In this column and elsewhere, we’ve seen plenty of exhortations to make sure that control system networks are sufficiently isolated from corporate networks so as to prevent infiltrations from finding their way to the more sensitive and “more important” parts of the organization. For those delivering electricity, pumping oil, or whipping up batches of hazardous chemicals, it is critical that maximum protection be applied to these networks. However, we often forget that control systems play other roles that are not always front and center. Among these are building management systems that control temperature, humidity, elevators, water pumps, and just about anything else in a structure that moves without human power. Increasingly, these are all likely to be digitally controlled and are well on their way to becoming part of the massive “Internet of Things” that is revolutionizing our world. Google’s recent decision to pay $3 billion for Nest Labs, Inc., a maker of high-tech thermostats, demonstrates the enormous potential many see for these technologies. However, despite the increased connectivity, energy savings, and Jetson-like quality of many of these devices, most quietly do what they are supposed to do and are quickly forgotten. While dangers of electrocution, explosions, and flying projectiles do exist, the risk of this happening from a cyber attack is minimal at this point. However, because network connectivity is now required to monitor and tweak the performance of these building management systems, there is the temptation to leverage existing connectivity to support both remote access for service providers and feeds to databases residing on the corporate network.
Initial reports had indicated that Target may have been compromised through a vendor monitoring its building management system. It now appears that while the credentials of a Target service provider were compromised, the route into Target’s network was through a financial system intended for vendors to submit invoices to Target. In some senses, this sort of attack is worse, as there were likely more potential sources to attack from. Additionally, it still highlights the weak points all too common with control systems and the access given to service providers whom asset owners depend on for their expertise. Many of these providers also dictate the methods and security controls used for their access, leaving customers with a take-it-or-leave-it choice. Clearly, companies like Target have the market power to resist such ultimatums, but many critical infrastructure owners don’t have that clout. It is still not known how much isolation existed between Target’s financial system receiving vendor invoices and the point-of-sale terminals. As Stuxnet proved, even air-gapped networks can be breached. But it is likely that Target and most of its peers don’t provide that level of protection. Nonetheless, given the ease with which corporate networks can be infected via unsophisticated phishing campaigns, it is likely that the Target hackers were not amateurs in choosing a less-worn path through a largely unknown heating, ventilation, and air conditioning (HVAC) service provider. While not always harder, such methods require persistence, planning, and organization not found among “smash and grab” identity thieves. The fact that hackers have chosen that route means that we need to expand our appreciation of not only the possible, but the likely.
While the Target breach was not control system-related as originally reported, there are a number of lessons we can learn from the experience. The use of service providers for any purpose presents risks that need to be mitigated. Moreover, the lesson for those running building management systems is that the biggest concern is not always that a hacker is going to break in and play Space Invaders® on the side of their building. The clear message is that we are all vulnerable to the weakest link. While we can segregate networks, business requirements dictate that data be shared and cost-efficiencies be maintained. While nuclear power plants can afford air gaps and expensive data diodes, the typical retail store or office building generally cannot. What is important is that we remain vigilant and aware of these often hidden networks and the threats they can pose. Among steps to consider are:
- Use of two-factor authentication for all vendor access to both internal networks and Internet-facing applications
- Segmentation of building management systems and other control systems from business networks with real-time monitoring between those networks
- Requiring vendors to demonstrate security controls that meet or exceed the security of their customers
- Monitoring evolving threats and altering controls in response without waiting for industry consensus or new regulations
Most companies have not experienced attacks from determined adversaries. They are normally simply victims of crimes of opportunity. What the Target breach and other recent breaches demonstrate is that good hygiene and compliance with standards are not enough. We all need to step up our defenses and be prepared to still be breached.
Space Invaders is a registered trademark of Kabushiki Kaisha Taito Corporation in the U.S. and/or other countries.