Siegeware and BAS Attacks, an Emerging Threat

As technological solutions to cybercrime become increasingly advanced, able to preempt attacks and weed out vulnerabilities before they’re widely known, attackers also become more adept at cloaking their presence and concealing their intent.

The targets of attacks also change with the times. Hacking websites and bank accounts are old-hat, some of the most threatening dangers to the most modernized companies and even citizens are those that target technology that doesn’t yet have the robust security systems, or even standards, in place.

It’s sad, but well known that the average consumer doesn’t spend a lot of time worrying about whether the firmware on their IoT devices is up-to-date, leaving millions of devices around the world critically vulnerable to attack. However, you would be forgiven for assuming that companies implementing centralized control of a building’s life support functions such as HVAC, fire security, doors and windows, etc. along with more convenience focused building automation systems, would prioritize cybersecurity. This is not always the case, and can lead to a potentially disastrous situation for the homes and organizations that implement Building Automation Systems (BAS) and the companies that manufacture, install, and maintain them.

Siegeware and BAS attacks

When attackers combine ransomware with BAS vulnerabilities, we get Siegeware. The attacker takes control of a building and shuts down critical operations such as heating, cooling, alarm systems, and even physical access, and will only rescind control once a ransom has been paid.

Gaining access to the BAS means the attacker becomes the digital overlord of the building. By controlling the automated system that governs the functionality of the building, they control the building itself. They can turn off ventilation, heating, fire suppression systems, and potentially extend influence to other digital functionality of the building.

The hacker can access seven systems remotely once he hijacks the BAS:

  • Lighting control systems
  • Fire detection and alarm systems
  • Automated fire suppression systems
  • Integrated security and access control systems
  • Heating, ventilation, and Air conditioning
  • Power management and assurance systems
  • Command and control systems

The consequences of losing control of these systems may range from discomfort to potentially life-threatening situations.

An emerging threat

Siegeware is quickly becoming one of the most dangerous and effective methods of cyber-attack. Many companies have already fallen victim to these attacks, and those that haven’t given in to the ransom demands have faced highly disrupted operations as a result.

BAS allows a single command center to control and automate all connected systems in a building so that a high level of comfort can be achieved efficiently. But vulnerabilities exist in any connected system, and when the network is compromised the prospect of physical danger becomes very real.

With increasing numbers of organizations adopting BAS infrastructures, the number of potential targets rises, along with the time spent by attackers searching for as-yet unknown vulnerabilities. To make things worse, many of these buildings are connected to the internet where anyone with the correct username and password can access it. As of February 2019, there were 35,000 BAS systems connected to the public internet globally, and it’s highly likely that many of these are using default usernames and passwords.

Even if the majority of organizations implement adequate security, those that do not face severe consequences. Countless schools, hospitals, universities, and banks have all fallen prey to ransomware attacks in the past few years, and this is likely to mutate into large-scale siegeware attacks in coming months to many BAS equipped buildings that do not have effectively secured networks.

Preventing BAS hijacking

Any smart home or other BAS controlled building is a potential target for siegeware attacks. If you live in a smart-home, or are the building manager or security officer at an organization that utilizes BAS to control functions of the building, then it’s critical to provide that  the security systems are up to the task of controlling access to the BAS.

Many contractors will simply set up the automated control system on a web-based login interface. It makes it easier for them to make any changes later on or solve any issues that might appear. However, such remote access is vulnerable to unauthorized access.

If there is remote-access to your BAS it needs to be considered a critical IT system, see to it that you have the following, at the very minimum:

  • Up to date firmware
  • Firewall
  • Encrypted connection
  • Preferably VPN-only access from the building’s IP
  • Strong passwords
  • Multi-factor authentication
  • Lockout on failed password attempts
  • Notification of login attempts

If remote access to a BAS is vulnerable in even one of these areas, it’s susceptible to being hijacked. By implementing at least three authentication types - password, possession, IP - unauthorized access can be discouraged, but not necessarily stopped entirely for a determined attacker.

In the case of smart-homes and IoT devices, one has to make sure that all connected devices utilize security that prevents any unauthorized access. The security of the controlling BAS box, in this case, extends to each and every physical device controlled through the network.

The concept of a smart home, of top-tier technology that aspires to increase convenience and comfort, becomes one of the most powerful enablers of cyber-terrorism. Here’s hoping that those companies and individuals implementing BAS into buildings will be working closely with IT departments and security researchers to protect our buildings’ critical support systems.

Joe Robinson is a data privacy and cybersecurity writer for the AT&T Cybersecurity blog. Read more AT&T Cybersecurity blogs here.