Your building automation system (BAS) has been compromised and a hacker is threatening to shut down the HVAC in your facility in exchange for a large ransom in untraceable Bitcoin currency. What do you do?
If this scenario seems far-fetched or unlikely, you may need to pull your head out of the proverbial sand and consider what follows very seriously. Denying or downplaying the existence and prevalence of cyber-related security threats is a common miscalculation—and that’s exactly what hackers are banking on.
In fact, a recent Accenture security survey, “Building Confidence: Facing the Cybersecurity Conundrum”, found that overconfidence may be putting companies at greater risk for cyberattacks. Two-thirds of respondents to the survey indicated their organizations are capable of protecting their assets from such threats, yet actual data suggests otherwise. Among the companies surveyed, cyberattacks were carried out at a rate of three times per month during the past year alone.
The increased connectivity of building control systems and mobile devices afforded by the Internet of Things (IoT), which was covered in retrofit’s January-February 2017 issue, “Trend Alert”, is part of the reason. Shared networks often create gaps that allow easier access for cyberattacks and privacy invasion, and hackers are persistently trying to identify and exploit those gaps.
The Threat Is Real
If you still think this is child’s play, consider the fact that Hollywood Presbyterian Medical Center in Hollywood, Calif., paid $17,000 (approximately 40 Bitcoin) to ransomware hackers last year after a cyberattack locked doctors and nurses out of their computer system for days, according to the Los Angeles Times. For the uninitiated, ransomware is a type of malicious software (or malware) that encrypts a user’s data, then demands payment in exchange for unlocking it. This sort of invasive activity happens more often than many realize.
“If you consider a non-organized exploit—in other words, just a simple query where IP addresses and networks have been identified and then simple open ports are looked at and queried—this happens every hour of every day with virtually every system that is connected. This is going on constantly,” explains Steve Surfaro, industry liaison for Phoenix-based security solutions provider Axis Communications and chairman of the Security Applied Sciences Council for ASIS International, Alexandria, Va.
Jim Kelton, managing principal at Altius Information Technologies Inc., a security audit company in Costa Mesa, Calif., agrees cyberattacks are on the rise and notes commercial buildings are a relatively easy target.
“We’ve seen an increase across the board in the [frequency of] cybersecurity attacks,” he says. “Attackers can’t always distinguish one organization from another, so commercial buildings may be at the same risk as even, let’s say a high-tech firm; hackers are looking for low-hanging fruit, the path of least resistance, to try and see where they may be able to exploit a vulnerability.”
This seemingly innocuous intrusion into building networks is essentially a game for “black hat hackers,” or individuals with extensive computer knowledge whose purpose is to breach or bypass internet security measures. (“White hat hackers,” on the other hand, are ethical security specialists who perform the same function to expose weaknesses before malicious hackers can detect and exploit them.)
“[Black-hat hackers] are essentially doing this almost as frequently as gamers play, and they are looking to intrude, and they’re looking for vulnerabilities—and not in a good way,” Surfaro says. “Once they find those vulnerabilities, then they either do it for their own hobby or they do it for profit.”
The motives behind cyberattacks are where things get worrisome. These can range from financial, self-promoting and pathological to political, “which is usually incredibly organized and very, very dangerous,” Surfaro warns. “These are the folks who are going after entire companies they’re disagreeing with.”
Surfaro explains that systematized factions throughout the world are seeking hackers who will identify and catalogue weaknesses within organizations. But these cyberterrorists don’t want hackers to act on their own; rather, they want to launch massive, coordinated attacks to inflict the most damage.
For example, Dave Tyson, CEO of security consultancy firm CISO Insights, Racine, Wis., notes that earlier this summer a ransomware attack dubbed “Petya” (and later, “NotPetya”) was launched in the Ukraine and linked to a state-sponsored organization that wiped out a significant portion of the country’s business financial services and industrial control systems. While this incident was deemed an attack between nation states, companies can also become targets based on their political affiliations.