Next week, in Memoori’s Interactive Webinar, we will be joined by Billy Rios, one of the two men responsible for hacking into the Building Automation System at Google’s Australian headquarters back in 2013.
The planned cyber assault was designed to test the internet giant’s resolve against malicious hacking; it also raises concerns over cyber security in our increasingly online and smart buildings.

Despite Google's implementing a relatively high level of authentication, researchers Billy Rios and Terry McCorkle, from information security company Cylance, were able to bypass these restrictions easily, primarily because the system was not kept up to date.
From here, Rios and McCorkle had full run of Google's Building Management System, and stated that they could have rooted the device. Rooting would provide the pair of researchers with access to a machine from which they could conduct further attacks. Google, however, disagreed with Cylance’s claim, a Google spokesperson announcing that the device accessed by the researchers was capable only of managing the air conditioning system and nothing more.
Rios and McCorkle chose not to root the device, but instead reported the issue to the company via its Vulnerability Rewards Program. However, Google stated the issue was not eligible for a reward. The official statement read “Google is grateful when researchers report their findings, and that it has taken appropriate action to resolve the issue”. According to Cylance, the system was then pulled offline.
As Memoori explored in an article last year, Google’s Australian headquarters uses a building management system that’s built using the Tridium Niagara AX platform.
Rios and McCorkle had previously contacted Tridium regarding a directory traversal vulnerability in July 2012, which could allow access to restricted files within the management system. The company quickly issued an alert to its customers to take precautionary steps.
Tridium then released a security patch to further address the issue in August, and noted in a security alert that a specific file, config.bog, could be a security risk if attackers were able to access it. A second patch against directory traversal was released in February this year.
The attack highlights the increasing vulnerability in our modern interconnected world. As the excitement and development continue in the Smart Building and Internet of Things (IoT) space, it leaves us vulnerable to attacks not only on our private information, but also on the built environment around us.
Do you have any questions for Billy Rios? Join us on Thursday, Mar 19, 4PM GMT for our interactive webinar entitled "Cyber Security in Smart Buildings - The Elephant in the Room!"
The increasing focus on making buildings more energy efficient, secure and responsive to changing conditions is resulting in a plethora of web-enabled technologies. Building Management Systems are not only more tightly integrated with each other, they are also integrated with systems outside the building, like the Smart Grid.
The threat that such systems pose is twofold, analysts said. Many of the web-enabled intelligent devices embedded in modern buildings have little security built into them, making them vulnerable to attacks that could disrupt building operations and create safety risks.
Web-connected, weakly protected building management systems also could provide a new way for malicious attackers to break into enterprise business systems that are on the same network.
The massive data theft at US retail giant Target, for example, started with hackers finding their way into the firm’s network using the access credentials of a company that remotely maintained the retailer's heating, ventilation and air conditioning (HVAC) system. In the Target example, the breach appears to have happened because the company did not properly segment its data network.
Such issues seem set to become more common as building management systems become increasingly intelligent and interconnected, suggested Hugh Boyes, cyber-security lead at the Institution of Engineering and Technology, a UK-based professional organization promoting science and engineering.
"It creates some interesting challenges for enterprise IT", Boyes said. "They need to know there are some increasingly complex networks being put into their buildings that are running outside their control".
Many of the devices integrated in smart buildings have little security built into them and come from vendors that are unfamiliar to most IT organizations. Suppliers in the building automation and consumer electronics industries don't have the same kind of processes in place that IT vendors do for responding to vulnerabilities in their products.
Cyber security has become second nature to Internet and IT companies, which is not to say they’ve mastered it, but that it has become a daily element in their businesses. Like power supply, or data processing capacity, the limitations created by cyber security represent the limitations on the product or service as a whole.
If building and automation firms want to enter this space, then surely they must have the highest regard for the dynamic world of cyber security, because the threats are all too real.