All hell could break loose if the wrong people gain access to your BMS, warns Ken Munro. So make sure it's safe.
Internet protocol (IP) is already used for voice calls and now it's in the walls. Building management systems (BMSs) are increasingly helping facilities managers do their job. HVAC (heating, ventilating and air-conditioning), the system that manages the very air we breathe, can be run over IP. Water supplies and certain locks can all be controlled via this route.
The benefits of using IP BMS are similar to other “over internet protocol” advantages: for example lower cabling costs, ease of (centralised) administration and lower total cost of ownership. One benefit of IP BMS that stands out is the reduced requirement for physical access to specific areas. As IP can support a complex set of commands, it is possible to control vents, windows, water, gas and power supplies from a single point.
The technology itself is not revolutionary, but the sophistication and creativity in its implementation is. One vendor has assisted with IP BMS installations at Gatwick and Heathrow airports, where the systems are used to control and monitor the power to the aircraft while it is standing by at the terminal. Part of the power management and billing process involves the connection and disconnection of electricity to a waiting plane.
Yet, attacking the IP BMS system and cutting power to waiting planes could result in real disruption. You can just imagine it: “We are sorry to announce that due to a flat battery your flight will be delayed until further notice.”
An IP BMS box itself consists of a set of switches. In an IT context, it is a network component, but in a facilities management context it is seen as “electrics”, and is treated accordingly, physically located for ease of maintenance. IP BMS boxes are often accessible from behind push-fit panels so that routine checks take as little time as possible. This makes direct access very easy.
A snip here and the box is rendered useless, a crude but effective IP BMS denial-of-service attack. Also, once located, an attacker can plug straight into the box. In a quiet location, an attacker with a PDA or laptop could sit undisturbed meddling with the system.
The direct access issue can be easily remedied with a decent lock and sensible location. Network access, however, is a different matter. IP BMS is often managed via a browser. Once discovered, the application makes it possible to brute-force passwords. This can be a slow process, so sniffing high UDP ports for passwords, sent in plaintext, speeds things up nicely.
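From the defender's side, the brute-force problem described above shows up first as a pile-up of failed logins against the BMS management page, so the natural control is to watch for it. The following is an added example, not code from the article or from any BMS vendor: it parses constructed access-log lines in an assumed format (client IP, timestamp, request line, status code, as a reverse proxy or the BMS web front end might write them) and raises one alert per source that fails a login five times within a sliding one-minute window. The threshold, the window and the reading of 401/403 on `POST /login` as a failed attempt are all assumptions.

```python
"""Flag password brute-forcing against a BMS web login from access-log lines.

Added example, not from the article. The log format, the sample lines and
the thresholds are constructed assumptions: each request is logged as
  <client-ip> [<timestamp>] "<request line>" <status>
and a 401/403 answer to POST /login is read as one failed login attempt.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: 10.20.5.17 fails six times in six seconds,
# 10.20.7.4 fails once and then succeeds, 10.20.9.9 fails five times but
# three minutes apart (never more than one failure in any one-minute window).
SAMPLE_LOG = """\
10.20.5.17 [2024-03-01 08:00:01] "POST /login HTTP/1.1" 401
10.20.5.17 [2024-03-01 08:00:02] "POST /login HTTP/1.1" 401
10.20.7.4 [2024-03-01 08:00:03] "POST /login HTTP/1.1" 401
10.20.5.17 [2024-03-01 08:00:03] "POST /login HTTP/1.1" 401
10.20.5.17 [2024-03-01 08:00:04] "GET /status HTTP/1.1" 200
10.20.5.17 [2024-03-01 08:00:04] "POST /login HTTP/1.1" 401
10.20.7.4 [2024-03-01 08:00:10] "POST /login HTTP/1.1" 200
10.20.5.17 [2024-03-01 08:00:05] "POST /login HTTP/1.1" 403
10.20.5.17 [2024-03-01 08:00:06] "POST /login HTTP/1.1" 401
10.20.9.9 [2024-03-01 08:01:00] "POST /login HTTP/1.1" 401
10.20.9.9 [2024-03-01 08:04:00] "POST /login HTTP/1.1" 401
10.20.9.9 [2024-03-01 08:07:00] "POST /login HTTP/1.1" 401
10.20.9.9 [2024-03-01 08:10:00] "POST /login HTTP/1.1" 401
10.20.9.9 [2024-03-01 08:13:00] "POST /login HTTP/1.1" 401
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})$'
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def is_failed_login(rec):
    """A 401 or 403 answer to POST /login is treated as one failed attempt."""
    return rec["method"] == "POST" and rec["path"] == "/login" and rec["status"] in (401, 403)


def detect_bruteforce(lines, threshold=5, window=timedelta(minutes=1)):
    """Return one alert per client IP that reaches `threshold` failed logins
    inside any sliding `window`. Records are sorted by timestamp first, so
    log lines that arrive out of order are still counted correctly."""
    records = [r for r in map(parse_line, lines) if r is not None]
    records.sort(key=lambda r: r["ts"])
    recent = defaultdict(deque)  # ip -> timestamps of failures still inside the window
    alerted = set()
    alerts = []
    for rec in records:
        if not is_failed_login(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # discard failures older than the window
            q.popleft()
        if len(q) >= threshold and rec["ip"] not in alerted:
            alerted.add(rec["ip"])
            alerts.append({"ip": rec["ip"], "failures": len(q), "first": q[0], "last": rec["ts"]})
    return alerts


if __name__ == "__main__":
    for a in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"ALERT {a['ip']}: {a['failures']} failed logins "
              f"between {a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}")
```

The sliding window matters: a source that spaces its attempts out, like 10.20.9.9 in the sample, never trips the rule, which is a reminder that this check catches the noisy case and that the rate limit and account lockout on the BMS itself remain the primary control.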
IP BMS can be made less accessible through delivery over a virtual local area network (VLAN). This hardening means that anyone wishing to access the BMS has to be authenticated for network access first.
However, although this adds further security layers, it is still possible to get onto a VLAN from the parent network. And if you can get onto one VLAN you can hop to another that uses the same switch.
If an attacker did not have a specific objective, they could simply reset the BMS to default. Depending on the factory settings and the environment for which the system has been configured, this could produce some fascinating results. Heating could be switched off in the depths of winter, or reset to exceed the maximum tolerance of the server room; or revocation of all access cards could bar access to the building. And, because of design flaws and misconfiguration, it is often possible to add users locally.
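Two of the failure modes described in the last two paragraphs are visible in the BMS's own audit trail: activity sourced from outside the management VLAN (which should be impossible if the VLAN is enforced at the switch, so its presence suggests VLAN hopping or a misconfigured port) and privileged changes such as a user being added or the configuration being reset to factory defaults. The following is an added example, not code from the article or from any BMS product. It assumes a simple event format (ISO timestamp, source IP, user, event name, one per line, as a syslog collector in front of the BMS might produce) and assumes the management VLAN for the BMS is 10.99.0.0/24; the sample events are constructed.

```python
"""Audit BMS audit-trail events for segmentation breaches and privileged changes.

Added example, not from the article. The event format, the management
subnet and the sample events are constructed assumptions: each event is
  <iso-timestamp>,<source-ip>,<user>,<event>
and the BMS management VLAN is assumed to be 10.99.0.0/24.
"""
import ipaddress
from collections import Counter

MGMT_NET = ipaddress.ip_network("10.99.0.0/24")  # assumed management VLAN subnet

# Events that change who can control the building or reset its configuration.
PRIVILEGED_EVENTS = {"user_added", "user_role_changed", "config_reset"}

# Constructed sample events: routine work from the management subnet, then a
# login and a user addition from a general office subnet, then a factory reset.
SAMPLE_EVENTS = """\
2024-03-01T08:00:01,10.99.0.12,fm-admin,login_ok
2024-03-01T08:05:00,10.99.0.12,fm-admin,setpoint_change
2024-03-01T08:30:00,10.20.5.17,admin,login_ok
2024-03-01T08:31:00,10.20.5.17,admin,user_added
2024-03-01T09:00:00,10.99.0.12,fm-admin,config_reset
2024-03-01T09:15:00,10.99.0.40,fm-ops,login_fail
"""


def parse_event(line):
    """Parse one event line into a dict; return None for malformed lines or bad IPs."""
    parts = line.strip().split(",")
    if len(parts) != 4:
        return None
    ts, ip, user, event = parts
    try:
        src = ipaddress.ip_address(ip)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "user": user, "event": event}


def audit_events(lines, mgmt_net=MGMT_NET):
    """Return a list of (rule, event) alerts.

    outside_management_vlan: any BMS activity whose source address is not in
        the management subnet. With the VLAN enforced at the switch this
        should never happen, so one hit is worth investigating.
    privileged_change: a user or configuration change that needs human review
        wherever it came from, including a reset to factory defaults.
    """
    alerts = []
    for rec in filter(None, map(parse_event, lines)):
        if rec["src"] not in mgmt_net:
            alerts.append(("outside_management_vlan", rec))
        if rec["event"] in PRIVILEGED_EVENTS:
            alerts.append(("privileged_change", rec))
    return alerts


def summarise(alerts):
    """Count alerts per rule for a quick triage view."""
    return dict(Counter(rule for rule, _ in alerts))


if __name__ == "__main__":
    found = audit_events(SAMPLE_EVENTS.splitlines())
    for rule, rec in found:
        print(f"{rec['ts']} {rule:24} src={rec['src']} user={rec['user']} event={rec['event']}")
    print(summarise(found))
```

The two rules are deliberately independent: an event can trip both (the `user_added` from 10.20.5.17 does), and a privileged change from inside the management VLAN still gets flagged, because a legitimate-looking factory reset is exactly the kind of change that should be confirmed with a human before the heating goes off.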
IP BMS enables easy facilities management but, once compromised, it can turn the most complex building into a remote-controlled dolls' house. All it takes is for that control to fall into the wrong hands to jeopardise staff and the ability of the business to function. A thought that may well send shivers down your spine.