Cybersecurity in Building Automation Systems (BAS)
ICIT CERTIFIED: In this paper, the OT Research Team at Forescout, an ICIT Fellow Program Member, performed an exercise in vulnerability and malware research for devices commonly used in building automation system (BAS). It has been reviewed by ICIT researchers and is certified as an educational document. ICIT encourages stakeholders to read this paper and distribute it widely to share its contents.
Vulnerabilities in smart buildings are very dangerous because they open these buildings up to the possibility of large-scale cyberattacks. Although we haven’t yet seen malware specifically crafted for smart buildings, malware for ICS have seen enormous growth in the past decade and are getting increasingly common (see Stuxnet, Industroyer, TRITON, and the more recent GreyEnergy). These attacks can be devastating, and we believe that malware targeting smart buildings is an inevitable next step.
To anticipate this threat, the OT Research Team at Forescout has conducted in depth analysis and research of vulnerabilities and malware unique to BAS. There were three key objectives:
Understand the level of risk for building automation systems. Entailing the differences between ICS and BAS in terms of security and safety concerns, and whether there is risk posed by exposed IoT and BAS connected devices
Demonstrate how a group of researchers could uncover and exploit dangerous vulnerabilities in popular BAS devices
Demonstrate the detection capabilities of SilentDefense, a leading network monitoring and threat detection tool for OT
The results are grouped in four key areas:
Analysis of the security landscape for building automation systems and networks.
Discovery and responsible disclosure of previously unknown vulnerabilities in building automation devices, ranging
from controllers to gateways.
Development of a proof-of-concept malware that persists on devices at the automation level, as opposed to persisting
at the management level as most OT malware and also debunking the myth that malware for cyber-physical systems
must be created by actors that are sponsored by nation-states and have almost unlimited resources.
Discussion on how network monitoring tools can help protect building automation systems by promptly detecting threats