While much of cybersecurity focuses on protecting information technology (IT) systems, data and intellectual property, digital transformation has changed the game. As more systems are connected to the internet through the Industrial Internet of Things (IIoT), sectors like critical manufacturing, energy, chemical and water/wastewater need to be concerned about protecting their operational technology (OT) assets. One key sector that often gets overlooked, despite being listed as part of the Cybersecurity and Infrastructure Security Agency’s (CISA) critical infrastructure sectors, is commercial facilities.
In 2013, one of the most tech-savvy companies on the planet, Google, had its building control system hacked at its offices in Sydney, Australia. This feat was accomplished by two security researchers, considered ethical hackers, who claimed that hundreds of other buildings had similar vulnerabilities and could easily have suffered the same fate. Of course, it stands to reason that if a company like Google was vulnerable, almost anyone would be.
Commercial facilities hacking
In early April, CISA and other government agencies put out a joint cybersecurity advisory warning that advanced hackers had proven they could take control of several programmable logic controllers (PLCs) that are used to run manufacturing plants and energy facilities. The dangers of attacks on many critical infrastructure sectors are quite clear. If an attacker can take control of an energy grid, a water/wastewater facility (as they did with Oldsmar in Florida) or a nuclear plant, they can cause serious damage to public health and safety as well as the environment.
While perhaps not as outwardly frightening, an attack on the commercial facilities sector can do the same thing. Now that everything from elevators to HVAC to camera and alarm systems is connected to the internet, threat actors have the ability to digitally disrupt physical systems. Imagine someone tampering with the elevators in a high rise, causing a boiler to explode or simply locking the doors and raising the heat to dangerous levels.
According to CISA, the commercial facilities sector is especially susceptible to attack because it operates on the principle of open public access. People are able to move freely, and “the majority of these facilities are privately owned and operated, with minimal interaction with the federal government and other regulatory entities.”
The commercial facilities sector consists of eight subsectors: entertainment and media (e.g., motion picture studios, broadcast media), gaming (e.g., casinos), lodging (e.g., hotels, motels, conference centers), outdoor events (e.g., theme and amusement parks, fairs, campgrounds, parades), public assembly (e.g., arenas, stadiums, aquariums, zoos, museums, convention centers), real estate (e.g., office and apartment buildings, condominiums, mixed use facilities, self-storage), retail (e.g., retail centers and districts, shopping malls) and sports leagues (e.g., professional sports leagues and federations).
The Google Wharf 7 hack
The Google hack started with two U.S.-based IT security researchers, Billy Rios and Terry McCorkle of security firm Cylance, who were able to easily hack into the building control system for Google’s Wharf 7 office headquarters, located on the water in the Pyrmont section of Sydney. Building control systems are computer-based systems that control and monitor a facility’s mechanical and electrical equipment — things like HVAC, fire protection and lighting. The duo found that the Australian building was vulnerable after locating it on the Shodan search engine, a popular hacker site that maps out vulnerable devices on the internet.
The Wharf 7 facility was using a building management system built on the Tridium Niagara AX platform, a platform that had been shown to have serious security issues, according to an article on the incident in Wired. Tridium had released a patch for the system at the time, but Google had not applied it, a common security lapse that accounts for many cyber intrusions. The researchers were thus able to obtain the administrative password (anyonesguess), giving them access to building control panels.
The system they hacked was running off a DSL line and controlled only the building’s heating and air conditioning, but it still showed water lines and buttons marked “active overrides,” “active alarms,” “alarm console,” “LAN Diagram,” “schedule” and the building management system key. Because the pair was not out to do damage, they did not disrupt any of Google’s systems and quickly reported the issue to the tech giant.
“We didn’t want to exercise any of the management functionality on the device itself. It’s pretty fragile, and we don’t want to take that thing down,” said Rios in the Wired article.
“From that point, we could have actually installed a rootkit,” said McCorkle in the same article. “We could have taken over the operating system and accessed any other control systems that are on the same network as that one. We didn’t do that because that wasn’t the intent. … But that would be the normal path if an attacker was actually looking to do that.”
While the unpatched vulnerabilities gave the ethical hackers tremendous access — including blueprints to the floor and roof plans and diagrams of the water pipes in the building — a Google spokesperson said that the hacked system was not connected to any of the other building automation systems, other than HVAC.
Remediation of the Google hack
After being contacted by the researchers, Google confirmed the Wharf 7 breach and said it had disconnected the control system from the internet.
“We’re grateful when researchers report their findings to us,” the spokesperson told Wired. “We took appropriate action to resolve this issue.”
McCorkle, who first located the Google building on Shodan, created a spreadsheet listing all the Tridium-based control systems connected to the internet. There were more than 25,000. By searching the Tridium website, Wired found that these included a government office building in Chicago, a British Army training facility, Boeing’s manufacturing facilities, the Changi airport in Singapore, the Four Points Sheraton hotel in Sydney, and many other facilities spanning the globe.
Despite the fact that a patch existed for the Tridium vulnerability, Google — again, presumably one of the most tech-forward companies on the planet — had not implemented the patch. This likely does not bode well for the other 25,000 vulnerable systems. In fact, Rios told the Sydney Morning Herald that they had discovered thousands of building control systems on the internet that were just as exploitable, including “hospitals, banks and government buildings.”
Given that commercial facilities generally draw huge crowds, it’s essential that their systems have robust cybersecurity in place. Hackers of a commercial facility can do a lot more damage than simply ransoming company data; they can take aim at human and environmental safety.