Heating, lighting and physical security most vulnerable systems to cyber attack

The systems which control heating, lighting and security in most buildings are particularly vulnerable to cyber attack, a QinetiQ whitepaper has warned.

In analysis undertaken in late 2015, QinetiQ found that these systems create a route for serious damage and disruption to be caused to most major companies and organisations; capabilities now showcased in the real-world through the spear-phishing attack on a Ukrainian power network . Those that would suffer the most disruption include airports, stadiums, hospitals and government departments.

Despite the dangers, such as no communications at an airport or lighting failure in a hospital, the systems which control these applications remains some of the least secure, QinetiQ believes. The whitepaper explains that these systems have evolved from technologies not designed to be connected. They are therefore often designed, installed and managed by people who have not been trained to understand the security implications.

This creates vulnerabilities that could be exploited by those looking to damage an organisation or create panic, such as activists, terrorists, aggrieved nation states or disgruntled former employees. It could also help criminals physically break in.

The whitepaper outlines the consequences of a compromise, the potential attack vectors and recommendations for mitigating these risks.

Attack vectors often exist because such systems have not been securely installed. The QinetiQ research team found Building Management Systems (BMS) were often simply switched on or plugged in, connecting them to insecure networks or leaving them accessible via Wi-Fi. Default passwords were often left unchanged.

The paper recommends that installation of these systems must involve an understanding of how these systems are connected to the online world and how to restrict this. Installers and facilities managers setting up the systems should be trained and certified to ISO 27001 or equivalent, or consultants with these qualifications should be involved.

Andrew Kelly, Principal Consultant, Cyber Security, QinetiQ and co-author of the paper said: "Devices that were never built for security are increasingly becoming connected to networks, and so becoming hackable. We are seeing this in the domestic sphere too, as the Internet of Things becomes more prevalent, but it is the but BMS-connected devices have particular potential to wreak havoc as they control systems necessary for business to function. Despite this, they have some of the laxest security, both in their design and in their installation and maintenance.

"This is a pressing issue. The challenge is that it crosses two previously unconnected areas: facilities management and IT. But as more BMS become connected, these departments either need to work more closely together, or facilities managers need to become security experts."

Comments (1)

  1. Stephen Meredith:
    Jan 21, 2016 at 10:56 AM

    Andrew has a highlighted a very real and growing problem that extends to the whole IOT arena. Basically this is a disaster waiting to happen. BMS and public infrastructure systems need to be considered as a subnet off the corporate WAN, protected by their own IPS and Firewall devices and then regularly assessed and rules updated to protect against the latest exploits. Unless the same level of security is applied to these critical infrastructures as would (should) be deployed to the corporate network it is just a matter of time before there is a major incident of national or International significance.

Add a Comment

This thread has been closed from taking new comments.

Editorial: +44 (0)1892 536363
Publisher: +44 (0)208 440 0372
Subscribe FREE to the weekly E-newsletter