By William Hughes
Building automation systems (BASs) have become popular in recent decades as a tool for building owners and facility managers to coordinate building systems that would otherwise operate independently. The same connectivity also gives attackers a pathway to cause disruption of the kind seen in the Colonial Pipeline incident. A recent study by security firm Phobos Group found over 38,000 BASs in the U.S. that are reachable from the internet without even a default password for protection.
Where To Find Unsecured BASs In The Continental U.S.
The following heat map shows the concentrations of unprotected BASs in the US. Every state in the continental U.S. except Idaho has at least some BASs that are vulnerable. The brightest spots on the map tend to be in population centers, which corresponds with concentrations of commercial buildings.
Unauthorized access to a BAS can be an annoyance, such as cases where the hacker randomly changes temperature settings. At the other end of the spectrum, it can be a matter of life and death. For example, many BASs connect to the fire safety and security systems within a building. A hacker with access to the BAS could potentially disable these systems.
Between these extremes, attackers can take actions with significant financial consequences. With administrator access, an intruder could take over all building systems and lock out every other user until a ransom is paid. Many (but not all) building systems also connect to the corporate IT network and therefore provide a route to internal servers. An attacker who gains a foothold on the BAS network and is skilled enough to move laterally can reach confidential corporate data. Unauthorized access to these systems is never harmless.
Where You Won’t Find Unsecured BASs In The Continental U.S.
This avenue of attack may be one reason why the city of Las Vegas shows no vulnerable BASs. Back in 2017, The Washington Post reported that the identities of a casino's top customers were stolen by a hacker who reached the company database through an internet-connected thermostat.
While technically not a BAS, this device was used for facility management: it monitored conditions in the lobby fish tanks. Facilities staff arranged for the device to connect to the internet through the casino's secure Wi-Fi network so that it could reliably send status data to the company managing the fish tanks. While the Wi-Fi was secure, the thermostat itself was not, and it became the attacker's point of entry into the casino's IT network. The same scenario applies to an unprotected BAS. One cannot know for sure whether this incident is the only reason the casinos and their subcontractors made certain that all building systems are secure, but if it was, every building in the Las Vegas metropolitan area has benefited.
How Can This Happen In This Day And Age?
There are several reasons why BASs, along with the data networks built to connect the various building systems, can fall through cybersecurity cracks. One common error is to assume that BASs are hard to find. While Google finds websites, the search engine Shodan looks for internet-connected devices. BAS technology falls into this category. Without an account on Shodan, you can get the location for up to 10 BASs. This includes the brand and model of the BAS software, the IP address, the active ports, and the internet service provider. If 10 is not enough, you can invest in a monthly subscription for $59 and increase the number of results to one million.
If you think Shodan is a shadowy service used only by criminals on the dark web, consider that the Shodan homepage claims 81% of the Fortune 100 use it. Shodan's capabilities have also been widely reported in the popular media. For example, Forbes ran an article titled "The Crazy Things a Savvy Shodan Searcher Can Find Exposed on the Internet" in 2013. That article reported that an ethical hacking firm found "1,819 building management systems on the internet that require no username or password." The data from the Forbes article and the more recent Phobos Group figures suggest that the number of unprotected systems has exploded in the eight years since 2013.
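The practical check a building owner should make is the same one an attacker makes: look up your own public addresses and see which building-system services answer. The script below is an added example, not code from the article or from Shodan. It does not call the Shodan API itself; instead it triages a host record laid out in the shape of a Shodan host lookup result (a "data" list of banner dicts with "port", "transport", "product" and "data" fields) and flags banners that look like building-automation services. The port table, the banner keywords and the sample record are assumptions constructed for illustration; the sample uses a documentation IP address, not a real exposed system.

```python
"""Triage a Shodan-style host record for exposed building-automation services.

Added example, not from the article. Feed it the dict returned by a real
host lookup (e.g. shodan.Shodan(api_key).host(ip)) for your own addresses.
"""
from __future__ import annotations

from dataclasses import dataclass

# Ports commonly used by building-automation protocols, with what a banner on
# that port implies about authentication. BACnet/IP and Modbus/TCP carry no
# authentication at all; Niagara Fox has a login, but a banner alone cannot
# tell whether the credentials are still defaults. This table is an assumption
# of the example; the article does not enumerate protocols or ports.
BAS_PORTS: dict[tuple[int, str], tuple[str, str]] = {
    (47808, "udp"): ("BACnet/IP", "none"),
    (502, "tcp"): ("Modbus/TCP", "none"),
    (1911, "tcp"): ("Tridium Niagara Fox", "unknown"),
    (4911, "tcp"): ("Tridium Niagara Fox (TLS)", "unknown"),
}

# Substrings in a banner that suggest a BAS web console (assumed list).
BAS_BANNER_HINTS = ("niagara", "bacnet", "building", "hvac", "tridium", "metasys")


@dataclass(frozen=True)
class Finding:
    ip: str
    port: int
    transport: str
    service: str
    auth_state: str  # "none", "http-challenge" or "unknown"


def _http_auth_state(banner: str) -> str:
    """Heuristic: a 401 or WWW-Authenticate header shows the server demanded
    credentials at the HTTP layer; a 200 means the page was served without
    them (a form-based login may still exist, so verify by hand)."""
    first_line = banner.split("\r\n", 1)[0]
    if "WWW-Authenticate:" in banner or first_line.startswith("HTTP/1.1 401"):
        return "http-challenge"
    if first_line.startswith(("HTTP/1.1 200", "HTTP/1.0 200")):
        return "none"
    return "unknown"


def find_exposed_bas(host: dict) -> list[Finding]:
    """Return one Finding per banner that looks like a building-automation service."""
    findings: list[Finding] = []
    ip = host.get("ip_str", "?")
    for banner in host.get("data", []):
        port = int(banner.get("port", 0))
        transport = str(banner.get("transport", "tcp")).lower()
        product = banner.get("product") or ""
        data = banner.get("data") or ""
        text = f"{product} {data}".lower()

        if (port, transport) in BAS_PORTS:
            service, auth_state = BAS_PORTS[(port, transport)]
            findings.append(Finding(ip, port, transport, service, auth_state))
        elif data.startswith("HTTP/") and any(h in text for h in BAS_BANNER_HINTS):
            service = product or "HTTP (possible BAS console)"
            findings.append(Finding(ip, port, transport, service, _http_auth_state(data)))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by authentication state."""
    counts = {"none": 0, "http-challenge": 0, "unknown": 0}
    for f in findings:
        counts[f.auth_state] += 1
    return counts


# Constructed sample record in the shape of a Shodan host lookup result.
# 203.0.113.0/24 is a documentation range; nothing here is a real scan.
SAMPLE_HOST = {
    "ip_str": "203.0.113.10",
    "org": "Example Property Management (constructed)",
    "data": [
        {"port": 47808, "transport": "udp", "product": None,
         "data": "BACnet I-Am device 1234"},
        {"port": 1911, "transport": "tcp", "product": "Niagara Fox",
         "data": "fox a 1 -1 fox hello\n"},
        {"port": 80, "transport": "tcp", "product": "Niagara Web Server",
         "data": "HTTP/1.1 200 OK\r\nServer: Niagara Web Server\r\n\r\n<title>Station Home</title>"},
        {"port": 443, "transport": "tcp", "product": None,
         "data": "HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm=\"Building Controls\"\r\n\r\n"},
        {"port": 22, "transport": "tcp", "product": "OpenSSH",
         "data": "SSH-2.0-OpenSSH_8.2"},
    ],
}

if __name__ == "__main__":
    results = find_exposed_bas(SAMPLE_HOST)
    for f in results:
        print(f"{f.ip}:{f.port}/{f.transport}  {f.service:<28} auth={f.auth_state}")
    print(summarize(results))
```

On the constructed record the script reports four building-related services and ignores SSH: BACnet and the 200-OK Niagara web page as having no authentication, the HTTPS console as challenging for credentials, and the Fox port as needing a manual check. A "none" result on a fieldbus port is the condition the Phobos Group figures describe, and the fix is network placement (no internet exposure, a managed firewall in front of the BAS segment), not a password, because those protocols have none to set.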
The next reason why this kind of situation can occur is that facilities staff are not cybersecurity experts. Similarly, IT staff are not BAS experts. The facilities staff could assume that the BAS is secure if it is behind a firewall and on a secure network. The IT team may simply ask the facilities staff if the BAS server is secure with the assumption that anyone who can operate computerized building systems and calculate enthalpy would know the importance of a password.
How Does the Building Technology Industry Fix This?
The manufacturers of BASs are aware that cybersecurity is an issue and are taking steps to address building system vulnerabilities. For example, Honeywell Building Technologies, like many other BAS manufacturers, offers its clients cybersecurity consulting on building technology. Many clients take Honeywell up on the offer; others do not.
Another approach that many organizations pursue is to work with consultants to ensure IT cybersecurity. Many (but not all) of these consultants subscribe to Shodan or one of the other comparable services. It is possible that some IT consultants are no more comfortable with BASs than the staff in the IT department.
New Alternative To Address The Problem
A growing field of companies offers an alternative to the BAS manufacturers and IT cybersecurity specialists: firms with expertise in all three areas of BAS, data networking, and cybersecurity. Intelligent Riser, a division of Montgomery Technologies, is one example. Its services include the design and installation of secure data networks dedicated to building systems and 24/7 monitoring of those networks. The company shared some startling statistics from its audits of data networks installed within buildings. For BASs, the majority of customers (59%) had no firewall installed at all, and where a firewall was present, most were left unmanaged.
Guidehouse Insights forecasts that the market for BASs will grow 19% in 2021 and 16% in 2022. With this kind of growth and the increasing likelihood of the BASs being connected to the internet, companies such as Intelligent Riser and Honeywell will likely continue to be very busy, although perhaps less so in Las Vegas and Idaho.
Hughes is principal research analyst, building automation and control for Guidehouse Insights. An experienced executive, consultant, and industry analyst, he brings over three decades of experience in technology marketing and strategy business planning with expertise in drawing insights from a variety of data sources, building valuation models, and preparing business plans and justifications. Hughes has held strategic marketing roles at IBM, GE, Motorola, and US West, and led marketing and business development initiatives at Advanced Radio Telecom, Zetron, and TeleCommunication Systems. A former adjunct professor, Hughes has taught business marketing to MBA students at Northwestern University.