Building management systems, which are used to make buildings intelligent, have led to the widespread use of proprietary ‘enterprise’ software platforms and networks for monitoring and controlling these environments.
As any PC user will tell you, networked computers can be remarkably vulnerable to malicious software. However, it is only recently that attention has been paid to the possibility of virus damage and attacks on these smart building systems.
Building owners and designers, and particularly members of the building services industry, are racing to implement intelligent buildings and smart grids, which have been heralded as the future in terms of both energy efficiency and facilities management. But many are overlooking the potential risk of malicious attacks on these highly networked control systems, leaving them wide open.
The market for virus protection has been estimated at $2 billion each year (e.g. Savvas 2007), but it is hard to find any discussion of cyber-security issues in intelligent building design.
David Fisk of the Laing O’Rourke Centre for Systems Engineering and Innovation at Imperial College London warns that, as we have seen with household PCs, the basic building blocks of intelligent buildings can be infected by malware.
The terrorist attack on New York in 2001 spawned wide ranging assessments of risks from ‘innovative’ terrorists. Naturally, this included ICT risks to infrastructure from cyber terrorism.
Much of this material drew on earlier work that shadowed conventional virus technology (Rathmell 1997). Industrial sites or email services could be attacked by denial of service or simply hacked. But it became evident that Supervisory Control and Data Acquisition (SCADA) systems could also be compromised – Building Management Systems (BMSs) fall under this area.
In 2010, a PC in Iran started to repeatedly reboot itself – something that would set off alarm bells with any PC owner, who would assume their machine had become infected. This was the start of a virus now known as Stuxnet.
Once Stuxnet had made itself comfortable, it looked to communicate, via the Windows platform, with other devices that were running Step 7. This is the Siemens system used with the programmable logic controllers.
Now, Siemens is one of the world’s largest manufacturers of controls and control systems – so once the backdoor was figured out, this in theory left a huge number of other systems open to attack.
The thing is, industrial controllers are not themselves usually connected to the internet (or so their operators think!), precisely to prevent this happening.
Stuxnet got around this little problem by installing itself on any USB drive inserted into the infected system and then went wherever the drive went next.
As drives are routinely used to transfer data between standalone networks, the Stuxnet transfer was activated simply by inserting the drive. It was then ready to insert itself into any clean USB stick inserted later – and so on.
It was also helped along because Siemens had designed the input process image to the controller as read-write instead of read-only.
Stuxnet was special as it was tailor-made to attack a specific plant in Iran. The strong suspicion is that it stopped the Iran uranium enrichment programme for a while in 2009. But it signified the wider potential of malicious software to those who write it and the vulnerabilities of SCADA systems.
Stuxnet is now patched (Siemens 2011), but unfortunately the idea is out that malicious software can infect plant controllers – at the very time that SCADA engineering is tending to move away from physically quarantined control systems towards fully integrated information systems embedded in enterprise software.
Fisk outlines how risks may be assessed and mitigated by using a hypothetical attack on the heating, ventilation and air-conditioning (HVAC) systems of a super-casino.
The scenario points out that if the lights were to fail even for a moment the casino would lose sight of thousands of chips in play. This is why super casinos employ large standby generation sets and, to cover start-up, they also have large banks of standby batteries.
If start-up fails for some generator sets, the BMS sheds non-lighting load. But under the ‘plan for the worst’, the battery back-up provision is enhanced to allow time for gaming to be halted under lit conditions if all sets fail, before emergency lighting comes on and the casino is evacuated. But, like a vulnerability patch, this extra investment highlights the point of weakness.
Now an ‘intelligent super casino’ might automate the entire process, thereby avoiding human error or oversight (like an operator tea break).
This is where a software attack could potentially capitalise on the trust placed in the automated system, as now the supervisory system just needs to be infected in order to jeopardise the entire security investment.
If the HVAC system just locked down and refused to start, an internal temperature of 40°C and 80% relative humidity would be enough to clear the complex.
If the doors were locked down, and the lighting, ventilation and air-conditioning switched off – it wouldn’t take long for panic to set in.
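The mitigation implied by the scenario is not to trust the supervisory system alone: an independent interlock, with its own sensors, checks whether the state the BMS reports is plausible for an occupied gaming floor. The following is an added illustration of that check, not code from Fisk’s paper or from any BMS product; the state fields, thresholds and action names are assumptions, and the telemetry samples are constructed.

```python
"""Independent plausibility monitor for BMS telemetry (added example).

Assumed to run on a device outside the supervisory network, reading its
own temperature/humidity/door/lighting sensors rather than the BMS's view.
"""
from dataclasses import dataclass

# Thresholds taken from the scenario text: 40 C / 80 % RH clears the complex.
MAX_TEMP_C = 40.0
MAX_RH_PCT = 80.0


@dataclass(frozen=True)
class FloorState:
    occupied: bool       # gaming in progress
    lighting_on: bool
    hvac_running: bool
    doors_locked: bool
    temp_c: float
    rh_pct: float


def plausibility_faults(s: FloorState) -> list[str]:
    """Conditions a sane BMS should never produce on an occupied floor.

    HVAC being off on its own is NOT a fault: the text says the BMS may
    legitimately shed non-lighting load. It only becomes a fault once the
    space has actually reached conditions that would force evacuation.
    """
    faults: list[str] = []
    if not s.occupied:
        return faults  # an empty floor may be shut down for real
    if not s.lighting_on:
        faults.append("lighting_off_while_occupied")
    if s.doors_locked:
        faults.append("egress_locked_while_occupied")
    if not s.hvac_running and (s.temp_c >= MAX_TEMP_C or s.rh_pct >= MAX_RH_PCT):
        faults.append("hvac_locked_out_at_unsafe_conditions")
    return faults


def failsafe_action(s: FloorState) -> str:
    """Hypothetical interlock decision, ordered by life-safety priority."""
    faults = plausibility_faults(s)
    if "egress_locked_while_occupied" in faults:
        return "release_doors_and_halt_gaming"
    if "lighting_off_while_occupied" in faults:
        return "emergency_lighting_and_halt_gaming"
    if faults:
        return "override_hvac_restart"
    return "none"


# Constructed telemetry: normal operation, legitimate load shedding, attack.
NORMAL = FloorState(True, True, True, False, 22.0, 45.0)
LOAD_SHED = FloorState(True, True, False, False, 27.0, 55.0)
LOCKDOWN = FloorState(True, False, False, True, 41.0, 82.0)
```

The point of the split is that the interlock acts on sensor truth rather than on what the (possibly infected) supervisory system claims, so compromising the BMS alone no longer defeats the whole investment.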