Building Management Systems vulnerable?

Olivia Storey

Could entire buildings be vulnerable to hacking?

A Building Management System (BMS) is a central control system that spans an entire building, linking and interfacing its separate subsystems. Smart building controllers manage door access, heating, ventilation, air conditioning, and more.

Although some BMS vendors have improved the security of their systems, problems remain: large numbers of controllers are exposed directly on the public internet, unprotected, some with complete authentication bypasses. Since systems like this are found in military bases, schools, government buildings, businesses, and large retailers, the fact that these security issues persist is very worrying.

Mark James, ESET IT Security Specialist, looks at how IT security teams can protect their infrastructure and BMS from being hacked, and what can be done to educate customers and installers about adequate security.

“The biggest risk has to be from outside the ‘protected’ network.

“Potentially critical internal systems should be just that, internal, no means should exist to bridge the gap if you want to stay safe.

“Anything that is public facing should be either on a segregated network, or protected using multiple-layers to ensure that compromise is extremely difficult.

“If these controllers do become compromised the damage could be extreme.

“Even seemingly simple operations like setting off fire alarms or altering heating systems could be used for subterfuge to cover the tracks in a much bigger operation.

“One of the concerns here should be ensuring your installation processes are secure and locked down.

“There’s no point having all the processes in place to stop an attack from the internet or a public network if your internal policies are lax, or you have no real control over the very people who install, maintain or update the very systems that control your building.

“We tend to be a little too trusting of someone looking smart who can talk the talk, and holds a clipboard, or has an official-looking badge, but these are the very people we should be most cautious of.

“They are often left to ‘do their thing’ and potentially could have access to core areas of your infrastructure.

“Review your hardware choices.

“Sadly we need to get away from the old adage ‘if it ain’t broke, don’t fix it’ and should now have a new one along the lines of ‘if it ain’t been updated in the last 6 months, should we get a new one’.

“In some cases the answer will be no, but it may prompt you to fill a huge security hole in your presumed secure perimeter.”
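The segregation Mark James describes above, with BMS controllers reachable only from an internal management network and never from the internet or from a loosely controlled installer network, is something you can check against a firewall policy before it goes live rather than discovering it from the outside. The block below is an added example, not code from ESET or from this article's author. The addresses, zones, asset inventory and rule sets are constructed for illustration, as is the assumption that the controllers speak BACnet/IP on UDP 47808 alongside a web configuration interface on 80/443; adapt them to your own inventory and firewall export.

```python
"""Added example (not from the article): audit an ordered, first-match firewall
policy for exposure of BMS controllers to zones that should never reach them.

Constructed layout:
  10.10.0.0/24  BMS management VLAN (the only zone allowed to reach controllers)
  10.20.0.0/24  BMS controllers
  10.30.0.0/24  vendor / installer VLAN
  10.40.0.0/24  guest Wi-Fi
  203.0.113.0/24 documentation range, standing in for "the internet"
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]  # None matches any destination port
    action: str          # "allow" or "deny"


def rule(src: str, dst: str, port: Optional[int], action: str) -> Rule:
    """Build a rule from CIDR strings (a bare address becomes a /32)."""
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), port, action)


def first_match(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """Evaluate one flow against an ordered rule list; unmatched flows are denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and (r.port is None or r.port == port):
            return r.action
    return "deny"


# Constructed asset inventory: two BMS controllers and the services they listen on.
# Port 47808 is BACnet/IP (assumed automation protocol); 80/443 is the web UI.
BMS_CONTROLLERS: Dict[str, Tuple[int, ...]] = {
    "10.20.0.5": (80, 443, 47808),
    "10.20.0.6": (80, 443, 47808),
}

# One representative source address per zone that must NOT reach the controllers.
UNTRUSTED_SOURCES: Dict[str, str] = {
    "internet": "203.0.113.10",
    "guest-wifi": "10.40.0.10",
    "vendor-vlan": "10.30.0.10",
}


def audit(rules: List[Rule]) -> List[Tuple[str, str, int]]:
    """Return every (zone, controller, port) an untrusted zone is allowed to reach."""
    findings = []
    for zone, src in UNTRUSTED_SOURCES.items():
        for ctrl, ports in BMS_CONTROLLERS.items():
            for port in ports:
                if first_match(rules, src, ctrl, port) == "allow":
                    findings.append((zone, ctrl, port))
    return sorted(findings)


# Weak policy: two leftovers from installation. An "any source" allow for BACnet
# added for a remote commissioning session, and a vendor VLAN hole to one
# controller's web UI. Both sit above the final deny, so they win.
WEAK_RULES = [
    rule("10.10.0.0/24", "10.20.0.0/24", None, "allow"),   # management VLAN, legit
    rule("0.0.0.0/0", "10.20.0.0/24", 47808, "allow"),     # BACnet from anywhere
    rule("10.30.0.0/24", "10.20.0.6", 443, "allow"),       # installer web access
    rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]

# Hardened policy: controllers are reachable only from the management VLAN;
# installers get there via a host inside that VLAN, not through a firewall hole.
HARDENED_RULES = [
    rule("10.10.0.0/24", "10.20.0.0/24", None, "allow"),
    rule("0.0.0.0/0", "0.0.0.0/0", None, "deny"),
]


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        findings = audit(rules)
        print(f"{name}: {len(findings)} exposure(s)")
        for zone, ctrl, port in findings:
            print(f"  {zone:12s} -> {ctrl}:{port}")
```

Run it against the weak policy and every untrusted zone, including the installer VLAN, can reach BACnet on both controllers; the hardened policy reports nothing while management-VLAN access still works. The same shape of check applies to a real firewall export once the rules are parsed into the `Rule` form, and it is worth rerunning after every installer or maintenance visit, since that is exactly when such rules tend to appear.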

Do you have policies in place to protect your building’s digital infrastructure? Let us know on Twitter @ESETUK.