lax installers who have disregarded installation advice
You sure? Surely the responsibility of the manufacturer to have secure defaults.
Britain's freezing weather has reanimated the issue of insecure building control systems. Security researchers at Pen Test Partners have discovered that the web interfaces of heating controllers in many schools are accessible on the public internet and fundamentally insecure. The problem largely stems from lax installers who …
Stuart Castle,
But this isn't the installer changing the safe defaults to unsafe. This is a unit that the manufacturer knows will be installed onto the building network by people who don't understand security or networking. So it's certain that it'll be installed wrongly. Which makes it the manufacturer's fault too.
This is a unit that the manufacturer knows will be installed onto the building network by people who don't understand security or networking
Why do they know this?
Many aspects of a building wide heating system will be unsafe if installed incorrectly. Why shouldn't the assumption of competence on the part of the installer be extended to the 'bits on the internet' too?
I'm sure the salesperson 'knew all about it'. ;)
FIA,
The people who install the heating controls and the BMS are usually not the same as those who install the actual explodey bits of the heating.
There is basically no internet security expertise in building services - because it wasn't part of the job description until very recently. Whereas Gas Safe training (formerly Corgi) has been around for decades.
It's a bit like consumer electronics, in that people buy kit that they expect to work. It's probably a bit different in the world of BMS contractors, but I almost never talk to them, so don't know. I usually talk to the installer or design engineer and tell them what info our kit passes to the BMS, and they then tell them to set it up appropriately.
"consumer electronics ... people buy kit that they expect to work."
In which parallel universe does this happen?
What I see 365 days a year (or thereabouts) and have increasingly seen for the last few years, is that vast numbers of people buy consumer electronics with the expectation that if it depends on software, there's a high risk it won't work as a reasonable person would expect it to, either at time of purchase or within a couple of years. And in the knowledge that the law as it applies to fitness for purpose etc in many allegedly civilised countries seems not to apply in any meaningful way to gadgets which are reliant on computers.
How do the rest of us make our universes match your land of milk and honey?
...
There is basically no internet security expertise in building services - because it wasn't part of the job description until very recently. Whereas Gas Safe training (formerly Corgi) has been around for decades.
It's not that new though is it? It's been around for a few years, and we've had several high profile 'connecting stuff to the internet is dangerous' events that surely there's at least basic training? Don't you have to recertify for Gas Safe every 2 years? Keeping up with things applies across the board doesn't it?
I get that this is due to intransigence, but as a customer I expect things to be done correctly; however, I also don't think it's unreasonable to extend this professionally too. I assume people I talk to in a professional context know how to do their job (even if bits of their job are relatively new), just as I hope they extend the same to me.
Maybe it's working in IT, which due to its newness has probably had a more than average rate of change over the last few decades?
"The manufacturers can put in the most secure defaults possible, but if an installer changes them or the systems staff give the control systems publicly accessible IPs, then you have a security problem."
But if the installer doesn't change the default settings, wouldn't it be easy for someone to just use the default settings on that system to gain access to it?
Y'know, a lot like how "admin" is both the username and password out of the box for most routers?
You would have thought so. Sky Facilities are true leaders in that special British practice of turning the heating up on the hottest day of the year and making sure that the aircon is at its coldest in bleak December.
It takes a special level of vindictiveness to do that.
>When I were a lad we had to bring in a lump a' coal.
You were lucky. When I were a lad we had to get up at 2am and go dig the coal for the school boiler, then walk 5 miles in the snow from pit to school with 200 hundredweight of coal on our backs. If we were late or even one ounce short of 200 hundredweight then we'd be thrashed and buggered by the headmaster. I swear the headmaster fixed the scales and the school clock.
"BMS vendors need to wake up and smell the coffee: educate your installers, accredit them and audit them. Then ensure your product is as foolproof as possible, making insecure installation as difficult as possible."
First and foremost; fuck off, how about the manufacturers who *know* most of this stuff will be installed by a random contractor make it more secure.
Secondly; Fuck off, any such company doing this would have to pass on the (significant) costs and would very quickly find themselves installing very, very few of these systems.
Thirdly: Fuck off! Any manufacturer in the building services industry knows that the person who takes the delivery of your kit onto site, first signs the POD as Mickey Mouse, then opens the box and steals anything useful and finally throws away all instruction and installation manuals.
I admit it's possible that they take the manuals to line their nests, rather than binning them? But I know that whenever I ask an installer or end-user if they've got our manual the answer is going to be no. Not quite sure why I still ask really - I must be an optimist...
Why do they need to be on the web anyway? It's a school: 5 days a week, from 8 to 6 roughly. How hard can it be just to install a multi on/off 14-day programmable timer? What do you employ the caretaker for?
So the COO at the Local Education Authority can have a completely pointless (but nonetheless very pretty) dashboard on a wall-mounted monitor somewhere in Council HQ.
That's because the article didn't mention the important Step 3 of that instruction, which is to "plant scare stories in the press, then lobby the DfE to mandate these steps for any school planning to buy a new BMS".
What do you think you just read?
Within a year or so, that or similar shit will be mandatory. And then the company that's ready to take those steps, and I guarantee that company exists (and quite possibly paid good money for this story to be generated), will be the only player in the market.
Presumably all these installations are specified by a consulting engineer, architect or whoever.
Is it not their responsibility to specify that they be installed securely and to inspect them before signing them off for final payment of the contract? The finger should be pointing there, not at manufacturers or installers. If they find manufacturers incompetent they stop specifying their products, if they find installers incompetent they remove them from future short lists.
If the manufacturers wanted to there is an easy way to stop these devices from being connected to the internet - have them check periodically if it is possible to connect to Google - if so then the installation has been connected incorrectly so disable the network connection. This would require the system to be administered from its front panel but would stop malicious attackers on the web.
Just because a device can connect to an Internet server does not mean the Internet can connect to the device.
But I take your point. At least some of the manufacturers do seem to be saying "hey, you can connect our system to an ip network to manage it. What? No, not _that_ ip network!"
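The exchange above suggests a controller that checks whether it can reach Google and shuts its own network port if it can, and the reply points out that outbound reachability says nothing about inbound reachability. The following is an added example, not code from this thread, from The Register, from Pen Test Partners or from any BMS vendor: a device-side self-check that tests what the device can actually observe (its own addresses, what its management listener is bound to, whether factory credentials are still in place) instead of "can I reach Google". Every name, config field, credential and sample address below is hypothetical; the sample states are constructed inline.

```python
"""Hypothetical exposure self-check for a heating/BMS controller (added example).

The controller cannot see the router in front of it, so the only honest
verdicts are: "my own address is public, isolate now", or "my addresses are
private, which proves nothing about inbound port-forwards". The latter is the
reply's point above, and this code deliberately does not pretend otherwise.
"""
import ipaddress

# Private-use ranges a NATed building controller would normally sit in.
# Anything outside these is treated as directly routable from the internet.
PRIVATE_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "100.64.0.0/10",                                   # carrier-grade NAT (RFC 6598)
    "169.254.0.0/16", "fe80::/10",                     # link-local
    "127.0.0.0/8", "::1/128",                          # loopback
    "fc00::/7",                                        # IPv6 unique local
)]

# Hypothetical factory credentials shipped by the fictional controller.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "")}


def address_is_public(addr: str) -> bool:
    """True when addr lies outside every private-use range above.

    Unlike "can I open a connection to Google", this cannot be fooled by NAT:
    a controller behind NAT reaches Google fine but holds a private address.
    """
    ip = ipaddress.ip_address(addr)
    # 'in' returns False for a v4 address against a v6 network, so mixing is safe.
    return not any(ip in net for net in PRIVATE_NETWORKS)


def audit_controller(state: dict) -> dict:
    """Return {'isolate': bool, 'findings': [str]} for a controller's own view.

    'isolate' is set only on evidence the device can trust: one of its own
    interfaces carries a public address. Default credentials and all-interface
    listeners are reported so they can be fixed, but the device cannot tell
    whether a router is forwarding port 80 to it, so they never prove exposure.
    """
    findings, isolate = [], False

    for name, addr in state["interfaces"].items():
        if address_is_public(addr):
            findings.append(f"{name} has public address {addr}: "
                            "management UI is directly reachable from the internet")
            isolate = True

    for lst in state["listeners"]:
        where = f"{lst['service']} on {lst['bind']}:{lst['port']}"
        if lst["bind"] in ("0.0.0.0", "::"):
            findings.append(f"{where} listens on every interface, not just a management VLAN")
        if tuple(lst["credentials"]) in DEFAULT_CREDENTIALS:
            findings.append(f"{where} still uses factory credentials")
        if not lst.get("tls", False):
            findings.append(f"{where} is plaintext HTTP: credentials cross the wire in the clear")

    if state.get("outbound_ok") and not isolate:
        findings.append("controller can reach the internet but all its addresses are private: "
                        "that shows outbound NAT works, not that nothing is forwarded inbound")

    return {"isolate": isolate, "findings": findings}


# Constructed sample states (not taken from any real school or vendor).
NATED_CONTROLLER = {
    "interfaces": {"eth0": "192.168.10.40"},
    "listeners": [{"service": "web-ui", "bind": "0.0.0.0", "port": 80,
                   "tls": False, "credentials": ("admin", "admin")}],
    "outbound_ok": True,   # the "can reach Google" test from the post above
}

PUBLIC_CONTROLLER = {
    "interfaces": {"eth0": "203.0.113.5"},   # documentation range standing in for a public IP
    "listeners": [{"service": "web-ui", "bind": "203.0.113.5", "port": 443,
                   "tls": True, "credentials": ("facilities", "Winter2018!")}],
    "outbound_ok": True,
}

if __name__ == "__main__":
    for label, state in (("NATed", NATED_CONTROLLER), ("public", PUBLIC_CONTROLLER)):
        result = audit_controller(state)
        print(f"{label}: isolate={result['isolate']}")
        for finding in result["findings"]:
            print("  -", finding)
```

The NATed controller gets no isolation verdict even though it passes the "can reach Google" test, because nothing it can see distinguishes a harmless NAT from a router that forwards port 80 to it; only an external probe (a vendor-run reflector the device asks to connect back to its management port) could settle that. The public-address case, by contrast, is unambiguous and is the one place a self-disabling network port as proposed above would be justified.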
About what percentage of your readers (or PTP followers for that matter) are actually still in school?
Or is there a way to calculate it from the number of schools that will still be closed after the snows due to frozen piping?
It looks like Parliament's push to get more students interested in IT may soon have real world results! ☺