Target Breach Revisited… Again… As leaders in the industry, it is incumbent upon us to understand what the risks are and be able to protect ourselves and our stakeholders from potential attacks.

Keith Bishop Director of Analytics Hepta Control Systems

So, why almost three years later am I bringing up the Target breach?  I don’t think people understand what happened, how the systems were penetrated or what changes can be made to help today.  Listen, this cost Target around $145 million and financial institutions hundreds of millions of dollars as well.   The total cost of this breach is estimated north of a billion dollars.  Shouldn’t we learn from their expense?  If you don’t understand what happened, you can’t prevent a similar attack.

Let’s start with one fact:  THE TARGET NETWORK WAS NOT ATTACKED THROUGH AN HVAC SYSTEM!  I bring this up because this is a common misconception.  I have heard this misstated recently in conference key-note speeches and now, it has even been incorrectly expressed on an information security website’s current article.  The statement from the HVAC mechanical company completely contradicts all of these less-formal sources.  If you haven’t understood this concept, don’t feel bad.  It is a very common belief, but it is still wrong.

So if they didn’t get in through the HVAC systems, what happened?  Most informed experts agree that this all started with a general phishing attack.  You know, those strange emails that appear to be from a foreign prince or even the head of your IT department, but actually contain a link that causes a malicious result.  This is where the attack appears to have originated:  an employee of a contractor clicked on an email that they shouldn’t have.  This gave the hackers access to the employee’s computer where they found credentials for accessing Target’s electronic billing, contract submission and project management systems.

Now that the hackers were on the Target contractor portal, they started to explore.  This is where they found documentation describing the complete network architecture.  The hackers simply used this documentation to traverse over to the Point-Of-Sale (POS) systems and accumulated information on tens of millions of credit card users.  This entire attack happened over a period of months and Target was completely unaware.

[an error occurred while processing this directive]Now that we know what happened, let’s look at what we can do to prevent similar attacks:

• Passwords should expire.  The credentials used were good throughout this entire attack.  There are many recommendations of password lifespans, but this decision should take into account the required security level of the system.  It doesn’t matter how good your security is, if you hang the keys by the door and never change the locks.
• Segment your networks.  Why were the POS systems and contractor portal connected to the same network?  The security of confidential information should not be sacrificed for convenience.  If you have highly sensitive information on your network, you should probably investigate moving the less sensitive systems off.  Generally using multiple networks can greatly reduce the attacks vectors on your important data.
• Monitor the activity on your network.  You need to know if a detrimental event is on your audit logs.   You should look into next generation firewalls that can help inform you when anything is out of the ordinary.  You need to be able to know immediately if an unauthorized intrusion occurred and what was compromised.  This doesn’t just apply to activity entering and leaving your network, but internal traffic as well.
• Have your systems evaluated by a third-party.  Everyone has seen the commercials where Xerox says “Let us take care of the printing so that you can take care of …”.  The same concept holds true in the realm of network security.   There are experts out there who can tell you exactly where your vulnerabilities are and how to mitigate them.  Use them.

This is not meant to be a complete list of steps that you should take to secure your networks, but these are some things that I’m sure the CIO of Target wished he had employed.

It is important to point out that I’m not saying that building automation systems are impossible to hack through.  This is a very real, but yet still theoretical, possibility.  Building automation systems contain at least the same potential for intrusion as ANY other device on the network.  There are certain inherent qualities in these systems that can make them easier or harder for hackers to access depending on the implementation, but that is a different topic.

We operate in a world that is becoming ever more connected.  As leaders in the industry, it is incumbent upon us to understand what the risks are and be able to protect ourselves and our stakeholders from potential attacks.

About the Author

Keith Bishop is the Director of Analytics for Hepta Control Systems, headquartered in Detroit, MI.  Keith’s 15+ years of experience in both energy production and management provides a unique perspective for tackling industry problems.  Recognized as a national leader in analytics development, Keith has helped drive sustainability solutions for a wide array of building types.  His innovative analytical applications have supported data acquisition and diagnostic solutions for over 30 million sqft of buildings.