Building Control Systems Can Be Pathway to Target-Like Attack
Fri, February 07, 2014
CSO — Companies should review carefully the network access given to third-party engineers monitoring building control systems to avoid a Target-like attack, experts say.
Security related to providers of building automation and control systems was in the spotlight this week after the security blog KrebsonSecurity reported that credentials stolen from Fazio Mechanical Services, based in Sharpsburg, Penn., were used by the hackers who late last year snatched 40 million debit and credit card numbers from Target's electronic cash registers, called point-of-sale (POS) systems.
The blog initially identified Fazio as a provider of refrigeration and heating, ventilation and air conditioning (HVAC) systems. The report sparked a discussion in security circles on how such a subcontractor's credentials could provide access to areas of the retailer's network Fazio would not need.
On Thursday, Fazio released a statement saying it does not monitor or control Target's HVAC systems, according to KrebsonSecurity. Instead it remotely handles "electronic billing, contract submission and project management," for the retailer.
Given the nature of its work, it is certainly possible that Fazio had access to Target business applications that could be tied to POS systems. However, interviews with experts conducted before Fazio's clarification found that subcontractors who monitor and maintain HVAC and other building systems remotely often have far more access to corporate networks than they need.
"Generally what happens is some new business service needs network access, so, if there's time pressure, it may be placed on an existing network, (without) thinking through all the security implications," Dwayne Melancon, chief technology officer for data security company Tripwire, said.
Most building systems, such as HVAC, are Internet-enabled so maintenance companies can monitor them remotely. Use of the Shodan search engine for Internet-enabled devices can reveal thousands of systems ranging from building automation to crematoriums with weak login credentials, researchers have found.
Using homegrown technology, Billy Rios, director of threat intelligence for vulnerability management company Qualys, found on the Internet a building control system for Target's Minneapolis-based headquarters.
While the system is connected to an internal network, Rios could not determine whether it's a corporate network without hacking the system, which would be illegal.
"We know that we could probably exploit it, but what we don't know is what purpose it's serving," he said. "It could control energy, it could control HVAC, it could control lighting or it could be for access control. We're not sure."
If the Web interface of such systems is on a corporate network, then some important security measures need to be taken.
All data traffic moving to and from the server should be closely monitored. To do their job, building engineers need to access only a few systems. Monitoring software should flag traffic going anywhere else immediately.
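A minimal version of that check, written here as an added example rather than anything from the article or the companies it names: flows leaving the building-control hosts are compared against the short list of destinations the engineers actually need, and everything else is flagged. The hosts, addresses and the "time src dst port proto" record format are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample flow records (hypothetical addresses, not real logs).
SAMPLE_FLOWS = """\
2014-02-07T09:01:12 10.20.30.5 10.20.30.10 443 tcp
2014-02-07T09:02:44 10.20.30.5 10.20.30.11 8443 tcp
2014-02-07T09:03:01 10.20.30.5 10.50.1.25 445 tcp
2014-02-07T09:03:09 10.20.30.5 10.50.1.25 3389 tcp
2014-02-07T09:04:30 10.20.30.6 10.20.30.10 443 tcp
2014-02-07T09:05:00 10.20.30.5 10.20.30.10 80 tcp
"""

# Hosts in the vendor-monitored building-control segment (hypothetical).
BUILDING_CONTROL_HOSTS: Set[str] = {"10.20.30.5", "10.20.30.6"}

# The few (destination, port) pairs the engineers legitimately need (hypothetical).
ALLOWED_DESTINATIONS: Set[Tuple[str, int]] = {("10.20.30.10", 443), ("10.20.30.11", 8443)}


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    port: int
    proto: str


def parse_flows(text: str) -> List[Flow]:
    """Parse whitespace-separated 'time src dst port proto' records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, proto = line.split()
        flows.append(Flow(ts, src, dst, int(port), proto))
    return flows


def flag_unexpected(flows: Iterable[Flow], hosts: Set[str],
                    allowed: Set[Tuple[str, int]]) -> List[Flow]:
    """Return flows from building-control hosts whose (dst, port) is not on the allowlist.
    A permitted host reached on an unexpected port is flagged too."""
    return [f for f in flows if f.src in hosts and (f.dst, f.port) not in allowed]


def summarize(flagged: Iterable[Flow]) -> Dict[Tuple[str, str, int], int]:
    """Count flagged flows per (src, dst, port) so an analyst sees repeated attempts at a glance."""
    counts: Dict[Tuple[str, str, int], int] = {}
    for f in flagged:
        counts[(f.src, f.dst, f.port)] = counts.get((f.src, f.dst, f.port), 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(flag_unexpected(parse_flows(SAMPLE_FLOWS),
                                            BUILDING_CONTROL_HOSTS, ALLOWED_DESTINATIONS)).items():
        print(f"ALERT src={key[0]} dst={key[1]} port={key[2]} count={n}")
```

On the sample records the two flows to 10.50.1.25 (SMB and RDP ports) and the plain-HTTP flow to the otherwise permitted host are flagged; the two HTTPS flows to allowed destinations are not.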