New York City Agency Pushes Plan to Prevent Cyberattacks on Elevators, Boilers
Thu, May 10, 2012
Network World — SAVANNAH, GA. -- Imagine what would happen if an attacker broke into the network for the industrial control systems for New York City's elevators and boiler systems and decided to disrupt them, imperiling the lives of hundreds of thousands of residents relying on them. Think it could never happen? Think again.
"You could increase the speed of how elevators go up or down," says Steve Ramirez, business analyst, analysis and communications in the Office of the CIO of the New York City Housing Authority (NYCHA), which provides public housing for low- to moderate-income families in the five boroughs of the city. And if attackers ever successfully penetrated the network-based industrial control systems (ICS) for the boilers, they could raise the heat levels for municipal boilers, causing them to explode.
These types of attack have never happened, but in the age of ever-mounting cyber exploits, NYCHA, which is responsible for over a thousand buildings in the city, wants to take every precaution, though it could get expensive. To that end, NYCHA has had the various city-operated elevator and boiler systems subject to network penetration testing, using the services of Cary, N.C.-based neuroFuzz, which did find a few holes.
But in the end, it's not just a question of fixing a few holes, but of coming up with a cyberdefense approach that effectively creates a guard over the industrial controls for the elevators and boilers.
The security firm, which has expertise not just in Web protocols but also in specialized industrial control system (ICS) protocols such as Modbus, worked with the city to come up with a prototype plan for cyber defense. This prototype has been tested in a lab environment -- it's not feasible to test it directly on the city's operating elevators and boilers -- and would need to be implemented in production hardware and software by information technology contractors, such as systems integrators, working under the city's guidance.
To that end, the city put out a request-for-proposal for an opening phase of the project with bids coming in for review just this month. The fate of the project is uncertain, however, since affordability could prove to be an obstacle. But the city will push hard for its cyberdefense ideas.
According to Andres Andreu, chief technology officer at neuroFuzz, the basic concept in the cyberdefense prototype is a reverse proxy that looks at traffic going to the industrial control systems for the New York City elevators and boilers, inspecting traffic to determine if the commands are authorized and do not violate technical restrictions on how elevators or boilers should normally work.
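The kind of check such a reverse proxy could apply to a Modbus/TCP request is sketched below as an added example; it is not neuroFuzz's prototype or NYCHA's code. The unit ID, register address and setpoint range in the policy are constructed assumptions.

```python
import struct

READ_HOLDING, WRITE_SINGLE = 0x03, 0x06  # standard Modbus function codes

# Hypothetical policy (constructed for this example): which function codes
# each unit may receive, and the safe value range per writable register.
POLICY = {
    1: {"functions": {READ_HOLDING, WRITE_SINGLE},
        "write_limits": {0x0010: (40, 85)}},  # e.g. a temperature setpoint
}

def build_request(unit, func, addr, value, tid=1):
    """Build a constructed 12-byte Modbus/TCP request (MBAP header + PDU)."""
    return struct.pack(">HHHBBHH", tid, 0, 6, unit, func, addr, value)

def inspect_frame(frame: bytes):
    """Return (allowed, reason); anything not explicitly permitted is denied."""
    if len(frame) < 8:
        return False, "truncated frame"
    # MBAP header: transaction id, protocol id, length, unit id
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        return False, "malformed MBAP header"
    rules = POLICY.get(unit)
    if rules is None:
        return False, "unknown unit"
    func = frame[7]
    if func not in rules["functions"]:
        return False, f"function 0x{func:02x} not authorized"
    if func == WRITE_SINGLE:
        if len(frame) != 12:
            return False, "malformed write request"
        addr, value = struct.unpack(">HH", frame[8:12])
        limits = rules["write_limits"].get(addr)
        if limits is None:
            return False, f"register 0x{addr:04x} is not writable"
        low, high = limits
        if not low <= value <= high:
            return False, f"value {value} outside {low}-{high}"
    return True, "ok"

if __name__ == "__main__":
    # Constructed requests: in-range write, out-of-range write, and a
    # function code (0x10) that the policy does not list.
    for frame in (build_request(1, WRITE_SINGLE, 0x0010, 70),
                  build_request(1, WRITE_SINGLE, 0x0010, 200),
                  build_request(1, 0x10, 0x0010, 1)):
        print(frame.hex(), inspect_frame(frame))
```

A proxy built this way forwards only frames for which `inspect_frame` returns `True` and logs the reason for every rejection.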