Companies should review carefully the network access given to third-party engineers monitoring building control systems to avoid a Target-like attack, experts say.
Security related to providers of building automation and control systems was in the spotlight this week after the security blog KrebsOnSecurity reported that credentials stolen from Fazio Mechanical Services, based in Sharpsburg, Pa., were used by the attackers who stole 40 million debit- and credit-card numbers late last year from Target's electronic cash registers, known as point-of-sale (POS) systems.
The blog initially identified Fazio as a provider of refrigeration and heating, ventilation and air conditioning (HVAC) systems. The report sparked a discussion in security circles on how such a subcontractor's credentials could provide access to areas of the retailer's network Fazio would not need.
On Thursday, Fazio released a statement saying it does not monitor or control Target's HVAC systems, according to KrebsonSecurity. Instead it remotely handles "electronic billing, contract submission and project management," for the retailer.
Given that work, it is certainly possible that Fazio had access to Target business applications that could be tied to POS systems. However, experts interviewed before Fazio's clarification said that subcontractors who monitor and maintain HVAC and other building systems remotely often have far more access to corporate networks than they need.
"Generally what happens is some new business service needs network access, so, if there's time pressure, it may be placed on an existing network, (without) thinking through all the security implications," Dwayne Melancon, chief technology officer for data security company Tripwire, said.
Most building systems, such as HVAC, are Internet-enabled so maintenance companies can monitor them remotely. Use of the Shodan search engine for Internet-enabled devices can reveal thousands of systems ranging from building automation to crematoriums with weak login credentials, researchers have found.
Using homegrown technology, Billy Rios, director of threat intelligence for vulnerability management company Qualys, found on the Internet a building control system for Target's Minneapolis-based headquarters.
While the system is connected to an internal network, Rios could not determine whether it's a corporate network without hacking the system, which would be illegal.
"We know that we could probably exploit it, but what we don't know is what purpose it's serving," he said. "It could control energy, it could control HVAC, it could control lighting or it could be for access control. We're not sure."
If the Web interface of such a system sits on a corporate network, several security measures become essential.
All data traffic moving to and from the server should be closely monitored. To do their job, building engineers need to reach only a handful of systems, so monitoring software should immediately flag any traffic from the building system to anywhere else.
"Workstations in your HR (human resources) department should probably not be talking to your refrigeration devices," Rios said. "Seeing high spikes in traffic from embedded devices on your corporate network is also an indication that something is wrong."
In addition, companies should know the IP addresses used by subcontractors in accessing systems. Unrecognized addresses should be automatically blocked.
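The three checks above (traffic from a building system to a destination an engineer does not need, connections from an address that is not a known subcontractor address, and abnormal traffic volume from an embedded device) can be expressed as a small allow-list monitor over flow records. The script below is an added example, not code from the original article or from any vendor quoted in it; the device inventory, subnets, vendor address range, byte baseline and the flow log lines are all constructed for illustration.

```python
"""Flag building-system network traffic that strays outside an allow-list.

Added example for this article; every address, subnet and flow record here
is constructed for illustration and does not describe any real network.
"""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed inventory of building-control devices found on the corporate network.
BUILDING_SYSTEMS = {
    "10.20.0.11": "hvac-controller",
    "10.20.0.12": "refrigeration-unit",
}
# Assumed: the only destinations a building engineer legitimately needs
# (the building-systems VLAN itself and a vendor jump-host segment).
ALLOWED_DESTS = [ip_network("10.20.0.0/24"), ip_network("10.50.1.0/24")]
# Assumed: the subcontractor's known source address range (TEST-NET-3, a
# documentation range used here only as a placeholder).
VENDOR_SOURCES = [ip_network("203.0.113.0/28")]
CORP_NET = ip_network("10.0.0.0/8")      # assumed internal address space
HR_SUBNET = ip_network("10.30.0.0/24")   # assumed HR workstation subnet
BASELINE_BYTES = 50_000                  # assumed normal bytes per device per window
SPIKE_FACTOR = 10                        # flag a device exceeding 10x its baseline

# Constructed flow-log lines (one connection summary per line).
SAMPLE_FLOWS = [
    "t=1 src=203.0.113.5 dst=10.20.0.11 bytes=4200",    # vendor -> HVAC: expected
    "t=2 src=198.51.100.77 dst=10.20.0.11 bytes=900",   # unknown external -> HVAC
    "t=3 src=10.30.0.15 dst=10.20.0.12 bytes=300",      # HR workstation -> refrigeration
    "t=4 src=10.20.0.11 dst=10.50.1.2 bytes=1500",      # HVAC -> vendor jump host: expected
    "t=5 src=10.20.0.12 dst=10.40.7.9 bytes=700",       # refrigeration -> segment not needed
    "t=6 src=10.20.0.12 dst=10.20.0.1 bytes=600000",    # refrigeration -> gateway, huge volume
]

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) bytes=(\d+)")


def parse_flows(lines):
    """Return (src, dst, bytes) tuples for every line that matches the flow format."""
    flows = []
    for line in lines:
        m = FLOW_RE.search(line)
        if m:
            flows.append((ip_address(m.group(1)), ip_address(m.group(2)), int(m.group(3))))
    return flows


def in_any(addr, networks):
    return any(addr in net for net in networks)


def should_block(src):
    """True for an external source that is not a recognized subcontractor address."""
    return src not in CORP_NET and not in_any(src, VENDOR_SOURCES)


def analyse(lines):
    """Apply the allow-list rules and return a list of (rule, src-or-device, detail) alerts."""
    alerts = []
    bytes_by_device = defaultdict(int)
    for src, dst, nbytes in parse_flows(lines):
        src_s, dst_s = str(src), str(dst)
        if src_s in BUILDING_SYSTEMS:
            bytes_by_device[src_s] += nbytes
            # Rule 1: a building system talking to anything outside the allowed set.
            if not in_any(dst, ALLOWED_DESTS):
                alerts.append(("unexpected-destination", src_s, dst_s))
        if dst_s in BUILDING_SYSTEMS:
            bytes_by_device[dst_s] += nbytes
            # Rule 2: an external address that is not the known vendor range.
            if should_block(src):
                alerts.append(("unknown-vendor-source", src_s, dst_s))
            # Rule 3: ordinary workstations have no business reaching embedded devices.
            elif src in HR_SUBNET:
                alerts.append(("workstation-to-embedded", src_s, dst_s))
    # Rule 4: a volume spike from or to an embedded device.
    for device, total in bytes_by_device.items():
        if total > SPIKE_FACTOR * BASELINE_BYTES:
            alerts.append(("traffic-spike", device, str(total)))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_FLOWS):
        print(*alert)
```

The source-address rule is deliberately written as an allow-list rather than a block-list: any external address that is not one the subcontractor has registered is treated as hostile, which is what automatic blocking of unrecognized addresses amounts to in practice. The volume threshold is a placeholder; a real deployment would derive the baseline from observed traffic for each device.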
Better credential management is another way to prevent such an attack. In practice, a subcontractor's employees often share a single set of credentials to access a customer's systems, and those credentials are seldom changed, even when an employee leaves the company.
"That's why it's doubly important to make sure those accounts and systems have very restricted access, so you can't use that technician login to do other things on the network," Melancon said.
Every company should do a thorough review of its networks to identify every building system. "Understanding where these systems are is the first step," Rios said.
Discovery should be followed by an evaluation of the security around those systems that are on the Internet.