The security behind: Building Management Systems


Hello, I’m Felix and welcome to You Gotta Hack That, the podcast all about the security behind the Internet of Things. In this episode I’m going to talk to you about Building Management Systems.

All right, so what are building management systems? They’re also known as BMS and they are basically a centralized point where loads of different tech that controls a building gets centralized and connected together. Now these sorts of things can include heating, ventilation, air conditioning or HVAC. It can include fire suppression or detection, and sometimes other fire related bits of kit. And then there’s things like CCTV systems and access control systems, the sort of thing that you have to swipe a card over to open a door. And then you’ve also got other items, which are about comfort and looking after people while they’re there, and lighting and energy saving kit. You don’t want stuff turned on when people aren’t present, so have a system that turns it off. And then finally lifts and accessibility services. So we’re talking about escalators or other types of system that may allow people who would otherwise not be able to access a building to be able to.

How do these things work? This varies tremendously as a result of the different scale of the implementations. There’s going to be other reasons as well, like what does the site do and what does the building do? But as a general principle, the bigger the building, the bigger the area, the more likely it is to have a much more complex system installed. As we’ve already seen, there’s loads of different technologies that are available as options here. What that means is that the tech itself varies quite significantly as well. It’s not just a case of there being lots of it and therefore it’s more complex, there’s lots of variation too.

They’re probably going to be based around a server on web application, or a thick client application that you install locally on your machine. Then whoever is running the system logs in and can make changes, see logs, basically operate the system via that particular bit of kit. It’s also important to think about the fact that this isn’t limited to a single building. This could be a suite of buildings in an area. For instance, if you’ve got a whole site and you’ve got ten buildings there, why not have a centralized security team connect all those buildings together? But it’s not limited to that either. You can actually do this across national areas as well as international ones, because these things can be connected over the Internet if done correctly.

Ultimately there’s the question about why bother, and I think more than most subjects, this one’s probably the most obvious. I can think of half a dozen reasons off the top of my head, but that’s probably because this is the thing of movie plots. We’ve had so many movies over the years where a hacker has access to a building to be able to find secret files in a particular vault, or they’ve stolen stuff from the vault of a casino, they’ve used it to get people to come out of the building or all sorts of different techniques and tactics. Those are some of the examples that I would think are relevant, depending on the context of the site. So as a short list: evacuating buildings, accessing restricted areas, and whatever is behind those restricted areas, a bit of surveillance, for example if you’re following your wife and she always goes to the same shopping centre or something like that, then maybe you’d want to know whether she’s there or not. There’s also the obvious stuff like theft and being a disgruntled employee. Because the attacker can or because they want to get back at somebody, but there’s also the more serious side of things as well, which is terrorism and ransomware.

Ransomware is an interesting one because it has picked up quite a bit over the last few years. There’s examples of hotels having their door control systems being ransomware’d and they simply just couldn’t operate. Could you imagine if your local shopping centre was under a ransomware attack suddenly? Could they let anybody in? Probably not because they couldn’t trust that the fire systems would work. Therefore they wouldn’t be able to allow people to go on site except to fix those fire systems.

That then brings us to the question about what might go wrong on such a system. Regular listeners would probably recognise the fact that the complexity and the scale of these problems present problems that are quite difficult to overcome. There’s more to it than just simply the scale and complexity. For starters, they tend to be run by physical security teams, and not disrespecting the physical security teams whatsoever, it’s just they don’t necessarily have training on cybersecurity issues and how to look after those systems. Sometimes it’s the physical security teams that implement those systems as well as run them and operate them. So if they don’t know what they’re doing at the very beginning, then they are going to have a very weak system. What this means is that those connected systems, various different sensors, door locks, whatever it is that is connected to this building, are going to have varying levels of security. There’s a chance that the system is potentially as weak as the most vulnerable part. So if you had a fire system of whatever description, and it was absolutely top notch perfect, no probable weaknesses, no vulnerabilities that were known or anything along those lines, that would be great. However, it is connected to the same BMS as a door lock system that’s vulnerable to everything. Well, I don’t need to necessarily attack the fire system to be able to impact it. I could attack the door lock system, access the BMS, and then cause an event to happen within the fire system. That concept brings it down to the lowest common denominator.

There’s also the challenges of who’s set this up, and where have they set it up and have they thought about how that’s going to be segregated? If they put it on the same network as the corporate IT network, I’ve seen that quite a few times, that’s not a great idea. This is because these devices tend to have all sorts of issues with them. If I can break into the operational technology or the BMS network, then I can probably move across from that over to the IT network. Therefore it’s not just a physical impact that I could have, it’s an IT or information impact that I could have. The flip side to this is if someone hasn’t been smart enough to segregate the BMS network from everything else, then the chances are that level of security maturity on that network is relatively low. For instance, they probably haven’t put in security event monitoring, any network monitoring or intrusion detection systems or anything along those lines. That’s just another cost and another thing to maintain. The BMS is an isolated thing and we go back to this psychological concept of it being a magic thing in the corner. It’s a black box. It works. Don’t touch it. So why would you interact with it? Why would you do anything more? And it takes quite an enlightened security team to recognize the vulnerabilities that are present here and actually do something about them.

Where there’s lots of sites connected together, lots of buildings in the same site connected together, there’s some extra interesting vulnerabilities that can come up too. If you have a site and it’s got three buildings, there’s a high security building, a medium security building, and a really open low security building, well, if they’re all connected together and I go and sit in the cafe that’s in the low security building, for example a shopping centre, and from there I gain access to the BMS system, I can start working out a way of accessing systems that look after and protect the high security or the medium security building. Therefore I’d be able to have an impact there too. This is a whole broad problem, rather than just in isolation. To illustrate my point just now, think about the difference between a power plant and a shopping centre: you want people to be in one, but you don’t want people to be in the other. But if they’re connected, then I’m going to have an impact if I’m attacking one from the other. It’s also fair to say that a lot of this kit is quite exposed if you think about it. The sheer volume of fire detection sensors that are around. If I’m an attacker, and I know that I can impact a fire system by fiddling with the sensor, then all I need to do is find one of those sensors that’s exposed and then be able to have a fiddle with it.

There’s also a huge number of RF protocols involved in these technologies. Obviously that makes it quite difficult to get any level of security assurance that is worth having, because how do you know which bits of it have been tested properly, did those penetration testers know that protocol properly? There’s also the obvious stuff, like having bad passwords. If you think about the CCTV system in your building, there’s a reasonable chance that the password is something like one, two, three, four. That’s the default on so many CCTV systems. Operators often don’t change it because they consider it to be on an isolated network and cybersecurity is a secondary concern. There’s loads of other kinds of traditional IT vulnerability problems that might well be an issue. Like patching the operating system for the BMS server for instance.

All right, so what can be done about it? I think it is definitely fair to say that there’s probably the drive for better network segregation and in big installations that means not just one big BMS network, but actually to segregate it further. Will the fire system only talk to the BMS system? Maybe it shouldn’t also be able to talk to the lift. Instead maybe it needs to communicate via the BMS. There’s some challenges with that, for example fire systems are usually designed to ensure that the lift will go down to the ground floor to let people out if the fire alarm goes off, rather than carry on or get stuck somewhere. If the communication has to go via the BMS system and not direct to the lift you would need systems that are capable of doing that. So there’s some complexity there, but that’s largely an engineering problem, rather than it being physically not possible. We’ve touched on this already, but actually gaining cyber security assurance activities for BMS is hard work, but it’s really really valuable if you know that someone has spent some time on it. It doesn’t need to be an exhaustive test if you’re defending against a casual attacker, knowing that somebody spent a couple of weeks looking at the security of the system, you can be reasonably confident that if the attacker is appropriately skilled then it’s not going to be that easy. I’d also like to encourage monitoring. You need to think about this from a traditional networks point of view, but also on top of that, you need specific capabilities around understanding what happens within the BMS technologies that are in play. That may be radio frequency based stuff, or perhaps on the wire, at the database and so on. It’s about understanding the context of that a bit more. And to extend that further, it’s probably a good idea, bigger installations in particular, to start doing pattern analysis, so that you can recognize when things have gone a bit differently to usual.
This would mean the defending team would be able to raise the anomaly as a question for the physical security team to understand or to ask more questions about. And next we have patching. I don’t know whether or not there’s going to ever be an episode that goes past where I don’t say patching is important. This is very important here, but clearly, if there’s a lot of technology involved then doing patching of all of that technology is going to be hard work. It’s going to be involved and it’s going to take a lot of time. That means somebody needs to be pre-emptively thinking about doing it, rather than waiting for those patches to be sent by the vendor, you actually need to go seeking unpatched devices to work out what technology you’ve got and on what patch cycles, and therefore you know when the next patching event is going to happen. And finally, if you’ve got a limited number of people who are accessing these systems and understanding them, maintaining them, that kind of stuff, then they need to be trained correctly to understand the specific cybersecurity problems that those technologies might have.

All right, so as a brief summary, what do I think? Well, the security of BMSs is clearly going to be quite hard work and the more obscure the tech used is going to mean the greater the challenge. But despite those things, I believe that these systems can provide great benefits, whether that be for a security purpose, like knowing that you can turn off the access to a particular office to an employee as they walk out the door after being fired. This is clearly easier than having to force them to give you the key, which they might have taken a copy of… There’s all sorts of other benefits as well, like environmentally friendly stuff. As a result of all of these things, security cannot be such an issue that nobody actually bothers to implement it because they’re scared of the other negative sides. I think it just requires careful consideration and probably some good engineering effort and thought about how this is going to work.

Thanks for listening today. I hope you’ve enjoyed the show. Please give the show a rating or review in your podcast app. We would really appreciate it. If you fancy Tweeting about it or sticking it on LinkedIn, then that would be great too! Tag us, whatever you do. To talk to us about any aspect of the show, suggest a future topic, or to ask a question about IoT security, please get in touch. You can do that via email on or with @gotta_hack, via Twitter. Or on LinkedIn you can search for us with You Gotta Hack That.
