SlideShare a Scribd company logo

How Secure Is Your Building Automation System?

Forescout Technologies Inc
Forescout Technologies Inc

Explore common vulnerabilities in building automation systems (BAS), how these vulnerabilities could be exploited, and steps that organizations can take to improve the cybersecurity of their BAS.

Technology
1 of 24
Download to read offline
1 KNOW YOUR SECURITY RISK How Secure Is Your Building Automation System (BAS)? The Forescout Building Automation Risk Report explores the common systems that make organizations vulnerable to cyberattacks and how these systems could be exploited.
2 Evolution of BAS (1/3) 1980 1990 2000 2010 2020 2030 BMS ELEVATOR LIGHTING HVAC Yesterday’s BAS Buildings offered very basic services, consisting of only a central building management system (BMS) and one or two subsystems, such as HVAC, elevators or lighting systems, that were isolated from each other and outside networks.
3 Evolution of BAS (2/3) LIGHTING LOCAL BMS CENTRAL BMSREMOTE CONTROL CCTV HVAC SOLAR PANEL ELEVATOR ACCESS CONTROL LIGHTING LOCAL BMS CCTV HVAC SOLAR PANEL ELEVATOR ACCESS CONTROL Today’s BAS Today’s buildings are smart buildings, with a central BMS that can integrate with the local BMS of multiple buildings within its network. Each local BMS connects to many different subsystems, including HVAC, surveillance, access control, and energy systems.
4 Evolution of BAS (3/3) LIGHTING LOCAL BMS CCTV HVAC SOLAR PANEL ELEVATOR ACCESS CONTROL Tomorrow’s BAS Smart cities are the inevitable next step in this evolution of BAS. Smart buildings’ local BMS will soon be able to integrate with any other building’s local BMS, as well as the industrial infrastructure around them.
5 BAS Explosion The number of identified vulnerabilities in BAS has increased over 500% in the past three years. [2] By 2026, there will be over 56 million new BAS devices. [1] [1] ABI Research, 2019, BAS Wireless Field Equipment Shipments [2] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2016/07/07190426/KL_REPORT_ICS_Statistic_vulnerabilities.pdf 5
6 39.3% of publicly reachable BAS devices are vulnerable [1] Devices publicly reachable and vulnerable to the 0-days discovered in our research Total devices publicly reachable* 39.3%* 22,902 devices 9,103 devices * Of the models used in our research [1] Forescout, The Current State of Smart Building Cybersecurity, 2019: https://www.forescout.com/securing-building-automation-systems-bas/ Vulnerable devices include: HVAC PLCs, Access Control PLCs, Protocol Gateways
7 Research Overview Forescout BAS Risk Report Industry attention has recognized the threat of commonly known Internet of Things (IoT) devices. What may go unnoticed is the potential safety and business risks to building automation systems (BAS). Research into three key areas of BAS: Surveillance HVAC Access Control revealed that their core technologies, fundamental development methods and legacy implementations make implementing proper security an often overlooked, but critical, task.
8 Key Findings Discovered and responsibly disclosed previously unknown vulnerabilities in building automation devices, ranging from controllers to gateways. Debunked the myth that malware for cyber-physical systems must be created by actors that are sponsored by nation-states and have almost unlimited resources. Developed a proof-of-concept malware that persists on devices at the automation level, as opposed to persisting at the management level as most OT malware does. Concluded that improved device visibility into vulnerable BAS networks is one of the best ways to reduce risk. 8
9 Where Do The Vulnerabilities Lie? EXPLORING THREE POTENTIAL ENTRY POINTS OF BAS 9
10 IP-Cameras publicly reachable and vulnerable to exploits used in our research Total IP-Cameras publicly reachable* 91.5% Area 1: Surveillance 11,269 devices 10,312 devices Malicious actors can leverage this channel to move laterally and: • Gain control of other subsystems at the automation level. • Gain control of the management level to orchestrate a larger, coordinated attack. Attacker Initial Access Lateral Movement 1 Lateral Movement 2 IP Camera Workstation HVAC PLC Protocol Gateway Access Control PLC * Of the models used in our research
11 Area 2: HVAC Malicious actors can use HVAC systems to bypass “air gaps” via a covert thermal channel [1] and move laterally to: • Raise the temperature setpoint in a data center to cause business disruption. • Gain access to the management network to orchestrate a larger, coordinated attack. Attacker Command & Control Internet Central A/C management unit A/C end unit Public domain Airgapped domain Targeted hosts [1] Y. Mirsky, M. Guri and Y. Elovici, “HVACKer: Bridging the Air-Gap by Attacking the Air Conditioning System,” 2017. [Online]. Available: https://arxiv.org/abs/1703.10454.
12 Area 3: Access Control Malicious actors can use access control systems comprised of access badges, badge readers, controllers, and databases that store user credentials to: • Control the doors and gain access to forbidden areas. • Lock building occupants in and demand ransom. • Gain access to the management network to orchestrate a larger, coordinated attack. Attacker Initial Access Lateral Movement 1 Lateral Movement 2 IP Camera Workstation HVAC PLC Protocol Gateway Access Control PLC
13 Proof-of-Concept Malware Development THE METHODS USED 13
14 Methodology Cyber Attack Lifecycle (Mandiant) RECON RESEARCH WEAPONIZE COMPROMISE PERSISTENCE • Gather information on the target • Research networks & technologies • Find access means • Procure existing exploits • Find 0-days • Plan a stealth attack • Develop • Compromise • Move laterally • Execute • Persist after reboots • Clean traces 14
15 Potential Attack Paths IoT Device Subsystem 1 Management Subsystem 2...n Workstation Internet Physical Building Subsystems Attacker PLC Sensor Actuator 1. Publicly reachable PLCs: Using this path, the malware can enter directly from the Internet and exploit the programmable logic controllers (PLCs) controlling the sensors and actuators at the field level, so there is no need to perform any lateral movement from other devices. 2. Publicly reachable workstations: Using this path, the malware can enter a workstation from the Internet at the management level and move laterally to the PLCs. 3. Publicly reachable IoT devices: Using this path, the malware can enter an IoT device, such as an IP camera or a WiFi router, from the Internet and use that entry point to gain access to the internal network, usually moving to the management level first and then to other subsystems. 4. Air gapped network: Using this path, the attacker must have physical access to the building network (which could be accomplished via the HVAC system) and move laterally to reach the PLCs.
16 Attack Path Goals # Step Goal Possible Target 1 2 3 4 5 Initial Access Lateral Movement 1 Lateral Movement 2 Execution Persistence Establish an initial foothold in the network Move to the management level Move to another subsystem in the BAS Disrupt the normal functioning of the PLCs Persist in the infected automation level devices PLCs (path 1) Workstations (path 2) IoT devices (path 3) Workstations or networking equipment PLCs or IoT devices PLCs PLCs 16 Possible steps of an attack on building automation networks
17 The Attack Plan Attacker 1. Initial Access 2. Lateral Movement 1 3. Lateral Movement 2 5. Persistence 4. Execution IP Camera Workstation Access Control PLC Step 1 – Initial Access The IP Camera can be exploited using a combination of CVE-2018-10660 [1] , CVE-2018-10661 [2] , and CVE-2018-10662 [3] . The vulnerabilities and our exploit are based on the work of Or Peles [4] and the available Metasploit module [5] . STEP 2 - Lateral Movement 1 Once on the camera, the malware cleans its tracks by editing the files /var/volatile/log/{auth,info}.log, calls netstat to find the workstation connected to it (used for network video recording) and moves from the camera to the workstation by exploiting the misconfigured MS-SQL server. Step 3 – Lateral Movement 2 While running on the workstation, the malware looks for an instance of the Access Control PLC workbench and reads its configurations files to find the devices connected to and being managed by that workstation. Step 4 – Execution After being dropped on the target device, the first goal of the final payload is to disrupt the normal behavior of the PLC by adding a new user and a new badge to the database, giving access to an otherwise unauthorized person. Step 5 – Persistence After the final payload has been executed, the malware has to persist on the device after reboots. [1] “CVE-2018-10660,” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-10660 [2] “CVE-2018-10661,” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-10661. [3] “CVE-2018-10662,” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-10662. [4] O. Peles, “VDOO Discovers Significant Vulnerabilities in Axis Cameras,” 2018. [Online]. Available: https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities- in-axis-cameras/. [5] Rapid7, “Axis Network Camera .srv to parhand RCE,” [Online]. Available: https://www.rapid7.com/db/modules/exploit/linux/http/axis_srv_parhand_rce.
18 Vulnerabilities Discovered (1/2) # Product Vulnerability Type Notes 1 Protocol Gateway XSS 0-day patched by the vendor and CVE assigned 2 Protocol Gateway Path traversal 0-day patched by the vendor and CVE assigned 3 Protocol Gateway Arbitrary file deletion 0-day patched by the vendor and CVE assigned 4 HVAC PLC XSS 0-day patched by the vendor and CVE assigned 5 HVAC PLC Authentication bypass 0-day patched by the vendor and CVE assigned 6 Access Control PLC XSS 0-day patched by the vendor and CVE assigned 7 Access Control PLC Hardcoded secret Not 0-day, the vulnerability was known and patched by the vendor, but never disclosed. 8 Access Control PLC Buffer overflow Not 0-day, the vulnerability was known and patched by the vendor, but never disclosed.
19 Vulnerabilities Discovered (2/2) • XSS vulnerabilities allow an attacker to inject malicious scripts into trusted web interfaces running on the vulnerable devices, which may be executed by the browser of an unsuspecting user to access cookies, session tokens, or other sensitive information, as well as to perform malicious actions on behalf of the user. • Path traversal and file deletion vulnerabilities allow an attacker to manipulate path references and access or delete files and directories (including critical system files) that are stored outside the root folder of the web application running on the device. • Authentication bypass vulnerability allows an attacker to steal the credential information of application users, including plaintext passwords, by manipulating the session identifier sent in a request. The most severe vulnerabilities are issues #7 and #8, which allow a remote attacker to execute arbitrary code on the target device and gain complete control of it. • Hardcoded secret: The Java framework used on the Access Control PLC and on its control software stores system configurations in a file called daemon.properties and application configurations in a file called config.bog, which is a compressed xml. These files contain usernames and passwords, among other information. The passwords are hashed or encrypted depending on the version of the framework. • Buffer overflow: There is a binary daemon running on the Access Control PLC that exposes multiple HTTP endpoints that remote users can access to manage the device. “A myriad of these affected BAS devices are available online and can still be exploited because they are unpatched.”
20 How to Reduce Risk for BAS Networks Implement security solutions that offer: • Passively and automatically establishes asset inventory with full device fingerprinting • Documents the network baseline of normal communications • Automatically assesses common vulnerabilities & exposures (CVEs) for BAS devices • Continuously monitors the network for changes in behavior • Automatically checks device behavior against threat indicators and protocol compliance standards • Alerts in real time with interactive visualizations of threats and risks • Monitors both IT and OT networks from a single screen • Offers extensive, cross- functional automation capabilities • Is agentless and infrastructure-agnostic Complete Device Visibility Real-Time Threat Detection Converged IT-OT Security
21 Conclusion Building automation systems (BAS) may be as critical as industrial control systems (ICS) in terms of safety and security, yet receive much less attention from the security community. Enhancing BAS cybersecurity programs with device visibility and network monitoring can give organizations a thorough understanding of the environment and its connections, making it easier to design effective security architectures, identify attack vectors, and locate blind spots. 21
22 About the Researchers Daniel dos Santos holds a PhD in Computer Science from the University of Trento and has experience in security consulting and research. He is a researcher at Forescout, focusing on vulnerability research and the development of innovative features for Forescout OT products. Clément Speybrouck holds a post-master degree in Security in Computer Systems and Communication from EURECOM and worked as an intern at Forescout during the development of this research project. Elisa Costante holds a PhD in Computer Science from the Eindhoven University of Technology. She is an expert in IT and OT security and privacy. As Head of Industrial and OT Research at Forescout, she manages the internal and external research activities. Her responsibilities include the management of national and international projects, the planning of research strategy and the supervision of prototype development activities for innovative features to be added to Forescout OT products. Acknowledgement: the authors would like to thank Andrés Castellanos-Páez and Jos Wetzels for their help in discovering and exploiting the buffer overflow vulnerability.
23 Download the full research report to learn more about the current state of smart building cybersecurity DOWNLOAD
24 About Forescout Connect with us Forescout Technologies is the leader in device visibility and control. Our unified security platform enables enterprises and government agencies to gain complete situational awareness of their extended enterprise environments and orchestrate actions to reduce cyber and operational risk. Forescout products deploy quickly with agentless, real-time discovery and classification, as well as continuous posture assessment. www.forescout.com @Forescout Forescout Technologies

Recommended

Transforming Smart Building Cybersecurity Strategy for the Age of IoT
Transforming Smart Building Cybersecurity Strategy for the Age of IoTTransforming Smart Building Cybersecurity Strategy for the Age of IoT
Transforming Smart Building Cybersecurity Strategy for the Age of IoTForescout Technologies Inc
 
ForeScout IoT Enterprise Risk Report
ForeScout IoT Enterprise Risk ReportForeScout IoT Enterprise Risk Report
ForeScout IoT Enterprise Risk ReportForescout Technologies Inc
 
Network Access Control (NAC)
Network Access Control (NAC)Network Access Control (NAC)
Network Access Control (NAC)Forescout Technologies Inc
 
Symantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security SolutionSymantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security SolutionDLT Solutions
 
SC Magazine & ForeScout Survey Results
SC Magazine & ForeScout Survey ResultsSC Magazine & ForeScout Survey Results
SC Magazine & ForeScout Survey ResultsForeScout Technologies
 
The Internet of Things Isn't Coming, It's Here
The Internet of Things Isn't Coming, It's HereThe Internet of Things Isn't Coming, It's Here
The Internet of Things Isn't Coming, It's HereForescout Technologies Inc
 
Shining a Light on Shadow Devices
Shining a Light on Shadow DevicesShining a Light on Shadow Devices
Shining a Light on Shadow DevicesForescout Technologies Inc
 
Solution: Block Armour Secure Remote Access for WFH
Solution: Block Armour Secure Remote Access for WFHSolution: Block Armour Secure Remote Access for WFH
Solution: Block Armour Secure Remote Access for WFHBlock Armour
 

Recommended

Transforming Smart Building Cybersecurity Strategy for the Age of IoT
Transforming Smart Building Cybersecurity Strategy for the Age of IoTTransforming Smart Building Cybersecurity Strategy for the Age of IoT
Transforming Smart Building Cybersecurity Strategy for the Age of IoTForescout Technologies Inc
 
ForeScout IoT Enterprise Risk Report
ForeScout IoT Enterprise Risk ReportForeScout IoT Enterprise Risk Report
ForeScout IoT Enterprise Risk ReportForescout Technologies Inc
 
Network Access Control (NAC)
Network Access Control (NAC)Network Access Control (NAC)
Network Access Control (NAC)Forescout Technologies Inc
 
Symantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security SolutionSymantec and ForeScout Delivering a Unified Cyber Security Solution
Symantec and ForeScout Delivering a Unified Cyber Security SolutionDLT Solutions
 
SC Magazine & ForeScout Survey Results
SC Magazine & ForeScout Survey ResultsSC Magazine & ForeScout Survey Results
SC Magazine & ForeScout Survey ResultsForeScout Technologies
 
The Internet of Things Isn't Coming, It's Here
The Internet of Things Isn't Coming, It's HereThe Internet of Things Isn't Coming, It's Here
The Internet of Things Isn't Coming, It's HereForescout Technologies Inc
 
Shining a Light on Shadow Devices
Shining a Light on Shadow DevicesShining a Light on Shadow Devices
Shining a Light on Shadow DevicesForescout Technologies Inc
 
Solution: Block Armour Secure Remote Access for WFH
Solution: Block Armour Secure Remote Access for WFHSolution: Block Armour Secure Remote Access for WFH
Solution: Block Armour Secure Remote Access for WFHBlock Armour
 
Frost & Sullivan Report
Frost & Sullivan ReportFrost & Sullivan Report
Frost & Sullivan ReportForescout Technologies Inc
 
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)Andris Soroka
 
Next-generation Zero Trust Cybersecurity for the Space Age
Next-generation Zero Trust Cybersecurity for the Space AgeNext-generation Zero Trust Cybersecurity for the Space Age
Next-generation Zero Trust Cybersecurity for the Space AgeBlock Armour
 
Physical/Network Access Control
Physical/Network Access ControlPhysical/Network Access Control
Physical/Network Access Controljwpiccininni
 
Throughwave Day 2015 - ForeScout Automated Security Control
Throughwave Day 2015 - ForeScout Automated Security ControlThroughwave Day 2015 - ForeScout Automated Security Control
Throughwave Day 2015 - ForeScout Automated Security ControlAruj Thirawat
 
CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...
CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...
CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...Block Armour
 
IoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalIoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalFrank Siepmann
 
Securing Smart Cities with Blockchain-enabled Zero Trust Cybersecuity
Securing Smart Cities with Blockchain-enabled Zero Trust CybersecuitySecuring Smart Cities with Blockchain-enabled Zero Trust Cybersecuity
Securing Smart Cities with Blockchain-enabled Zero Trust CybersecuityBlock Armour
 
IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9Arvind Tiwary
 
Iot(security)
Iot(security)Iot(security)
Iot(security)Shreya Pohekar
 
Nozomi networks-solution brief
Nozomi networks-solution briefNozomi networks-solution brief
Nozomi networks-solution briefNozomi Networks
 
Zero Trust Cybersecurity for Microsoft Azure Cloud
Zero Trust Cybersecurity for Microsoft Azure Cloud Zero Trust Cybersecurity for Microsoft Azure Cloud
Zero Trust Cybersecurity for Microsoft Azure Cloud Block Armour
 
Top 7 Security Measures for IoT Systems
Top 7 Security Measures for IoT Systems Top 7 Security Measures for IoT Systems
Top 7 Security Measures for IoT Systems Zoe Gilbert
 
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks
 
IOT Security
IOT SecurityIOT Security
IOT SecuritySylvain Martinez
 
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...PROFIBUS and PROFINET InternationaI - PI UK
 
Block Armour Unified Secure Access Solution (based on Zero Trust principles)
Block Armour Unified Secure Access Solution (based on Zero Trust principles)Block Armour Unified Secure Access Solution (based on Zero Trust principles)
Block Armour Unified Secure Access Solution (based on Zero Trust principles)Block Armour
 
Internet of Things Security Patterns
Internet of Things Security PatternsInternet of Things Security Patterns
Internet of Things Security PatternsMark Benson
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 
IoT Security, Mirai Revisited
IoT Security, Mirai RevisitedIoT Security, Mirai Revisited
IoT Security, Mirai RevisitedClare Nelson, CISSP, CIPP-E
 
Part3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docxPart3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docxfarrahkur54
 
I Own Your Building (Management System)
I Own Your Building (Management System)I Own Your Building (Management System)
I Own Your Building (Management System)Zero Science Lab
 

More Related Content

What's hot

DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)Andris Soroka
 
Next-generation Zero Trust Cybersecurity for the Space Age
Next-generation Zero Trust Cybersecurity for the Space AgeNext-generation Zero Trust Cybersecurity for the Space Age
Next-generation Zero Trust Cybersecurity for the Space AgeBlock Armour
 
Physical/Network Access Control
Physical/Network Access ControlPhysical/Network Access Control
Physical/Network Access Controljwpiccininni
 
Throughwave Day 2015 - ForeScout Automated Security Control
Throughwave Day 2015 - ForeScout Automated Security ControlThroughwave Day 2015 - ForeScout Automated Security Control
Throughwave Day 2015 - ForeScout Automated Security ControlAruj Thirawat
 
CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...
CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...
CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...Block Armour
 
IoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalIoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalFrank Siepmann
 
Securing Smart Cities with Blockchain-enabled Zero Trust Cybersecuity
Securing Smart Cities with Blockchain-enabled Zero Trust CybersecuitySecuring Smart Cities with Blockchain-enabled Zero Trust Cybersecuity
Securing Smart Cities with Blockchain-enabled Zero Trust CybersecuityBlock Armour
 
IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9Arvind Tiwary
 
Nozomi networks-solution brief
Nozomi networks-solution briefNozomi networks-solution brief
Nozomi networks-solution briefNozomi Networks
 
Zero Trust Cybersecurity for Microsoft Azure Cloud
Zero Trust Cybersecurity for Microsoft Azure Cloud Zero Trust Cybersecurity for Microsoft Azure Cloud
Zero Trust Cybersecurity for Microsoft Azure Cloud Block Armour
 
Top 7 Security Measures for IoT Systems
Top 7 Security Measures for IoT Systems Top 7 Security Measures for IoT Systems
Top 7 Security Measures for IoT Systems Zoe Gilbert
 
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks
 
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...PROFIBUS and PROFINET InternationaI - PI UK
 
Block Armour Unified Secure Access Solution (based on Zero Trust principles)
Block Armour Unified Secure Access Solution (based on Zero Trust principles)Block Armour Unified Secure Access Solution (based on Zero Trust principles)
Block Armour Unified Secure Access Solution (based on Zero Trust principles)Block Armour
 
Internet of Things Security Patterns
Internet of Things Security PatternsInternet of Things Security Patterns
Internet of Things Security PatternsMark Benson
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefLancope, Inc.
 

What's hot (20)

Frost & Sullivan Report
Frost & Sullivan ReportFrost & Sullivan Report
Frost & Sullivan Report
 
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)
DSS ITSEC Webinars 2013 - Network Access Control + Mobile Security (Forescout)
 
Next-generation Zero Trust Cybersecurity for the Space Age
Next-generation Zero Trust Cybersecurity for the Space AgeNext-generation Zero Trust Cybersecurity for the Space Age
Next-generation Zero Trust Cybersecurity for the Space Age
 
Physical/Network Access Control
Physical/Network Access ControlPhysical/Network Access Control
Physical/Network Access Control
 
Throughwave Day 2015 - ForeScout Automated Security Control
Throughwave Day 2015 - ForeScout Automated Security ControlThroughwave Day 2015 - ForeScout Automated Security Control
Throughwave Day 2015 - ForeScout Automated Security Control
 
CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...
CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...
CASE STUDY: How Block Armour enabled secure remote access to on- premise as ...
 
IoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 finalIoT Security Briefing FBI 07 23-2017 final
IoT Security Briefing FBI 07 23-2017 final
 
Securing Smart Cities with Blockchain-enabled Zero Trust Cybersecuity
Securing Smart Cities with Blockchain-enabled Zero Trust CybersecuitySecuring Smart Cities with Blockchain-enabled Zero Trust Cybersecuity
Securing Smart Cities with Blockchain-enabled Zero Trust Cybersecuity
 
IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9IoT security fresh thinking 2017 sep 9
IoT security fresh thinking 2017 sep 9
 
Iot(security)
Iot(security)Iot(security)
Iot(security)
 
Nozomi networks-solution brief
Nozomi networks-solution briefNozomi networks-solution brief
Nozomi networks-solution brief
 
Zero Trust Cybersecurity for Microsoft Azure Cloud
Zero Trust Cybersecurity for Microsoft Azure Cloud Zero Trust Cybersecurity for Microsoft Azure Cloud
Zero Trust Cybersecurity for Microsoft Azure Cloud
 
Top 7 Security Measures for IoT Systems
Top 7 Security Measures for IoT Systems Top 7 Security Measures for IoT Systems
Top 7 Security Measures for IoT Systems
 
Nozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company IntroductionNozomi Networks Q1_2018 Company Introduction
Nozomi Networks Q1_2018 Company Introduction
 
IOT Security
IOT SecurityIOT Security
IOT Security
 
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
Safety & Security in OT Environments - Cliff Martin, Principal Engineer, BAE ...
 
Block Armour Unified Secure Access Solution (based on Zero Trust principles)
Block Armour Unified Secure Access Solution (based on Zero Trust principles)Block Armour Unified Secure Access Solution (based on Zero Trust principles)
Block Armour Unified Secure Access Solution (based on Zero Trust principles)
 
Internet of Things Security Patterns
Internet of Things Security PatternsInternet of Things Security Patterns
Internet of Things Security Patterns
 
SCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber GriefSCADA Security: The Five Stages of Cyber Grief
SCADA Security: The Five Stages of Cyber Grief
 
IoT Security, Mirai Revisited
IoT Security, Mirai RevisitedIoT Security, Mirai Revisited
IoT Security, Mirai Revisited
 

Similar to How Secure Is Your Building Automation System?

Part3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docxPart3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docxfarrahkur54
 
I Own Your Building (Management System)
I Own Your Building (Management System)I Own Your Building (Management System)
I Own Your Building (Management System)Zero Science Lab
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA PresentationEric Favetta
 
Backdoor Entry to a Windows Computer
Backdoor Entry to a Windows ComputerBackdoor Entry to a Windows Computer
Backdoor Entry to a Windows ComputerIRJET Journal
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesWAJAHAT IQBAL
 
IRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing SuiteIRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing SuiteIRJET Journal
 
CISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSCISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSMuhammad FAHAD
 
Defending industrial control systems from cyber attack
Defending industrial control systems from cyber attackDefending industrial control systems from cyber attack
Defending industrial control systems from cyber attackAnalynk Wireless, LLC
 
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control SystemsNCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control SystemsMiller Energy, Inc.
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackCTi Controltech
 
Seven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber securitySeven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber securityCTi Controltech
 
Operational Technology Security Solution for Utilities
Operational Technology Security Solution for UtilitiesOperational Technology Security Solution for Utilities
Operational Technology Security Solution for UtilitiesKrishna Chennareddy
 
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...mordechaiguri
 
IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIntel® Software
 
Training manual on scada
Training manual on scadaTraining manual on scada
Training manual on scadabhavuksharma10
 
Analysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in EuropeAnalysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in EuropeFrancesco Faenzi
 

Similar to How Secure Is Your Building Automation System? (20)

Part3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docxPart3- Offline traffic monitoring In this part will use a PCAP file to.docx
Part3- Offline traffic monitoring In this part will use a PCAP file to.docx
 
I Own Your Building (Management System)
I Own Your Building (Management System)I Own Your Building (Management System)
I Own Your Building (Management System)
 
SCADA Presentation
SCADA PresentationSCADA Presentation
SCADA Presentation
 
Backdoor Entry to a Windows Computer
Backdoor Entry to a Windows ComputerBackdoor Entry to a Windows Computer
Backdoor Entry to a Windows Computer
 
Cybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practisesCybersecurity concepts & Defense best practises
Cybersecurity concepts & Defense best practises
 
IRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing SuiteIRJET- Cross Platform Penetration Testing Suite
IRJET- Cross Platform Penetration Testing Suite
 
CISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICSCISA GOV - Seven Steps to Effectively Defend ICS
CISA GOV - Seven Steps to Effectively Defend ICS
 
Defending industrial control systems from cyber attack
Defending industrial control systems from cyber attackDefending industrial control systems from cyber attack
Defending industrial control systems from cyber attack
 
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control SystemsNCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
NCCIC - Seven Steps for Achieving Cybersecurity for Industrial Control Systems
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From Cyberattack
 
Seven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber securitySeven recommendations for bolstering industrial control system cyber security
Seven recommendations for bolstering industrial control system cyber security
 
Defending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From CyberattackDefending Industrial Control Systems From Cyberattack
Defending Industrial Control Systems From Cyberattack
 
Operational Technology Security Solution for Utilities
Operational Technology Security Solution for UtilitiesOperational Technology Security Solution for Utilities
Operational Technology Security Solution for Utilities
 
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...
AirHopper: Bridging the Air-Gap between Isolated Networks and Mobile Phones u...
 
169
169169
169
 
IoT Security Challenges and Solutions
IoT Security Challenges and SolutionsIoT Security Challenges and Solutions
IoT Security Challenges and Solutions
 
chile-2015 (2)
chile-2015 (2)chile-2015 (2)
chile-2015 (2)
 
Training manual on scada
Training manual on scadaTraining manual on scada
Training manual on scada
 
Analysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in EuropeAnalysis of exposed ICS//SCADA/IoT systems in Europe
Analysis of exposed ICS//SCADA/IoT systems in Europe
 
APT - Project
APT - Project APT - Project
APT - Project
 

Recently uploaded

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhisoniya singh
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Neo4j
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxOnBoard
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsPrecisely
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 

Recently uploaded (20)

Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptxVulnerability_Management_GRC_by Sohang Sengupta.pptx
Vulnerability_Management_GRC_by Sohang Sengupta.pptx
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024Build your next Gen AI Breakthrough - April 2024
Build your next Gen AI Breakthrough - April 2024
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Unlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power SystemsUnlocking the Potential of the Cloud for IBM Power Systems
Unlocking the Potential of the Cloud for IBM Power Systems
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 

How Secure Is Your Building Automation System?

  • 1. 1 KNOW YOUR SECURITY RISK How Secure Is Your Building Automation System (BAS)? The Forescout Building Automation Risk Report explores the common systems that make organizations vulnerable to cyberattacks and how these systems could be exploited.
  • 2. 2 Evolution of BAS (1/3) 1980 1990 2000 2010 2020 2030 BMS ELEVATOR LIGHTING HVAC Yesterday’s BAS Buildings offered very basic services, consisting of only a central building management system (BMS) and one or two subsystems, such as HVAC, elevators or lighting systems, that were isolated from each other and outside networks.
  • 3. 3 Evolution of BAS (2/3) LIGHTING LOCAL BMS CENTRAL BMSREMOTE CONTROL CCTV HVAC SOLAR PANEL ELEVATOR ACCESS CONTROL LIGHTING LOCAL BMS CCTV HVAC SOLAR PANEL ELEVATOR ACCESS CONTROL Today’s BAS Today’s buildings are smart buildings, with a central BMS that can integrate with the local BMS of multiple buildings within its network. Each local BMS connects to many different subsystems, including HVAC, surveillance, access control, and energy systems.
  • 4. 4 Evolution of BAS (3/3) LIGHTING LOCAL BMS CCTV HVAC SOLAR PANEL ELEVATOR ACCESS CONTROL Tomorrow’s BAS Smart cities are the inevitable next step in this evolution of BAS. Smart buildings’ local BMS will soon be able to integrate with any other building’s local BMS, as well as the industrial infrastructure around them.
  • 5. 5 BAS Explosion The number of identified vulnerabilities in BAS has increased over 500% in the past three years. [2] By 2026, there will be over 56 million new BAS devices. [1] [1] ABI Research, 2019, BAS Wireless Field Equipment Shipments [2] https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2016/07/07190426/KL_REPORT_ICS_Statistic_vulnerabilities.pdf 5
  • 6. 6 39.3% of publicly reachable BAS devices are vulnerable [1] Devices publicly reachable and vulnerable to the 0-days discovered in our research Total devices publicly reachable* 39.3%* 22,902 devices 9,103 devices * Of the models used in our research [1] Forescout, The Current State of Smart Building Cybersecurity, 2019: https://www.forescout.com/securing-building-automation-systems-bas/ Vulnerable devices include: HVAC PLCs, Access Control PLCs, Protocol Gateways
  • 7. 7 Research Overview Forescout BAS Risk Report Industry attention has recognized the threat of commonly known Internet of Things (IoT) devices. What may go unnoticed is the potential safety and business risks to building automation systems (BAS). Research into three key areas of BAS: Surveillance HVAC Access Control revealed that their core technologies, fundamental development methods and legacy implementations make implementing proper security an often overlooked, but critical, task.
  • 8. 8 Key Findings Discovered and responsibly disclosed previously unknown vulnerabilities in building automation devices, ranging from controllers to gateways. Debunked the myth that malware for cyber-physical systems must be created by actors that are sponsored by nation-states and have almost unlimited resources. Developed a proof-of-concept malware that persists on devices at the automation level, as opposed to persisting at the management level as most OT malware does. Concluded that improved device visibility into vulnerable BAS networks is one of the best ways to reduce risk. 8
  • 9. 9 Where Do The Vulnerabilities Lie? EXPLORING THREE POTENTIAL ENTRY POINTS OF BAS 9
  • 10. 10 IP-Cameras publicly reachable and vulnerable to exploits used in our research Total IP-Cameras publicly reachable* 91.5% Area 1: Surveillance 11,269 devices 10,312 devices Malicious actors can leverage this channel to move laterally and: • Gain control of other subsystems at the automation level. • Gain control of the management level to orchestrate a larger, coordinated attack. Attacker Initial Access Lateral Movement 1 Lateral Movement 2 IP Camera Workstation HVAC PLC Protocol Gateway Access Control PLC * Of the models used in our research
  • 11. 11 Area 2: HVAC Malicious actors can use HVAC systems to bypass “air gaps” via a covert thermal channel [1] and move laterally to: • Raise the temperature setpoint in a data center to cause business disruption. • Gain access to the management network to orchestrate a larger, coordinated attack. Attacker Command & Control Internet Central A/C management unit A/C end unit Public domain Airgapped domain Targeted hosts [1] Y. Mirsky, M. Guri and Y. Elovici, “HVACKer: Bridging the Air-Gap by Attacking the Air Conditioning System,” 2017. [Online]. Available: https://arxiv.org/abs/1703.10454.
  • 12. 12 Area 3: Access Control Malicious actors can use access control systems comprised of access badges, badge readers, controllers, and databases that store user credentials to: • Control the doors and gain access to forbidden areas. • Lock building occupants in and demand ransom. • Gain access to the management network to orchestrate a larger, coordinated attack. Attacker Initial Access Lateral Movement 1 Lateral Movement 2 IP Camera Workstation HVAC PLC Protocol Gateway Access Control PLC
  • 14. 14 Methodology Cyber Attack Lifecycle (Mandiant) RECON RESEARCH WEAPONIZE COMPROMISE PERSISTENCE • Gather information on the target • Research networks & technologies • Find access means • Procure existing exploits • Find 0-days • Plan a stealth attack • Develop • Compromise • Move laterally • Execute • Persist after reboots • Clean traces 14
  • 15. 15 Potential Attack Paths IoT Device Subsystem 1 Management Subsystem 2...n Workstation Internet Physical Building Subsystems Attacker PLC Sensor Actuator 1. Publicly reachable PLCs: Using this path, the malware can enter directly from the Internet and exploit the programmable logic controllers (PLCs) controlling the sensors and actuators at the field level, so there is no need to perform any lateral movement from other devices. 2. Publicly reachable workstations: Using this path, the malware can enter a workstation from the Internet at the management level and move laterally to the PLCs. 3. Publicly reachable IoT devices: Using this path, the malware can enter an IoT device, such as an IP camera or a WiFi router, from the Internet and use that entry point to gain access to the internal network, usually moving to the management level first and then to other subsystems. 4. Air gapped network: Using this path, the attacker must have physical access to the building network (which could be accomplished via the HVAC system) and move laterally to reach the PLCs.
  • 16. 16 Attack Path Goals # Step Goal Possible Target 1 2 3 4 5 Initial Access Lateral Movement 1 Lateral Movement 2 Execution Persistence Establish an initial foothold in the network Move to the management level Move to another subsystem in the BAS Disrupt the normal functioning of the PLCs Persist in the infected automation level devices PLCs (path 1) Workstations (path 2) IoT devices (path 3) Workstations or networking equipment PLCs or IoT devices PLCs PLCs 16 Possible steps of an attack on building automation networks
  • 17. 17 The Attack Plan Attacker 1. Initial Access 2. Lateral Movement 1 3. Lateral Movement 2 5. Persistence 4. Execution IP Camera Workstation Access Control PLC Step 1 – Initial Access The IP Camera can be exploited using a combination of CVE-2018-10660 [1] , CVE-2018-10661 [2] , and CVE-2018-10662 [3] . The vulnerabilities and our exploit are based on the work of Or Peles [4] and the available Metasploit module [5] . STEP 2 - Lateral Movement 1 Once on the camera, the malware cleans its tracks by editing the files /var/volatile/log/{auth,info}.log, calls netstat to find the workstation connected to it (used for network video recording) and moves from the camera to the workstation by exploiting the misconfigured MS-SQL server. Step 3 – Lateral Movement 2 While running on the workstation, the malware looks for an instance of the Access Control PLC workbench and reads its configurations files to find the devices connected to and being managed by that workstation. Step 4 – Execution After being dropped on the target device, the first goal of the final payload is to disrupt the normal behavior of the PLC by adding a new user and a new badge to the database, giving access to an otherwise unauthorized person. Step 5 – Persistence After the final payload has been executed, the malware has to persist on the device after reboots. [1] “CVE-2018-10660,” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-10660 [2] “CVE-2018-10661,” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-10661. [3] “CVE-2018-10662,” [Online]. Available: https://nvd.nist.gov/vuln/detail/CVE-2018-10662. [4] O. Peles, “VDOO Discovers Significant Vulnerabilities in Axis Cameras,” 2018. [Online]. Available: https://blog.vdoo.com/2018/06/18/vdoo-discovers-significant-vulnerabilities- in-axis-cameras/. [5] Rapid7, “Axis Network Camera .srv to parhand RCE,” [Online]. Available: https://www.rapid7.com/db/modules/exploit/linux/http/axis_srv_parhand_rce.
  • 18. 18 Vulnerabilities Discovered (1/2) # Product Vulnerability Type Notes 1 Protocol Gateway XSS 0-day patched by the vendor and CVE assigned 2 Protocol Gateway Path traversal 0-day patched by the vendor and CVE assigned 3 Protocol Gateway Arbitrary file deletion 0-day patched by the vendor and CVE assigned 4 HVAC PLC XSS 0-day patched by the vendor and CVE assigned 5 HVAC PLC Authentication bypass 0-day patched by the vendor and CVE assigned 6 Access Control PLC XSS 0-day patched by the vendor and CVE assigned 7 Access Control PLC Hardcoded secret Not 0-day, the vulnerability was known and patched by the vendor, but never disclosed. 8 Access Control PLC Buffer overflow Not 0-day, the vulnerability was known and patched by the vendor, but never disclosed.
  • 19. 19 Vulnerabilities Discovered (2/2) • XSS vulnerabilities allow an attacker to inject malicious scripts into trusted web interfaces running on the vulnerable devices, which may be executed by the browser of an unsuspecting user to access cookies, session tokens, or other sensitive information, as well as to perform malicious actions on behalf of the user. • Path traversal and file deletion vulnerabilities allow an attacker to manipulate path references and access or delete files and directories (including critical system files) that are stored outside the root folder of the web application running on the device. • Authentication bypass vulnerability allows an attacker to steal the credential information of application users, including plaintext passwords, by manipulating the session identifier sent in a request. The most severe vulnerabilities are issues #7 and #8, which allow a remote attacker to execute arbitrary code on the target device and gain complete control of it. • Hardcoded secret: The Java framework used on the Access Control PLC and on its control software stores system configurations in a file called daemon.properties and application configurations in a file called config.bog, which is a compressed xml. These files contain usernames and passwords, among other information. The passwords are hashed or encrypted depending on the version of the framework. • Buffer overflow: There is a binary daemon running on the Access Control PLC that exposes multiple HTTP endpoints that remote users can access to manage the device. “A myriad of these affected BAS devices are available online and can still be exploited because they are unpatched.”
  • 20. 20 How to Reduce Risk for BAS Networks Implement security solutions that offer: • Passively and automatically establishes asset inventory with full device fingerprinting • Documents the network baseline of normal communications • Automatically assesses common vulnerabilities & exposures (CVEs) for BAS devices • Continuously monitors the network for changes in behavior • Automatically checks device behavior against threat indicators and protocol compliance standards • Alerts in real time with interactive visualizations of threats and risks • Monitors both IT and OT networks from a single screen • Offers extensive, cross- functional automation capabilities • Is agentless and infrastructure-agnostic Complete Device Visibility Real-Time Threat Detection Converged IT-OT Security
  • 21. 21 Conclusion Building automation systems (BAS) may be as critical as industrial control systems (ICS) in terms of safety and security, yet receive much less attention from the security community. Enhancing BAS cybersecurity programs with device visibility and network monitoring can give organizations a thorough understanding of the environment and its connections, making it easier to design effective security architectures, identify attack vectors, and locate blind spots. 21
  • 22. 22 About the Researchers Daniel dos Santos holds a PhD in Computer Science from the University of Trento and has experience in security consulting and research. He is a researcher at Forescout, focusing on vulnerability research and the development of innovative features for Forescout OT products. Clément Speybrouck holds a post-master degree in Security in Computer Systems and Communication from EURECOM and worked as an intern at Forescout during the development of this research project. Elisa Costante holds a PhD in Computer Science from the Eindhoven University of Technology. She is an expert in IT and OT security and privacy. As Head of Industrial and OT Research at Forescout, she manages the internal and external research activities. Her responsibilities include the management of national and international projects, the planning of research strategy and the supervision of prototype development activities for innovative features to be added to Forescout OT products. Acknowledgement: the authors would like to thank Andrés Castellanos-Páez and Jos Wetzels for their help in discovering and exploiting the buffer overflow vulnerability.
  • 23. 23 Download the full research report to learn more about the current state of smart building cybersecurity DOWNLOAD
  • 24. 24 About Forescout Connect with us Forescout Technologies is the leader in device visibility and control. Our unified security platform enables enterprises and government agencies to gain complete situational awareness of their extended enterprise environments and orchestrate actions to reduce cyber and operational risk. Forescout products deploy quickly with agentless, real-time discovery and classification, as well as continuous posture assessment. www.forescout.com @Forescout Forescout Technologies