The Target data breach is far from unique, but the amount of attention and expert analysis it has received should provide an excellent learning opportunity for the building automation community.
It has been widely reported that the initial victim of the attack against Target was a company that provides mechanical services to Target. According to KrebsOnSecurity, it appears that the initial compromise was via email. You have probably seen email messages that try to entice you into clicking on a link or opening an attachment; in fact, I receive many such email messages every day, most of which are from people that I know well. Occasionally, however, I receive a message that was constructed for the purpose of attacking the PC (or other device) that I am using to read it. Such an email might carry an attachment containing malware, or a link to a web site that will attempt to install malware on my device. Hopefully my antivirus software will protect me, but antivirus software will not catch everything, so I need to be careful about which links I follow and which email attachments I open.
Let's assume that one day I slip up and my antivirus software does not save me, with the result that malware is installed on my PC. Depending on the nature of the malware, the "bad guys" behind the attack on my PC may now have access to my PC, which means that they may be able to use my PC to access or attack other systems. They might also install a keystroke logging program that can be used to record passwords (and other sensitive information) that I type.
Automation Systems and the Internet
If you are in charge of your organization's building automation system, you might have asked yourself whether the system's operator workstations should be used for email or for visiting web sites. I have come to the conclusion that, in general, operator workstations should not have Internet access and should not be used for email. This is especially true if the operator workstation performs an essential function, such as alarm management or collecting important trend data. Although building operators and service personnel who use the operator workstations have legitimate reasons to access the Internet, that access can be provided from other devices that are not connected to the building automation system.
More broadly, I believe that a strong case can be made for creating isolated networks for building automation systems. By that, I do not mean 100% physical isolation with dedicated wiring. There is also still a strong case for allowing service providers limited remote access to building automation systems, although this comes with risk that must be carefully managed.
In the case of Target, it appears that the attackers used a service provider's access to one Target system as a foothold from which to attack other systems. The service provider's credentials for that Target system were most likely stolen after the provider's own network was compromised. The attackers then exploited other weaknesses in Target's systems in order to ultimately gain access to credit card records.
The Target data breach illustrates the risk of allowing service providers remote access to any of your systems. When you do a risk assessment, a good assumption is that at least one of your service providers' systems will be compromised at some point in the future. However, for most organizations the benefits of allowing remote access are pretty compelling, so the question becomes how to manage the risk rather than whether to accept it. Your organization's IT staff have relevant expertise, so it is time to get to know them better.
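One way to make the isolation described above concrete, as an added example that is not from the original post and is not Cimetrics' own code: a small Python policy model that encodes a default-deny segmentation for a building automation network, checks constructed sample flows against it, and renders the same allow list as an nftables forward chain. The zone names, the RFC 1918 and TEST-NET address ranges, the jump host, the choice of BACnet/IP on UDP 47808 and RDP on TCP 3389, and the nftables rendering are all assumptions chosen for illustration; the flows are constructed, not captured traffic.

```python
"""Default-deny segmentation policy for a building automation network.

Constructed example: the addresses, zone names and port numbers below are
assumptions made for illustration, not any real site's network layout.
"""
import ipaddress
from dataclasses import dataclass

# Assumed zones. Private and TEST-NET ranges are used so nothing here is routable.
ZONES = {
    "bas_controllers": ipaddress.ip_network("10.10.10.0/24"),  # BACnet/IP field controllers
    "bas_workstations": ipaddress.ip_network("10.10.20.0/24"), # operator workstations
    "jump_host": ipaddress.ip_network("10.10.30.10/32"),       # vendor remote-access gateway
    "corporate": ipaddress.ip_network("10.20.0.0/16"),         # office network: mail, web proxy
    "vendor_vpn": ipaddress.ip_network("192.0.2.0/24"),        # service provider's VPN pool (TEST-NET-1)
}


@dataclass(frozen=True)
class Rule:
    src: str      # zone name
    dst: str      # zone name
    proto: str    # "tcp" or "udp"
    dport: int
    comment: str


# Explicit allow list. Anything not listed is dropped by the default policy.
RULES = [
    Rule("bas_workstations", "bas_controllers", "udp", 47808, "BACnet/IP supervisory traffic"),
    Rule("bas_controllers", "bas_workstations", "udp", 47808, "BACnet/IP alarms and COV notifications"),
    Rule("vendor_vpn", "jump_host", "tcp", 443, "service provider lands on the jump host only"),
    Rule("jump_host", "bas_controllers", "udp", 47808, "jump host may talk BACnet to controllers"),
    Rule("jump_host", "bas_workstations", "tcp", 3389, "jump host may RDP to operator workstations"),
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside a known zone is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int):
    """Return (verdict, reason) for one flow. Default deny: no match means drop."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for r in RULES:
        if (r.src, r.dst, r.proto, r.dport) == (src, dst, proto, dport):
            return "accept", r.comment
    return "drop", f"no rule {src} -> {dst} {proto}/{dport}"


def to_nftables() -> str:
    """Render the allow list as an nftables forward chain whose policy is drop."""
    lines = [
        "table inet bas {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
    ]
    for r in RULES:
        lines.append(
            f"    ip saddr {ZONES[r.src]} ip daddr {ZONES[r.dst]} "
            f"{r.proto} dport {r.dport} accept comment \"{r.comment}\""
        )
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed flows: what an operator workstation, a vendor and the jump host try to do.
    flows = [
        ("10.10.20.5", "10.10.10.7", "udp", 47808),    # workstation polls a controller
        ("10.10.20.5", "203.0.113.10", "tcp", 443),    # workstation tries to browse the web
        ("10.10.20.5", "10.20.1.25", "tcp", 25),       # workstation tries corporate mail
        ("192.0.2.17", "10.10.10.7", "udp", 47808),    # vendor goes straight at a controller
        ("192.0.2.17", "10.10.30.10", "tcp", 443),     # vendor lands on the jump host
        ("10.10.30.10", "10.10.10.7", "udp", 47808),   # jump host reaches the controller
    ]
    for f in flows:
        verdict, why = evaluate(*f)
        print(f"{f[0]:>14} -> {f[1]:<14} {f[2]}/{f[3]:<5} {verdict:6} {why}")
    print()
    print(to_nftables())
```

Running the script prints a verdict for each constructed flow: the operator workstation can reach controllers over BACnet/IP but cannot reach the Internet or corporate mail, and the service provider's VPN pool can reach only the jump host, which then becomes the one place where controls on remote sessions (authentication, session logging, time-limited access) have to be applied. The rendered nftables chain shows how short a default-deny policy for such a network can be; any flow not on the allow list, including a compromised vendor laptop talking directly to a controller, is dropped.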
A Shameless Plug for our Services
Cimetrics works with several organizations that have large and complex networked automation systems. If you work for such an organization in the U.S. or Canada, we may be able to help you to solve your network-related problems and to develop standards for your automation networks. We are particularly well known for our expertise in BACnet, and we have considerable experience working with IT departments in large organizations. Please contact us for additional information.
Further reading: Mary Jander's blog post Target Breach: A Warning for 'Dumb' Smart Buildings, and KrebsOnSecurity's blog posts on the Target data breach.