What can we learn from the Target data breach?

by Jim Butler February 21, 2014

The Target data breach is far from unique, but the amount of attention and expert analysis it has received should provide an excellent learning opportunity for the building automation community.

It has been widely reported that the initial victim of the attack against Target was a company that provides mechanical services to Target. According to KrebsOnSecurity, it appears that the initial attack was via email. You have probably seen email messages that try to entice you into clicking on a link or opening an email attachment; in fact, I receive many such email messages every day, most of which are from people that I know well. However, occasionally I receive a message that was constructed with the purpose of attacking the PC (or other device) that I am using to read the message. Such an email might have an attachment containing malware or a link to a website that will attempt to install malware on my device. Hopefully my antivirus software will protect me, but antivirus software will not catch everything, so I need to be careful about what links I follow and what email attachments I open.

Let's assume that one day I slip up and my antivirus software does not save me, with the result that malware is installed on my PC. Depending on the nature of the malware, the "bad guys" behind the attack on my PC may now have access to my PC, which means that they may be able to use my PC to access or attack other systems. They might also install a keystroke logging program that can be used to record passwords (and other sensitive information) that I type.

Automation Systems and the Internet

If you are in charge of your organization's building automation system, you might have asked yourself whether the system's operator workstations should be allowed to be used for email or visiting websites. I have come to the conclusion that in general, operator workstations should not have internet access and should not be used for email. This is especially true if the operator workstation performs an essential function, such as alarm management or collecting important trend data. Although building operators and service personnel that use the operator workstations have legitimate reasons to access the Internet, access can be provided using other devices that are not connected to the building automation system.

More broadly, I believe that a strong case can be made for creating isolated networks for building automation systems. By that, I do not mean 100% physical isolation with dedicated wiring. And there is still a strong case for allowing service providers limited remote access to the building automation systems, although this comes with some risk that must be carefully managed.

In the case of Target, it appears that attackers used a service provider's access to one Target system in order to attack other systems. That service provider's credentials to access the Target system were most likely stolen following the initial successful attack. The attackers then exploited other weaknesses in Target's systems in order to ultimately gain access to credit card records.

The Target data breach illustrates the risk of allowing service providers remote access to any of your systems. When you do a risk assessment, a good assumption is that your service providers' systems will be compromised at some time in the future. However, for most organizations, the benefits of allowing remote access can be pretty compelling, and therefore the question will be how to manage the risk. Your organization's IT staff have relevant expertise, so it is time to get to know them better.
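The two recommendations above (operator workstations with no Internet access, and service-provider remote access limited to a controlled entry point) can be turned into checks that run over network flow records. The script below is an added example, not code from Cimetrics or from the original post; the BAS subnet, workstation addresses, gateway address and flow-record format are all assumptions constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# Assumed layout for this example: one automation VLAN, two operator
# workstations, and one remote-access gateway that vendors must go through.
BAS_NET = ipaddress.ip_network("10.20.0.0/16")
OPERATOR_WS = {"10.20.1.10", "10.20.1.11"}
REMOTE_GATEWAY = "10.20.250.5"
BACNET_PORT = 47808  # BACnet/IP default UDP port (0xBAC0)


@dataclass
class Finding:
    record: str
    reason: str


def parse(record):
    """Constructed flow format: '<src_ip> <dst_ip> <proto> <dst_port>'."""
    src, dst, proto, dport = record.split()
    return ipaddress.ip_address(src), ipaddress.ip_address(dst), proto.lower(), int(dport)


def check(record):
    """Return a Finding if the flow violates the isolation policy, else None."""
    src, dst, proto, dport = parse(record)
    src_in, dst_in = src in BAS_NET, dst in BAS_NET
    if proto == "udp" and dport == BACNET_PORT and src_in != dst_in:
        return Finding(record, "BACnet/IP crossing the automation network boundary")
    if str(src) in OPERATOR_WS and not dst_in:
        return Finding(record, "operator workstation initiating traffic outside the BAS network")
    if not src_in and dst_in and str(dst) != REMOTE_GATEWAY:
        return Finding(record, "external host reaching a BAS device without going through the gateway")
    return None


def audit(records):
    """Run every flow record through the policy and collect the violations."""
    return [f for f in map(check, records) if f is not None]


# Constructed sample flows (TEST-NET addresses stand in for the Internet).
SAMPLE_FLOWS = [
    "10.20.1.10 10.20.5.20 udp 47808",    # workstation polling a controller: fine
    "10.20.1.10 203.0.113.25 tcp 443",    # workstation browsing the web: flagged
    "198.51.100.7 10.20.250.5 tcp 22",    # vendor entering via the gateway: fine
    "198.51.100.7 10.20.5.20 udp 47808",  # vendor speaking BACnet straight to a controller: flagged
    "198.51.100.7 10.20.5.21 tcp 80",     # vendor reaching a device's web UI directly: flagged
]

if __name__ == "__main__":
    for f in audit(SAMPLE_FLOWS):
        print(f"{f.record}: {f.reason}")
```

In practice the records would come from the firewall or flow collector at the BAS network boundary, and the workstation and gateway sets from the organization's asset inventory.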

A Shameless Plug for our Services

Cimetrics works with several organizations that have large and complex networked automation systems. If you work for such an organization in the U.S. or Canada, we may be able to help you to solve your network-related problems and to develop standards for your automation networks. We are particularly well known for our expertise in BACnet, and we have considerable experience working with IT departments in large organizations. Please contact us for additional information.

Recommended Reading

Mary Jander's blog post Target Breach: A Warning for 'Dumb' Smart Buildings, and KrebsOnSecurity's blog posts on the Target data breach.
