The use of the Internet to manage electronic platforms that control such things as heating, ventilation and air conditioning (HVAC) systems presumably seemed like a good idea when implemented. That marriage today, however, appears to be about as well thought out as the one between Kim Kardashian and Kris Humphries.
The reason is that the Internet is inherently insecure. Much of the security work of the past two decades has been aimed at retrofitting it with hardware and software to mitigate that failing. As with all such retrofits, it is a spotty process filled with successes and failures. Meanwhile, HVAC – not to mention other hugely important platforms that now ride on the Internet, such as those that manage nuclear reactors, energy distribution and public transportation – really must be airtight. If they aren’t, the comfort and safety of millions of people will be compromised.
Don’t think the bad guys haven’t noticed. MIT Technology Review’s Tom Simonite today writes about a project by Trend Micro researcher Kyle Wilhoit that features honeypots – Internet entities designed to attract malicious hackers (crackers) – aimed at HVAC systems.
Wilhoit created three honeypots that differed slightly. The attacks started 18 hours after he went online:
A total of 39 attacks were mounted on Wilhoit’s honeypots, some of which involved modifying the settings of the physical system they appeared to control. Attacks appeared to originate from computers in a variety of countries, with 35 percent from China, 19 percent from the U.S., and 12 percent from Laos. Attackers often appeared to use automated tools that search out industrial systems on the Internet before investigating more thoroughly.
The problem of trying to add protections to the Internet is simple: Actual use of emerging patches and other fixes depends on the end user. The difference between an organically secure network and one in which security is added later is akin to the difference between cars that come with seat belts and those that offer them if the owner stops by the dealership. Luckily, seat belts are mandatory – but Internet security isn’t, in a real sense.
Even Google doesn’t always keep up. A Wired story this week found that the building management system – presumably, an HVAC or HVAC-like system – controlling the company’s Wharf7 office in Sydney, Australia, was vulnerable due to operator negligence:
Google Australia uses a building management system that’s built on the Tridium Niagara AX platform, a platform that has been shown to have serious security vulnerabilities. Although Tridium has released a patch for the system, Google’s control system was not patched, which allowed the researchers to obtain the administrative password for it (“anyonesguess”) and access control panels.
This type of activity is common. Last month, CSO Online posted on attacks on the Tridium software that were reported by the U.S. Cyber Emergency Response Team (US-CERT). One of the attacks was designed to take down the air conditioning in a data center. The story pointed out how dangerous this is: The time between when the cool air stops flowing and a data center going offline can be as little as five minutes.
There is no easy answer to the challenge of protecting HVAC and other critical systems. On one level, the best approach is for organizations using the Internet to manage these vital infrastructure elements to keep abreast of patches and other tools that can help. That’s a bit disconcerting, however, since the overall level of compliance with this best practice is mixed at best.