Cyber Security in Smart Buildings

Transcript

  1. Cyber-Security in Smart Buildings. Siegeware: When Criminals Take Over Your Smart Building
  2. Smart Building • A smart building is any structure that uses automated processes to control the building's operations, including heating, ventilation, air conditioning, lighting, security and other systems.
  4. Smart Building • A smart building uses sensors, actuators and microchips to collect data and manage it according to a business's functions and services. • This infrastructure helps owners, operators and facility managers improve asset reliability and performance, which reduces energy use, optimizes how space is used and minimizes the environmental impact of buildings.
  6. Smart Building • At the most fundamental level, smart buildings make occupants more productive, with lighting, thermal comfort, air quality, physical security, sanitation and more, at lower cost and environmental impact than buildings that are not connected.
  8. Smart Building • Smart office buildings, health care facilities, hospitals, educational facilities, stadiums and many other types of smart building exist around the world. • Navigant Research estimates that the smart building technology market will generate global revenue of $8.5 billion in 2020, up from $4.7 billion in 2016, a compound annual growth rate of 15.9% over the forecast period.
  10. The Creation of a Smart Building • Making a smart building, or making a building smart, begins by linking core systems such as lighting, power meters, water meters, pumps, heating, fire alarms and chiller plants with sensors and control systems. • At a more advanced stage, even elevators, access systems and shading can become part of the system.
  12. The Creation of a Smart Building • There is no single set of standards that defines a smart building, but what they all have in common is integration. • Many new buildings have "smart" technology and are connected and responsive to a smart power grid. • You don't even need to move offices or construct a new building to work in a smart building. • Building automation systems such as those from Honeywell or Johnson Controls exist so property owners can take advantage of the capabilities available in older structures.
  15. The Benefits • Creating or transforming a building into a smart building benefits both the owner and the organizations working within it. • These benefits range from energy savings to productivity gains to sustainability. • Smart building strategies can reduce energy costs, increase the productivity of facility staff, improve building operations, support sustainability efforts and enhance decision-making across the organization.
  17. The Benefits • One example of energy efficiency is optimal start/stop, which lets the building automation system learn when it should bring the air conditioning system online for a particular zone of the building. • Another feature is grouping electrical loads into categories from critical to high priority to non-essential.
  19. The Benefits • "When the building load is rising and approaching the high limit setting, the non-essential loads are turned off in their subgroup order, followed by the high-priority loads."
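Slides 17 to 19 describe the load-priority scheme in words. The following is an added worked example of that scheme, not code from the deck or from any BAS vendor; the building, its loads, their kW figures, bands and subgroup numbers are constructed for illustration.

```python
"""Priority-band load shedding as slides 17-19 describe.

Added worked example; not code from the deck or any BAS vendor. Load names,
kW figures, bands and subgroup numbers are constructed."""
from dataclasses import dataclass
from typing import List

# Bands are shed in this order; "critical" loads are never shed automatically.
SHED_ORDER = ("nonessential", "high")


@dataclass
class Load:
    name: str
    kw: float
    band: str        # "critical", "high" or "nonessential"
    subgroup: int    # shed order within the band: lower numbers go first
    on: bool = True


def total_kw(loads: List[Load]) -> float:
    """Current demand: the sum of the loads that are switched on."""
    return sum(l.kw for l in loads if l.on)


def shed_until_below(loads: List[Load], high_limit_kw: float) -> List[str]:
    """Turn loads off in subgroup order, non-essential band first, then the
    high-priority band, stopping as soon as demand is at or below the limit.
    Returns the names shed, in the order they were shed."""
    shed: List[str] = []
    for band in SHED_ORDER:
        candidates = sorted((l for l in loads if l.band == band and l.on),
                            key=lambda l: l.subgroup)
        for load in candidates:
            if total_kw(loads) <= high_limit_kw:
                return shed
            load.on = False
            shed.append(load.name)
    return shed   # every sheddable load is off; only critical loads remain


def demo_loads() -> List[Load]:
    """Constructed example building: 235 kW demand when everything is on."""
    return [
        Load("chiller plant", 120, "critical", 0),
        Load("server room cooling", 40, "critical", 0),
        Load("air handling unit 3", 30, "high", 2),
        Load("garage lighting", 20, "high", 1),
        Load("lobby lighting", 15, "nonessential", 1),
        Load("fountain pump", 10, "nonessential", 2),
    ]


if __name__ == "__main__":
    building = demo_loads()
    print("shed:", shed_until_below(building, 190), "now", total_kw(building), "kW")
```

The security-relevant point is that this priority table, and the high-limit setting, are data the BAS holds: whoever can write to the BAS can move the chiller into the non-essential band or lower the limit, which is exactly the kind of control a siegeware operator trades on later in the deck. The table deserves the same access controls and change logging as the login itself.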
  21. Cyber-Security Vulnerabilities in Smart Buildings • Today's smart buildings are increasingly enabled by the Internet of Things (IoT) and made functional by the ongoing convergence of Operational Technology (OT) and Information Technology (IT) systems in buildings. • A host of new elements, such as the cloud, remote access, data sharing and analytics, and connected and shared networks, has fundamentally changed how built environments are used and operated.
  24. Cyber-Security Vulnerabilities in Smart Buildings • However, buildings are exposed to a new threat that has been downplayed and undervalued for a long time. • After a recent slew of security breaches, stakeholders in the smart buildings industry are recognizing the potentially damaging impact cyber threats pose for the industry and its related businesses.
  26. Defining Smart Buildings and Cyber-Security • A smart building can be defined as one that uses both technology and processes to create an environment that is safe, healthy and comfortable and that enables productivity and well-being for its occupants.
  28. Defining Smart Buildings and Cyber-Security • A smart building is characterized by active IT-aided intelligence, smart sensors and controls for seamless operation, real-time dissemination of operational information for predictive analytics, and diagnostics to facilitate better management, maintenance and optimization over time.
  29. Defining Smart Buildings and Cyber-Security • Cyber security in the context of a smart building is the sum of the technologies, processes and practices designed to protect all building systems and networks from unauthorized access: front-end physical and IT systems within the building, accessories and field-level devices, data and application platforms, and data aggregation systems, including all localized and remote systems that help operate and maintain a smart building.
  30. Cyber Risks in Smart Buildings • Technology Progression • The building automation system (BAS) or building operating system (BOS) has moved considerably from the physical realm to one in which IT enables all aspects of its functioning. Furthermore, there is now a new generation of connected and intelligent buildings powered by IoT.
  31. The Integrated Building Network • The integrated network of a smart building is where building owners and operators realize the true benefits of a smart, converged infrastructure; however, it is also the point at which exposure to security vulnerabilities is greatest.
  33. Security Vulnerabilities of a Smart Building's Integrated Network • The integration layer of a smart building's software is its most exposed part: the BAS is connected to virtually every other aspect of the building, and from it a skilled attacker could reach nearly any system on the corporate network.
  35. IoT and Cyber Risks • Activities centering on IoT deliver increasingly unique advantages and novel challenges. • The advantages include real-time access, vast data generation and analytics, and interconnectivity of systems and devices. • By themselves, however, these advantages offer little value unless the crucial decision to share the data and networks is taken at the same time, which means giving multiple service providers access to a smart building's various systems and devices.
  37. IoT and Cyber Risks • This access implies potential security breaches that could leave a smart building, its occupants and its service providers powerless against an adversary's actions to corrupt networks, misuse critical information and cause significant operational and financial loss.
  38. IoT-influenced Cyber Risk Areas in a Smart Building
  39. Impact of Cyber Threats to BAS/BOS Infrastructure
  40. Why are cyber criminals targeting smart buildings? • In countries like the United States, the growth of smart buildings is estimated to reach 16.6% by 2020 compared with 2014, and this expansion is not limited to the US but is taking place on a global scale. • The growth is largely due to the fact that we live in a world increasingly permeated by technology, in which process automation and the search for energy efficiency contribute not only to sustainability but also to cost reduction.
  41. Why are cyber criminals targeting smart buildings? • Smart buildings use technology to control a wide range of variables within their environments, with the aim of providing more comfort and contributing to the health and productivity of the people inside them. • To do so, they use so-called Building Automation Systems (BAS).
  43. Why are cyber criminals targeting smart buildings? • With the arrival of the Internet of Things (IoT), smart buildings have redefined themselves. • Using the information obtained from smart sensors, their technological equipment analyses, predicts, diagnoses and maintains the various environments within them, automates processes and monitors numerous operational variables in real time. • Ambient temperature, lighting, security cameras, elevators, parking and water management are just some of the services the technology can automate today.
  46. Why are cyber criminals targeting smart buildings? • To put the possibilities of this smart infrastructure into perspective, consider a smart building in Las Vegas where, two years ago, the owners installed a sophisticated automation system so that the air conditioning (Las Vegas has a hot desert climate and very little rain) is turned on only when people are present. • This led to a saving of US$2m in the first year after the system was installed, from the reduction in energy consumption achieved by automating the process. • Marriott Hotels implemented a similar system across the entire chain that is expected to generate an estimated US$9.9m in energy savings.
  48. Possibility of a smart building being attacked • The risk of a security incident in an intelligent building is linked to the motivations of cyber criminals, who mainly seek economic gain from their actions, as well as impact and the spreading of fear. • Tools such as Shodan already allow anybody to discover vulnerable and/or unsecured IoT devices exposed to the public internet. • A search with the tool returns thousands of building automation systems, complete with banner information such as product and version that an attacker could use to compromise a device.
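Slide 48 says a Shodan search turns up thousands of exposed BAS. The check a practitioner wants is the reverse question: does our building answer from outside? The following is an added example, not code from the deck or from Shodan; it assumes the BAS speaks BACnet/IP (ASHRAE 135 over UDP port 47808), which the deck does not name, and the sample I-Am reply is constructed so the parser can be exercised offline. `probe()` sends a packet and must only be run, from a host outside the building network, against equipment you are authorised to test.

```python
"""Does a BAS answer a BACnet/IP Who-Is from the public internet?

Added example, not from the deck. Assumes BACnet/IP (UDP/47808); packet
layouts follow ASHRAE 135. SAMPLE_IAM is a constructed reply for offline use."""
import socket
import struct
from typing import Optional

BACNET_PORT = 0xBAC0  # 47808/udp, the default BACnet/IP port

# Constructed I-Am: device instance 1, max APDU 1476, no segmentation, vendor id 15
SAMPLE_IAM = bytes.fromhex("810b00180120ffff00ff1000c4020000012205c49103210f")


def build_whois() -> bytes:
    """Who-Is with no instance range, i.e. 'every device, please answer'."""
    npdu = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF])  # version 1; DNET 0xFFFF global broadcast; hop count 255
    apdu = bytes([0x10, 0x08])                          # PDU type 1 (unconfirmed request), service 8 (Who-Is)
    body = npdu + apdu
    # BVLC header: type 0x81 (BACnet/IP), function 0x0B (Original-Broadcast-NPDU), total length
    return bytes([0x81, 0x0B]) + struct.pack(">H", 4 + len(body)) + body


def _read_app_tag(pkt: bytes, i: int):
    """Decode one application-tagged value: (tag number, value bytes, next offset)."""
    tag, length = pkt[i] >> 4, pkt[i] & 0x07
    i += 1
    if length == 5:                      # extended length lives in the next byte
        length, i = pkt[i], i + 1
    return tag, pkt[i:i + length], i + length


def parse_iam(pkt: bytes) -> Optional[dict]:
    """Return device details from an I-Am reply, or None if pkt is not one."""
    try:
        if len(pkt) < 4 or pkt[0] != 0x81 or struct.unpack(">H", pkt[2:4])[0] != len(pkt):
            return None
        control, i = pkt[5], 6           # NPDU: version at pkt[4], control byte at pkt[5]
        if control & 0x20:               # destination specifier: DNET(2) DLEN(1) DADR(DLEN)
            i += 3 + pkt[i + 2]
        if control & 0x08:               # source specifier: SNET(2) SLEN(1) SADR(SLEN)
            i += 3 + pkt[i + 2]
        if control & 0x20:
            i += 1                       # hop count follows when a destination is present
        if pkt[i:i + 2] != b"\x10\x00":  # unconfirmed request, service 0 = I-Am
            return None
        i += 2
        tag, obj, i = _read_app_tag(pkt, i)   # BACnetObjectIdentifier: 10-bit type, 22-bit instance
        if tag != 12 or len(obj) != 4:
            return None
        oid = struct.unpack(">I", obj)[0]
        _, max_apdu, i = _read_app_tag(pkt, i)
        _, seg, i = _read_app_tag(pkt, i)
        _, vendor, i = _read_app_tag(pkt, i)
    except IndexError:                   # truncated or malformed reply
        return None
    return {
        "object_type": oid >> 22,        # 8 = device
        "device_instance": oid & 0x3FFFFF,
        "max_apdu": int.from_bytes(max_apdu, "big"),
        "segmentation": seg[0],          # 3 = no segmentation supported
        "vendor_id": int.from_bytes(vendor, "big"),
    }


def probe(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one Who-Is to host and decode the first reply. A non-None result
    from outside the building means anyone on the internet can talk to the BAS."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_whois(), (host, BACNET_PORT))
        try:
            data, _ = s.recvfrom(1500)
        except socket.timeout:
            return None
    return parse_iam(data)


if __name__ == "__main__":
    import sys
    print(probe(sys.argv[1]) if len(sys.argv) > 1 else parse_iam(SAMPLE_IAM))
```

An I-Am reply is the same unauthenticated, unencrypted traffic Shodan indexes: vendor id and device instance are enough to look up the product, and the protocol itself has no login, so the only defence at this layer is not being reachable (the firewall and VPN checks in slides 125 to 131).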
  50. Possibility of a smart building being attacked • Smart homes and buildings are a new battlefield for hackers and security experts. • Most people wouldn't consider their heating, ventilation and air conditioning (HVAC) system a prized target for cyber criminals. After all, the thinking goes, a successful hack could at worst make us uncomfortable for a few minutes until we fix the problem.
  52. Possibility of a smart building being attacked • This wishful thinking, however, is exactly what attackers count on. As we deploy a growing number of connected devices such as smart HVAC, intelligent cameras and smart doorbells in our homes and offices, the complexity of the Internet of Things (IoT) ecosystem increases.
  54. Possibility of a smart building being attacked • Gartner, a research and advisory company, predicts that 25 billion connected devices will be in use by 2021. • Many of these IoT devices will interact with each other through home automation servers such as FHEM (Freundliche Hausautomatisierung und Energie-Messung) and Home Assistant, making our lives more comfortable but less secure.
  57. Possibility of a smart building being attacked • Sure, having tech that automatically turns on the air conditioning and lights as people enter a room is convenient, but building automation systems (BAS) that integrate connected "things" are often inadequately secured and configured.
  59. Possibility of a smart building being attacked • Attackers breach them easily, for instance by finding a weak spot in an unprotected web login page of a fire detection system. • Once inside, they move laterally to take over other parts of the BAS, where they can shut down the alarm or heating systems and demand a ransom payment. • This threat, also known as "siegeware", is growing in severity, and many companies and individuals have already fallen victim to these attacks.
  62. Scope of the 'Siegeware' Threat • According to ForeScout, a cyber-security firm, the number of vulnerabilities in automation systems is constantly increasing. • Hospitals and schools are particularly unprotected from cyber-attacks, and some operate as many as 8,000 highly vulnerable devices. Taking full control of these devices can have major consequences.
  64. Scope of the 'Siegeware' Threat • ForeScout explains that control over smart devices can eventually give attackers access to private financial files and information stored in data centres. • They can also listen to conversations, review camera streams, delete files, reprogram automation rules, distribute malware and give unauthorised individuals physical access to the building.
  66. Scope of the 'Siegeware' Threat • Although many of the vulnerabilities that attackers exploit are well known, only about half of those in industrial and IoT systems have been patched. • Worse, even attackers with limited resources can develop effective malware and hack smart buildings.
  67. Creating powerful malware isn't as expensive as it may seem • For instance, it cost ForeScout only about $12,000 to develop proof-of-concept malware showing how easy it is to hack a smart building. • In that process, the researchers first spent some time analysing various automation systems and looking for weak spots.
  69. A hacker hijacked Nest devices in a family home • Arjun and Jessica Sud from Lake Barrington, a village in the US state of Illinois, would certainly agree with ForeScout: they were the victims of a malicious cyber criminal. • He hacked their Nest cameras, speakers and thermostat and, at first, talked to their 7-month-old baby. • As Arjun grabbed the child and went downstairs, he noticed that the thermostat, usually set to around 22°C, had been turned up to 32°C.
  70. Nest camera hacked: Hacker spoke to baby, hurled obscenities
  71. Family Was Watched Through Nest Security Cameras • https://youtu.be/qrgn8zHpGfs • https://sagaciousnewsnetwork.com/family-was-watched-through-nest-security-cameras
  72. A hacker hijacked Nest devices in a family home • A deep male voice then yelled at him through the speaker of a security camera, using racial insults and cursing. • As soon as the voice stopped, Arjun and Jessica unplugged 17 Nest devices worth $4,000 and returned them to Google, Nest's parent company. • Nest's public statement on such cases attributed the access to account passwords reused from other breaches rather than to a flaw in the devices, which is why the deck's later advice on multi-factor authentication applies to homes as much as to office buildings.
  74. Exfiltrating data through a fish tank and modem routers • Despite all the security measures in place, creative attackers are sometimes able to overcome any obstacle. • In Las Vegas, for instance, attackers breached a casino through a high-tech fish tank that was connected to the internet. • The malware extracted ten gigabytes of data and transferred it to a remote server in Finland.
  76. Exfiltrating data through a fish tank and modem routers • The full scope of the breach was spotted only after staff called in experts from Darktrace, a cyber-defence company, to analyse suspicious activity. • Darktrace says that "this was a clear case of data exfiltration but far more subtle than typical attempts at data theft." • This, however, isn't the only way attackers exploit the vulnerabilities of connected ecosystems.
  78. Exfiltrating data through a fish tank and modem routers • In another example, cyber criminals hijacked D-Link DSL modem routers by changing their DNS settings and redirected users who wanted to visit the website of Banco do Brasil to a fake site. • The attack was effective because the hijacking succeeded without changing the URL shown in the victim's browser, and the malicious page worked on both Apple and Android phones and tablets. • Victims then entered their username and password believing they were accessing their online banking accounts, while in reality they were handing sensitive data to the attackers.
  81. Google Hacked by Its Own Employee • Even big tech companies aren't immune to security flaws in IoT devices. • Google engineer David Tomaschik, for example, found a way to control the smart locks used in the company's Sunnyvale offices: the door controllers made by Software House relied on a hard-coded encryption key, so he could replicate the key and forge commands to the controller. • Even without the required RFID keycard, Tomaschik could unlock or lock doors and prevent people from entering the facility, and he could do it without leaving any digital traces.
  83. Hospital data breach left 1.5 million patients exposed • Meanwhile, cyber criminals stole the personal data of 1.5 million patients in Singapore, including names, gender, identity card numbers and addresses. • They even stole the outpatient prescription data of Prime Minister Lee Hsien Loong.
  85. Hospital data breach left 1.5 million patients exposed • The attack took place between 27 June and 4 July 2018, when the attackers breached the network of SingHealth, Singapore's largest group of healthcare institutions. • Fortunately, records such as diagnoses and test results weren't tampered with, but the authorities paused many of the country's Smart Nation initiatives because of the attack.
  86. Hackers stole personal, medication data
  87. Hospital data breach left 1.5 million patients exposed • Many people fear that attackers could misuse their identities, as ID numbers are crucial for accessing various government services in Singapore. • Leonard Kleinman, the senior director of IT Security for the Australian Tax Office and cyber security advisor to the security company RSA, says that "such data can fetch a high price". In 2017, a stolen or lost healthcare record was worth as much as $408 on the dark web.
  89. Siegeware and BAS attacks, an emerging threat • As technological defences against cybercrime become more advanced, able to pre-empt attacks and weed out vulnerabilities before they are widely known, attackers also become more adept at cloaking their presence and concealing their intent.
  91. Siegeware and BAS attacks, an emerging threat • The targets of attacks also change with the times. • Hacking websites and bank accounts is old hat; some of the most serious dangers to the most modernized companies, and even to citizens, are attacks on technology that does not yet have robust security systems, or even standards, in place.
  93. Siegeware and BAS attacks, an emerging threat • It is sad but well known that the average consumer doesn't spend much time worrying about whether the firmware on their IoT devices is up to date, leaving millions of devices around the world critically vulnerable to attack.
  94. Siegeware and BAS attacks, an emerging threat • You would be forgiven for assuming that companies implementing centralized control of a building's life-support functions such as HVAC, fire safety, doors and windows, alongside more convenience-focused building automation, would prioritize cyber security. • This is not always the case, and it can lead to a potentially disastrous situation for the homes and organizations that implement Building Automation Systems (BAS) and for the companies that manufacture, install and maintain them.
  96. Siegeware and BAS attacks • When attackers combine ransomware with BAS vulnerabilities, we get siegeware. • The attacker takes control of a building, shuts down critical operations such as heating, cooling, alarm systems and even physical access, and will only relinquish control once a ransom has been paid.
  98. Siegeware and BAS attacks • Gaining access to the BAS makes the attacker the digital overlord of the building. By controlling the automated system that governs the building's functions, they control the building itself. • They can turn off ventilation, heating and fire suppression systems, and potentially extend their influence to other digital functions of the building.
  100. The attacker can reach seven systems remotely once they hijack the BAS: • Lighting control systems • Fire detection and alarm systems • Automated fire suppression systems • Integrated security and access control systems • Heating, ventilation and air conditioning • Power management and assurance systems • Command and control systems • The consequences of losing control of these systems range from discomfort to potentially life-threatening situations.
  102. An Emerging Threat • Siegeware is quickly becoming one of the most dangerous and effective methods of cyber-attack. • Many companies have already fallen victim to these attacks, and those that haven't given in to the ransom demands have faced severely disrupted operations as a result.
  104. An Emerging Threat • A BAS allows a single command centre to control and automate all connected systems in a building so that a high level of comfort can be achieved efficiently. • But vulnerabilities exist in any connected system, and when the network is compromised the prospect of physical danger becomes very real.
  106. An Emerging Threat • As more organizations adopt BAS infrastructures, the number of potential targets rises, along with the time attackers spend searching for as-yet unknown vulnerabilities. • To make things worse, many of these buildings are connected to the internet, where anyone with the correct username and password can access them. • As of February 2019, there were about 35,000 BAS systems connected to the public internet globally, and it is highly likely that many of them are using default usernames and passwords.
  108. An Emerging Threat • Even if the majority of organizations implement adequate security, those that do not face severe consequences. • Countless schools, hospitals, universities and banks have fallen prey to ransomware attacks in the past few years, and this is likely to mutate into large-scale siegeware attacks in the coming months against BAS-equipped buildings that do not have effectively secured networks.
  110. Siegeware: When Criminals Take Over Your Smart Building • Siegeware is what you get when cybercriminals mix the concept of ransomware with building automation systems: abuse of equipment control software to threaten access to physical facilities.
  111. Siegeware: When Criminals Take Over Your Smart Building • Imagine you are the person in charge of operations for a property company that manages a dozen buildings in a number of cities. What would you do if you got the following text on your phone? • "We have hacked all the control systems in your building at 400 Main Street and will close it down for three days if you do not pay $50,000 in Bitcoin within 24 hours."
  113. Siegeware: When Criminals Take Over Your Smart Building • In this scenario, the building at that address is one of several upscale medical clinics in your company's portfolio. • The buildings all use a BAS, or Building Automation System, to remotely manage heating, ventilation and air conditioning (HVAC), as well as fire alarms and controls, lighting, security systems and so on. • As many as eight different systems may be remotely accessible.
  116. Siegeware: When Criminals Take Over Your Smart Building • In this scenario, if someone has in fact gained control of the BAS, then it is entirely possible that the sender of the threatening message could make good on their threat.
  118. Siegeware: When Criminals Take Over Your Smart Building • Clearly, holding a building for ransom by leveraging its reliance on software is now on the criminal agenda, part of the expanding arsenal of techniques for profiting from the abuse of technology.
  120. Siegeware: When Criminals Take Over Your Smart Building • From Neolithic hilltop settlements to medieval castles and walled cities, human structures have always been a target for nefarious activity, often besieged by aggressors because access to them is essential to their function, be that living, working, meeting, trading, storage or medical care.
  121. Siegeware: When Criminals Take Over Your Smart Building • Numerous practical and financial benefits accrue from enabling remote access to a BAS, but when you combine criminal intent with poorly protected remote access to the software that runs a building automation system, siegeware becomes a very real possibility. • To put it another way, siegeware is the code-enabled ability to make a credible extortion demand based on digitally impaired building functionality.
  123. Siegeware: When Criminals Take Over Your Smart Building • How widespread will the siegeware problem become in 2019? • That depends on several factors: how aggressively cases are investigated by law enforcement, how many victims refuse to pay, and how many targets of opportunity the bad actors can find.
  125. Siegeware: When Criminals Take Over Your Smart Building • So, if you are at all concerned about the possibility of a siegeware attack, ask around to see whether there is any remote access to the BAS in "your" building. • Then find out how well protected it is. Is access placed behind a firewall? • Does access require a VPN connection? • Is access protected with multi-factor authentication, or just a password? • If the latter, call a meeting immediately to get that fixed.
  127. Siegeware: When Criminals Take Over Your Smart Building • Frankly, anything less than putting the BAS login behind a VPN with 2FA leaves a building at risk from criminals wielding siegeware. • With 2FA now so widely available and easy to use, failing to use it to protect a BAS is likely to fail a "reasonable care" test, should building tenants sue in the wake of a siegeware attack.
  129. Preventing BAS hijacking • Any smart home or other BAS-controlled building is a potential target for siegeware attacks. • If you live in a smart home, or are the building manager or security officer at an organization that uses a BAS to control functions of the building, it is critical to make sure that the security controls are up to the task of controlling access to the BAS.
  130. Preventing BAS hijacking • Many contractors will simply set up the automated control system with a web-based login interface. • It makes it easier for them to make changes later or solve any issues that appear. • However, such remote access is exposed to unauthorized access attempts from anyone who can reach it.
  131. Preventing BAS hijacking • If there is remote access to your BAS, it needs to be treated as a critical IT system; see to it that you have the following, at the very minimum: • Up-to-date firmware • Firewall • Encrypted connection • Preferably VPN-only access, restricted to the building's IP address • Strong passwords • Multi-factor authentication • Lockout on failed password attempts • Notification of login attempts
  133. Preventing BAS Hijacking • If remote access to a BAS is weak in even one of these areas, it is susceptible to being hijacked. • By requiring at least three factors, a password (knowledge), a one-time code (possession) and an approved source IP address (location), unauthorized access can be made much harder, though a determined attacker may not be stopped entirely.
  134. Preventing BAS Hijacking • In the case of smart homes and IoT devices, one has to make sure that every connected device uses security that prevents unauthorized access. • The security of the controlling BAS box, in this case, extends to each and every physical device controlled through the network.
  135. Preventing BAS Hijacking • The concept of a smart home, of top-tier technology that aspires to increase convenience and comfort, thereby becomes one of the most powerful enablers of cyber-terrorism. • Here's hoping that the companies and individuals implementing BAS in buildings will work closely with IT departments and security researchers to protect our buildings' critical support systems.
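Slides 125 to 133 list what a remote BAS login needs: access restricted to the building's address behind a firewall or VPN, a strong password, a second factor, lockout on failed attempts and notification of every attempt. The gate below is an added example that puts those checks in one place; it is not code from the deck or from any BAS product. The policy numbers, the allow-listed network (203.0.113.0/24, a documentation range standing in for the building's VPN egress) and the credentials are constructed, and the possession factor is assumed to be an RFC 6238 TOTP code, which the deck does not name.

```python
"""Remote BAS login gate: source-IP allow-list, password, TOTP, lockout, attempt log.

Added example, not code from the deck or any BAS vendor. All names, network
ranges, policy numbers and credentials below are constructed."""
import hashlib
import hmac
import ipaddress
import struct
from typing import List, Tuple

MAX_FAILURES = 5        # lock after this many bad password/code attempts (assumed policy)
LOCKOUT_SECONDS = 900   # 15 minutes (assumed policy)


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow salted hash so a leaked credential store is not instantly usable."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 time-based one-time password (HMAC-SHA1): the 'possession' factor."""
    counter = struct.pack(">Q", at // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class BasRemoteLogin:
    """Gate in front of the BAS web/remote interface.

    Checks run in this order: network origin first (nothing else is evaluated
    for an unexpected source), then lockout state, then the password, then the
    one-time code. Every attempt is appended to self.events for notification."""

    def __init__(self, username: str, password: str, totp_secret: bytes, allowed_net: str):
        self.username = username
        self.salt = b"constructed-salt-value"          # per-user random salt in real deployments
        self.pw_hash = hash_password(password, self.salt)
        self.totp_secret = totp_secret
        self.allowed_net = ipaddress.ip_network(allowed_net)
        self.failures = 0
        self.locked_until = 0
        self.events: List[dict] = []

    def _record(self, src_ip: str, now: int, ok: bool, reason: str) -> Tuple[bool, str]:
        self.events.append({"ts": now, "src": src_ip, "ok": ok, "reason": reason})
        return ok, reason

    def _fail(self, src_ip: str, now: int, reason: str) -> Tuple[bool, str]:
        self.failures += 1
        if self.failures >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_SECONDS
            reason = "locked out after repeated failures"
        return self._record(src_ip, now, False, reason)

    def attempt(self, username: str, password: str, code: str, src_ip: str, now: int) -> Tuple[bool, str]:
        if ipaddress.ip_address(src_ip) not in self.allowed_net:
            return self._record(src_ip, now, False, "source address not on allow-list")
        if now < self.locked_until:
            return self._record(src_ip, now, False, "account locked")
        if self.failures >= MAX_FAILURES:
            self.failures = 0                          # lockout window has elapsed
        user_ok = hmac.compare_digest(username.encode(), self.username.encode())
        pw_ok = hmac.compare_digest(hash_password(password, self.salt), self.pw_hash)
        if not (user_ok and pw_ok):
            return self._fail(src_ip, now, "bad username or password")
        # accept the current 30 s step and one step either side to absorb clock skew
        expected = {totp(self.totp_secret, now + d) for d in (-30, 0, 30)}
        if not any(hmac.compare_digest(str(code), e) for e in expected):
            return self._fail(src_ip, now, "bad one-time code")
        self.failures = 0
        return self._record(src_ip, now, True, "ok")
```

The order matters: an unexpected source address is refused before any credential is looked at, so the password and code paths cannot serve as an oracle for internet-wide guessing, and the failure counter applies only to attempts that got past the network check. `events` is the notification feed slide 131 asks for; forward it to whoever is on call rather than leaving it in a log nobody reads, and remember that the VPN-only restriction in front of this gate is what keeps the BACnet and vendor-web-interface layers, which have no login of their own, off the internet entirely.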
  137. Cyber Risk Management for Smart Buildings • Dealing with cyber risks and threats demands a sophisticated and robust approach for smart buildings, which essentially consists of a systematic review and analysis of aspects such as the following: • ICS vulnerabilities • Cost of damage • Scope and magnitude of cyber crimes • Technology initiatives and mitigation methods • A cyber-security management strategy
  138. Cyber Risk Management for Smart Buildings
  139. Scope and Magnitude of Cyber Crimes in Smart Buildings • Cyber crime encompasses a broad range of activities; however, cyber security professionals tend to group criminal activity into categories based on capabilities and impact. • It can be categorized into the following 4 groups.
  140. Scope and Magnitude of Cyber Crimes in Smart Buildings • Terrorist organizations are considered low-to-moderate in impact and directed mostly at propaganda and recruitment; however, they could potentially launch high-impact attacks in the future.
  141. Terrorist organizations
  142. Scope and Magnitude of Cyber Crimes in Smart Buildings • Hacktivists (e.g., politically motivated groups such as Anonymous and LulzSec) depict a steep upward trend since 2011 and are prone to high and low fluctuations as technology changes and as the business, economic, and socio-political landscape changes over time.
  143. Hacktivists
  144. Scope and Magnitude of Cyber Crimes in Smart Buildings • Organized crime (e.g., profit-seeking criminals and criminal organizations) is considered a medium/high threat in terms of capabilities and impact and is primarily focused on data theft and not directed at destroying the host system, so as to maintain a lifeline to illicit revenues.
  145. Organized Crime
  146. Scope and Magnitude of Cyber Crimes in Smart Buildings • Espionage (e.g., corporate and government) is considered a high-skilled and high-impact growing threat involving computer and physical network attacks to obtain, destroy, and render critical information unavailable.
  147. Scope and Magnitude of Cyber Crimes in Smart Buildings • Among the 4 categories discussed above, the 2 considered most applicable to smart buildings, with the ability to inflict substantial damage, are espionage and organized crime. • However, the potential of hacktivism impacting a smart building cannot be ruled out. • Similarly, depending upon the nature and strategic importance of the building, terrorist-devised cyber threats could be a strong possibility as well.
  148. Cyber security Measures Adopted for Smart Buildings • Cyber security solutions currently being offered to the smart buildings industry combine IT and physical security options, in addition to technology deployment approaches that attempt anomaly detection and reduce vulnerabilities for IT and OT staff.
  149. Cyber security Measures Adopted for Smart Buildings
  150. Cyber security Measures Adopted for Smart Buildings • In reviewing such technology options, it is important to begin by looking at a building’s critical vulnerability areas, which deserve top consideration.
  151. Technology Initiatives Addressing Cyber-security in Smart Buildings
  152. Cyber Risk Mitigation • The smart buildings industry is currently adopting mitigation methods that are varied and somewhat specific and/or proprietary to every organization. • Upon closer inspection, however, several best practices and commonalities in techniques have emerged from these approaches, which range from simple best practices to more rounded strategies based on the life-cycle principles discussed below.
  153. Best Practices for Adoption • Industry experts agree that simple best practices can be applied for protection from cyber attacks. • These best practices include the following steps as examples: • Restricting BAS access to virtual private network (VPN) connections only • Using a Web server-based human machine interface (HMI), because it relies on IT technologies to secure access and restricts the ports that need to be opened on a firewall • Segregating the BAS network from the IT backbone using virtual local area network (VLAN) IT technologies to restrict internal attacks/breakdowns
  154. Restricting BAS access to virtual private network
  155. Using a Web server-based human machine interface
  156. Segregating the BAS network from the IT backbone using virtual local area network (VLAN) IT
  157. Best Practices for Adoption • Maintaining password etiquette • Keeping BAS software and firmware up to date and installing patches on a timely basis • Encrypting the data at rest to protect an organization further, and backing up to a separate system for access during a data breach • Conducting security audits to validate security measures, to help avoid complacency • Educating database users, owners, and operators on the need for, and methodology of, cyber security
  158. Maintaining password etiquette
  159. Keeping BAS software and firmware up to date
  160. Conducting security audits to validate security
  161. Cyber Security
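One way to audit a perimeter policy against the three network practices from slide 153 (VPN-only access, a single web-HMI port, and a BAS VLAN separated from the IT backbone), as an added example that is not from the presentation or any vendor product: the rule set is evaluated first-match against representative flows, and every flow whose outcome violates a practice becomes a finding. Address ranges, ports and both rule sets are constructed.

```python
"""Perimeter-policy audit for a BAS VLAN (added example; addresses constructed)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str               # CIDR of the sender
    dst: str               # CIDR of the receiver
    port: Optional[int]    # None matches any destination port
    action: str            # "allow" or "deny"


# Constructed address plan: BAS on its own VLAN, VPN clients in a separate pool,
# the IT backbone elsewhere. 198.51.100.7 stands in for an internet host (TEST-NET-2).
BAS_VLAN = "10.20.0.0/24"
VPN_POOL = "10.99.0.0/24"
IT_LAN = "10.10.0.0/16"
HMI_PORT = 443   # the web-server-based HMI is the only service that should need a firewall opening


def first_match(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation with an implicit final deny, as most firewalls do."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action
    return "deny"


# Representative flows with the outcome the best practices require. Port 22 stands for
# "any BAS port other than the HMI"; 445 for a BAS device reaching a backbone file share.
PROBES = [
    ("VPN client to web HMI",           "10.99.0.10",   "10.20.0.5",  HMI_PORT, "allow"),
    ("VPN client to non-HMI port",      "10.99.0.10",   "10.20.0.5",  22,       "deny"),
    ("IT backbone host to web HMI",     "10.10.4.50",   "10.20.0.5",  HMI_PORT, "deny"),
    ("internet host to web HMI",        "198.51.100.7", "10.20.0.5",  HMI_PORT, "deny"),
    ("BAS device to IT backbone share", "10.20.0.5",    "10.10.4.50", 445,      "deny"),
]


def audit(rules: List[Rule]) -> List[str]:
    """One finding per probe whose outcome violates the VPN-only / single-port / segregation practices."""
    findings = []
    for name, src, dst, port, expected in PROBES:
        got = first_match(rules, src, dst, port)
        if got != expected:
            findings.append(f"{name}: expected {expected}, policy gives {got}")
    return findings


# A typical "it just has to work" policy: flat access from the office LAN, any port over the VPN,
# HMI published to the internet, BAS devices free to initiate connections anywhere.
WEAK_POLICY = [
    Rule(IT_LAN, BAS_VLAN, None, "allow"),
    Rule(VPN_POOL, BAS_VLAN, None, "allow"),
    Rule("0.0.0.0/0", BAS_VLAN, HMI_PORT, "allow"),
    Rule(BAS_VLAN, "0.0.0.0/0", None, "allow"),
]

# The same network after applying the three practices from the slide.
HARDENED_POLICY = [
    Rule(VPN_POOL, BAS_VLAN, HMI_PORT, "allow"),   # VPN clients, and only to the web HMI
    Rule("0.0.0.0/0", BAS_VLAN, None, "deny"),      # nothing else reaches the BAS VLAN
    Rule(BAS_VLAN, IT_LAN, None, "deny"),           # BAS VLAN cannot reach the IT backbone
]

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit(policy) or ["no findings"])
```

Rule order matters under first-match semantics: the hardened set works because the single allow precedes the broad deny; swapping them would silently block the HMI, which the first probe would report.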
  162. Conclusion • Smart buildings are creating new standards in technology, comforts, efficiency, and operational gains for owners, users, operators, service providers, and the community at large. • The influence of IoT in smart buildings has drastically changed both services and value delivery models; however, IoT has exposed buildings to unprecedented vulnerabilities of cyber space.
  163. IoT has exposed buildings to unprecedented vulnerabilities of cyber space
  164. Conclusion • While still in the early stages, cyber security concerns have the potential to derail an otherwise fast-growing smart buildings industry and its associated markets, primarily because of the significant operational and financial losses that all stakeholders will have to sustain in the event of a cyber breach.
  165. Conclusion
  166. Conclusion • Evolving technology, advances in connectivity, and an M2M environment will continue to shape the trajectory of smart buildings, thus raising the need for protection against cyber threats. • According to David Fisk, “If intelligent buildings are the future, then so too are cyber threats to building services.” • The question is not how but when a cyber attack will strike smart buildings. • It would be in the interests of all stakeholders if an appropriate response strategy is put in place without delay, such that cyber threats do not exert a destabilizing impact on the smart buildings industry.
  167. If intelligent buildings are the future, then so too are cyber threats to building services
  168. Terminology • Building Automation • Building automation is the automatic centralized control of a building's heating, ventilation and air conditioning, lighting and other systems through a building management system or building automation system (BAS).
  169. Building Automation
  170. Terminology • Home Automation • Home automation or domotics is building automation for a home, called a smart home or smart house. A home automation system will control lighting, climate, entertainment systems, and appliances. It may also include home security such as access control and alarm systems.
  171. Home Automation
  172. Terminology • Internet of Things • The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
  173. Internet of Things
  174. Terminology • 5G • 5G is the fifth generation of cellular technology. It is designed to increase speed, reduce latency, and improve flexibility of wireless services. 5G technology has a theoretical peak speed of 20 Gbps, while the peak speed of 4G is only 1 Gbps. • 5G also promises lower latency, which can improve the performance of business applications as well as other digital experiences (such as online gaming, videoconferencing, and self-driving cars).
  175. 5G
  176. Terminology • Siegeware • Siegeware is what you get when cybercriminals mix the concept of ransomware with building automation systems: abuse of equipment control software to threaten access to physical facilities.
  177. Siegeware
  178. Terminology • Darknet • Dark Net (or Darknet) is the part of the Internet purposefully not open to public view, or hidden networks whose architecture is superimposed on that of the Internet. • "Darknet" is often associated with the encrypted part of the Internet called the Tor network, where illicit trading takes place, such as the former infamous online drug bazaar called Silk Road. It is also considered part of the deep web.
  179. Darknet
  180. Terminology • Electronic Harassment • Electronic harassment, electromagnetic torture, or psychotronic torture is a conspiracy theory that government agents make use of electromagnetic radiation, radar, and surveillance techniques to transmit sounds and thoughts into people's heads, affect people's bodies, and harass people. • Individuals who claim to experience this call themselves "targeted individuals" ("TIs").
  181. Electronic Harassment
  182. Terminology • Black Hat Hackers • Black hat hackers are the stereotypical illegal hacking groups often portrayed in popular culture, and are "the epitome of all that the public fears in a computer criminal". • Black hat hackers break into secure networks to destroy, modify, or steal data, or to make the networks unusable for authorized network users.
  183. Black Hat Hackers
  184. Books • The Internet of Risky Things: Trusting the Devices That Surround Us - by Sean W. Smith
  185. The Smart Enough City: Putting Technology in Its Place to Reclaim Our Urban Future - by Ben Green
  186. Ted Talks • Avi Rubin: All your devices can be hacked • https://www.ted.com/talks/avi_rubin_all_your_devices_can_be_hacked?utm_campaign=tedspread&utm_medium=referral&utm_source=tedcomshare
  187. 'Future Crimes,' by Marc Goodman • https://www.ted.com/talks/marc_goodman_a_vision_of_crimes_in_the_future?utm_campaign=tedspread&utm_medium=referral&utm_source=tedcomshare
  188. References • Building Automation & Control Systems: An Investigation into Vulnerabilities, Current Practice & Security Management Best Practice • https://www.securityindustry.org/wp-content/uploads/2018/08/BACS-Report_Final-Intelligent-Building-Management-Systems.pdf • Cybersecurity in Smart Buildings: Inaction Is Not an Option Anymore • https://www.switchautomation.com/wp-content/uploads/2015/12/Cybersecurity-in-Smart-Buildings_-Discussion-Paper.pdf • How Common Are Attacks Through The BAS? • https://www.facilitiesnet.com/buildingautomation/article/How-Common-Are-Attacks-Through-The-BAS---16713 • Siegeware: When criminals take over your smart building • https://www.welivesecurity.com/2019/02/20/siegeware-when-criminals-take-over-your-smart-building/ • What is a smart building? • https://www.rcrwireless.com/20160725/business/smart-building-tag31-tag99 • What is a Building Automation System (BAS)? • https://www.opensourcedworkplace.com/glossary/what-is-a-building-automation-system-bas- • Why cybercriminals are eyeing smart buildings • https://www.welivesecurity.com/2019/06/12/cybercriminals-eyeing-smart-buildings/
  189. Thanks…

Beschreibung

Cyber Security in Smart Buildings

Transkript

  1. 1. Cyber-Security In Smart Buildings Siegeware: When Criminals Take Over Your Smart Building
  2. 2. Smart Building • A smart building is any structure that uses automated processes to automatically control the building’s operations including heating, ventilation, air conditioning, lighting, security and other systems.
  3. 3. Smart Building
  4. 4. Smart Building • A smart building uses sensors, actuators and microchips, in order to collect data and manage it according to a business’ functions and services. • This infrastructure helps owners, operators and facility managers improve asset reliability and performance, which reduces energy use, optimizes how space is used and minimizes the environmental impact of buildings.
  5. 5. Smart Building
  6. 6. Smart Building • At the most fundamental level, smart buildings make occupants more productive with lighting, thermal comfort, air quality, physical security, sanitation and more at lower costs and environmental impact than buildings that are not connected.
  7. 7. Smart Building
  8. 8. Smart Building • Smart office buildings, health care facilities, hospitals, educational facilities, stadiums and many other types of smart buildings exist around the world. • Navigant Research estimates that the smart building technology market will generate global revenue of $8.5 billion in 2020, up from $4.7 billion in 2016, growing at a compound annual growth rate of 15.9% over the forecast period.
  9. 9. Smart Building
  10. 10. The Creation of a Smart Building • Making a smart building, or making a building smart, begins by linking core systems such as lighting, power meters, water meters, pumps, heating, fire alarms and chiller plants with sensors and control systems. • At a more advanced stage, even elevators, access systems and shading can become part of the system.
  11. 11. The Creation of a Smart Building
  12. 12. The Creation of a Smart Building • There is no single set of standards that makes up what a smart building is, but what they all have in common is integration. • Many new building have “smart” technology, and are connected and responsive to a smart power grid. • You don’t even need to move offices or create a new building to work in a smart building. • Building automation systems like those from Honeywell or Johnson Controls exist so property owners can take advantage of the power available in older structures.
  13. 13. The Creation of a Smart Building
  14. 14. The Creation of a Smart Building
  15. 15. The benefits • Creating or transforming a building into a smart building is beneficial for both the owner and the organizations working within. • These benefits range from energy savings to productivity gains to sustainability. • Smart building strategies can reduce energy costs, increase the productivity of the facility staff, improve building operations, support sustainability efforts and enhance decision- making across the organization.
  16. 16. The benefits
  17. 17. The Benefits • One example of energy efficiency is the use of optimal start/stop, which allows the building automation system to learn when it should bring the air conditioning system online for a particular zone in the building. • Another feature is electrical loads that are grouped into categories from critical to high priority to non-essential.
  18. 18. The Benefits
  19. 19. The Benefits • “When the building load is rising and approaching the high limit setting, the nonessential loads are turned off in their subgroup order, followed by the high- priority loads”
  20. 20. The Benefits
  21. 21. Cyber-Security Vulnerabilities in Smart Buildings • Today’s smart buildings are increasingly enabled by Internet of Things (IoT) and made functional by the ongoing convergence of Operational Technology (OT) systems and Information Technology (IT) systems in buildings. • A host of new elements such as the cloud, remote access, data sharing and analytics, and connected and shared networks has fundamentally changed how built environments are being used and operated.
  22. 22. Internet of Things (IoT)
  23. 23. Internet of Things (IoT)
  24. 24. Cyber-Security Vulnerabilities in Smart Buildings • However, buildings are exposed to a new threat that has been downplayed and undervalued for a long time. • After witnessing a recent slew of security breaches, stake holders of the smart buildings industry are recognizing the potential damaging impact cyber threats pose for the industry and its related businesses.
  25. 25. Cyber-Security Vulnerabilities in Smart Buildings
  26. 26. Defining Smart Buildings And Cyber-Security • Smart Building can be defined as one that uses both technology and processes to create an environment that is safe, healthy, and comfortable and enables productivity and well-being for its occupants.
  27. 27. Defining Smart Buildings And Cyber-Security
  28. 28. Defining Smart Buildings And Cyber- Security • A smart building is characterized by active IT-aided intelligence, smart sensors and controls for seamless operation, real-time dissemination of operational information for predictive analytics, and diagnostics to facilitate better management, maintenance, and optimization over time.
  29. 29. Defining Smart Buildings And Cyber-Security • Cyber security in the context of a smart building is defined as the quantum of technologies, processes, and practices designed to protect from unauthorized access all building systems and networks, including front-end physical and IT systems within the building, accessories and field-level devices, data and application platforms, and data aggregation systems such as all localized and remote systems that help in operating and maintaining a smart building.
  30. 30. Cyber Risks in Smart Buildings • Technology Progression • The building automation system (BAS) or a building operating system (BOS) has moved considerably from the physical realm to one with IT enabling all aspects of its functioning. Furthermore, there is now a new generation of connected and intelligent buildings powered by IoT.
  31. 31. The Integrated Building Network • The integrated network of a smart building is where the true benefits of a smart and converged infrastructure are realized by building owners and operators; however, this is also the point where extreme exposure to security vulnerabilities are manifest.
  32. 32. Security Vulnerabilities of a Smart Building’s Integrated Network
  33. 33. Security Vulnerabilities of a Smart Building’s Integrated Network • The integration portion of a smart building’s software is subject to extreme vulnerabilities, in which the BAS is connected to virtually any other aspect of the building, and from which a skilled hacker could access nearly any system in a corporate network.
  34. 34. Security Vulnerabilities of a Smart Building’s Integrated Network
  35. 35. IoT and Cyber Risks • Activities centering on IoT are delivering increasingly unique advantages and novel challenges. • The advantages include real-time access, vast data generation and analytics, and interconnectivity of systems and devices. • These advantages by themselves, however, offer little value unless the crucial decision to share the data and networks is simultaneously taken, thus permitting access to multiple service providers to tap into a smart building’s various systems and devices.
  36. 36. IoT and Cyber Risks
  37. 37. IoT and Cyber Risks • This access implies potential security breaches that could render a smart building, its occupants, and service providers powerless over an adversary’s damaging actions to corrupt networks, misuse critical information, and cause significant operational and financial loss.
  38. 38. IoT-influenced Cyber Risk Areas in a Smart Building
  39. 39. Impact of Cyber Threats to BAS/BOS Infrastructure
  40. 40. Why cyber criminals are targeting smart buildings ? • In countries like the United States, the growth of smart buildings is estimated to reach 16.6% by 2020 compared to 2014, although this expansion is not limited to the US but rather is taking place on a global scale. • This growth is largely due to the fact we live in a world increasingly permeated by technology, in which process automation and the search for energy efficiency contribute not only to sustainability, but also to cost reduction
  41. 41. Why cyber criminals are targeting smart buildings ? • Smart buildings use technology to control a wide range of variables within their respective environments with the aim of providing more comfort and contributing to the health and productivity of the people inside them. • To do so, they use so-called Building Automation Systems (BAS).
  42. 42. Building Automation Systems (BAS)
  43. 43. Why cyber criminals are targeting smart buildings ? • With the arrival of the Internet of Things (IoT), smart buildings have redefined themselves. • With the information they obtain from smart sensors, their technological equipment is used to analyse, predict, diagnose and maintain the various environments within them, as well as to automate processes and monitor numerous operational variables in real time. • Ambient temperature, lighting, security cameras, elevators, parking and water management are just some of the automatable services currently supported by the technology.
  44. 44. Building Automation Systems (BAS)
  45. 45. Why cyber criminals are targeting smart buildings ?
  46. 46. Why cyber criminals are targeting smart buildings ? • To put the possibilities of this smart infrastructure into perspective, is the example of a smart building in Las Vegas where, two years ago, they decided to install a sophisticated automation system to control the use of the air conditioning (keeping in mind Las Vegas has a hot desert climate and very little rain), so it is turned on only when there are people present. • This decision led to a saving of US$2m during the first year after the smart system was installed, due to the reduction in energy consumption achieved by automating the process. • Marriott Hotels implemented a similar system across the entire chain that is expected to generate an estimated US$9.9 m in energy savings.
  47. 47. Marriott Hotels implemented a BAS system across the entire chain that is expected to generate an estimated US$9.9 m in energy savings
  48. 48. Possibility of a smart building being attacked • The risk of a security incident taking place in an intelligent building is linked to the motivations of cyber criminals, who mainly seek to achieve economic gain through their actions, as well as to impact and spread fear. • There are already some tools such as Shodan that allow anybody to discover vulnerable and/or unsecured IoT devices connected publicly to the internet. • If you run a search using the tool, you can find thousands of building automation systems in its lists, complete with information that could be used by an attacker to compromise a device.
  49. 49. Tools Such As Shodan That Allow Anybody To Discover Vulnerable And/Or Unsecured Iot Devices Connected Publicly To The Internet
  50. 50. Possibility of a smart building being attacked • Smart homes and buildings are a new battlefield for hackers and security experts • Most people wouldn’t consider their heating, ventilation, and air conditioning (HVAC) system as a prized target for cyber criminals. After all, a successful hacking attempt could go as far as making us uncomfortable for a few minutes until we fix the problem.
  51. 51. Smart homes and buildings are a new battlefield for hackers and security experts
  52. 52. Possibility of a smart building being attacked • This wishful thinking, however, is what hackers are counting on. As we deploy a growing number of connected devices such as smart HVACs, intelligent cameras, and smart doorbells in our homes and offices, the complexity of the Internet of Things (IoT) ecosystem increases.
  53. 53. Possibility of a smart building being attacked
  54. 54. Possibility of a smart building being attacked • Gartner, a research and advisory company, predicts that 25 billion connected devices will be in use by 2021. • And many of these IoT devices will interact with each other through house automation servers like FHEM (Freundliche Hausautomatisierung und Energie- Messung) and Home Assistant, making our lives more comfortable, but less secure.
  55. 55. Possibility of a smart building being attacked
  56. 56. Possibility of a smart building being attacked
  57. 57. Possibility of a smart building being attacked • Sure, having tech that automatically turns on the air conditioner and lights as people enter the room is convenient, but building automation systems (BAS) that integrate connected ‘things’ are often inadequately secured and configured.
  58. 58. Possibility of a smart building being attacked
  59. 59. Possibility of a smart building being attacked • Hackers easily breach them by, for instance, finding a weak spot in an unprotected web login page of a fire detection system. • Once inside, hackers move to take over other parts of the BAS as well and can shut down the alarm or heating systems and demand ransom payment. • This threat, also known as ‘siegeware’, is growing in severity, and many companies and individuals have already fallen victim to these attacks.
  60. 60. Hackers easily breach a weak spot in an unprotected web login page of a fire detection system
  61. 61. Siegeware
  62. 62. Scope of The ‘Siegeware’ Threat • According to ForeScout, a cyber-security firm, the number of vulnerabilities in automation systems is constantly increasing. • Hospitals and schools are particularly unprotected from cyber-attacks, and they operate as much as 8,000 highly vulnerable devices. And taking full control of these devices can have major consequences.
  63. 63. The ‘Siegeware’ Threat
  64. 64. Scope of The ‘Siegeware’ Threat • ForeScout explains that control over smart devices can eventually provide hackers with access to private financial files and information stored in data centres. • Also, they can listen to conversations, review camera streams, delete files, reprogram automation rules, distribute malware, and provide unauthorised individuals with physical access to the building.
  65. 65. Scope of The ‘Siegeware’ Threat
  66. 66. Scope of The ‘Siegeware’ Threat • And although many of the vulnerabilities that hackers exploit are well known, only about half of them in industrial and IoT systems have been patched. • What’s worse, even hackers with limited resources can develop effective malware and hack smart buildings.
  67. 67. Creating powerful malware isn’t as expensive as it may seem • For instance, it took ForeScout only $12,000 to develop proof-of-concept malware to show how easy it is to hack a smart building. • In that process, the security experts first spent some time analysing various automation systems and looking for weak spots.
  68. 68. Scope of The ‘Siegeware’ Threat
  69. 69. A hacker hijacked Nest devices in a family home • Arjun and Jessica Sud from Lake Barrington, a village in the US state of Illinois, certainly agree with ForeScout, as they were victims of a malicious cyber criminal. • He hacked their Nest cameras, speakers, and thermostat, and, at first, talked to their 7- month-old baby. • As Arjun grabbed the kid and went downstairs, he noted that the temperature, which was usually set to around 22°C, was turned up to 32°C.
  70. 70. Nest camera hacked: Hacker spoke to baby, hurled obscenities
  71. 71. Family Was Watched Through Nest Security Cameras • https://youtu.be/qrgn8zHpGfs • https://sagaciousnewsnetwork.com/family-was- watched-through-nest-security-cameras
  72. 72. A hacker hijacked Nest devices in a family home • A deep male voice then yelled at him through the speaker in a security camera, using racial insults and cursing. • And as soon as the voice stopped screaming, Arjun and Jessica unplugged 17 Nest devices worth $4,000 and returned them to Google’s company.
  73. 73. A hacker hijacked Nest devices in a family home
  74. 74. Exfiltrating data through a fish tank and modem routers • But despite all the security measures in place, creative hackers are sometimes able to overcome any obstacle. • In Las Vegas, for instance, they hacked a casino through a high-tech fish tank that was connected to the internet. • The malware extracted ten gigabytes of data and transferred it to a remote server in Finland.
  75. 75. Ex-filtrating data through a fish tank and modem routers
  76. 76. Exfiltrating data through a fish tank and modem routers • The full scope of the breach was spotted only after the staff called in experts from Darktrace, a cyber-defence company, to analyse suspicious activity. • Darktrace says that “this was a clear case of data exfiltration but far more subtle than typical attempts at data theft.” • This, however, isn’t the only way hackers exploit the vulnerabilities of connected ecosystems.
  77. 77. Darktrace, A Cyber-defence Company
  78. 78. Exfiltrating data through a fish tank and modem routers • In one such example, cyber criminals hijacked DLink DSL modem routers and redirected all users that wanted to visit the website of Banco de Brasil to a fake website. • The attack was highly sophisticated in the sense that the hijacking succeeded without editing URLs in the victim’s browser. Also, the malicious code works on both Apple and Android phones and tablets. • The victims then enter their username and password, believing they’re accessing online banking accounts, while in reality, they’re delivering sensitive data to hackers.
  79. 79. Cyber Criminals Hijacked Dlink DSL Modem Routers
  80. 80. Cyber Criminals Hijacked Dlink DSL Modem Routers And Redirected All Users That Wanted To Visit The Website Of Banco De Brasil To A Fake Website.
  81. 81. Google Hacked By Its Own Employee • Even big tech companies aren’t immune to security flaws in IoT devices. • Google’s engineer David Tomaschik, for example, found a way to control smart locks used in the company’s Sunnyvale offices by replicating the encryption key and forging commands in the office controller software made by the tech firm Software House. • Even without the required RFID keycard, Tomaschik managed to open or lock the door and prevent people from entering the facility. And he could do all of this without leaving any digital traces behind.
  82. 82. Google Hacked By Its Own Employee
  83. 83. Hospital data breach left 1.5 million patients exposed • Meanwhile, cyber criminals stole the personal data of 1.5 million patients in Singapore, including their names, gender, identity card numbers, and addresses. • They stole even the prescription data of Prime Minister Lee Hsien Loong.
  84. 84. Hospital data breach left 1.5 million patients exposed
  85. 85. Hospital data breach left 1.5 million patients exposed • The attack took place between 27 June and 4 July 2018, as the hackers breached the network of Sing Health, Singapore’s largest group of healthcare institutions. • Luckily, records such as diagnoses or test results weren’t tampered with, but the authorities paused many of the country’s Smart Nation initiatives because of the attack.
  86. 86. Hackers stole personal, medication data
  87. 87. Hospital data breach left 1.5 million patients exposed • And many people fear that hackers could misuse their identities, as ID numbers are crucial for accessing various government services in Singapore. • Leonard Kleinman, the senior director of IT Security for the Australian Tax Office and cyber security advisor to the security company RSA, says that “such data can fetch a high price”. In 2017, a stolen or lost healthcare record was worth as much as $408 on the Dark Web.
  88. 88. Hospital data breach left 1.5 million patients exposed
  89. 89. Siegeware and BAS attacks, an emerging threat • As technological solutions to cybercrime become increasingly advanced, able to preempt attacks and weed out vulnerabilities before they’re widely known, attackers also become more adept at cloaking their presence and concealing their intent.
  90. 90. Siegeware and BAS attacks, an emerging threat
  91. 91. Siegeware and BAS attacks, an emerging threat • The targets of attacks also change with the times. • Hacking websites and bank accounts is old- hat, some of the most threatening dangers to the most modernized companies and even citizens are those that target technology that doesn’t yet have the robust security systems, or even standards, in place.
  92. 92. Siegeware and BAS attacks, an emerging threat
  93. 93. Siegeware and BAS attacks, an emerging threat • It’s sad, but well known that the average consumer doesn’t spend a lot of time worrying about whether the firmware on their IoT devices is up-to-date, leaving millions of devices around the world critically vulnerable to attack.
94. 94. Siegeware and BAS attacks, an emerging threat • However, you would be forgiven for assuming that companies implementing centralized control of a building’s life support functions such as HVAC, fire security, doors and windows, etc., along with more convenience-focused building automation systems, would prioritize cyber security. • This is not always the case, and can lead to a potentially disastrous situation for the homes and organizations that implement Building Automation Systems (BAS) and the companies that manufacture, install, and maintain them.
  95. 95. Siegeware and BAS attacks, an emerging threat
96. 96. Siegeware and BAS attacks • When attackers combine ransomware with BAS vulnerabilities, we get Siegeware. • The attacker takes control of a building and shuts down critical operations such as heating, cooling, alarm systems, and even physical access, and will only rescind control once a ransom has been paid.
97. 97. When attackers combine ransomware with BAS vulnerabilities, we get Siegeware
  98. 98. Siegeware and BAS attacks • Gaining access to the BAS means the attacker becomes the digital overlord of the building. By controlling the automated system that governs the functionality of the building, they control the building itself. • They can turn off ventilation, heating, fire suppression systems, and potentially extend influence to other digital functionality of the building.
  99. 99. Siegeware and BAS attacks
100. 100. The hacker can access seven systems remotely once he hijacks the BAS: • Lighting control systems • Fire detection and alarm systems • Automated fire suppression systems • Integrated security and access control systems • Heating, ventilation, and air conditioning • Power management and assurance systems • Command and control systems • The consequences of losing control of these systems may range from discomfort to potentially life-threatening situations.
  101. 101. The hacker can access seven systems remotely once he hijacks the BAS
  102. 102. An Emerging Threat • Siegeware is quickly becoming one of the most dangerous and effective methods of cyber-attack. • Many companies have already fallen victim to these attacks, and those that haven’t given in to the ransom demands have faced highly disrupted operations as a result.
  103. 103. Siegeware is quickly becoming one of the most dangerous and effective methods of cyber-attack
  104. 104. An Emerging Threat • BAS allows a single command center to control and automate all connected systems in a building so that a high level of comfort can be achieved efficiently. • But vulnerabilities exist in any connected system, and when the network is compromised the prospect of physical danger becomes very real.
  105. 105. An Emerging Threat
  106. 106. An Emerging Threat • With increasing numbers of organizations adopting BAS infrastructures, the number of potential targets rises, along with the time spent by attackers searching for as-yet unknown vulnerabilities. • To make things worse, many of these buildings are connected to the internet where anyone with the correct username and password can access it. • As of February 2019, there were 35,000 BAS systems connected to the public internet globally, and it’s highly likely that many of these are using default usernames and passwords.
  107. 107. An Emerging Threat
108. 108. An Emerging Threat • Even if the majority of organizations implement adequate security, those that do not will face severe consequences. • Countless schools, hospitals, universities, and banks have all fallen prey to ransomware attacks in the past few years, and this is likely to mutate into large-scale siegeware attacks in coming months against the many BAS-equipped buildings that do not have effectively secured networks.
  109. 109. An Emerging Threat
  110. 110. Siegeware: When Criminals Take Over Your Smart Building • Siegeware is what you get when cybercriminals mix the concept of ransomware with building automation systems: abuse of equipment control software to threaten access to physical facilities.
  111. 111. Siegeware: When Criminals Take Over Your Smart Building • Imagine you are the person in charge of operations for a property company that manages a dozen buildings in a number of cities. What would you do if you got the following text on your phone? • “We have hacked all the control systems in your building at 400 Main Street and will close it down for three days if you not pay $50,000 in Bitcoin within 24 hours.”
  112. 112. Siegeware: When Criminals Take Over Your Smart Building
  113. 113. Siegeware: When Criminals Take Over Your Smart Building • In this scenario, the building at that address is one of several upscale medical clinics in your company’s portfolio. • The buildings all use something called a BAS or Building Automation System to remotely manage Heating, Air Conditioning, and Ventilation (HVAC), as well as fire alarms and controls, lighting, and security systems, and so on. • As many as eight different systems may be remotely accessible.
  114. 114. Siegeware: When Criminals Take Over Your Smart Building
  115. 115. BAS or Building Automation System
  116. 116. Siegeware: When Criminals Take Over Your Smart Building • In this scenario, if someone has in fact gained control of the BAS, then it is entirely possible that the sender of the threatening message could make good on their threat.
  117. 117. Siegeware: When Criminals Take Over Your Smart Building
118. 118. Siegeware: When Criminals Take Over Your Smart Building • Clearly, holding a building for ransom by leveraging its reliance upon software is now on the criminal agenda, part of the expanding arsenal of techniques for profiting from the abuse of technology.
  119. 119. Siegeware: When Criminals Take Over Your Smart Building
  120. 120. Siegeware: When Criminals Take Over Your Smart Building • From Neolithic hilltop settlements to medieval castles and walled cities, human structures have always been a target for nefarious activity, often besieged by aggressors because access to them is essential to their functionality, be that living, working, meeting, trading, storage, or medical care.
121. 121. Siegeware: When Criminals Take Over Your Smart Building • Numerous practical and financial benefits can accrue from enabling remote access to a BAS, but when you combine criminal intent with poorly protected remote access to software that runs a building automation system, siegeware is a very real possibility. • To put it another way, siegeware is the code-enabled ability to make a credible extortion demand based on digitally impaired building functionality.
  122. 122. Siegeware: When Criminals Take Over Your Smart Building
  123. 123. Siegeware: When Criminals Take Over Your Smart Building • How widespread will the siegeware problem become in 2019? • That will depend on several factors: how aggressively cases are investigated by law enforcement; how many victims refuse to pay; and how many targets of opportunity the bad actors can find.
  124. 124. Siegeware: When Criminals Take Over Your Smart Building
  125. 125. Siegeware: When Criminals Take Over Your Smart Building • So, if you are at all concerned about the possibility of a siegeware attack, ask around to see if there is any remote access for the BAS in “your” building. • Then try to find out how well protected it is. Has access been placed behind a firewall? • Does access require a VPN connection? • Is access protected with multi-factor authentication or just a password? • If the latter, then immediately call a meeting to get that fixed.
  126. 126. Siegeware: When Criminals Take Over Your Smart Building
  127. 127. Siegeware: When Criminals Take Over Your Smart Building • Frankly, anything less than hiding the BAS login behind a VPN with 2FA means a building is at risk from criminals wielding siegeware. • With 2FA now being so widely available and easy to use, failure to take advantage of it to protect a BAS is likely to fail a reasonable test, should building tenants sue in the wake of a siegeware attack.
  128. 128. Siegeware: When Criminals Take Over Your Smart Building
129. 129. Preventing BAS hijacking • Any smart home or other BAS-controlled building is a potential target for siegeware attacks. • If you live in a smart home, or are the building manager or security officer at an organization that utilizes BAS to control functions of the building, then it’s critical to ensure that the security systems are up to the task of controlling access to the BAS.
  130. 130. Preventing BAS hijacking • Many contractors will simply set up the automated control system on a web-based login interface. • It makes it easier for them to make any changes later on or solve any issues that might appear. • However, such remote access is vulnerable to unauthorized access.
131. 131. Preventing BAS hijacking • If there is remote access to your BAS, it needs to be considered a critical IT system; see to it that you have the following, at the very minimum: • Up-to-date firmware • Firewall • Encrypted connection • Preferably VPN-only access from the building’s IP • Strong passwords • Multi-factor authentication • Lockout on failed password attempts • Notification of login attempts
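The two checklist items “Lockout on failed password attempts” and “Notification of login attempts” carried into working code, as an added example that is not part of the presentation or of any BAS product. The bas-web log line format, the 203.0.113.0/24 “building” address range and the sample log are constructed assumptions.

```python
"""Added example (not code from the presentation or any BAS vendor): a monitor
that applies "lockout on failed password attempts" and "notification of login
attempts" to the authentication log of a web-based BAS login page.  Assumed,
constructed log format:  <ISO time> bas-web auth result=OK|FAIL user=<u> src=<ip>
and 203.0.113.0/24 standing in for the building's own (VPN-side) address range."""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(?P<ts>\S+) bas-web auth result=(?P<result>OK|FAIL) "
                    r"user=(?P<user>\S+) src=(?P<src>\S+)$")
TRUSTED_NET = ipaddress.ip_network("203.0.113.0/24")  # constructed building range
MAX_FAILURES = 3                      # lock the account after this many failures
FAIL_WINDOW = timedelta(minutes=10)   # ... counted inside this sliding window
LOCKOUT = timedelta(minutes=30)       # how long the account stays locked


class LoginMonitor:
    # Lockout is keyed on the account, not the source: an attacker can rotate
    # addresses but not the account being guessed.  The cost is that a noisy
    # attacker can lock a legitimate user out, which is why every lockout is
    # notified to staff rather than applied silently.
    def __init__(self):
        self.failures = defaultdict(list)  # user -> timestamps of recent failures
        self.locked_until = {}             # user -> datetime the lock expires
        self.notifications = []            # (level, message) pairs for staff

    def process(self, line):
        """Return 'ok', 'fail', 'lockout', 'locked', or None for unrelated lines."""
        m = LOG_RE.match(line.strip())
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        user, src = m["user"], ipaddress.ip_address(m["src"])
        # While locked, even a correct password is refused: a guess that lands
        # during the lockout must not turn into a session.
        if ts < self.locked_until.get(user, datetime.min):
            self.notifications.append(("alert", f"{ts} attempt on locked account {user} from {src}"))
            return "locked"
        if m["result"] == "OK":
            self.failures.pop(user, None)
            level = "info" if src in TRUSTED_NET else "warn"  # every login is notified
            self.notifications.append((level, f"{ts} login {user} from {src}"))
            return "ok"
        recent = [t for t in self.failures[user] if ts - t <= FAIL_WINDOW] + [ts]
        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = ts + LOCKOUT
            self.failures.pop(user, None)
            self.notifications.append(("alert", f"{ts} {user} locked until {ts + LOCKOUT}"))
            return "lockout"
        self.failures[user] = recent
        return "fail"


def run(log_text):
    """Feed a whole log to a fresh monitor; return (verdicts, notifications)."""
    mon = LoginMonitor()
    verdicts = [v for v in map(mon.process, log_text.splitlines()) if v is not None]
    return verdicts, mon.notifications

# Constructed sample: two failures, a third that triggers the lockout, a correct
# password during the lockout (still refused), then two ordinary logins.
SAMPLE_LOG = """\
2019-02-20T08:15:02Z bas-web auth result=OK user=facilities src=203.0.113.7
2019-02-20T09:01:10Z bas-web auth result=FAIL user=admin src=198.51.100.23
2019-02-20T09:01:12Z bas-web auth result=FAIL user=admin src=198.51.100.23
2019-02-20T09:01:15Z bas-web auth result=FAIL user=admin src=198.51.100.23
2019-02-20T09:01:25Z bas-web auth result=OK user=admin src=198.51.100.23
2019-02-20T10:30:00Z bas-web auth result=OK user=admin src=203.0.113.9
2019-02-20T11:00:00Z bas-web auth result=OK user=contractor src=198.51.100.50
"""

if __name__ == "__main__":
    print(run(SAMPLE_LOG))
```

The “warn” level on the last line is the notification the checklist asks for: a successful login from outside the building’s range is exactly the event a facility manager should hear about even when nothing failed.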
  132. 132. Preventing BAS hijacking
  133. 133. Preventing BAS Hijacking • If remote access to a BAS is vulnerable in even one of these areas, it’s susceptible to being hijacked. • By implementing at least three authentication types - password, possession, IP - unauthorized access can be discouraged, but not necessarily stopped entirely for a determined attacker.
  134. 134. Preventing BAS Hijacking • In the case of smart-homes and IoT devices, one has to make sure that all connected devices utilize security that prevents any unauthorized access. • The security of the controlling BAS box, in this case, extends to each and every physical device controlled through the network.
  135. 135. Preventing BAS Hijacking • The concept of a smart home, of top-tier technology that aspires to increase convenience and comfort, becomes one of the most powerful enablers of cyber-terrorism. • Here’s hoping that those companies and individuals implementing BAS into buildings will be working closely with IT departments and security researchers to protect our buildings’ critical support systems.
  136. 136. Preventing BAS Hijacking
  137. 137. Cyber Risk Management for Smart Buildings • Dealing with cyber risks and threats demands a sophisticated and robust approach for smart buildings, which essentially consists of a systematic review and analysis of aspects such as the following: • ICS vulnerabilities • Cost of damage • Scope and magnitude of cyber crimes • Technology initiatives and mitigation methods • A cyber-security management strategy
  138. 138. Cyber Risk Management for Smart Buildings
139. 139. Scope and Magnitude of Cyber Crimes in Smart Buildings • Cyber crime encompasses a broad range of activities; however, cyber security professionals tend to group criminal activity into categories based on capabilities and impact. • It can be categorized into the following 4 groups:
140. 140. Scope and Magnitude of Cyber Crimes in Smart Buildings • Terrorist organizations are considered low-to-moderate in impact and directed mostly at propaganda and recruitment; however, they could potentially launch high-impact attacks in the future.
  141. 141. Terrorist organizations
142. 142. Scope and Magnitude of Cyber Crimes in Smart Buildings • Hacktivists (e.g., politically motivated groups such as Anonymous and LulzSec) depict a steep upward trend since 2011 and are prone to high and low fluctuations as technology changes and as the business, economic, and socio-political landscape changes over time.
  143. 143. Hacktivists
  144. 144. Scope and Magnitude of Cyber Crimes in Smart Buildings • Organized crime (e.g., profit-seeking criminals and criminal organizations) is considered a medium/high threat in terms of capabilities and impact and is primarily focused on data theft and not directed at destroying the host system so as to maintain a lifeline to illicit revenues.
  145. 145. Organized Crime
  146. 146. Scope and Magnitude of Cyber Crimes in Smart Buildings • Espionage (e.g., corporate and government) is considered a high-skilled and high-impact growing threat involving computer and physical network attacks to obtain, destroy, and render critical information unavailable.
147. 147. Scope and Magnitude of Cyber Crimes in Smart Buildings • Among the 4 categories discussed above, the 2 considered most applicable to smart buildings, with the ability to inflict substantial damage, are espionage and organized crime. • However, the potential of hacktivism impacting a smart building cannot be ruled out. • Similarly, depending upon the nature and strategic importance of the building, terrorist-devised cyber threats could be a strong possibility as well.
148. 148. Cyber security Measures Adopted for Smart Buildings • Cyber security solutions currently being offered to the smart buildings industry combine IT and physical security options, in addition to technology deployment approaches that attempt anomaly detection and reduce vulnerabilities for IT and OT staff.
  149. 149. Cyber security Measures Adopted for Smart Buildings
  150. 150. Cyber security Measures Adopted for Smart Buildings • In reviewing such technology options, it is important to begin by looking at a building’s critical vulnerability areas that gain top consideration.
  151. 151. Technology Initiatives Addressing Cyber-security in Smart Buildings
  152. 152. Cyber Risk Mitigation • The smart buildings industry is currently adopting mitigation methods that are varied and somewhat specific and/or proprietary to every organization. • Upon closer inspection, however, several best practices and commonalities in techniques have emerged from these approaches, which range from simple best practices to more rounded strategies based on life-cycle principles discussed below.
153. 153. Best Practices for Adoption • Industry experts agree that simple best practices can be applied for protection from cyber attacks. • These best practices include the following steps as examples: • Restricting BAS access to virtual private network (VPN) connections only • Using a Web server-based human machine interface (HMI) because it relies on IT technologies to secure access and restricts the ports that need to be opened on a firewall • Segregating the BAS network from the IT backbone using virtual local area network (VLAN) IT technologies to restrict internal attacks/breakdowns
  154. 154. Restricting BAS access to virtual private network
  155. 155. Using a Web server-based human machine interface
156. 156. Segregating the BAS network from the IT backbone using virtual local area network (VLAN) IT
157. 157. Best Practices for Adoption • Maintaining password etiquette • Keeping BAS software and firmware up to date and installing patches on a timely basis • Encrypting the data at rest to protect an organization further, and backing up to a separate system for access during a data breach • Conducting security audits to validate security measures, to help avoid complacency • Educating database users, owners, and operators on the need for, and methodology of, cyber security
  158. 158. Maintaining password etiquette
159. 159. Keeping BAS software and firmware up to date
  160. 160. Conducting security audits to validate security
  161. 161. Cyber Security
  162. 162. Conclusion • Smart buildings are creating new standards in technology, comforts, efficiency, and operational gains for owners, users, operators, service providers, and the community at large. • The influence of IoT in smart buildings has drastically changed both services and value delivery models; however, IoT has exposed buildings to unprecedented vulnerabilities of cyber space.
  163. 163. IoT has exposed buildings to unprecedented vulnerabilities of cyber space
164. 164. Conclusion • While still in the early stages, cyber security concerns have the potential to derail an otherwise fast-growing smart buildings industry and its associated markets, primarily because of the significant operational and financial losses that all stakeholders will have to sustain in the event of a cyber breach.
  165. 165. Conclusion
  166. 166. Conclusion • Evolving technology, advances in connectivity, and an M2M environment will continue to shape the trajectory of smart buildings, thus raising the need for protection against cyber threats. • According to David Fisk, “If intelligent buildings are the future, then so too are cyber threats to building services.” • The question is not how but when a cyber attack will strike smart buildings. • It would be in the interests of all stakeholders if an appropriate response strategy is put in place without delay, such that cyber threats do not exert a destabilizing impact on the smart buildings industry.
  167. 167. If intelligent buildings are the future, then so too are cyber threats to building services
  168. 168. Terminology • Building Automation • Building automation is the automatic centralized control of a building's heating, ventilation and air conditioning, lighting and other systems through a building management system or building automation system (BAS).
  169. 169. Building Automation
170. 170. Terminology • Home Automation • Home automation or domotics is building automation for a home, called a smart home or smart house. A home automation system will control lighting, climate, entertainment systems, and appliances. It may also include home security such as access control and alarm systems.
  171. 171. Home Automation
172. 172. Terminology • Internet of Things • The Internet of Things (IoT) is a system of interrelated computing devices, mechanical and digital machines, objects, animals or people that are provided with unique identifiers (UIDs) and the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction.
  173. 173. Internet of Things
  174. 174. Terminology 5G • 5G is the fifth generation of cellular technology. It is designed to increase speed, reduce latency, and improve flexibility of wireless services. 5G technology has a theoretical peak speed of 20 Gbps, while the peak speed of 4G is only 1 Gbps. • 5G also promises lower latency, which can improve the performance of business applications as well as other digital experiences (such as online gaming, videoconferencing, and self-driving cars).
  175. 175. 5G
176. 176. Terminology • Siegeware • Siegeware is what you get when cybercriminals mix the concept of ransomware with building automation systems: abuse of equipment control software to threaten access to physical facilities.
  177. 177. Siegeware
178. 178. Terminology • Darknet • Dark Net (or Darknet) is the part of the Internet purposefully not open to public view, or hidden networks whose architecture is superimposed on that of the Internet. • "Darknet" is often associated with the encrypted part of the Internet called the Tor network, where illicit trading takes place such as the former infamous online drug bazaar called Silk Road. It is also considered part of the deep web.
  179. 179. Darknet
180. 180. Terminology • Electronic Harassment • Electronic harassment, electromagnetic torture, or psychotronic torture is a conspiracy theory that government agents make use of electromagnetic radiation, radar, and surveillance techniques to transmit sounds and thoughts into people's heads, affect people's bodies, and harass people. • Individuals who claim to experience this call themselves "targeted individuals" ("TIs").
  181. 181. Electronic Harassment
182. 182. Terminology • Black Hat Hackers • Black hat hackers are the stereotypical illegal hacking groups often portrayed in popular culture, and are "the epitome of all that the public fears in a computer criminal". • Black hat hackers break into secure networks to destroy, modify, or steal data, or to make the networks unusable for authorized network users.
  183. 183. Black Hat Hackers
  184. 184. Books The Internet of Risky Things: Trusting the Devices That Surround Us - by Sean W. Smith
  185. 185. The Smart Enough City Putting Technology in Its Place to Reclaim Our Urban Future By Ben Green
186. 186. Ted Talks • Avi Rubin: All your devices can be hacked • https://www.ted.com/talks/avi_rubin_all_your_devices_can_be_hacked?utm_campaign=tedspread&utm_medium=referral&utm_source=tedcomshare
187. 187. 'Future Crimes,' by Marc Goodman • https://www.ted.com/talks/marc_goodman_a_vision_of_crimes_in_the_future?utm_campaign=tedspread&utm_medium=referral&utm_source=tedcomshare
188. 188. References • Building Automation & Control Systems: An Investigation into Vulnerabilities, Current Practice & Security Management Best Practice • https://www.securityindustry.org/wp-content/uploads/2018/08/BACS-Report_Final-Intelligent-Building-Management-Systems.pdf • Cyber security In Smart Buildings in action Is Not An Option Anymore • https://www.switchautomation.com/wp-content/uploads/2015/12/Cybersecurity-in-Smart-Buildings_-Discussion-Paper.pdf • How Common Are Attacks Through The BAS? • https://www.facilitiesnet.com/buildingautomation/article/How-Common-Are-Attacks-Through-The-BAS---16713 • Siegeware: When criminals take over your smart building • https://www.welivesecurity.com/2019/02/20/siegeware-when-criminals-take-over-your-smart-building/ • What is a smart building? • https://www.rcrwireless.com/20160725/business/smart-building-tag31-tag99 • What is a Building Automation System (BAS)? • https://www.opensourcedworkplace.com/glossary/what-is-a-building-automation-system-bas- • Why cybercriminals are eyeing smart buildings • https://www.welivesecurity.com/2019/06/12/cybercriminals-eyeing-smart-buildings/
  189. 189. Thanks…
