Feeds

back to article Google hit by building automation security FAIL

The building housing Google Australia's lavish Sydney headquarters is running the known-vulnerable Tridium Niagara building management system, and has been compromised by the Cylance researchers who have made Niagara their mission. The researchers identified the underlying system – QNX on an embedded system – and extracted the …

COMMENTS

This topic is closed for new posts.
Bronze badge
Facepalm

And who in their right mind puts a BMS on the Internet?

Why of course, people who should know better. Or at least you'd be forgiven for thinking so given how much network-related work they've done over the years.

1
1
Silver badge
Paris Hilton

Re: And who in their right mind puts a BMS on the Internet?

A facilities manager who doesn't want to drive in at 3AM to fix a simple settings issue?

Putting x on the internet isn't the problem, failing to ensure that x is secure and to have procedures for keeping it secure before doing so is.

13
0
Boffin

Re: And who in their right mind puts a BMS on the Internet?

Used to play around with smart-card access control system for a building I worked at.

At the time, I thought getting it hooked up to the net would be a neat idea - could feed in things like public holiday and daylight saving changes, (main doors were unlocked by default during business hours) and being able to log in remotely and say turn on air-con ahead of time for people working over the weekend, or unlock doors in a loading dock when a courier driver turned up late etc.

In the end we decided that keeping an air-gap was not so bad. Users could copy across the odd update on CD or USB stick during regular maintenance updates, but surprising thing to me about this story was any system like this connected to the net, security was an obvious concern up front.

QNX should be secure enough (most RTOS have security backed in at a low level, so the fault must be with some very dodgy DMS software and lax firewalls.

Part of the problem in my experience is that maintenance teams looking after these systems tend to lean towards old-school sparkys, alarm technical or locksmiths who have migrated to a new IP connected world in which firewall configuration is a required skill and cutting keys from brass no so much. Don't get me started on HVAC maintenance people though...

3
0
Bronze badge
FAIL

Re: And who in their right mind puts a BMS on the Internet?

The same facilities manager who can't figure out a VPN, with all the brains in Google to assist him/her?

2
0
Bronze badge
WTF?

Re: And who in their right mind puts a BMS on the Internet?

Agreed. Certificate-based VPN (possibly IP-restricted) should be the minimum for such a critical system, if it has to be accessible externally.

4
0
Stop

Re: And who in their right mind puts a BMS on the Internet?

I had a certain HVAC contractor ask me to do just that for two federal buildings. One houses the Department of Homeland Security, the second houses the Drug Enforcement Administration. The system did not have any authentication to prevent unauthorized access.

I refused and recommended that if they wanted remote access to the HVAC system, they needed to implement a VPN and IP-based access controls. Of course the told me how they "do it all the time" and have never had a problem.

1
0
Anonymous Coward

Re: And who in their right mind puts a BMS on the Internet?

Please let us know who the control manufacturers was. Responsible vendors use various forms of authentication including FIPS level security and RSA keys.

Since these are Federal facilities, they may have taken the lowest cost solution, not the most responsible one.

Sometimes, you get exactly what you don't pay for.....

2
0
Silver badge

So I guess you could say... Niagra Falls!

6
0
Bronze badge
Coat

Niagra Fails

2
0
Silver badge

I saw that in the movie "Fair Game". I was only watching it for Cindy Crawford, honest!

0
0
Mushroom

Hack what, exactly

So I could hack the BMS and, I don't know, maybe make it uncomfortably warm for a few people?

I know in Skyfall the baddie blew up MI6 HQ but in reality a BMS doesn't allow that much control.

0
1
Silver badge

Re: Hack what, exactly

You won't be so complacent when it's your toilets turned to 'reverse!

0
1

Re: Hack what, exactly

Or, say, unlock all the doors and then have your friends wearing balaclavas turn up in a Luton with blanked-out number plates.

2
0
Anonymous Coward

Only one reason why it's not done right....

The only reason why it's not done correctly... the VPN wasn't in the canned specs, Google didn't want to pay for any change orders to correct it and they're too cheap to pay for a maintenance contract or a service call.

Otherwise it's like most Building Manangement Systems that use Tridium gateways, a P.O.S.

I'm betting that this is an overlay on manufacturers controls too.

A reputable BMS contractor does not use that POS, they use their own network gateways and controllers not an overlay and they ALWAYS tell the customer that they need to setup a secure VPN no matter what the spec says.

The purpose of the internet connection is to save the client money and the contractor service time so a diagnosis can be made without a truck roll. This is REALLY easy to "Air Gap" if need be by having the cusomer call the vendor and give them the IP AFTER they plug the workstation into the router. Then unplug after seeing what's wrong.

0
0
This topic is closed for new posts.