November 2019 |
Cyber Attack! Cyber Attack! BAS CYBER ATTACK!!!!!!!!!!!!!

Imagine… you’re a controls contractor. You get a call from a customer saying their corporate business server has been hacked, and that they got in through your BAS server. The FBI wants to talk to you...
Scott Cochrane, President and CEO, Cochrane Supply & Engineering, Contributing Editor
THE BACKGROUND
THE ATTACK!
The building owner approached the controls contractor with some news…

The owner’s IT department noticed that one of their servers had become encrypted, and received an email stating that they had been attacked by malware placed on that server. The malware went through the hard drive encrypting data, affecting approximately 18 GB that was then being held for ransom. The owner was told that if they wanted their data back, they would have to pay 7 Bitcoin, or approximately $55,515.
The attack was on a business server that sat on the same network as the BAS server, and the BAS server was the entry point into the network. The BAS server had a remote IP address exposed on the internet, which had been given to the controls contractor for remote access. The contractor simply entered their BAS software credentials and logged in; they did not have to log in to a VPN first. The hacker found the exposed IP address of the BAS server and placed malware on it, and the malware used the server’s operating system to reach the rest of the network. That is where the hacker found the business server they had been hoping to find. The network was a flat topology, so once they got into one server, they had the keys to the city. The BAS software itself was not hacked into, nor was any damage done to the BAS system.
The owner’s IT department fortunately had recent backups of the
affected server and was able to perform a rebuild within four hours of
the malware attack. This mitigated paying the ransom or any significant
damage to business operations.
THE REMEDIATION

The contractor, owner and FBI got together to evaluate what had happened and how to mitigate it going forward. The BAS software was rebuilt on a completely different physical server and set up behind a VPN, and all remote access going forward would be done via remote desktop over the VPN. The FBI recommended a new server for the BAS system because, while IT experts can remove most malware from a server, there is no way to know it is all out. You don’t want to risk leaving any of it in there; the only way to know for sure it’s removed is to rebuild from scratch.
All operating system software and BAS software was brought up to current standards, and the contractor restored from backups kept on their own local host, not from the building’s machines, so as not to carry something in inadvertently. Backups were then set up on a regular schedule in case a rebuild has to take place again.
According to the FBI, you’d be amazed how many companies cannot enforce diligent backups and so don’t do them regularly. They might do it once a week or once a month, or it’s just sporadic and they do it when they have time. When those companies get held ransom, they’ll pay it. The downside is that you’ll get a ransom demand for $40,000, they’ll decrypt part of your data to prove they can do it, and then demand more money again. You’re dealing with crooks. So good luck.
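The FBI’s point above is about backup cadence, not just backup existence: a backup that is weeks old, or has never been test-restored, is what turns a four-hour rebuild into a ransom payment. The following Python script is an added example, not part of the article or any product described in it; the backup log, server names, time stamps and the 24-hour/48-hour policy thresholds are constructed for illustration and would come from your own backup system.

```python
from datetime import datetime, timedelta

# Constructed sample backup log (not from the article). One row per completed
# backup job: server name, completion time (ISO 8601, UTC), and whether a test
# restore of that backup was performed.
SAMPLE_BACKUPS = [
    ("biz-srv-01", "2019-11-01T02:00", True),
    ("biz-srv-01", "2019-11-02T02:00", True),
    ("biz-srv-01", "2019-11-03T02:05", False),
    ("bas-srv-01", "2019-10-01T03:00", False),  # monthly, then sporadic
    ("bas-srv-01", "2019-10-25T03:00", False),
    ("bas-srv-01", "2019-11-02T03:00", False),
]

# Point in time at which the audit is run (fixed so the example is repeatable).
AUDIT_TIME = datetime.fromisoformat("2019-11-03T09:00")


def group_by_server(records):
    """Return {server: [(completion_time, restore_tested), ...]} sorted by time."""
    by_server = {}
    for server, stamp, tested in records:
        by_server.setdefault(server, []).append((datetime.fromisoformat(stamp), tested))
    for runs in by_server.values():
        runs.sort()
    return by_server


def audit_backups(records, now=AUDIT_TIME,
                  max_age=timedelta(hours=24), max_gap=timedelta(hours=48)):
    """Check each server's backup history against a cadence policy.

    Returns {server: [finding tags]}:
      "stale"    - newest backup is older than max_age
      "sporadic" - some gap between consecutive backups exceeds max_gap
      "untested" - no backup for this server was ever restore-tested
    An empty list means the server meets the policy.
    """
    findings = {}
    for server, runs in group_by_server(records).items():
        tags = []
        newest = runs[-1][0]
        if now - newest > max_age:
            tags.append("stale")
        gaps = [later[0] - earlier[0] for earlier, later in zip(runs, runs[1:])]
        if gaps and max(gaps) > max_gap:
            tags.append("sporadic")
        if not any(tested for _, tested in runs):
            tags.append("untested")
        findings[server] = tags
    return findings


if __name__ == "__main__":
    for server, tags in audit_backups(SAMPLE_BACKUPS).items():
        status = ", ".join(tags) if tags else "OK"
        print(f"{server}: {status}")
```

In the constructed data the business server passes (nightly runs, one of them restore-tested) while the BAS server fails all three checks, which is exactly the "we do it when we have time" pattern the FBI describes. Treat "untested" as seriously as "stale": an unrestorable backup gives you no leverage against a ransom demand.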
The function of the business server that got encrypted was the day-to-day operation of all of their engineering and accounting. The FBI was very adamant that you need to compartmentalize this data. Keep your engineering separate from your accounting, separate from your customer lists, separate from outside sales. Keep all these departments on software separate from one another so that people can’t see the entire business if they get into one system. They might get a piece of it, but that’s all they get.
The FBI’s main interest was trying to figure out where the malware was coming from. The contractor gave them the BAS server to dismantle and collect the information needed to assist their efforts. The FBI said most malware now is coming from Russia or China, and they are working to track patterns of such attacks.
SUMMARY
If you have remote access to a site through a simple IP address with no VPN or security gateway, you are setting yourself up for disaster. Owners need to take the right steps to make sure that remote access is done either with a VPN or with other cyber security measures that are monitored and maintained. Contractors should recognize that if they are logging in remotely via just an IP address, that BAS server is now a beacon on the internet inviting hackers to come in and create a problem for the contractor, the owner and anyone who relies on that network.
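The two conditions the article blames for this incident, a BAS server reachable directly from the internet without a VPN and a flat network where the BAS server shares a segment with business servers, can both be checked from a plain host inventory before a contractor ever connects. The Python script below is an added example and not part of the article or of any BAS product; the inventory format, host names, addresses and the "direct"/"vpn" labels are constructed assumptions standing in for whatever your own asset list records.

```python
import ipaddress
from collections import defaultdict

# Constructed host inventory (not from the article). "cidr" is the host's
# address and subnet mask; "remote_access" records how the host is reached
# from outside: "direct" means its management port is exposed on the internet,
# "vpn" means it is only reachable after a VPN login, None means no remote
# access at all. Addresses are private-range examples chosen for illustration.
BEFORE_INCIDENT = [
    {"name": "bas-srv",  "role": "bas",      "cidr": "10.0.0.10/24", "remote_access": "direct"},
    {"name": "biz-srv",  "role": "business", "cidr": "10.0.0.20/24", "remote_access": None},
    {"name": "file-srv", "role": "business", "cidr": "10.0.0.21/24", "remote_access": None},
]

# The remediated layout: new BAS server on its own segment, reachable only over VPN.
AFTER_REMEDIATION = [
    {"name": "bas-srv-new", "role": "bas",      "cidr": "10.10.0.10/24", "remote_access": "vpn"},
    {"name": "biz-srv",     "role": "business", "cidr": "10.0.0.20/24",  "remote_access": None},
    {"name": "file-srv",    "role": "business", "cidr": "10.0.0.21/24",  "remote_access": None},
]


def exposed_hosts(inventory):
    """Names of hosts whose remote access is not behind a VPN: the
    'beacon on the internet' case described in the summary."""
    return [h["name"] for h in inventory
            if h["remote_access"] is not None and h["remote_access"] != "vpn"]


def flat_segments(inventory):
    """Subnets on which BAS hosts sit beside business hosts.

    A hit means an attacker who lands on the BAS server has a direct network
    path to the business servers, i.e. the flat topology from the incident.
    """
    roles_by_net = defaultdict(set)
    for h in inventory:
        # strict=False lets a host address like 10.0.0.10/24 map to 10.0.0.0/24
        net = ipaddress.ip_interface(h["cidr"]).network
        roles_by_net[str(net)].add(h["role"])
    return sorted(net for net, roles in roles_by_net.items()
                  if {"bas", "business"} <= roles)


def audit_remote_access(inventory):
    """Run both checks and return the findings as a dict."""
    return {
        "exposed": exposed_hosts(inventory),
        "flat_segments": flat_segments(inventory),
    }


if __name__ == "__main__":
    for label, inv in (("before", BEFORE_INCIDENT), ("after", AFTER_REMEDIATION)):
        print(label, audit_remote_access(inv))
```

Run against the constructed "before" inventory the audit flags the BAS server as exposed and reports 10.0.0.0/24 as a shared segment; the "after" inventory, which mirrors the remediation in this article (new server, VPN-only access, separate segment), produces no findings. The value of a check like this is that it runs on paper, from the asset list, long before anyone has to discover the problem the way this owner did.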
We see this scenario happening in buildings every day; it’s a BAS industry epidemic. But…IT’S AVOIDABLE! We need to be aware, understand what it looks like, and know how to fix it.
“I thought I was playing it safe… I thought we were protected. I was wrong...”
- Controls Contractor