This article explores the nature of the vulnerabilities of building management systems and concludes with the cardinal rules for ensuring that the optimal security precautions are employed.

Known under many names and acronyms, Building Management Systems (BMS), Factory Automation Systems (FAS), Building Automation Systems (BAS), and Digital Control Systems (DCS) are all part of a large family of applications called System Control and Data Acquisition (SCADA). SCADA systems are designed for integrated monitoring and control of equipment, generally in a building, factory or plant environment, and enable users to gather pertinent information about systems and then make appropriate operational control changes.

SCADA is everywhere. In all, there are approximately three million of these systems that exist in the world, of which 80% are privately owned. From dams to data centers to food processing plants to fueling stations, SCADA is pervasive and has quietly grown without much attention from most corporate IT staffs…until now.

Most SCADA system architectures were designed over 30 years ago and were built for local operational monitoring and control. Over the last five years, most SCADA vendors have met the market demand for remote, distributed operations, driven by the internetworking of the world, by adding either dial-up modem or Web interfaces. In the process, what used to be separate and distinct SCADA and IT networks have become intertwined, which can potentially compromise the security of both systems. This recent change has largely gone unnoticed by many MIS departments as most companies still operate under a well-defined separation of Facilities and IT staffs. With the recent rash of warnings from United States officials about evidence of rising terrorist interest in SCADA as well as some incidences of remote intrusion and devious control, the facilities management teams should be on notice. Beware the controls system on the Internet…

The Internet as the Change Agent

The commercial networking of the world has driven companies to rely more heavily on electronic equipment for their operation and, at the same time, distribute that equipment across greater geographies than just 10 years ago. The advent of distributed information technology has moved the corporate infrastructure from a few large, central computing plants to hundreds of "edge networks" that put traditional Building Management Systems to the test.

A simple example of this change is that of a large brokerage corporation. Ten years ago, most trades from branch offices and scattered trading offices were transacted via the phone with a backup paper trail. The brokerage would have a limited number of "critical" facility operations: the call center(s), the processing data center and the corporate headquarters. Critical facility operations are places that maintain electronic equipment necessary for the survival of the company. These centralized facilities were manned 7/24 with facility machinery monitored and controlled locally by the round-the-clock staff.

The internetworking of the world has brought a change in this facility model. Local brokerage offices transact electronically bringing great efficiency to the company and the markets alike. The efficiency of this shift in trading models is reflected, in part, in the precipitous fall in price per trade for investors throughout the 1990's. The call centers are still there, but for external purposes - servicing the investor customers. As a result, they too have been distributed along with the electronic trading machinery in the local brokerage offices. Call centers distributed across different time zones is not uncommon now since the technical possibility and cost of internetworking far under weighs the benefits.

For corporate facilities departments, this means that critical facility operations have become pervasive throughout the footprint of the corporation. The 6' by 6' computing closet at a remote brokerage office will now hold equipment required to process millions of dollars per day. The servers, routers and storage equipment critical to the company are not necessarily in only a few sites anymore, but rather are scattered across hundreds of local offices. Call centers, still critical to the company in the new model, may number in the dozens.

There simply is not an economical way for corporate facilities to man these large and small, distributed critical operations around the clock anymore. This was the impetus for the metamorphosis of building management systems from local, integrated, closed systems to remote, distributed, accessible networks. The vendors had to change the capabilities of the systems for the Internet age while maintaining the large base of legacy equipment. Along came the Internet Protocol (IP) converters, the web front ends and the dial-up interfaces. These new features, though useful, have quietly added a slew of security problems that have recently been noticed by people on both sides of the problem.

Appealing Targets for a Variety of Attackers

Though the recent FBI warnings to owners of remote building control systems have been motivated by concerns about terrorism, networked systems can also come under attack by hackers, disgruntled current and former employees, competitors, criminals, and even spies. A hacker may just want to make his or her mark and show off, or may quietly hijack computer and network resources for other purposes. Disgruntled employees simply want to damage the company. Competitors, criminals, and spies will look for information they can use for their own economic or political profit.

Disgruntled employees, with revenge to effect against a company can and have brought havoc to a company's control system. The most famous recent occurrence was an Australian man who gained control of a sewage release control system.

Hackers are often Internet joy riders that cause harm as a side effect of demonstrating their own skill. It is the challenge of breaking into a system that drives the mind of the hacker. The greatest satisfaction is achieved by making the success public, perhaps by causing a problem that will make news. (See sidebar article on FAA Tower attack.)

An unethical competitor has an incentive to snoop and perhaps inflict harm. In 1998, a company that operated both an online e-commerce site and an internet service provider (ISP) set up the ISP computers to automatically intercept all email from a competing e-commerce site. The emails were used to compile a database of information about the other company's customers and suppliers to gain a competitive advantage. ["Internet Service Provider Charged With Intercepting Customer Communications and Possessing Unauthorized Password Files" http://www.cybercrime.gov/alibris.htm US Dept. of Justice 1999. Accessed 7/29/2002.]

Recent federal warnings about possible terrorist sabotage do not view the electronic attack as the primary act of terror, but rather part of a highly orchestrated plan to cause harm on a larger scale than a building or factory. For example, a terrorist would not be causing too much direct harm if he were to gain control of a building management system at a Telco's remote office, though the equipment inside is at peril; however, if the attack temporarily disabled 911 in the region, he may gain significant time for the execution of more devastating assaults. Attacks on financial institutions, telecommunication centers, and public utilities are not only possible but likely as part of a larger plot according to new federal reports. ["U.S. infrastructure information found on al Qaeda computers" CNN Washington Bureau, June 27, 2002]

Assessing the Vulnerabilities

These new remote management capabilities opened up areas of vulnerabilities for Building Management Systems. According to Joe Weiss, a control systems security expert at KEMA Consulting, "firewalls and intrusion-detection systems have been designed to protect against known IT exploits. That has nothing to do with industrial control systems." Three areas of vulnerabilities warrant closer examination: Access Control, IP Spoofing, and Denial of Service Attacks.

Ensuring Modern Safety Standards for Monitoring Your Critical Infrastructure

A good electronic security model for SCADA, and all corporate systems for that matter, incorporates three main principles:

• Confidentiality

• Integrity

• Availability

Ensuring confidentiality protects sensitive company and user information from unauthorized personnel. Protecting integrity keeps the system operational and prevents corruption of the data. Maintaining high availability is the primary purpose for using network architecture in the first place.

Access Control: Confidentiality

The obvious first step to support all three principles is setting up effective access control. The need to control access is in direct conflict with the need to make the system readily available to remote users. The most common answer for this problem is to use passwords.

Password security is strongly dependent on administrative issues outside the control of any system. Unchanged default passwords, easily guessed passwords, written password records, and "social engineering" attacks to trick users into revealing their passwords, are all common human flaws introduced into any password-protected system. Disgruntled employees may already have password access, and former employees may not get removed from the system in a timely manner.

A fractured access control system makes administration even more difficult. Because BMS systems are more localized in original design and operation, typically a user will need to dial in via modem or use a browser to visit multiple independent sites to understand what is happening across the entire enterprise. To simplify management, a company may resort to a single common user name and password for all users at all sites, or worse leaves the manufacturer's default values in place. For example, Chris Wysopal, director of research and development for digital security firm @Stake commented, "We found a power plant where all the control systems had their administrative systems set to the same password." It is also less likely that old users who are no longer authorized will be effectively purged from the entire system.

Even with good administrative practices in place, passwords alone do not guarantee effective access control. Systems on the Internet that use insecure protocols such as Telnet for logins, FTP for file transfers, or HTTP for Web access, expose passwords to anyone with a network packet sniffer. As information passes over a network, a sniffer can directly view the transmitted data. For instance, if a user types "John Galt" into the user name field and "Atlas Shrugged" into the password field, those values are transmitted as clear text across every network between the user and the target system, unless the network connection is encrypted. Software to sniff data packets is freely available on the Internet, but it is still rare to find a BMS that is using end-to-end encryption.

A good way to tell if encryption is being used in a Web interface is if the user must type "https" versus just "http" for the Web address. Browsers also generally have an icon that indicates if a page being viewed is secure or not. Any data sent over an unencrypted Web connection should be considered publicly broadcast, and passwords should be protected as carefully as credit card numbers submitted to e-commerce sites.

Password sniffing is an example of a case in which the network can compromise the security of the SCADA system. Access control problems can also be introduced into a network by a SCADA system. When a SCADA system that has relied on dial-up modem access in the past is integrated into a network, it can result in reduced security for both systems. (See sidebar article on FAA Tower attack next page.) The legacy access system is often left in as a backup or to ease user transition. From an IT perspective, however, modems are an excellent way to perform an end-run around corporate firewalls, and IT personnel may not be aware of the potential Trojan Horse they have placed on their network.

IP Spoofing: Integrity and Confidentiality

Another problem introduced by connecting to the Internet is the difficulty of verifying the source of the connection. When the user is dialing into a computer via modem, an attacker who wishes to intercept the call and "impersonate" the computer must insert hardware into the connection or compromise the telephone company's switches. On the Internet, it is much easier to convince the network that one computer is replacing another.

This can be done through a process known as "IP Spoofing." An attacker may assign their computer the same IP address as the machine they wish to replace. If, by some mechanism, they can temporarily disable the original machine or otherwise block network traffic to and from that machine, they can effectively take that machine's place on the network. Simple network protocols have no way to detect the change.

This is an intentional design feature of the Internet architecture, allowing a computer to be replaced without impacting the applications running on other computers; however, it presents a significant security problem. Obviously, the data being provided to the spoofed computer is compromised, and any data received from the impersonator is almost certainly faked.

As with access control, encryption can help ensure communication integrity. Built into the standard encrypted protocols is an authentication stage, in which the two parties verify their identities to each other. This immediately renders IP spoofing ineffective, because the disguise is exposed immediately.

Denial of Service Attacks: Availability

System availability is also a concern for any critical system. The utility of any system is significantly reduced, if not eliminated, if users cannot access it. This is the primary argument for placing a SCADA system on the network in the first place. Even so, it is possible to get the Internet equivalent of a busy signal if either the network or the computer itself is overloaded. When such overloading is initiated maliciously, it is referred to as a denial-of-service attack.

Denial-of-service attacks on the Internet are most often targeted at popular web gateway sites such as Yahoo, AOL, or Microsoft, but can be directed at any web server or other network service. Proprietary network interfaces, such as custom-built Web servers, should be carefully tested for their ability to handle large network loads, even if they are only designed for a handful of users.

Ironically, SCADA systems while attempting to scale themselves have actually created a denial of service problem for themselves, without outside influence. As stated by Joe Wiess in a July 24, 2002 hearing before the Subcommittee on Government Efficiency, Financial Management and Intergovernmental Relations, "…There have been several cases where control systems (SCADA and DCS) have had denial of service events because of their lack of control system robustness. Procedures on how to utilize these systems in an appropriate manner are often lacking. As a result, there have been several cases of denial of service on control systems, including in a nuclear facility, because of inadequate procedures." (http://reform.house.gov/gefmir/hearings/2002hearings/0724_cyberterrorism/weiss_testimony.htm )

Cardinal Rules To Ensure Your Company's Safety

It must be emphasized that if a system, any system, is attached to a network it will be vulnerable to attack by anyone able to connect to that network regardless of the electronic barriers put in place. With this fact in mind, we recommend the following precautions to reduce the likelihood of attack and minimize the damage that an attack can cause should it occur. To ensure maximum security as defined by the three principles of confidentiality, integrity and confidentiality, businesses need to evaluate their Building Management System against the following checklist:

• Have monitoring and control functionality been separated in the system, or into two separate systems altogether, so that control can be kept a local function, inaccessible from the outside while monitoring functionality uses the networks, public and private? 

• Is the data hitting any part of a network fully encrypted with 128-bit encryption? 

• Can the system gather or amalgamate data from multiple sites without the need to puncture through a firewall to summon the information? In other words the information is "pushed" to the user, not "pulled." 

• Are there "keep alive" packets with some frequency between the data gathering devices and the main server(s) to that a node can't be sabotaged without someone being notified? 

• Can the servers with notification and data history responsibility be geographically separate and yet mirror each other in real time so that a single point of failure is not possible? 

• Have modems or other "back doors" for access to the SCADA system been eliminated? 

• Has the Internet interface been load tested in order to avert denial of service attacks or self-generated problems? 

• Is the browser interface using 128-bit Secure Socket Layer?

• Is the server using Secure Shell? 

• Can user names and passwords be managed across all facilities from one administrative location?

• Can log on conventions limit user rights to read-only and limit equipment and locations for a user?

With SCADA and control-system security making headlines today, facilities managers need to be aware of similar security vulnerability that may exist across their building infrastructure. As Building Management Systems move away from stand-alone, localized technology to become more connected to corporate systems and to the public networks, there are increasingly security risks. Only by rigorously examining their vulnerabilities and by testing against confidentiality, integrity, and availability can they be assured that the optimal security precautions are employed.

About the authors: 
Jonathan Buckley is the VP, Marketing and Business Development for NetBrowser Communications. Before NetBrowser, Jonathan has had responsibility of managing widely distributed, mission-critical facilities for a large telecommunications company.

Jay H. Hartley, Ph.D. is a Senior Software Engineer for NetBrowser Communications. Previously, Jay has worked with data acquisition and control systems as a physicist at Lawrence Livermore National Laboratory.

NetBrowser Communications has pioneered and patented an enterprise monitoring software suite, e-Guardian®, for what it calls The Zero Layer™, or the facility foundations layer upon which critical IT systems depend.

[Click Banner To Learn More]

[Home Page]  [The Automator]  [About]  [Subscribe ]  [Contact Us]