Who’s Guarding the Back Door of Your Network?

backdoor_feat0825

As I have written about on many occasions in this column, the Internet of Things (IoT) is rapidly becoming the norm allowing for greater facilities flexibility, accessibility, and sustainability. The Information Communications Technology (ICT) industry is leading the IoT charge by connecting everything from audiovisual devices, security systems, and other telcom networks into network enabled building systems such as HVAC, lighting and electrical.

Upcoming changes to ASHRAE 189.1 will require even greater control and management over plug load devices, load shedding capability, and power management, with all of this being done over the building’s IT network. This ultimately, through smart design and best practices, requires intelligent uninterruptable power supplies (UPS), power sequencers and power distribution units (PDU) to achieve the goals of the new ASHRAE standard combined with new ways of thinking about data management. In addition to this many, if not all, of the active devices have some connection to the outside world for remote monitoring and control capability.

On many levels all of this convergence onto the network has helped to dramatically reduce the carbon footprint of the built environment through real time monitoring, feedback, and control. This, in turn is creating a greater opportunity for efficiency by combining the intelligence of disparate systems. As has been pointed out in previous articles here, this ultimately creates a data overload that needs to be parsed, organized, and digested to gain the best use scenario for all systems involved whether it is a machine‐to‐machine interaction or a man‐to‐machine, multiple buildings across a campus or continents, or simply a single tenant office building. The new generation of facilities managers and building owners has had to quickly become fluent in IT protocols that each of these systems may speak such as telnet, BACNet, LonWorks, TC/IP, HTTP, ModBus and SNMP to name a few and how to manage them and get them to play nice together.

featured-aeiforaThis picturesque utopia of the connected world reminiscent of Sci‐Fy films galore does, like Star Wars, have its dark side — namely data access and breaches. If you have been paying attention in the news lately there have been many high profile data breaches: Target, Home Depot, Sony Pictures, Ebay, JP Morgan Chase, U.S. Office of Personnel Management (twice) and many others. Each of these breaches resulted in some serious mischief including the loss of personal information, credit card numbers, and large scale viruses being deployed across global networks costing billions of dollars in damages. With our effort to continue to be more energy efficient in the built environment, cyber security should be at the forefront of every systems designer, building owner, IT manager and facilities director’s mind.

There are many ways to secure data and IT professionals are pretty savvy when it comes to the strategies they deploy to enable network security. This is done via various types of firewalls, software that monitors traffic, and specific network topographies that can limit access to data all through control at the upper layers of the seven‐layer model of internet protocol. There is, however, one area that is often either overlooked or not really thought of as important for network security and that is the actual physical network security through the lower levels of the IP layers.

Forrester Research has dug into this topic and provided what it calls a “Zero Trust Model” approach where both internal and external traffic is viewed as a threat. They have concluded that the majority of all recent security breaches are now occurring inside an organization’s data network. This is not to say that there are armies of rogue employees bent of destruction of the corporate world, but simply that many unknowing pawns have opened Pandora’s Box to hackers.

The explosion of Bring your Own Device (BYOD) into the corporate, government, and higher education environments has forced ICT professionals to allow access to internal data networks for tablets, smart phones or personal laptops. Some operating systems of this BYOD hardware are more prone to spy bots, malware, and other nasties that can easily transfer themselves onto the network once inside. This has put more of a spotlight on the BYOD movement for security. However Smart Building Technology can easily be accessed via building networks and an infected BYOD unit can connect to any other device within its network

In addition to unintentional attack via an infected BYOD system, Smart Building Equipment can also be readily accessible physically in unsecured areas such as a conference room, lobby, or desks providing easy access to unscrupulous saboteurs. Foreign nations, our own Government, and non‐nation organizations and individuals have begun to attack these devices we are deploying to help make a building more energy efficient by providing a back door to internal networks.

In 2014 Cisco published in its Annual Security Report that the danger has become an exploitation of trust from users in their systems, security measures, employees and the clients they regularly interact with.

In the not so distant past, it was not uncommon for cyber criminals to embed malware into PDF documents and easily figure out emails form leadership within an organization and create fake emails to underlings who readily opened the documents unsuspectingly unleashing havoc in the network. It was based on trust, or the need to accept a million dollars from a prince in Nigeria for safe-keeping. We can be naïve and trusting in the rush of a day’s work.

So why is this important? Every single piece of Smart Building Equipment we are talking about relies on two things — power and cooling, both typically are controlled on the network and require mission critical power backup, control, and cooling to operate at peak performance. If a hacker can gain access to these systems through a back door it can get on the network and steal, corrupt, or destroy data on the network or take over physical control of all the building systems of the network. Securing the smart building infrastructure is no longer optional but mission critical.

See also  Extron Only ProAV Manufacturer to Pass Accreditations for New UL Standard

A key way this is accomplished is by exploiting weaknesses in the standard network protocols mentioned above Simple Network Management Protocol (SNMP) cards that are the mainstream of power management and control systems and they are also particularly susceptible to exploitation. Because having a meltdown or power loss within an IT network is catastrophic these days on its own, the ability to monitor and control these systems is a must. However, SNMP cards provide what is considered to be minimal security by the network security industry. Thus, they offer opportunity for both inside and outside access through network protocol ports that are open by default. Open ports on SNMP cards usually include HTTP, Telnet and FT, none of which offer encryption of passwords. This can allow a hacker to connect to an SNMP card, explore a data network undetected, penetrate other SNMP devices, change settings, or even disable emergency notifications that could alert IT professionals of trouble allowing them to deploy Trojans and other malicious software.

Why this is not often considered is an over reliance of industry standards as the only means of protection. Basically the mentality is that “If I follow the Standards, I must be safe.” Hint: Hackers don’t follow standards other than to find weaknesses to exploit. I am not saying that standards are bad, but as we have seen in the ICT industry, there are many to choose from just pick the one you like and it is not a guarantee that they all work together without causing problems. As an example pointed out in the white paper “The Need for Securing Mission Critical Infrastructure” by AlphaGuardian’s Robert Hunter and Chet Sandberg, organizations are relying on what turns out to be an audit report that is actually being peddled by industry manufacturers and professionals as a “certification.” This audit report, by the Financial Accounting Standards Board (FASB), is the Statement on Standards for Attestation Engagements (SSAE) #16 and is an audit report on controls at a service organization that is actually a compliance report not a standard in itself.

Organizations can have an audit done by a qualified firm based on one of three categories of Service Organization Control (SOC) reports (SOC1, SOC2, SOC3) with the latter two levels based on the Trust Principals of security and availability. The metrics used in the audit include the organization’s policies, communications of the defined policies, procedures to achieve its objectives, and monitoring compliance. None of these areas focus on cyber or physical attacks on the infrastructure of the network which can give a false sense of security to the organization. This also does not take into account various management consoles such as building automation systems, energy management systems, and others as discuss previously. Additionally the Department of Homeland Security Industrial Control Systems Cyber Emergency Response Team (ICS‐CERT) has reviewed several BMS and System Control and Data Acquisition Systems and found several vulnerabilities that would allow attackers to easily gain access. In short order the systems we in the ICT industry design and implement in our altruistic effort to lower a building’s carbon footprint are a weak link in the chain.

The key to countering this vulnerability in technology that helps us increase and maintain a building’s energy efficiency is in securing the infrastructure firewall system. AlphaGuardian has outlined the following starting points for a competent infrastructure firewall:

  • The ability to competently and completely repel an attack
  • Be able to instantly notify key personnel of an attack
  • The ability to allow the facilities manager and building owner’s access to the required data and control remotely while keeping the data secure from unwanted

AlphaGuardian’s solution, RackGuardian, differs from a traditional enterprise data firewall in that the traditional firewall method (which is what most people think of when you think of a firewall) is a rules‐ based solution that controls bi‐directional data flow through a credentialing solution. These credential-based firewalls can unfortunately be tricked into allowing access into a network and this allows a hacker to access critical devices and data. A recent solution to this problem was the creation of the diode‐firewall that limits traffic to a single direction much like its electronics equivalent. This has excellent protection but significantly reduces flexibility in a system. Critical to this is compatibility with internal servers and components that are not diode firewall friendly or the limitations in the need to make updates to remote devices through that firewall.

The RackGuardian solution looks to combine the best of both firewalls where it acts like a diode firewall until an encrypted and verified signal from a known-server allows for two‐way secure communication. Since every communication must be originated from the RackGuardian for it to pass, it easily rejects attempts at hacking. Because this physical firewall device is between the critical power system, the server, and the corporate data it offers multiple layers of protection and the ability to have several layers of notification in the event of any attempt of intrusion. Additionally if the data stream is interrupted it will also trigger an alarm to through the secure WebSockets‐based messaging system. All data with respect to a system that the RackGuardian is protecting is culled for anomalies on a regulated bases using statistical analysis and pushed directly to the secure server. Any anomaly is instantly communicated to the manager.

Solutions such as this should be seriously considered as part of any smart building technology in the ICT industry to provide clients an additional level of security against breaches and to prevent the fingers from being pointed towards the ICT industry as the weak link. Implementing technology to control and manage ICT technologies while reducing the carbon footprint of the built environment is only going to continue to increase in the upcoming years as building owners demand it and code officials require it. Being smart about securing the data side will put you ahead of the competition, reduce your liability, and hopefully provide repeat business.