SlideShare uma empresa Scribd logo

How Secure Is Your Building Automation System?

Forescout Technologies Inc
Forescout Technologies Inc

Explore common vulnerabilities in building automation systems (BAS), how these vulnerabilities could be exploited, and steps that organizations can take to improve the cybersecurity of their BAS.

Tecnologia
1 de 24
Baixar para ler offline
1 KNOW YOUR SECURITY RISK How Secure Is Your Building Automation System (BAS)? The Forescout Building Automation Risk Report explores the common systems that make organizations vulnerable to cyberattacks and how these systems could be exploited.
2 Evolution of BAS (1/3) 1980 1990 2000 2010 2020 2030 BMS ELEVATOR LIGHTING HVAC Yesterday’s BAS Buildings offered very basic services, consisting of only a central building management system (BMS) and one or two subsystems, such as HVAC, elevators or lighting systems, that were isolated from each other and outside networks.
3 Evolution of BAS (2/3) LIGHTING LOCAL BMS CENTRAL BMSREMOTE CONTROL CCTV HVAC SOLAR PANEL ELEVATOR ACCESS CONTROL LIGHTING LOCAL BMS CCTV HVAC SOLAR PANEL ELEVATOR ACCESS CONTROL Today’s BAS Today’s buildings are smart buildings, with a central BMS that can integrate with the local BMS of multiple buildings within its network. Each local BMS connects to many different subsystems, including HVAC, surveillance, access control, and energy systems.
4 Evolution of BAS (3/3) LIGHTING LOCAL BMS CCTV HVAC SOLAR PANEL ELEVATOR ACCESS CONTROL Tomorrow’s BAS Smart cities are the inevitable next step in this evolution of BAS. Smart buildings’ local BMS will soon be able to integrate with any other building’s local BMS, as well as the industrial infrastructure around them.
5 BAS Explosion The number of identified vulnerabilities in BAS has increased over 500% in the past three years. [2] By 2026, there will be over 56 million new BAS devices. [1] [1] ABI Research, 2019, BAS Wireless Field Equipment Shipments [2] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2016/07/07190426/KL_REPORT_ICS_Statistic_vulnerabilities.pdf 5
6 39.3% of publicly reachable BAS devices are vulnerable [1] Devices publicly reachable and vulnerable to the 0-days discovered in our research Total devices publicly reachable* 39.3%* 22,902 devices 9,103 devices * Of the models used in our research [1] Forescout, The Current State of Smart Building Cybersecurity, 2019: https://www.forescout.com/securing-building-automation-systems-bas/ Vulnerable devices include: HVAC PLCs, Access Control PLCs, Protocol Gateways
7 Research Overview Forescout BAS Risk Report Industry attention has recognized the threat of commonly known Internet of Things (IoT) devices. What may go unnoticed is the potential safety and business risks to building automation systems (BAS). Research into three key areas of BAS: Surveillance HVAC Access Control revealed that their core technologies, fundamental development methods and legacy implementations make implementing proper security an often overlooked, but critical, task.
8 Key Findings Discovered and responsibly disclosed previously unknown vulnerabilities in building automation devices, ranging from controllers to gateways. Debunked the myth that malware for cyber-physical systems must be created by actors that are sponsored by nation-states and have almost unlimited resources. Developed a proof-of-concept malware that persists on devices at the automation level, as opposed to persisting at the management level as most OT malware does. Concluded that improved device visibility into vulnerable BAS networks is one of the best ways to reduce risk. 8
9 Where Do The Vulnerabilities Lie? EXPLORING THREE POTENTIAL ENTRY POINTS OF BAS 9
10 IP-Cameras publicly reachable and vulnerable to exploits used in our research Total IP-Cameras publicly reachable* 91.5% Area 1: Surveillance 11,269 devices 10,312 devices Malicious actors can leverage this channel to move laterally and: • Gain control of other subsystems at the automation level. • Gain control of the management level to orchestrate a larger, coordinated attack. Attacker Initial Access Lateral Movement 1 Lateral Movement 2 IP Camera Workstation HVAC PLC Protocol Gateway Access Control PLC * Of the models used in our research
11 Area 2: HVAC Malicious actors can use HVAC systems to bypass “air gaps” via a covert thermal channel [1] and move laterally to: • Raise the temperature setpoint in a data center to cause business disruption. • Gain access to the management network to orchestrate a larger, coordinated attack. Attacker Command & Control Internet Central A/C management unit A/C end unit Public domain Airgapped domain Targeted hosts [1] Y. Mirsky, M. Guri and Y. Elovici, “HVACKer: Bridging the Air-Gap by Attacking the Air Conditioning System,” 2017. [Online]. Available: https://arxiv.org/abs/1703.10454.
12 Area 3: Access Control Malicious actors can use access control systems comprised of access badges, badge readers, controllers, and databases that store user credentials to: • Control the doors and gain access to forbidden areas. • Lock building occupants in and demand ransom. • Gain access to the management network to orchestrate a larger, coordinated attack. Attacker Initial Access Lateral Movement 1 Lateral Movement 2 IP Camera Workstation HVAC PLC Protocol Gateway Access Control PLC
13 Proof-of-Concept Malware Development THE METHODS USED 13
14 Methodology Cyber Attack Lifecycle (Mandiant) RECON RESEARCH WEAPONIZE COMPROMISE PERSISTENCE • Gather information on the target • Research networks & technologies • Find access means • Procure existing exploits • Find 0-days • Plan a stealth attack • Develop • Compromise • Move laterally • Execute • Persist after reboots • Clean traces 14
15 Potential Attack Paths IoT Device Subsystem 1 Management Subsystem 2...n Workstation Internet Physical Building Subsystems Attacker PLC Sensor Actuator 1. Publicly reachable PLCs: Using this path, the malware can enter directly from the Internet and exploit the programmable logic controllers (PLCs) controlling the sensors and actuators at the field level, so there is no need to perform any lateral movement from other devices. 2. Publicly reachable workstations: Using this path, the malware can enter a workstation from the Internet at the management level and move laterally to the PLCs. 3. Publicly reachable IoT devices: Using this path, the malware can enter an IoT device, such as an IP camera or a WiFi router, from the Internet and use that entry point to gain access to the internal network, usually moving to the management level first and then to other subsystems. 4. Air gapped network: Using this path, the attacker must have physical access to the building network (which could be accomplished via the HVAC system) and move laterally to reach the PLCs.
16 Attack Path Goals # Step Goal Possible Target 1 2 3 4 5 Initial Access Lateral Movement 1 Lateral Movement 2 Execution Persistence Establish an initial foothold in the network Move to the management level Move to another subsystem in the BAS Disrupt the normal functioning of the PLCs Persist in the infected automation level devices PLCs (path 1) Workstations (path 2) IoT devices (path 3) Workstations or networking equipment PLCs or IoT devices PLCs PLCs 16 Possible steps of an attack on building automation networks
17 The Attack Plan Attacker 1. Initial Access 2. Lateral Movement 1 3. Lateral Movement 2 5. Persistence 4. Execution IP Camera Workstation Access Control PLC Step 1 – Initial Access The IP Camera can be exploited using a combination of CVE-2018-10660 [1] , CVE-2018-10661 [2] , and CVE-2018-10662 [3] . The vulnerabilities and our exploit are based on the work of Or Peles [4] and the available Metasploit module [5] . STEP 2 - Lateral Movement 1 Once on the camera, the malware cleans its tracks by editing the files /var/volatile/log/{auth,info}.log, calls netstat to find the workstation connected to it (used for network video recording) and moves from the camera to the workstation by exploiting the misconfigured MS-SQL server. Step 3 – Lateral Movement 2 While running on the workstation, the malware looks for an instance of the Access Control PLC workbench and reads its configurations files to find the devices connected to and being managed by that workstation. Step 4 – Execution After being dropped on the target device, the first goal of the final payload is to disrupt the normal behavior of the PLC by adding a new user and a new badge to the database, giving access to an otherwise unauthorized person. Step 5 – Persistence After the final payload has been executed, the malware has to persist on the device after reboots. [1] “CVE-2018-10660,” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-10660 [2] “CVE-2018-10661,” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-10661. [3] “CVE-2018-10662,” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-10662. [4] O. Peles, “VDOO Discovers Significant Vulnerabilities in Axis Cameras,” 2018. [Online]. Available: https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities- in-axis-cameras/. [5] Rapid7, “Axis Network Camera .srv to parhand RCE,” [Online]. Available: https://www.rapid7.com/db/modules/exploit/linux/http/axis_srv_parhand_rce.
18 Vulnerabilities Discovered (1/2) # Product Vulnerability Type Notes 1 Protocol Gateway XSS 0-day patched by the vendor and CVE assigned 2 Protocol Gateway Path traversal 0-day patched by the vendor and CVE assigned 3 Protocol Gateway Arbitrary file deletion 0-day patched by the vendor and CVE assigned 4 HVAC PLC XSS 0-day patched by the vendor and CVE assigned 5 HVAC PLC Authentication bypass 0-day patched by the vendor and CVE assigned 6 Access Control PLC XSS 0-day patched by the vendor and CVE assigned 7 Access Control PLC Hardcoded secret Not 0-day, the vulnerability was known and patched by the vendor, but never disclosed. 8 Access Control PLC Buffer overflow Not 0-day, the vulnerability was known and patched by the vendor, but never disclosed.
19 Vulnerabilities Discovered (2/2) • XSS vulnerabilities allow an attacker to inject malicious scripts into trusted web interfaces running on the vulnerable devices, which may be executed by the browser of an unsuspecting user to access cookies, session tokens, or other sensitive information, as well as to perform malicious actions on behalf of the user. • Path traversal and file deletion vulnerabilities allow an attacker to manipulate path references and access or delete files and directories (including critical system files) that are stored outside the root folder of the web application running on the device. • Authentication bypass vulnerability allows an attacker to steal the credential information of application users, including plaintext passwords, by manipulating the session identifier sent in a request. The most severe vulnerabilities are issues #7 and #8, which allow a remote attacker to execute arbitrary code on the target device and gain complete control of it. • Hardcoded secret: The Java framework used on the Access Control PLC and on its control software stores system configurations in a file called daemon.properties and application configurations in a file called config.bog, which is a compressed xml. These files contain usernames and passwords, among other information. The passwords are hashed or encrypted depending on the version of the framework. • Buffer overflow: There is a binary daemon running on the Access Control PLC that exposes multiple HTTP endpoints that remote users can access to manage the device. “A myriad of these affected BAS devices are available online and can still be exploited because they are unpatched.”
20 How to Reduce Risk for BAS Networks Implement security solutions that offer: • Passively and automatically establishes asset inventory with full device fingerprinting • Documents the network baseline of normal communications • Automatically assesses common vulnerabilities & exposures (CVEs) for BAS devices • Continuously monitors the network for changes in behavior • Automatically checks device behavior against threat indicators and protocol compliance standards • Alerts in real time with interactive visualizations of threats and risks • Monitors both IT and OT networks from a single screen • Offers extensive, cross- functional automation capabilities • Is agentless and infrastructure-agnostic Complete Device Visibility Real-Time Threat Detection Converged IT-OT Security
21 Conclusion Building automation systems (BAS) may be as critical as industrial control systems (ICS) in terms of safety and security, yet receive much less attention from the security community. Enhancing BAS cybersecurity programs with device visibility and network monitoring can give organizations a thorough understanding of the environment and its connections, making it easier to design effective security architectures, identify attack vectors, and locate blind spots. 21
22 About the Researchers Daniel dos Santos holds a PhD in Computer Science from the University of Trento and has experience in security consulting and research. He is a researcher at Forescout, focusing on vulnerability research and the development of innovative features for Forescout OT products. Clément Speybrouck holds a post-master degree in Security in Computer Systems and Communication from EURECOM and worked as an intern at Forescout during the development of this research project. Elisa Costante holds a PhD in Computer Science from the Eindhoven University of Technology. She is an expert in IT and OT security and privacy. As Head of Industrial and OT Research at Forescout, she manages the internal and external research activities. Her responsibilities include the management of national and international projects, the planning of research strategy and the supervision of prototype development activities for innovative features to be added to Forescout OT products. Acknowledgement: the authors would like to thank Andrés Castellanos-Páez and Jos Wetzels for their help in discovering and exploiting the buffer overflow vulnerability.
23 Download the full research report to learn more about the current state of smart building cybersecurity DOWNLOAD
24 About Forescout Connect with us Forescout Technologies is the leader in device visibility and control. Our unified security platform enables enterprises and government agencies to gain complete situational awareness of their extended enterprise environments and orchestrate actions to reduce cyber and operational risk. Forescout products deploy quickly with agentless, real-time discovery and classification, as well as continuous posture assessment. www.forescout.com @Forescout Forescout Technologies

Recomendados

Transforming Smart Building Cybersecurity Strategy for the Age of IoT
Transforming Smart Building Cybersecurity Strategy for the Age of IoTTransforming Smart Building Cybersecurity Strategy for the Age of IoT
Transforming Smart Building Cybersecurity Strategy for the Age of IoT
Forescout Technologies Inc
 
ForeScout IoT Enterprise Risk Report
ForeScout IoT Enterprise Risk ReportForeScout IoT Enterprise Risk Report
ForeScout IoT Enterprise Risk Report
Forescout Technologies Inc
 
Network Access Control (NAC)
Network Access Control (NAC)Network Access Control (NAC)
Network Access Control (NAC)
Forescout Technologies Inc
 
Symantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security SolutionSymantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security Solution
DLT Solutions
 
SC Magazine & ForeScout Survey Results
SC Magazine & ForeScout Survey ResultsSC Magazine & ForeScout Survey Results
SC Magazine & ForeScout Survey Results
ForeScout Technologies
 
The Internet of Things Isn't Coming, It's Here
The Internet of Things Isn't Coming, It's HereThe Internet of Things Isn't Coming, It's Here
The Internet of Things Isn't Coming, It's Here
Forescout Technologies Inc
 
Shining a Light on Shadow Devices
Shining a Light on Shadow DevicesShining a Light on Shadow Devices
Shining a Light on Shadow Devices
Forescout Technologies Inc
 
Solution: Block Armour Secure Remote Access for WFH
Solution: Block Armour Secure Remote Access for WFHSolution: Block Armour Secure Remote Access for WFH
Solution: Block Armour Secure Remote Access for WFH
Block Armour
 

Recomendados

Transforming Smart Building Cybersecurity Strategy for the Age of IoT
Transforming Smart Building Cybersecurity Strategy for the Age of IoTTransforming Smart Building Cybersecurity Strategy for the Age of IoT
Transforming Smart Building Cybersecurity Strategy for the Age of IoT
Forescout Technologies Inc
 
ForeScout IoT Enterprise Risk Report
ForeScout IoT Enterprise Risk ReportForeScout IoT Enterprise Risk Report
ForeScout IoT Enterprise Risk Report
Forescout Technologies Inc
 
Network Access Control (NAC)
Network Access Control (NAC)Network Access Control (NAC)
Network Access Control (NAC)
Forescout Technologies Inc
 
Symantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security SolutionSymantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security Solution
DLT Solutions
 
SC Magazine & ForeScout Survey Results
SC Magazine & ForeScout Survey ResultsSC Magazine & ForeScout Survey Results
SC Magazine & ForeScout Survey Results
ForeScout Technologies
 
The Internet of Things Isn't Coming, It's Here
The Internet of Things Isn't Coming, It's HereThe Internet of Things Isn't Coming, It's Here
The Internet of Things Isn't Coming, It's Here
Forescout Technologies Inc
 
Shining a Light on Shadow Devices
Shining a Light on Shadow DevicesShining a Light on Shadow Devices
Shining a Light on Shadow Devices
Forescout Technologies Inc
 
Solution: Block Armour Secure Remote Access for WFH
Solution: Block Armour Secure Remote Access for WFHSolution: Block Armour Secure Remote Access for WFH
Solution: Block Armour Secure Remote Access for WFH
Block Armour
 
Frost & Sullivan Report
Frost & Sullivan ReportFrost & Sullivan Report
Frost & Sullivan Report
Forescout Technologies Inc
 
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)
Andris Soroka
 
Next-generation Zero Trust Cybersecurity for the Space Age
Next-generation Zero Trust Cybersecurity for the Space AgeNext-generation Zero Trust Cybersecurity for the Space Age
Next-generation Zero Trust Cybersecurity for the Space Age
Block Armour
 
Physical/Network Access Control
Physical/Network Access ControlPhysical/Network Access Control
Physical/Network Access Control
jwpiccininni
 
Throughwave Day 2015 - ForeScout Automated Security Control
Throughwave Day 2015 - ForeScout Automated Security ControlThroughwave Day 2015 - ForeScout Automated Security Control
Throughwave Day 2015 - ForeScout Automated Security Control
Aruj Thirawat
 
CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...
CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...
CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...
Block Armour
 
IoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalIoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 final
Frank Siepmann
 
Securing Smart Cities with Blockchain-enabled Zero Trust Cybersecuity
Securing Smart Cities with Blockchain-enabled Zero Trust CybersecuitySecuring Smart Cities with Blockchain-enabled Zero Trust Cybersecuity
Securing Smart Cities with Blockchain-enabled Zero Trust Cybersecuity
Block Armour
 
IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9
Arvind Tiwary
 
Iot(security)
Iot(security)Iot(security)
Iot(security)
Shreya Pohekar
 
Nozomi networks-solution brief
Nozomi networks-solution briefNozomi networks-solution brief
Nozomi networks-solution brief
Nozomi Networks
 
Zero Trust Cybersecurity for Microsoft Azure Cloud
Zero Trust Cybersecurity for Microsoft Azure Cloud Zero Trust Cybersecurity for Microsoft Azure Cloud
Zero Trust Cybersecurity for Microsoft Azure Cloud
Block Armour
 
Top 7 Security Measures for IoT Systems
Top 7 Security Measures for IoT Systems Top 7 Security Measures for IoT Systems
Top 7 Security Measures for IoT Systems
Zoe Gilbert
 
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks
 
IOT Security
IOT SecurityIOT Security
IOT Security
Sylvain Martinez
 
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
PROFIBUS and PROFINET InternationaI - PI UK
 
Block Armour Unified Secure Access Solution (based on Zero Trust principles)
Block Armour Unified Secure Access Solution (based on Zero Trust principles)Block Armour Unified Secure Access Solution (based on Zero Trust principles)
Block Armour Unified Secure Access Solution (based on Zero Trust principles)
Block Armour
 
Internet of Things Security Patterns
Internet of Things Security PatternsInternet of Things Security Patterns
Internet of Things Security Patterns
Mark Benson
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
Lancope, Inc.
 
IoT Security, Mirai Revisited
IoT Security, Mirai RevisitedIoT Security, Mirai Revisited
IoT Security, Mirai Revisited
Clare Nelson, CISSP, CIPP-E
 
Part3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docxPart3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docx
farrahkur54
 
I Own Your Building (Management System)
I Own Your Building (Management System)I Own Your Building (Management System)
I Own Your Building (Management System)
Zero Science Lab
 

Mais conteúdo relacionado

Mais procurados

Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks
 
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
PROFIBUS and PROFINET InternationaI - PI UK
 
Block Armour Unified Secure Access Solution (based on Zero Trust principles)
Block Armour Unified Secure Access Solution (based on Zero Trust principles)Block Armour Unified Secure Access Solution (based on Zero Trust principles)
Block Armour Unified Secure Access Solution (based on Zero Trust principles)
Block Armour
 
Internet of Things Security Patterns
Internet of Things Security PatternsInternet of Things Security Patterns
Internet of Things Security Patterns
Mark Benson
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
Lancope, Inc.
 

Mais procurados (20)

Frost & Sullivan Report
Frost & Sullivan ReportFrost & Sullivan Report
Frost & Sullivan Report
 
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)
 
Next-generation Zero Trust Cybersecurity for the Space Age
Next-generation Zero Trust Cybersecurity for the Space AgeNext-generation Zero Trust Cybersecurity for the Space Age
Next-generation Zero Trust Cybersecurity for the Space Age
 
Physical/Network Access Control
Physical/Network Access ControlPhysical/Network Access Control
Physical/Network Access Control
 
Throughwave Day 2015 - ForeScout Automated Security Control
Throughwave Day 2015 - ForeScout Automated Security ControlThroughwave Day 2015 - ForeScout Automated Security Control
Throughwave Day 2015 - ForeScout Automated Security Control
 
CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...
CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...
CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...
 
IoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalIoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 final
 
Securing Smart Cities with Blockchain-enabled Zero Trust Cybersecuity
Securing Smart Cities with Blockchain-enabled Zero Trust CybersecuitySecuring Smart Cities with Blockchain-enabled Zero Trust Cybersecuity
Securing Smart Cities with Blockchain-enabled Zero Trust Cybersecuity
 
IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9
 
Iot(security)
Iot(security)Iot(security)
Iot(security)
 
Nozomi networks-solution brief
Nozomi networks-solution briefNozomi networks-solution brief
Nozomi networks-solution brief
 
Zero Trust Cybersecurity for Microsoft Azure Cloud
Zero Trust Cybersecurity for Microsoft Azure Cloud Zero Trust Cybersecurity for Microsoft Azure Cloud
Zero Trust Cybersecurity for Microsoft Azure Cloud
 
Top 7 Security Measures for IoT Systems
Top 7 Security Measures for IoT Systems Top 7 Security Measures for IoT Systems
Top 7 Security Measures for IoT Systems
 
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company Introduction
 
IOT Security
IOT SecurityIOT Security
IOT Security
 
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
 
Block Armour Unified Secure Access Solution (based on Zero Trust principles)
Block Armour Unified Secure Access Solution (based on Zero Trust principles)Block Armour Unified Secure Access Solution (based on Zero Trust principles)
Block Armour Unified Secure Access Solution (based on Zero Trust principles)
 
Internet of Things Security Patterns
Internet of Things Security PatternsInternet of Things Security Patterns
Internet of Things Security Patterns
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
IoT Security, Mirai Revisited
IoT Security, Mirai RevisitedIoT Security, Mirai Revisited
IoT Security, Mirai Revisited
 

Semelhante a How Secure Is Your Building Automation System?

Part3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docxPart3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docx
farrahkur54
 
I Own Your Building (Management System)
I Own Your Building (Management System)I Own Your Building (Management System)
I Own Your Building (Management System)
Zero Science Lab
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA Presentation
Eric Favetta
 
CISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSCISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICS
Muhammad FAHAD
 
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...
mordechaiguri
 
169
169169
169
vivatechijri
 
Analysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in EuropeAnalysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in Europe
Francesco Faenzi
 

Semelhante a How Secure Is Your Building Automation System? (20)

Part3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docxPart3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docx
 
I Own Your Building (Management System)
I Own Your Building (Management System)I Own Your Building (Management System)
I Own Your Building (Management System)
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA Presentation
 
Backdoor Entry to a Windows Computer
Backdoor Entry to a Windows ComputerBackdoor Entry to a Windows Computer
Backdoor Entry to a Windows Computer
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practises
 
IRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing SuiteIRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing Suite
 
CISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSCISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICS
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From Cyberattack
 
Defending industrial control systems from cyber attack
Defending industrial control systems from cyber attackDefending industrial control systems from cyber attack
Defending industrial control systems from cyber attack
 
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control SystemsNCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From Cyberattack
 
Seven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber securitySeven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber security
 
Operational Technology Security Solution for Utilities
Operational Technology Security Solution for UtilitiesOperational Technology Security Solution for Utilities
Operational Technology Security Solution for Utilities
 
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...
 
169
169169
169
 
IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and Solutions
 
chile-2015 (2)
chile-2015 (2)chile-2015 (2)
chile-2015 (2)
 
Training manual on scada
Training manual on scadaTraining manual on scada
Training manual on scada
 
Analysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in EuropeAnalysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in Europe
 
APT - Project
APT - Project APT - Project
APT - Project
 

Último

Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Victor Rentea
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Angeliki Cooney
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 

Último (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
Modular Monolith - a Practical Alternative to Microservices @ Devoxx UK 2024
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 

How Secure Is Your Building Automation System?

  • 1. 1 KNOW YOUR SECURITY RISK How Secure Is Your Building Automation System (BAS)? The Forescout Building Automation Risk Report explores the common systems that make organizations vulnerable to cyberattacks and how these systems could be exploited.
  • 2. 2 Evolution of BAS (1/3) 1980 1990 2000 2010 2020 2030 BMS ELEVATOR LIGHTING HVAC Yesterday’s BAS Buildings offered very basic services, consisting of only a central building management system (BMS) and one or two subsystems, such as HVAC, elevators or lighting systems, that were isolated from each other and outside networks.
  • 3. 3 Evolution of BAS (2/3) LIGHTING LOCAL BMS CENTRAL BMSREMOTE CONTROL CCTV HVAC SOLAR PANEL ELEVATOR ACCESS CONTROL LIGHTING LOCAL BMS CCTV HVAC SOLAR PANEL ELEVATOR ACCESS CONTROL Today’s BAS Today’s buildings are smart buildings, with a central BMS that can integrate with the local BMS of multiple buildings within its network. Each local BMS connects to many different subsystems, including HVAC, surveillance, access control, and energy systems.
  • 4. 4 Evolution of BAS (3/3) LIGHTING LOCAL BMS CCTV HVAC SOLAR PANEL ELEVATOR ACCESS CONTROL Tomorrow’s BAS Smart cities are the inevitable next step in this evolution of BAS. Smart buildings’ local BMS will soon be able to integrate with any other building’s local BMS, as well as the industrial infrastructure around them.
  • 5. 5 BAS Explosion The number of identified vulnerabilities in BAS has increased over 500% in the past three years. [2] By 2026, there will be over 56 million new BAS devices. [1] [1] ABI Research, 2019, BAS Wireless Field Equipment Shipments [2] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2016/07/07190426/KL_REPORT_ICS_Statistic_vulnerabilities.pdf 5
  • 6. 6 39.3% of publicly reachable BAS devices are vulnerable [1] Devices publicly reachable and vulnerable to the 0-days discovered in our research Total devices publicly reachable* 39.3%* 22,902 devices 9,103 devices * Of the models used in our research [1] Forescout, The Current State of Smart Building Cybersecurity, 2019: https://www.forescout.com/securing-building-automation-systems-bas/ Vulnerable devices include: HVAC PLCs, Access Control PLCs, Protocol Gateways
  • 7. 7 Research Overview Forescout BAS Risk Report Industry attention has recognized the threat of commonly known Internet of Things (IoT) devices. What may go unnoticed is the potential safety and business risks to building automation systems (BAS). Research into three key areas of BAS: Surveillance HVAC Access Control revealed that their core technologies, fundamental development methods and legacy implementations make implementing proper security an often overlooked, but critical, task.
  • 8. 8 Key Findings Discovered and responsibly disclosed previously unknown vulnerabilities in building automation devices, ranging from controllers to gateways. Debunked the myth that malware for cyber-physical systems must be created by actors that are sponsored by nation-states and have almost unlimited resources. Developed a proof-of-concept malware that persists on devices at the automation level, as opposed to persisting at the management level as most OT malware does. Concluded that improved device visibility into vulnerable BAS networks is one of the best ways to reduce risk. 8
  • 9. 9 Where Do The Vulnerabilities Lie? EXPLORING THREE POTENTIAL ENTRY POINTS OF BAS 9
  • 10. 10 IP-Cameras publicly reachable and vulnerable to exploits used in our research Total IP-Cameras publicly reachable* 91.5% Area 1: Surveillance 11,269 devices 10,312 devices Malicious actors can leverage this channel to move laterally and: • Gain control of other subsystems at the automation level. • Gain control of the management level to orchestrate a larger, coordinated attack. Attacker Initial Access Lateral Movement 1 Lateral Movement 2 IP Camera Workstation HVAC PLC Protocol Gateway Access Control PLC * Of the models used in our research
  • 11. 11 Area 2: HVAC Malicious actors can use HVAC systems to bypass “air gaps” via a covert thermal channel [1] and move laterally to: • Raise the temperature setpoint in a data center to cause business disruption. • Gain access to the management network to orchestrate a larger, coordinated attack. Attacker Command & Control Internet Central A/C management unit A/C end unit Public domain Airgapped domain Targeted hosts [1] Y. Mirsky, M. Guri and Y. Elovici, “HVACKer: Bridging the Air-Gap by Attacking the Air Conditioning System,” 2017. [Online]. Available: https://arxiv.org/abs/1703.10454.
  • 12. 12 Area 3: Access Control Malicious actors can use access control systems comprised of access badges, badge readers, controllers, and databases that store user credentials to: • Control the doors and gain access to forbidden areas. • Lock building occupants in and demand ransom. • Gain access to the management network to orchestrate a larger, coordinated attack. Attacker Initial Access Lateral Movement 1 Lateral Movement 2 IP Camera Workstation HVAC PLC Protocol Gateway Access Control PLC
  • 14. 14 Methodology Cyber Attack Lifecycle (Mandiant) RECON RESEARCH WEAPONIZE COMPROMISE PERSISTENCE • Gather information on the target • Research networks & technologies • Find access means • Procure existing exploits • Find 0-days • Plan a stealth attack • Develop • Compromise • Move laterally • Execute • Persist after reboots • Clean traces 14
  • 15. 15 Potential Attack Paths IoT Device Subsystem 1 Management Subsystem 2...n Workstation Internet Physical Building Subsystems Attacker PLC Sensor Actuator 1. Publicly reachable PLCs: Using this path, the malware can enter directly from the Internet and exploit the programmable logic controllers (PLCs) controlling the sensors and actuators at the field level, so there is no need to perform any lateral movement from other devices. 2. Publicly reachable workstations: Using this path, the malware can enter a workstation from the Internet at the management level and move laterally to the PLCs. 3. Publicly reachable IoT devices: Using this path, the malware can enter an IoT device, such as an IP camera or a WiFi router, from the Internet and use that entry point to gain access to the internal network, usually moving to the management level first and then to other subsystems. 4. Air gapped network: Using this path, the attacker must have physical access to the building network (which could be accomplished via the HVAC system) and move laterally to reach the PLCs.
  • 16. 16 Attack Path Goals # Step Goal Possible Target 1 2 3 4 5 Initial Access Lateral Movement 1 Lateral Movement 2 Execution Persistence Establish an initial foothold in the network Move to the management level Move to another subsystem in the BAS Disrupt the normal functioning of the PLCs Persist in the infected automation level devices PLCs (path 1) Workstations (path 2) IoT devices (path 3) Workstations or networking equipment PLCs or IoT devices PLCs PLCs 16 Possible steps of an attack on building automation networks
  • 17. 17 The Attack Plan Attacker 1. Initial Access 2. Lateral Movement 1 3. Lateral Movement 2 5. Persistence 4. Execution IP Camera Workstation Access Control PLC Step 1 – Initial Access The IP Camera can be exploited using a combination of CVE-2018-10660 [1] , CVE-2018-10661 [2] , and CVE-2018-10662 [3] . The vulnerabilities and our exploit are based on the work of Or Peles [4] and the available Metasploit module [5] . STEP 2 - Lateral Movement 1 Once on the camera, the malware cleans its tracks by editing the files /var/volatile/log/{auth,info}.log, calls netstat to find the workstation connected to it (used for network video recording) and moves from the camera to the workstation by exploiting the misconfigured MS-SQL server. Step 3 – Lateral Movement 2 While running on the workstation, the malware looks for an instance of the Access Control PLC workbench and reads its configurations files to find the devices connected to and being managed by that workstation. Step 4 – Execution After being dropped on the target device, the first goal of the final payload is to disrupt the normal behavior of the PLC by adding a new user and a new badge to the database, giving access to an otherwise unauthorized person. Step 5 – Persistence After the final payload has been executed, the malware has to persist on the device after reboots. [1] “CVE-2018-10660,” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-10660 [2] “CVE-2018-10661,” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-10661. [3] “CVE-2018-10662,” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-10662. [4] O. Peles, “VDOO Discovers Significant Vulnerabilities in Axis Cameras,” 2018. [Online]. Available: https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities- in-axis-cameras/. [5] Rapid7, “Axis Network Camera .srv to parhand RCE,” [Online]. Available: https://www.rapid7.com/db/modules/exploit/linux/http/axis_srv_parhand_rce.
  • 18. 18 Vulnerabilities Discovered (1/2) # Product Vulnerability Type Notes 1 Protocol Gateway XSS 0-day patched by the vendor and CVE assigned 2 Protocol Gateway Path traversal 0-day patched by the vendor and CVE assigned 3 Protocol Gateway Arbitrary file deletion 0-day patched by the vendor and CVE assigned 4 HVAC PLC XSS 0-day patched by the vendor and CVE assigned 5 HVAC PLC Authentication bypass 0-day patched by the vendor and CVE assigned 6 Access Control PLC XSS 0-day patched by the vendor and CVE assigned 7 Access Control PLC Hardcoded secret Not 0-day, the vulnerability was known and patched by the vendor, but never disclosed. 8 Access Control PLC Buffer overflow Not 0-day, the vulnerability was known and patched by the vendor, but never disclosed.
  • 19. 19 Vulnerabilities Discovered (2/2) • XSS vulnerabilities allow an attacker to inject malicious scripts into trusted web interfaces running on the vulnerable devices, which may be executed by the browser of an unsuspecting user to access cookies, session tokens, or other sensitive information, as well as to perform malicious actions on behalf of the user. • Path traversal and file deletion vulnerabilities allow an attacker to manipulate path references and access or delete files and directories (including critical system files) that are stored outside the root folder of the web application running on the device. • Authentication bypass vulnerability allows an attacker to steal the credential information of application users, including plaintext passwords, by manipulating the session identifier sent in a request. The most severe vulnerabilities are issues #7 and #8, which allow a remote attacker to execute arbitrary code on the target device and gain complete control of it. • Hardcoded secret: The Java framework used on the Access Control PLC and on its control software stores system configurations in a file called daemon.properties and application configurations in a file called config.bog, which is a compressed xml. These files contain usernames and passwords, among other information. The passwords are hashed or encrypted depending on the version of the framework. • Buffer overflow: There is a binary daemon running on the Access Control PLC that exposes multiple HTTP endpoints that remote users can access to manage the device. “A myriad of these affected BAS devices are available online and can still be exploited because they are unpatched.”
  • 20. 20 How to Reduce Risk for BAS Networks Implement security solutions that offer: • Passively and automatically establishes asset inventory with full device fingerprinting • Documents the network baseline of normal communications • Automatically assesses common vulnerabilities & exposures (CVEs) for BAS devices • Continuously monitors the network for changes in behavior • Automatically checks device behavior against threat indicators and protocol compliance standards • Alerts in real time with interactive visualizations of threats and risks • Monitors both IT and OT networks from a single screen • Offers extensive, cross- functional automation capabilities • Is agentless and infrastructure-agnostic Complete Device Visibility Real-Time Threat Detection Converged IT-OT Security
  • 21. 21 Conclusion Building automation systems (BAS) may be as critical as industrial control systems (ICS) in terms of safety and security, yet receive much less attention from the security community. Enhancing BAS cybersecurity programs with device visibility and network monitoring can give organizations a thorough understanding of the environment and its connections, making it easier to design effective security architectures, identify attack vectors, and locate blind spots. 21
  • 22. 22 About the Researchers Daniel dos Santos holds a PhD in Computer Science from the University of Trento and has experience in security consulting and research. He is a researcher at Forescout, focusing on vulnerability research and the development of innovative features for Forescout OT products. Clément Speybrouck holds a post-master degree in Security in Computer Systems and Communication from EURECOM and worked as an intern at Forescout during the development of this research project. Elisa Costante holds a PhD in Computer Science from the Eindhoven University of Technology. She is an expert in IT and OT security and privacy. As Head of Industrial and OT Research at Forescout, she manages the internal and external research activities. Her responsibilities include the management of national and international projects, the planning of research strategy and the supervision of prototype development activities for innovative features to be added to Forescout OT products. Acknowledgement: the authors would like to thank Andrés Castellanos-Páez and Jos Wetzels for their help in discovering and exploiting the buffer overflow vulnerability.
  • 23. 23 Download the full research report to learn more about the current state of smart building cybersecurity DOWNLOAD
  • 24. 24 About Forescout Connect with us Forescout Technologies is the leader in device visibility and control. Our unified security platform enables enterprises and government agencies to gain complete situational awareness of their extended enterprise environments and orchestrate actions to reduce cyber and operational risk. Forescout products deploy quickly with agentless, real-time discovery and classification, as well as continuous posture assessment. www.forescout.com @Forescout Forescout Technologies