Although smart buildings which automate control of heating and ventilation systems are becoming more common, security standards aren’t keeping up.
Security issues are regularly raised within so-called Internet of Things (IoT) devices, but new research suggests that building automation systems (BAS) are particularly vulnerable.
IoT devices include everything from kettles and fridges, through to cars and smart meters – devices which aren’t designed for web-browsing, but are connected to the internet for analytics and control purposes.
According to research by cyber security business ForeScout, IoT devices within smart buildings – including those which automate heating and ventilation – are regularly unsecured from hackers.
ForeScout was able to discover thousands of vulnerable devices using search engines Shodan and Cenys, many of which were located in hospitals and schools.
Heating, ventilation, and air conditioning (HVAC) systems were among those that the team could have taken control over after it developed its own proof-of-concept malware.
HVAC manipulation could allow attackers to “take offline data centres used by large companies to store and process sensitive data” including financial information, “as well as harm people in facilities where these devices are vital, such as tunnels and mines”.
Physical access control systems, which prohibit non-authorised personnel from accessing restricted areas in hospitals and airports, were also found to be vulnerable.
Outside of the laboratory, this lack of security has been highlighted by real-world malicious software targeting industrial controls systems in recent years.
A number of sophisticated cyber attacks using malware believed to be developed with the sponsorship of the Russian state have been observed in recent years.
Researchers often warn that it is only a matter of time before the tools used by state-level threat actors begin to be adopted by criminal hackers too.
Elisa Costante, senior director at ForeScout, said: “In recent years, hackers have become increasingly sophisticated in their attacks, and are nowadays well-equipped to identify and target vulnerabilities across most business and consumer technologies.
“Building automation systems in particular are at a real risk of being targeted by such bad actors – yet we rarely talk about them.
“By targeting industrial heating, ventilation, and air conditioning systems, bad actors can disable cooling systems in data centres and server rooms, leading to downtime and, in a worst-case scenario, to the complete loss of data.
“Hackers can also take control and manipulate or disable critical medical equipment, resulting in hospitals needing to cancel appointments and, in extreme cases, leading to the loss of human lives.
“Equally, ventilation systems in tunnels can be disabled, rendering them unusable and causing chaos on our streets.”