
Governance & Risk Management, Legacy Infrastructure Security
Claroty Finds Critical Vulnerabilities in Building Management Systems
Prajeet Nair (@prajeetspeaks) •
July 4, 2025

Automation and remote connectivity in smart buildings don’t just help building managers – hackers also love them, especially when the underlying systems treat security as an afterthought and depend on outdated, unpatched or outright obsolete technology. That is a fair description of smart building tech today.
The state of smart building security is “the cyber equivalent of putting a ‘kick me’ sign on someone’s back,” said Grant Geyer, CSO of industrial security firm Claroty.
What could go wrong with automated and remotely accessible systems that collect temperature, energy and water consumption data? Hackers in 2021 partially answered that question when a German building automation engineering firm found that attackers had disabled hundreds of its building automation control devices. “What had been a smart building before had lost its smartness completely, as its brains and nervous system were missing,” an Austrian operational technology security firm reported in 2023. Hackers bricked the devices, requiring engineers to manually reset circuit breakers.
Smart buildings aren’t quite as notorious a target for industrial hacking as sectors such as energy or water. But it’s not for lack of vulnerabilities, finds research from Claroty. The cyber-physical security firm analyzed more than 467,000 building automation systems across 529 organizations and found widespread exposure to known exploited vulnerabilities, particularly in building management systems and automation controllers.
“What security and risk management leaders need to know is that they have these OT assets in their networks, they are infrequently secured, at times internet exposed, with the potential for non-trivial impact,” Geyer said.
The potential for damage extends beyond stuffy air or sweltering conditions. If a targeted smart building is a data center, hackers could tinker with fire suppression systems and backup generators. A big enough breach could have hackers changing environmental conditions to cause servers to overheat or trigger alarms, shutting down operations. In buildings with food operations, hackers could endanger safety by tampering with refrigeration controls.
Most building automation systems weren’t designed with internet connectivity or security in mind, yet they’re increasingly being integrated into enterprise IT environments without sufficient protections. Attackers can exploit unpatched flaws, default credentials, or weak access controls to compromise physical environments.
Of the building management systems – centralized platforms that aggregate data taken from building automation subsystems – analyzed by Claroty, three-quarters contained flaws known to have been exploited by hackers. Nearly seven out of 10 of those systems had vulnerabilities previously exploited during ransomware attacks.
Half of the organizations with a building automation system had devices that both contained known vulnerabilities and were insecurely connected to the internet, Claroty found.
Compounding the risk is widespread use of communication protocols such as BACnet, KNX and Modbus, which carry neither encryption nor authentication unless optional secure variants such as BACnet Secure Connect (BACnet/SC) or KNX IP Secure are deployed. In practice, anyone who can reach the protocol port can discover, read from and write to the device.
Claroty’s analysis shows that more than 23,000 devices using BACnet or KNX IP are currently exposed to the internet, according to results from the Shodan device search engine.
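To make “no encryption or authentication” concrete, here is an added example (not code from Claroty or the article) in Python that builds the BACnet/IP Who-Is broadcast any host can send to UDP/47808 and decodes a constructed I-Am reply of the kind Shodan harvests from internet-exposed controllers. The frame layout follows the published BACnet/IP encoding (BVLC header, NPDU, APDU); the sample frame bytes, device instance and vendor ID are constructed for the example.

```python
# Added example: BACnet/IP (UDP/47808) discovery has no credential or
# encryption layer. Every field below is readable by anyone on the path.

BVLC_TYPE = 0x81                  # BACnet/IP
BVLC_ORIGINAL_BROADCAST = 0x0B
NPDU_DEST_PRESENT = 0x20          # control bit: DNET/DLEN/DADR + hop count follow
NPDU_SRC_PRESENT = 0x08           # control bit: SNET/SLEN/SADR follow
APDU_UNCONFIRMED_REQUEST = 0x1
SERVICE_I_AM = 0x00
SERVICE_WHO_IS = 0x08
OBJ_TYPE_DEVICE = 8

# Constructed I-Am: device instance 1234, max APDU 1476, no segmentation, vendor 8.
SAMPLE_I_AM = bytes.fromhex("810b0014 0100 1000 c4020004d2 2205c4 9103 2108")


def build_who_is() -> bytes:
    """Global-broadcast Who-Is. Every reachable device answers with I-Am."""
    npdu = bytes([0x01, NPDU_DEST_PRESENT, 0xFF, 0xFF, 0x00, 0xFF])  # DNET 0xFFFF, hop 255
    apdu = bytes([APDU_UNCONFIRMED_REQUEST << 4, SERVICE_WHO_IS])
    body = npdu + apdu
    header = bytes([BVLC_TYPE, BVLC_ORIGINAL_BROADCAST]) + (4 + len(body)).to_bytes(2, "big")
    return header + body


def _read_tag(buf: bytes, pos: int):
    """Decode one application-tagged primitive: (tag number, value, next pos)."""
    tag = buf[pos]
    if tag & 0x08:
        raise ValueError("context tag not expected in I-Am")
    tag_no, length = tag >> 4, tag & 0x07
    pos += 1
    if length == 5:                    # extended length lives in the next octet
        length, pos = buf[pos], pos + 1
    data = buf[pos:pos + length]
    if len(data) != length:
        raise ValueError("truncated tag")
    return tag_no, int.from_bytes(data, "big"), pos + length


def parse_i_am(frame: bytes) -> dict:
    """Return the identity a device discloses, unauthenticated, in I-Am."""
    if len(frame) < 4 or frame[0] != BVLC_TYPE:
        raise ValueError("not BACnet/IP")
    if int.from_bytes(frame[2:4], "big") != len(frame):
        raise ValueError("BVLC length mismatch")
    pos = 4
    if frame[pos] != 0x01:
        raise ValueError("unsupported NPDU version")
    control = frame[pos + 1]
    pos += 2
    if control & NPDU_DEST_PRESENT:
        pos += 3 + frame[pos + 2]      # DNET(2) + DLEN(1) + DADR(DLEN)
    if control & NPDU_SRC_PRESENT:
        pos += 3 + frame[pos + 2]      # SNET(2) + SLEN(1) + SADR(SLEN)
    if control & NPDU_DEST_PRESENT:
        pos += 1                       # hop count
    if frame[pos] >> 4 != APDU_UNCONFIRMED_REQUEST or frame[pos + 1] != SERVICE_I_AM:
        raise ValueError("not an I-Am")
    pos += 2
    fields = []
    while pos < len(frame):
        fields.append(_read_tag(frame, pos))
        pos = fields[-1][2]
    (t0, obj_id, _), (t1, max_apdu, _), (t2, seg, _), (t3, vendor, _) = fields[:4]
    if (t0, t1, t2, t3) != (12, 2, 9, 2):   # objectid, unsigned, enumerated, unsigned
        raise ValueError("unexpected I-Am tag sequence")
    return {
        "object_type": obj_id >> 22,
        "device_instance": obj_id & 0x3FFFFF,
        "max_apdu": max_apdu,
        "segmentation": seg,
        "vendor_id": vendor,
    }


if __name__ == "__main__":
    print("Who-Is:", build_who_is().hex())
    print("I-Am:", parse_i_am(SAMPLE_I_AM))
```

Nothing in either frame identifies or authenticates the sender, which is why a firewall rule or segmentation boundary in front of UDP/47808 is the only control that decides who gets to enumerate and talk to the controller. BACnet/SC moves this exchange inside a TLS session, but only where it has actually been deployed.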
Building management systems “are commonly not on the radar of cybersecurity teams,” Geyer said. They’re typically installed by staff who are building engineers first and IT personnel a distant second. That leaves plenty of systems running with default credentials and insecure protocols.
As is the case with industrial environments, upgrading smart buildings isn’t the same as replacing an outdated company laptop. Buildings last a long time. Windows operating systems you’d never see in an IT environment today are prevalent – even versions of Windows XP. Vulnerabilities in those unsupported systems will never be patched, resulting in “forever day” vulnerabilities whose only mitigation is layered compensating controls – which in many cases aren’t there.
Given operational constraints that prevent a rip-and-replace of old systems, Claroty suggests discipline in network management. Segment and firewall the network. Make sure third-party remote access tools are locked down. Check for unexpectedly open network ports.
Claroty also advocates for continuous threat exposure management instead of traditional CVSS-based vulnerability scoring for building management systems. CTEM focuses on prioritizing threat mitigation by tackling the vulnerabilities most likely to be exploited and their risk to the organization.
“Operators should first focus on identifying the BMS that are essential to sustaining mission-critical operations, like building safety, efficiency and business continuity,” Geyer said. “Organizations should map out key operational processes and determine which BMS supports them.”
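The following Python is an added illustration of the prioritization idea above, not Claroty’s scoring method or tooling. It ranks a constructed inventory of BMS findings by known exploitation, ransomware use, internet exposure and whether the asset supports a mission-critical process, using CVSS only as a tie-breaker, and pairs each finding with the compensating control the text describes. The weights, asset names and the inventory itself are assumptions made for the example.

```python
# Added example: exposure-driven prioritization of BMS findings versus
# CVSS-only ordering. Weights and sample inventory are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    asset: str
    cvss: float
    known_exploited: bool          # e.g. on a known-exploited-vulnerability list
    ransomware_use: bool           # flaw previously used in ransomware campaigns
    internet_exposed: bool         # reachable from the internet (Shodan-visible)
    supports_critical_process: bool  # mapped to a mission-critical operation
    unsupported_os: bool           # "forever day": no vendor patch will come


# Illustrative weights (assumption): exploitation evidence and exposure
# dominate; CVSS only separates otherwise equal findings.
W_KNOWN_EXPLOITED = 40
W_RANSOMWARE = 15
W_INTERNET = 25
W_CRITICAL = 15


def exposure_score(f: Finding) -> float:
    score = 0.0
    if f.known_exploited:
        score += W_KNOWN_EXPLOITED
    if f.ransomware_use:
        score += W_RANSOMWARE
    if f.internet_exposed:
        score += W_INTERNET
    if f.supports_critical_process:
        score += W_CRITICAL
    return score + f.cvss


def recommended_action(f: Finding) -> str:
    """Compensating control first when a patch is impossible or exposure is direct."""
    steps = []
    if f.internet_exposed:
        steps.append("remove direct internet exposure; firewall to the BAS segment")
    if f.unsupported_os:
        steps.append("no patch available: isolate segment and lock down remote access")
    elif f.known_exploited:
        steps.append("patch in the next maintenance window")
    else:
        steps.append("track; patch on normal cycle")
    return "; ".join(steps)


def prioritize(findings):
    """Exposure-driven order (highest score first)."""
    return sorted(findings, key=exposure_score, reverse=True)


def by_cvss_only(findings):
    """What a plain severity-sorted list would produce, for comparison."""
    return sorted(findings, key=lambda f: f.cvss, reverse=True)


# Constructed inventory.
SAMPLE = [
    Finding("bms-hq-01", 7.5, True, True, True, True, True),
    Finding("ahu-controller-12", 9.8, False, False, False, False, False),
    Finding("chiller-plc-03", 8.1, True, False, False, True, False),
    Finding("lobby-display-07", 8.8, False, False, True, False, False),
]


if __name__ == "__main__":
    for f in prioritize(SAMPLE):
        print(f"{exposure_score(f):6.1f}  {f.asset:18}  {recommended_action(f)}")
    print("CVSS-only order:", [f.asset for f in by_cvss_only(SAMPLE)])
```

The CVSS 9.8 flaw on an isolated air-handling controller lands last, while the CVSS 7.5 flaw on the internet-exposed, Windows-XP-era head-end that runs a critical process lands first. That inversion is the practical difference between CTEM-style prioritization and a severity-sorted scan report.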