Tuesday, May 28, 2013

Vulnerability in Building Control Systems

Vital buildings such as hospitals, universities and government offices are vulnerable to hackers

You're in intensive care at a hospital when the lights go out and the heating turns up. Meanwhile, doctors trying to get you to an operating theatre have been trapped in elevators for almost an hour as hackers take control.

The building control system for one of Google's offices in Sydney was hacked into by two IT security researchers who say hundreds more in Australia are also accessible via the internet.

A building control system, or building management system, is a computer-based system used to control and monitor a building's mechanical and electrical equipment using software. It monitors and controls things like ventilation, air conditioning, lighting and fire systems.

US researchers Billy Rios and Terry McCorkle of security firm Cylance found that the building control system for Google's Wharf 7 office in Pyrmont was vulnerable after finding it on the popular hacker search engine Shodan, which maps out vulnerable devices on the internet.

A search engine Shodan, indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering. This makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities.

Please refer here for a good technical webcast explaining "How the information in SHODAN is put together and correlated".

The incident does highlight the need for sensitive systems (not just SCADA) to be isolated from hostile networks like the internet.

Hopefully, this incident will gain some more traction outside the security community.

No comments: