Could your Building Catch a Virus?

Transcription

1 Could your Building Catch a Virus? Measuring the Impact of Cyber Security Threats on Building Management Systems 3rd Interna(onal Conference ENERGY in BUILDINGS 2014 Konstan(nos Karagiannis 1 kk@getechgr Co- authors: Deeph Chana 2, David Fisk 1 1 Laing O Rourke Centre for Systems Engineering & Innova(on, Department of Civil and Environmental Engineering, Imperial College London 2 Ins(tute for Security Science and Technology, Imperial College London 15 November 2014

2 Presenta(on Structure Background Part I: From ICS to CPS,IoT,BMS and cyber incidents that affected the industry Methodology & Analysis Part II: - Iden(fica(on of Threats & Vulnerabili(es - Using Shodan to find exposed BMSs on the Internet Discussion & Conclusions Part III: - BMS & Literature - Case study Assessment - Cyber Security in BMS: IT vs OT

3 Part I From ICS to CPS and the IoT ICS: consists of combina(ons of control components (eg, electrical, mechanical, hydraulic, pneuma(c) that act together to achieve an industrial objec(ve (eg, manufacturing, transporta(on of ma`er or energy) Cyber Security? CPS: is a system of systems, in which the cyber technologies and the physical processes are highly integrated, in order to add new capabili(es into physical system IoT: the interconnec(on of uniquely iden(fiable embedded compu(ng- like devices within the exis(ng Internet infrastructure

4 From ICS to CPS and the IoT Part I BMS Source:(Edward A Lee,UC Berkeley)

5 Part I Classifica(on of ICS Hybrid: nowadays modern control system components allow integra(on at a level where SCADA and DCS may be combined, depending on the applica(on SCADA: systems that are implemented for data acquisi(on and control, on dispersed geographical sites in large distances (WAN) SCADA DCS: systems used in sites located in the same neighbourhood especially for process control in manufacturing (LAN) DCS ICS Source:(ICS- CERT, 2013)

6 Part I Where do BMS stand in rela(on to ICS? Ø BMS can be considered more as DCS than SCADA However, due to customisa(on in many instances they adopt SCADA features Ø BMS mostly use DDC (Direct Digital Control) as control system components and hardly PLCs Ø BMS controllers are pre- engineered and preconfigured in order to achieve cost reduc(on and execute less complex func(ons that building services require Ø BMS use regularly different standards and protocols especially designed for building automa(on (ex BACnet), where high- bandwidth and low- latency are not as crucial as in cri(cal and industrial environments Ø BMS are designed to be easy to configure, space and cost efficient and incorporate energy management func(ons that are not requested in industrial control systems yet

7 Part I What BMS actually do? BMS use hardware, sogware and communica(on networks to control and monitor the MEP (Mechanical, Electrical and Plumbing) systems of a building Source:(Hermann Merz, 2009)

8 Part I BMS Architecture & Benefits Improved indoor condi9ons and staff produc9vity Increased plant reliability and life Opera9ng costs reduc9on Increased security and safety BMS or BEMS are a key element in the con9nuous improvement of Buildings Energy Efficiency and can easily adapt into new Building Opera9ons Strategies

9 Part I History of Building Automa(on Standalone, Different technologies First centralised computerised control system Microprocess ors, HMI, Energy management func(ons Lower Hardware cost, DDC, proprietary sogware and protocols Open protocols, remote access, internet, touch panels BEMS, COTS,IP, Wireless, smartphones 1940 s 1960 s 1970 s 1980 s 1990 s 2000 s 2010 s Current and future trends Ex(nc(on of proprietary protocols Web- enabled controllers instead of SCADA sogware BMS will serve more as an umbrella for other subsystems BMS will move to the cloud BMS will be integrated into the Smart Grid

10 Part I History of Building Automa(on Integra(on Source:(Harrison, 1998)

11 Part I Cyber incidents in ICS There is a drama(c increase of 782% cyber incidents, reported from 2006 to 2012 according to the US Computer Emergency Readiness Team (CERT) Source:Fernandez Ivan, 2013 In 2013, ICS- CERT responded to 256 incidents reported either directly from asset owners or through other trusted partners Source:(ICS- CERT, 2011) Source:(ICS- CERT, 2013)

12 Part I Cyber incidents & examples in BMS Super Bowl XLVII Blackout 2012: Play was interrupted for 34 minutes because of a 22- minute par(al power outage Even though the incident was limited to mechanical failure, cyber security experts say the Super Bowl blackout is the closest public example of the consequences of when control systems fail, or even worse, fall into the wrong hands (Source : Korber Sabrina,2013) US Business : In 2012, unauthorized IP addresses accessed the ICS network of a New Jersey air condi(oning company, US Business 1 The intruders were able to access a backdoor into the ICS system that allowed access to the HVAC control system US Business 1 was using a system, which has been widely reported in the media to contain mul(ple vulnerabili(es that could allow an a`acker to remotely control the system (Source : FBI, 2012) The Carrell Clinic 2009: The leader of a malicious hacker collec(ve gain unauthorized access to the HVAC system of The Carrell Clinic in Dallas pos(ng images that showed the HVAC control window for the hospital's surgery unit A test alarm seqng was turned to inac(ve (Source : Goodin Dan, 2009)

13 Part I Cyber incidents & examples in BMS Google Wharf 7 Building 2013: Cyber security researchers from Cylance had successfully gained access to Google's Wharf 7 building s BMS in Sydney The researchers later posted about it on their blog It showed floor and roof blueprints, as well as water and HVAC systems Later they said If Google can fall vic(m to an ICS a`ack, anyone can (Source : Rios Billy, 2013) North Shore Private Hospital 2013: The Hospital's BMS is overseen by an Australian building automa(on firm, and was secured using the user name "admin" and password "anyonesguess (Source : Grubb Ben, 2013) Target 2014: In the Target incident earlier this year, phishers got access to the enterprise network of Target and stole card creden(als of millions of customers and it is believed although there is no clear evidence yet that it was through the HVAC control and monitoring system that was remotely managed by a third- party vendor (Source : Krebs Brian, 2014)

14 Part II Iden(fica(on of Threats & Vulnerabili(es Threats Vulnerabili9es using Threat agents exploit known or unknown vulnerabili9es of the BMS to damage assets and create risk to asset owners require Countermeasures to minimize to Risk Assets Source:(ISA , 2013)

15 Part II Iden(fica(on of Threats The ISO/IEC FIDIS 27005:2008 defines threat as any poten(al cause of incident that can have nega(ve consequences in a system or an organiza(on Threats are related to other terms as threat sources and threat events or incidents Inten(onal Internal Cyber Threats Threat Sources a study (EJ Byres; J Lowe, 2004) regarding cyber- a`acks in control systems showed that incidents: : 31% external : 70% external Uninten(onal External

16 Part II Internal& External Threat Sources Internal threat sources External threat sources Disgruntled employees Maintenance staff Facility management staff Vendors and third- party Suppliers Contractors and System Integrators Terrorists Na(on- State Hackers Compe(tors and Industrial spies Non- professional hackers and script kiddies Criminal groups and malware/spyware hackers Ethical hacking

17 Part II Iden(fica(on of Vulnerabili(es System vulnerabili(es can be defined as weaknesses of the system that can be exploited by poten(al a`ackers Vulnerabili(es policy and procedure Hardware Configura(on Network & Communica(ons Sogware

18 Part II Policy and Procedure & Configura(on Vulnerabili(es Vulnerabili(es Policy and Procedure Lack of security standards and guidelines Lack of training and awareness Poor or no commissioning Poor or no security policy in design Inadequate maintenance Inappropriate personnel Lack of organiza(on s security policy Configura(on No or inadequate access control Weak passwords

19 Part II Hardware, Sogware, Network & Communica(ons Vulnerabili(es Hardware Inadequate tes(ng and cer(fica(on Unauthorised physical access to equipment No backup power Sogware Buffer overflow Denial of service (DoS) SQL Injec(on Lack of security sogware Unpatched systems Network and communica(ons No security perimeter No network segmenta(on Lack of encryp(on and authen(ca(on No or misconfigured firewalls Wireless communica(ons

20 Part II Live example: Using Shodan to iden(fy BMS vulnerabili(es Shodan: a computer search engine launced in 2009 by John Matherly that iden(fies specific computer devices connected to the internet like servers, routers, industrial controllers etc Ø interrogates ports to receive the returning banners Banners can be defined as metadata that the client receives from the server Ø Uses filter op(ons to narrow searches (country, hostname, IP, OS, port) Ø In 2011, a two- year study (LevereQ E,2011) indicated 7,500 of industrial control devices including BMS were exposed on the internet Ø Re- evalua(on in 2013 showed that devices increased to 57,409

21 Part II Live example: Using Shodan to iden(fy BMS vulnerabili(es Step 1 BMS query: 1,054 devices found Step 2 Bacnet query: 5,534 Bacnet devices iden9fied

22 Part II Live example: Case study of Bacnet controller in Shodan Controller X: Released recently programmable DDC controller Bacnet /IP Embedded web- server integrated func(ons such as (me schedules, calendar, data and alarm historian Designed for energy efficiency In Shodan: 208 results 12 cases the domain name was an academic ins9tu9on controllers were added in the Shodan database in 2014 In 3 months 59% increase Device ID revealed Name of the Hotel revealed Firmware and Sobware versions revealed Model type revealed IP internal and external revealed Vendor s Y name revealed Equipment controlled and its loca9on revealed

23 Part II Live example: Case study of Bacnet controller in Shodan A controller X was connected to the internet in order to assess the capability of Shodan to iden(fy BMS devices Controller X: q did not control any real plant equipment q was configured with a sogware tool in order to allow communica(on with the Bacnet/IP network q The router s firewall was disabled to allow requested ports to operate q IP was assigned to controller X q the web- interface of the controller was accessed by inser(ng the assigned IP address to a web browser q A search was performed in Shodan using the country filter op(on Results: The controller X was iden(fied by Shodan search engine aber 19 days The informa(on in Shodan disclosed the ISP name, controller s X public IP and geoloca(on, vendor s ID, applica(on sogware version, firmware version, device ID, model name and the dummy plant equipment the controller is assigned to control in the descrip(on field

24 Part III Conclusion 1: Clarifica(on of BMS The research in literature concerning BMS has shown that there is no clear classifica(on of BMS as ICS Buildings are not regarded as cri(cal environments nor require the accuracy and safety of industrial processes In ICS (me is cri(cal and system failure can have severe consequences No clear dis(nc(on between BMS and ICS in cyber security literature Lack of specific guidelines and ambiguity in literature, create a vulnerability for BMS in terms of cyber security

25 Part III Conclusion 2: Case study results Shodan is a useful tool for penetra(on tes(ng whilst a dangerous tool for poten(al a`ackers Shodan does not reveal informa(on that is not already there Shodan does not provide real- (me data Shodan randomly selects IP addresses and then randomly interrogates ports If Shodan have never visited the desired network, it will not index the device requested Ø BMS devices iden9fied in Shodan may not be s9ll exposed Ø A greater number of BMS devices may be exposed that Shodan have not indexed yet

26 Part III BMS Cyber Security: IT vs OT Why IT solu(ons are not enough? IT Life(me 3 to 5 years OT Life(me of almost 10 years Confiden(ality, Integrity, Availability Availability, Integrity, Confiden(ality Delays ogen acceptable Delays may be safety- cri(cal Systems follow usually same structure More complex systems require deep knowledge of the controlled equipment

27 Part III BMS Cyber Security: What is the answer? BMS : Small market compared to other markets of building construc(on Has shown a sharp increase the last 10 years Higher integra(on in the future (Smart Grid, Smart Ci(es) The establishment of a mature and robust BMS Cyber Security program requires the a`en(on of people, the implementa(on of processes and the effec(ve use of technology Process BMS Cyber Security Technology People

28 Part III Summary and Future Work Ø The integral part of cyber security in Building Management Systems is neglected significantly by the industry Ø The con(nuous incorpora(on of commercial- off- the shelf products has resulted in increasing the vulnerabili(es in BMS Ø The immediate need for security guidelines and policies tailored specifically for building automa(on is crucial to defend the BMS from poten(al cyber- a`acks Ø It is very important to assess available tools like Shodan in future work how can contribute in iden(fying vulnerabili(es in BMSs Ø A defence- in- depth strategy requires the involvement of a BMS cyber security expert that will act as the bridge between Opera(on and Informa(on Technology

29 Could your Building Catch a Virus? Measuring the Impact of Cyber Security Threats on Building Management Systems Konstan(nos Karagiannis kk@getechgr