The recent hack of the building management system in a Google office demonstrates how organizations should not trust third-party installers to adequately secure the technology.
Cylance, a security company focused on industrial control systems, broke into the Tridium-developed Niagara system in one of Google's Australian offices and showed how it could have taken full control of whatever automation systems were attached. Instead, the company notified Google, which took the system off the Internet.
Exactly what was accessible is not clear. Google said a hacker would only be able to change the temperature of the air conditioning or turn it off and on. Cylance said Wednesday the heating, ventilation and AC systems, as well as a water and energy meter, were attached. However, the company did not go far enough with the hack to determine exactly what it could control.
To hack the system, Cylance exploited a known vulnerability that had been patched by Tridium, but not deployed by the company that installed the device. Cylance declined to name the installer, and Google refused to say whether it checked the security of the system.
Cylance found more than 25,000 Internet-facing Niagara systems that could potentially have the same vulnerability. Organizations often have building management systems deployed and leave it up to the installer, also called an integrator, to secure the Internet interfaces, Cylance researchers said.
In Google's case, the Niagara system, which was maintained by the installer, was on a dedicated network that was not connected to the company's corporate network. Nevertheless, installers' work should never be trusted, and companies should make it a point to seek security guarantees, said Bill Rios, a security researcher for Cylance.
"This is not Google's fault," Rios, a former Google employee, said. "It's their building that's going to be affected by the compromise of this device, but they didn't actually put that device on the Internet."
Many Tridium Niagara systems in use today are left unpatched, leaving them vulnerable to attack, Rios said. "I don't think I've ever seen a Tridium Niagara machine on the Internet that was fully patched," Rios said. "And that's because integrators just simply aren't patching."
Tridium released a statement agreeing there's a problem with getting patches deployed. "We continue to work with our system integrators and customers to address the problem through seminars, forums and on-line training about security best practices."
Niagara is the software administration panel used to control HVAC, alarm and access control systems in buildings. The software is often housed in an appliance that's connected to the systems.
Knowing the patching problem, Cylance went searching for Niagara systems on the Internet using the SHODAN computer search engine. The site finds the IP addresses of the devices, but provides very few other details. Cylance developed a custom tool that used the addresses to uncover more information about the device itself, such as location and platform version.
Once the company figured out it had stumbled upon a Nigara system in a Google office, Rios and colleague Terry McCorkle used an exploit for the known vulnerability in order to retrieve the "config.bog" file, which contained the usernames and passwords for all the people with access to the software.
With passwords in hand, the Cylance researchers exploited another vulnerability to decode the passwords and find the administrator's credentials. Once that was found, Cylance was in a position to take advantage of a third flaw to jailbreak the system and take control of whatever systems were attached. Cylance stopped there, and contacted Google.
"We're grateful when researchers report their findings to us," Google said in an emailed statement. "We took appropriate action to resolve this issue."
Security problems associated with building automation systems and industrial control systems are well documented. The U.S. Department of Homeland Security has issued warnings about the increasing security risk of systems used by power utilities, water treatment plants and manufacturing.
As a result, security researchers have become more aggressive in exposing vulnerabilities to build awareness of the problem. In addition, Congress is considering legislation to require the sharing of information between government and private industry in order to better secure the systems.