Thursday, March 1, 2018
Building management systems still ripe for hacking
This article is referring to UK systems, but please do not think for a second that US building management systems are any safer. Having done vulnerability assessments of thousands of businesses, government facilities, and electrical power systems, it is true that the vast majority of them are vulnerable. The US government developed its critical infrastructure protection program after 9/11, and mandatory assessments where conducted of many of these facilities. Fixes where put in place that, within months were overridden by the staff, and or vendors, in attempts to make it easier to do their business. Ease of use is probably the most common reason to bypass security.There are more companies out there developing more security systems for SCADA as well as BMS, but all require that the users do not compromise the security systems available. So far this has not been the case. As the article states the staff and vendors involved in maintaining the systems are not security oriented staff, but operationally oriented, and as such do not realize the security needs of the systems. Much like CCTV systems that are attached to companies computer networks, the security of the cameras is a hassle, and many times is left unsecured by vendors and sometimes staff. What most do not realize is that any compromise to the cameras being used by the companies network, directly allows compromise to the companies computer systems. In most major security designs the cameras are put on a separate network so any comprise of them will not affect any other network. In most homes and small businesses they are put on the same network as the operations of the company. This in itself is a huge security vulnerability.