at the Hack In The Box event in May. Adding, in a recent interview with TechCrunch, that Optergy's worst mistake was "very, very bad" and "easy to exploit."
Optergy seemed to be aware of the problem when Krstic approached him and soon released patches to fix the problem. The company's president, Steve Guzelimian, said the company fixed the problems but would not confirm how many devices were affected, the latest figures suggest the company serves more than 1,800 facilities. "We fixed everything that caught our attention and do our own regular tests," Guzelimian said. The other providers were also notified by Applied Risk, with the exception of Nortek, due to its "notorious reporting process."
Krstic summarized his overall findings at SecurityWeek's ICS Cyber Security Conference in Singapore, noting that an attacker could take advantage of these weaknesses to trigger alarms, lock or unlock doors and gates, control elevator access, intercept video surveillance streams, manipulate HVAC systems and lights, disrupt operations, and steal personal information. Highlighting that the failures reveal that 10 million people and 30,000 doors in 200 facilities are already at the highest levels of cyber attack risk, based only on the products investigated.
The ease of attack shown in Krstic's research means that the attackers could be anyone, from a secret government-funded organization to a bored teenager, making numerous and frequent attacks, and against the biggest and smallest targets.
Krstic's research tells us nothing fundamentally new. No one in the smart building industry is betting their money on a 100% secure smart building management system. Maybe we should never expect to be 100% safe for cyber in our smart buildings. After all, the PC market has managed to thrive despite comparable cyber-vulnerabilities.
However, our buildings are not just cyberspaces, where only our valuable data is at risk. The smart building is a cyber-physical human space where virtual attacks can cause very real and potentially harmful effects on the health and safety of occupants.
The current cybersecurity standard in smart building systems is not enough to justify the risk. That risk grows exponentially as IoT adoption increases. Whether technological, political or educational, a solution must be found to this problem of growing vulnerability to avoid turning buildings, our historic "safe places" into cyber-physical disasters.
Source: Memoori Research.
Leave your comment