Technology Article, June 2003

There's A Hacker In The HVAC

By Michael Endrizzi, Security Evolution, Inc.

As facility managers are given more IT responsibilities (or at the very least, have some contact with the IT department), they should be aware of a potentially dangerous security situation. With the advent of building automation and the synergy of managing necessary building systems comes the threat of hackers breaking into these systems. Once in the system, a hacker can not only infiltrate the HVAC system and compromise energy control, but can also attack the company's Web browser.

Anatomy Of An Attack

An attack on any digital system goes through various phases. The following list defines the outline of a generic hacker attack.

Inventory of the targets. Hackers identify the possible attack targets inside a network system.

Assess the vulnerability. Once they identify the targets, hackers will attempt to determine if the company has any vulnerability.

Estimate exploits against the vulnerability. Finding vulnerability does not mean a hacker can execute an attack. The person must create an exploit that can take advantage of the vulnerability.

Establish who can attack the target. The hacker determines the company players that can either use another person or be used themselves to execute the attack.

Execute attack. A hacker breaks into the system.

Cover electronic tracks. Some criminals erase all traces of their presence in order to delay forensics or make forensics more complex.

For the purposes of this explanation, the following analysis will be based on one professional hacker attacking a facility with its HVAC controlled by a Web server. The facility's Web server houses all the controls that send directions to the heating unit.

Plotting The Attack

The first task is to inventory the targets by using a tool called a portscanner. A portscanner inventories machines on a network and lists them in a report. The choice of scanners here will be the Network Mapper (NMAP) and can be found at www.insecure.org/nmap.

The goal is to use NMAP to find every HVAC component. Because HVAC components have network cards, they are Transmission Control Protocol/Internet Protocol (TCP/IP) aware; this makes it relatively easy for NMAP to find them.

The hacker can then use a combination of social engineering skills and tools to inventory targets. One example of social engineering is when a hacker, impersonating an IT person, calls the facility operations center (FOC) operator and asks, "We notice some suspicious activity on your end. Can we verify your IP address?"

With this information, the hacker can begin to identify all the HVAC components. The inventory of potential targets includes the heating unit, the heating management, the Web server, the heating Web browser machine, and other essential pieces of equipment. Once the hacker has identified potential targets, the person would then assess the vulnerabilities of the targets. The most common tools for this phase are once again social engineering and NMAP, along with Nessus (www.nessus.org/). These tools will drill down on each individual box and identify potential vulnerabilities.

These tools will probably find several vulnerabilities, but the easiest to crack, the usernames and passwords, will be the one the hacker focuses on here.

The next task is to find the tool the hacker can use to exploit the password vulnerability. A professional hacker monitors Web sites aimed at identifying these tools. The THC-Hydra password cracker can break Web site-based passwords, and is a good example for this exercise. While most large Web sites such as Etrade or Amazon have failure limits on the number of passwords one can try before a timeout occurs, an HVAC Web system will most likely allow the hacker to try as many passwords as possible without causing the system to time out or notify an administrator.

The Attack

A hacker will first compromise an internal machine, either physically or remotely. Once this initial attack is launched, the hacker will make it appear as if the incident was an inside job.

The motivation for the first part of a two-pronged attack is to discover the HVAC system's passwords and send the usernames and passwords back out to the hacker. Upon the retrieval of the passwords, the hacker can re-enter the Web site and perform whatever malicious deed the attacker wishes using the Web browser.

After the second more destructive attack is executed, the hacker will often cover his/her tracks by deleting the software and any audit data to complicate forensics.

Investigating Common Preventive Measures

For security controls, most facilities have firewalls. Unfortunately, this type of measure is usually nothing more than an electronic speed bump. For example, some facilities are forced, by the nature of their businesses, to open their firewalls to allow for various kinds of traffic. So the bad traffic sneaks in with the good traffic, and the firewall cannot differentiate between the two.

Another common security measure is a username/password identification. As illustrated in the aforementioned scenario, this approach is fairly lax in its implementation and maintenance.

Ensuring Security

Perhaps the most important security control that every organization has at its disposal, and doesn't use effectively, is company policy. For example, companies should prohibit the installation of any software by personnel that could compromise data. By strictly enforcing this policy, the company is preventing a key hacker strategy.

Another area that could help facilitate more successful protection of building automation systems is the installation of a firewall that permits traffic only between the remote HVAC equipment and the Web server.

Passwords, both external and internal, should be considered as well. The former of the two is needed when personnel outside the FOC have access to the building automation systems. This measure requires using a card that generates a one-time only password.

Internal passwords are always necessary. Password alerts are sent to operators when password failures are detected. These alerts should be tied to pagers, Simple Network Management Protocol (SNMP) messages, or various other communication devices, so facility professionals will be immediately aware of any problems.
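The password-failure alerting described here, and the missing failure limits noted in the THC-Hydra discussion above, can be covered by one small monitor on the HVAC Web server's authentication log. The following is an added example, not code from the article or any HVAC product; the log format, the 10.x addresses and the user names are constructed, and the alert "action" string stands in for whatever pager or SNMP notification path a site actually uses.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a made-up HVAC Web server format (not any real product's).
SAMPLE_LOG = """\
2003-06-02 08:00:01 AUTH FAIL user=operator src=10.1.5.23
2003-06-02 08:00:02 AUTH FAIL user=operator src=10.1.5.23
2003-06-02 08:00:03 AUTH FAIL user=operator src=10.1.5.23
2003-06-02 08:00:04 AUTH FAIL user=operator src=10.1.5.23
2003-06-02 08:00:05 AUTH FAIL user=operator src=10.1.5.23
2003-06-02 08:00:06 AUTH FAIL user=operator src=10.1.5.23
2003-06-02 08:15:00 AUTH FAIL user=jsmith src=10.1.7.40
2003-06-02 08:16:30 AUTH OK user=jsmith src=10.1.7.40
"""

LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) AUTH (?P<result>FAIL|OK) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
            "result": m["result"], "user": m["user"], "src": m["src"]}

def detect_password_guessing(log_text, max_failures=5, window=timedelta(minutes=1)):
    """Return one alert per (source, user) pair that exceeds max_failures
    within the sliding window. A successful login clears that pair's history."""
    recent = defaultdict(deque)   # (src, user) -> timestamps of recent failures
    alerts, alerted = [], set()
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        key = (ev["src"], ev["user"])
        if ev["result"] == "OK":
            recent[key].clear()
            continue
        q = recent[key]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) > max_failures and key not in alerted:
            alerted.add(key)
            # Throttle the source, not the account: a remote guesser must not be able to lock operators out.
            alerts.append({"src": ev["src"], "user": ev["user"], "failures": len(q),
                           "at": ev["ts"], "action": "throttle source, page FOC operator"})
    return alerts
```

Running `detect_password_guessing(SAMPLE_LOG)` yields a single alert for the six rapid failures against `operator` from 10.1.5.23, while the one mistyped password followed by a successful login from 10.1.7.40 produces none.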

Other Security Suggestions

Listed below are some additional security measures that can help in thwarting a potential hacker.

1. Audit. A third party IT auditor may find problems hidden by internal staff.

2. Organization. Facility professionals need to be part of internal security committees in order to protect critical infrastructure.

3. Human Resources. Access rights must be canceled as soon as personnel give notice or are terminated. This should be a regular procedure.

4. Training. Operators and help desk staff should be trained to detect suspicious phone calls. Telltale signs include asking for sensitive or critical information.

Facility managers and IT staff need to be diligent about fighting attacks on building automation systems. It only takes one hacker to create this type of insidious attack on a whole company's IT infrastructure to bring everything crashing down.

The greatest defense against hackers is knowledge and awareness. In this age of TCP/IP based digital controls, it pays to be a pioneer in understanding how to defend against high tech attacks.
