February 21, 2014
The Target data breach is far from unique, but the amount of attention and expert analysis it has received should provide an excellent learning opportunity for the building automation community.
It has been widely reported that the initial victim of the attack against Target was a company that provides mechanical services to Target. According to KrebsOnSecurity, the initial compromise of that company appears to have been via email. You have probably seen email messages that invite you to click on a link or open an attachment; I receive many such messages every day, most of them from people I know well. Occasionally, however, I receive a message that was constructed for the purpose of attacking the PC (or other device) on which I read it. Such an email might carry an attachment containing malware, or a link to a web site that will attempt to install malware on my device. Hopefully my antivirus software will protect me, but antivirus software does not catch everything, so I need to be careful about which links I follow and which attachments I open.
Let's assume that one day I slip up and my antivirus software does not save me, with the result that malware is installed on my PC. Depending on the nature of the malware, the "bad guys" behind the attack may now control my PC, which means they can use it as a foothold to access or attack other systems that my PC can reach. They might also install a keystroke logger to record the passwords (and other sensitive information) that I type, including the passwords I use to reach those other systems.
Automation Systems and the Internet
If you are in charge of your organization's building automation system, you might have asked yourself whether the system's operator workstations should be used for email or for visiting web sites. I have come to the conclusion that, in general, operator workstations should not have Internet access and should not be used for email. This is especially true if the operator workstation performs an essential function, such as alarm management or collecting important trend data: a compromised workstation can be used to suppress alarms or to reach the controllers it manages. Building operators and service personnel who use the operator workstations have legitimate reasons to access the Internet, but that access can be provided using other devices that are not connected to the building automation system.
More broadly, I believe that a strong case can be made for creating isolated networks for building automation systems. By that I do not mean 100% physical isolation with dedicated wiring; logical separation, such as a separate network segment behind a firewall that permits only the traffic the automation system actually needs, is usually what is practical. There is still a strong case for allowing service providers limited remote access to the building automation systems, although this comes with some risk that must be carefully managed.
In the case of Target, it appears that the attackers used a service provider's access to one Target system in order to attack other Target systems. That service provider's credentials for the Target system were most likely stolen following the initial successful attack on the service provider. The attackers then exploited other weaknesses in Target's systems in order to ultimately gain access to payment card data.
The Target data breach illustrates the risk of allowing service providers remote access to any of your systems. When you do a risk assessment, a good assumption is that your service providers' systems will be compromised at some time in the future, and that their credentials will then be used by someone other than the service provider. However, for most organizations the benefits of allowing remote access are pretty compelling, so the question is how to manage the risk: limit what the remote access can reach, and be able to see what it is used for. Your organization's IT staff have relevant expertise, so it is time to get to know them better.
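The three ideas above (operator workstations with no Internet or email, a separately segmented automation network, and service-provider access that is limited and visible) can be expressed as one network policy. The following is an added illustration written for this post, not a Cimetrics product or Target's configuration. The address ranges, the vendor jump host, the rule set and the log lines are all constructed assumptions; the point is the shape of the policy, which goes a little beyond the text by also auditing a firewall log against it.

```python
"""Segmentation policy for a building automation network (illustrative).

Constructed example; addresses, hosts and rules are assumptions:
  10.10.0.0/24   BAS controllers (BACnet/IP, UDP 47808)
  10.10.1.0/24   operator workstations
  10.20.0.0/24   corporate user LAN (email, web browsing lives here)
  10.30.0.10     vendor jump host, reached only through a VPN with MFA
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

BACNET_PORT = 47808


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    src: str                     # CIDR
    dst: str                     # CIDR
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and (self.proto is None or self.proto == f.proto)
                and (self.dport is None or self.dport == f.dport))


# First match wins. Nothing permits a controller or operator workstation to
# reach the Internet or the corporate LAN, and the vendor jump host may reach
# operator workstations (RDP) but never the controllers directly.
POLICY: List[Rule] = [
    Rule("bacnet-between-controllers", "allow", "10.10.0.0/24", "10.10.0.0/24", "udp", BACNET_PORT),
    Rule("operator-to-controllers", "allow", "10.10.1.0/24", "10.10.0.0/24", "udp", BACNET_PORT),
    Rule("operator-to-controller-webui", "allow", "10.10.1.0/24", "10.10.0.0/24", "tcp", 443),
    Rule("vendor-jumphost-to-workstations", "allow", "10.30.0.10/32", "10.10.1.0/24", "tcp", 3389),
    Rule("default-deny", "deny", "0.0.0.0/0", "0.0.0.0/0"),
]


def evaluate(flow: Flow, policy: List[Rule] = POLICY) -> Rule:
    """Return the first rule that matches the flow (the policy ends in a catch-all)."""
    for rule in policy:
        if rule.matches(flow):
            return rule
    raise ValueError("policy must end with a catch-all rule")


def audit(log_lines, policy: List[Rule] = POLICY) -> List[Flow]:
    """Parse constructed log lines of the form 'src dst proto dport' and return
    the flows the policy denies. On a segmented BAS network these are the
    events worth investigating: a workstation reaching for a web or mail
    server, or the vendor host touching controllers it should never see."""
    denied = []
    for line in log_lines:
        if not line.strip() or line.startswith("#"):
            continue
        src, dst, proto, dport = line.split()
        flow = Flow(src, dst, proto, int(dport))
        if evaluate(flow, policy).action == "deny":
            denied.append(flow)
    return denied


# Constructed log lines, not captured traffic.
SAMPLE_LOG = """\
# src dst proto dport
10.10.0.5 10.10.0.7 udp 47808
10.10.1.2 10.10.0.5 udp 47808
10.10.1.2 203.0.113.10 tcp 443
10.10.1.2 198.51.100.25 tcp 25
10.30.0.10 10.10.1.2 tcp 3389
10.30.0.10 10.10.0.5 udp 47808
10.20.0.15 10.10.0.5 udp 47808
"""

if __name__ == "__main__":
    for flow in audit(SAMPLE_LOG.splitlines()):
        print("DENIED", flow)
```

Running the block lists four denied flows: the operator workstation browsing the web and sending mail, the vendor jump host talking BACnet straight to a controller, and a corporate-LAN PC reaching a controller. The first two are exactly the paths an email-borne compromise of a workstation would use, and the third is the path a stolen vendor credential would use; making them fail closed, and reviewing the denials, is the "manage the risk" part.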
A Shameless Plug for our Services
Cimetrics works with several organizations that have large and complex networked automation systems. If you work for such an organization in the U.S. or Canada, we may be able to help you solve your network-related problems and develop standards for your automation networks. We are particularly well known for our expertise in BACnet, and we have considerable experience working with IT departments in large organizations. Please contact us for additional information.
See also Mary Jander's blog post "Target Breach: A Warning for 'Dumb' Smart Buildings" and KrebsOnSecurity's blog posts on the Target data breach.