And who in their right mind puts a BMS on the Internet?
Why of course, people who should know better. Or at least you'd be forgiven for thinking so given how much network-related work they've done over the years.
The building housing Google Australia's lavish Sydney headquarters is running the known-vulnerable Tridium Niagara building management system, and has been compromised by the Cylance researchers who have made Niagara their mission. The researchers identified the underlying system – QNX on an embedded system – and extracted the …
Used to play around with a smart-card access control system for a building I worked at.
At the time, I thought getting it hooked up to the net would be a neat idea - could feed in things like public holiday and daylight saving changes, (main doors were unlocked by default during business hours) and being able to log in remotely and say turn on air-con ahead of time for people working over the weekend, or unlock doors in a loading dock when a courier driver turned up late etc.
In the end we decided that keeping an air-gap was not so bad. Users could copy across the odd update on CD or USB stick during regular maintenance updates, but the surprising thing to me about this story was any system like this being connected to the net; security was an obvious concern up front.
QNX should be secure enough (most RTOS have security baked in at a low level), so the fault must be with some very dodgy DMS software and lax firewalls.
Part of the problem in my experience is that maintenance teams looking after these systems tend to lean towards old-school sparkies, alarm technicians or locksmiths who have migrated to a new IP connected world in which firewall configuration is a required skill and cutting keys from brass not so much. Don't get me started on HVAC maintenance people though...
I had a certain HVAC contractor ask me to do just that for two federal buildings. One houses the Department of Homeland Security, the second houses the Drug Enforcement Administration. The system did not have any authentication to prevent unauthorized access.
I refused and recommended that if they wanted remote access to the HVAC system, they needed to implement a VPN and IP-based access controls. Of course they told me how they "do it all the time" and have never had a problem.
Please let us know who the control manufacturer was. Responsible vendors use various forms of authentication including FIPS level security and RSA keys.
Since these are Federal facilities, they may have taken the lowest cost solution, not the most responsible one.
Sometimes, you get exactly what you don't pay for.....
The only reason why it's not done correctly... the VPN wasn't in the canned specs, Google didn't want to pay for any change orders to correct it and they're too cheap to pay for a maintenance contract or a service call.
Otherwise it's like most Building Management Systems that use Tridium gateways, a P.O.S.
I'm betting that this is an overlay on manufacturers controls too.
A reputable BMS contractor does not use that POS, they use their own network gateways and controllers not an overlay and they ALWAYS tell the customer that they need to set up a secure VPN no matter what the spec says.
The purpose of the internet connection is to save the client money and the contractor service time so a diagnosis can be made without a truck roll. This is REALLY easy to "Air Gap" if need be by having the customer call the vendor and give them the IP AFTER they plug the workstation into the router. Then unplug after seeing what's wrong.