Tweet

August 2016
Article
AutomatedBuildings.com

Easy VRF & DSS Integration Solutions for BACnet, Modbus, Wifi
Intesis Software SLU

(Click Message to Learn More)


Target Breach Revisited… Again…

As leaders in the industry, it is incumbent upon us to understand what the risks are and be able to protect ourselves and our stakeholders from potential attacks.
Keith Bishop

Keith Bishop
Director of Analytics
Hepta Control Systems


Articles
Interviews
Releases
New Products
Reviews
Control Solutions, Inc
Editorial
Events
Sponsors
Site Search
Newsletters
Blue Ridge Technologies
Archives
Past Issues
Home
Editors
eDucation
Cube
Training
Links
Software
Subscribe
Belimo

So, why almost three years later am I bringing up the Target breach?  I don’t think people understand what happened, how the systems were penetrated or what changes can be made to help today.  Listen, this cost Target around $145 million and financial institutions hundreds of millions of dollars as well.   The total cost of this breach is estimated north of a billion dollars.  Shouldn’t we learn from their expense?  If you don’t understand what happened, you can’t prevent a similar attack.

Let’s start with one fact:  THE TARGET NETWORK WAS NOT ATTACKED THROUGH AN HVAC SYSTEM!  I bring this up because this is a common misconception.  I have heard this misstated recently in conference key-note speeches and now, it has even been incorrectly expressed on an information security website’s current article.  The statement from the HVAC mechanical company completely contradicts all of these less-formal sources.  If you haven’t understood this concept, don’t feel bad.  It is a very common belief, but it is still wrong.

So if they didn’t get in through the HVAC systems, what happened?  Most informed experts agree that this all started with a general phishing attack.  You know, those strange emails that appear to be from a foreign prince or even the head of your IT department, but actually contain a link that causes a malicious result.  This is where the attack appears to have originated:  an employee of a contractor clicked on an email that they shouldn’t have.  This gave the hackers access to the employee’s computer where they found credentials for accessing Target’s electronic billing, contract submission and project management systems.

Now that the hackers were on the Target contractor portal, they started to explore.  This is where they found documentation describing the complete network architecture.  The hackers simply used this documentation to traverse over to the Point-Of-Sale (POS) systems and accumulated information on tens of millions of credit card users.  This entire attack happened over a period of months and Target was completely unaware.

Reliable ControlsNow that we know what happened, let’s look at what we can do to prevent similar attacks:

This is not meant to be a complete list of steps that you should take to secure your networks, but these are some things that I’m sure the CIO of Target wished he had employed.

It is important to point out that I’m not saying that building automation systems are impossible to hack through.  This is a very real, but yet still theoretical, possibility.  Building automation systems contain at least the same potential for intrusion as ANY other device on the network.  There are certain inherent qualities in these systems that can make them easier or harder for hackers to access depending on the implementation, but that is a different topic.

We operate in a world that is becoming ever more connected.  As leaders in the industry, it is incumbent upon us to understand what the risks are and be able to protect ourselves and our stakeholders from potential attacks.


About the Author

Keith Bishop is the Director of Analytics for Hepta Control Systems, headquartered in Detroit, MI.  Keith’s 15+ years of experience in both energy production and management provides a unique perspective for tackling industry problems.  Recognized as a national leader in analytics development, Keith has helped drive sustainability solutions for a wide array of building types.  His innovative analytical applications have supported data acquisition and diagnostic solutions for over 30 million sqft of buildings.




footer

Cimetrics
[Click Banner To Learn More]

[Home Page]  [The Automator]  [About]  [Subscribe ]  [Contact Us]

Events

Want Ads

Our Sponsors

Resources