Understanding Building Automation System Exposures - October 2015 Brought to you by: WhiteScope.io in Partnership with QED Secure Solutions [email protected] http://smartbuildingsecurity.com

Understanding Building Automation Exposures - October 2015 http://smartbuildingsecurity.com - [email protected] WhiteScope, LLC - © October 15th, 2015 All Rights Reserved

1

Introduction Last year, WhiteScope researchers discovered an interesting building that was exposed to the Internet. Sochi Arena supporting the 2014 Winter Olympics was online and accessible without a password. We quickly contacted the US Department of Homeland Security (DHS) who in turn put us in contact with the integrator who installed the building automation system (BAS). Given the integrator was onsite in Sochi, we spoke on the phone late one evening. "Thanks for letting us know" were the first words out of the grateful integrators mouth, followed up with "how did you manage to find our building?". The night before the opening ceremony, the automation system was removed from the Internet. WhiteScope periodically enumerates BAS through its BASec (pronounced "Basic") project. Our project has identified tens of thousands of online buildings and facilities. BASec performs automated, open source research on each exposed building in an attempt to identify additional data such as: the owner of the facility, integrators associated with the facility, the purpose of the facility, and the specific technologies in use at the facility. This report describes the various exposures discovered by WhiteScope and provides data on trends and statistics associated with BAS exposures. While WhiteScope collects information related to specific vendors and products during its BASec project, this report provides a vendor neutral and data driven overview of BAS exposures. The methodologies used to collect, analyze, and present BAS security data are provided in the Appendix section. Any suggestions or questions related to this report can be emailed to the following email: [email protected] Figure 1 - Sochi Arena Accessible with No Password

Understanding Building Automation Exposures - October 2015 http://smartbuildingsecurity.com - [email protected] WhiteScope, LLC - © October 15th, 2015 All Rights Reserved

2

BAS Exposure Data

On October 15th, 2015 WhiteScope discovered 34,075 devices supporting an Internet connected building. These devices were live on the Internet at the time of the worldwide scan. The collection methodology utilized during the collection phase is described in Appendix A. Compared to a previous scan conducted in January 2015, the total number of live devices dropped from 41,308 to 34,075. This represents a drop of approximately 16%. The most significant drop occurred in BACnet facing devices which dropped from 19,280 to 7,511. This represents a drop of 61% from January 2015 to October 2015. Devices discovered from Scans.io experienced the largest increase, nearly doubling (98%) since January. Of the 34,075 buildings live on the internet, 10,850 provided data which could be used to identify the device purpose, facility owner, or data linking the device to a specific industry. More aggressive interrogation would likely yield more data.

Internet Facing BAS and Identifying Data 32% 68%

Identifying information retrieved Provided no identifying information

The majority of the 34,075 buildings exposed to the Internet were located within commercial ISP IP address space and not within the IP address space of the end user. For example, if Acme Bank has deployed building automation systems for its corporate headquarters, the integrator hired to implement these systems may have placed the BAS devices on the Internet. Remote connectivity is often desired by the integrator to lower operational support, administration, and maintenance costs. The integrator typically deploys cable or cellular phone modems to enable remote connectivity to the BAS devices. These exposures will be in the commercial ISP IP space (ex. Comcast or AT&T), not in Acme Bank's IP address space. Understanding Building Automation Exposures - October 2015 http://smartbuildingsecurity.com - [email protected] WhiteScope, LLC - © October 15th, 2015 All Rights Reserved

3

Given that the majority of Internet facing BAS are not within the end user organizational IP space, simply looking up the registry information associated with a particular BAS IP address will not provide identifying information. Instead, custom signatures for devices must be developed which enable the determination of device owner, integrator, and device purpose. These signatures must make use of publicly available information and must work without authentication. WhiteScope has developed these signatures and makes use of these custom signatures for its BASec project. These signatures were used for the data collection for this report. WhiteScope has signatures and automation to discover the following BAS:

Delta Controls enteliWEB

Johnson Controls Metasys Delta Controls enteliTouch

Siemens Saphir

Andover Continuum

Alerton WEBtalk

Acuvim Webserver

Carrier CCNWeb

Philips Telerol

eBuilding Network Controller BACnet Communications Gateway

Siemens Building Technologies

BACnet Building Controller

i.Lon Server

MACH Proweb

Earthright Energy Dashboard

Power Measurement

Tridium Niagara

StruxureWare

ALC WebCTRL TRANE Tracer

7,743 of the 34,075 (23%) of the devices that were accessible via the Internet offer one or more interfaces (excluding login pages and static content) that are accessible without any authentication (ex. direct BACnet access, no login required, guest access enabled... etc). These exposures do not require a username or password to be provided. Unauthenticated exposures Access to BAS Device With No Password dropped from 19,583 to 7,743. This represents a drop 23% of nearly 60% of buildings Have one or more requiring no passwords for unauthenicated access. The majority of this exposures decline is directly related to 77% Requires authentication for all the drop in BACnet services actions directly exposed to the Internet

Understanding Building Automation Exposures - October 2015 http://smartbuildingsecurity.com - [email protected] WhiteScope, LLC - © October 15th, 2015 All Rights Reserved

4

Unauthenticated access to BAS can be difficult to conceptualize, the screenshots below demonstrate various systems which are accessible with no authentication. Where possible, identifying information has been removed however, the images shown are from actual Internet facing BAS systems accessible without a password.

Figure 2 - Exposed BAS for a Bank in Northern California

Figure 3 - Exposed BAS for a Residential Tower

Understanding Building Automation Exposures - October 2015 http://smartbuildingsecurity.com - [email protected] WhiteScope, LLC - © October 15th, 2015 All Rights Reserved

5

The role of the integrator is extremely important when it comes to exposed BAS. During the last round of Internet scanning, WhiteScope collected the name of the Internet Service Provider (ISP) of each exposed building IP address. 25% of all exposed buildings on the Internet (8,496 of the 34,075) can be found within 4 commercial ISP IP address spaces.

ISPs for Exposed BAS 9% 8% 5% 3%

Comcast AT&T Verizon CenturyLink

75%

Other

While the exact number of BAS within ISP address blocks is unknown, based on data collected by WhiteScope, over 50% of all exposed buildings are within a commercial ISP IP address space. 9% of all exposed buildings on the Internet can be found within Comcast IP address blocks. 8% of all exposed buildings on the Internet can be found within AT&T IP address blocks. Having BAS within commercial ISP address blocks as opposed to organizational IP address blocks represents one of the most challenging aspects to finding and enumerating exposed Internet facing buildings. Even organizations with robust continuous perimeter monitoring solutions in place will find exposed automation systems can represent a significant blind spot within their security programs. WhiteScope encourages organizations to work closely with their automation integrators in order to prevent inadvertent exposure of their buildings. Additionally, organizations wishing to monitor building related exposures must consider monitoring of commercial ISP IP address blocks as well as their own organizational IP address blocks.

Understanding Building Automation Exposures - October 2015 http://smartbuildingsecurity.com - [email protected] WhiteScope, LLC - © October 15th, 2015 All Rights Reserved

6

Exposed Building Demographics

Of the 34,075 systems reachable on October 15th, 10,850 systems had clearly identifiable meta data which could be used to associate the device with an industry or specific organization in an automated fashion. This association was determined through a generation of keywords and brands associated with a particular industry. The keywords used to make these associations are provided in Appendix B. The industries identified by WhiteScope include: Government

Financial

Sporting

Retail

Religious

Medical

Law Enforcement

Infrastructure

Housing

Hospitality

Education

A general description of facilities for each of these industry categories is provided below. Please see Appendix B for the specific terms used to assign an industry. Government - Facilities associated with federal agencies, defense agencies, military installations, embassies, and defense contractors Financial - Facilities associated with banks, credit unions, investment firms, bank branches, and insurance organizations. Sporting/Recreational - Stadiums, casinos, parks, fields, arenas, swimming pools, gymnasiums, country clubs and golf courses. Retail - Shopping malls, shopping centers, car dealerships, restaurants, brewery, diners, and warehouses. Understanding Building Automation Exposures - October 2015 http://smartbuildingsecurity.com - [email protected] WhiteScope, LLC - © October 15th, 2015 All Rights Reserved

7

Law Enforcement - Police stations, fire stations, court houses, prisons, detention centers, attorney, and legal centers. Medical - Hospitals, clinics, surgery centers, pharmacies, and healthcare organizations. Religious - Churches, ministries, chapels, synagogues, and mosques. Infrastructure - Airports, ports, fuel centers, monuments, SCADA, ranches, community centers, city centers, theaters, and plazas. Housing - Apartments, condos, penthouses, nursing homes, manors, and daycare centers Hospitality - Hotels, lodges, resorts, and hostels. Education - Schools, school districts, universities, colleges, libraries, fraternities, sororities, academies, campuses, dormitories, and youth centers. Based on the indentifying data collected from BAS devices and the industry definition signatures in Appendix B, WhiteScope identified the following breakdown of worldwide BAS exposures.

Internet Facing BAS Demographics

6%

Sporting Retail

19% 40%

Religious Medical 5% 5%

Law Enforcement Infrastructure Housing Hospitality

11%

5%

Government 3%

3%

2%

Financial Education

1%

Understanding Building Automation Exposures - October 2015 http://smartbuildingsecurity.com - [email protected] WhiteScope, LLC - © October 15th, 2015 All Rights Reserved

8

Understanding the Role of the Integrator in BAS Cyber Security System integration is a critical component for deploying, operating, and maintaining a robust BAS deployment. Integrators play a critical role in selecting technologies, commissioning deployments, configuring devices, operating complex systems, troubleshooting issues, and maintaining automation systems. Given the enormous operational responsibilities placed on BAS integrators, many cyber security responsibilities will fall squarely on the integrators shoulders. Many BAS deployments are simply too complicated for end users to understand. Even organizations which have robust facilities departments typically find themselves dependent on external integrators for various BAS processes, operations and maintenance. In some instances, the end user may have no visibility into the deployment and configuration of BAS devices in their environment. For example, the majority of BAS systems WhiteScope has been asked to audit have been located in a commercial ISP IP address space and not the IP address space of the owning organization. This type of remote access is typically deployed by integrators and not the end user's facilities department. In most cases, the end user organization had no idea their facilities were online and Internet facing within a commercial ISP IP address space. Given the operational responsibilities associated with integrators, your organization's relationship with your integrator can be complicated. On one hand, your organization may depend on integrators for the efficient functioning of a critical set of equipment supporting a critical business function. On the other hand, given the critical nature of the work integrators are responsible for, it is important to verify that the integrator isn't putting your business at unnecessary risk. In these circumstances, the age old advice applies: Trust, but verify.

Understanding Building Automation Exposures - October 2015 http://smartbuildingsecurity.com - [email protected] WhiteScope, LLC - © October 15th, 2015 All Rights Reserved

9

If your organization is looking to "trust, but verify" the cyber security practices associated with your integrators, WhiteScope recommends the following: Step 1 - Obtain a list of all integrators supporting your organization. It is highly likely that your organization is utilizing external integrators to operate and maintain your BAS. Obtaining a list of all the integrators supporting your organization is vital to any BAS security project. Your facilities department and your datacenter operations departments are excellent places to start this process. If these departments fail you, try your procurement or accounts payable department. Step 2 - Enumerate business processes associated with each integrator. Once you have identified the integrators supporting your organization, it is important to understand what business processes each integrator supports. You may find that one integrator is responsible for datacenter energy management while a different integrator is responsible for environmental controls. In some cases, you will find that a single integrator is responsible for a variety of operational processes. Stack rank the integrators based on business risk. Those devices and integrators supporting the most critical functions within your business should be the priority for cyber security reviews. Step 3 - Enumerate the software and devices being utilized by the integrator. It is important to understand what software and hardware is being used by the integrator. Ask the integrator for a list of software and hardware that was installed in your environment, then compare this list with a enumeration project done by a third party. A comprehensive list of software and devices in your environment is the foundation for BAS vulnerability management, secure configuration, security policy, monitoring, and incident response. Step 4 - Develop security guidance, requirements, policy, and procedures for the software and hardware being used by the integrator. Poor security within BAS deployments is often a result of poorly communicated expectations from the end user to the integrator. Do not assume cyber security will be "baked in" to your BAS deployment. Even simple cyber security expectations such as, "all user accounts shall have a password" and "default passwords will be changed" must be communicated to the integrator. If you can get these requirements into your procurement language, the expectation will be set from the start. Step 5 - Verify that the integrator is following your BAS security requirements. Once your security requirements are developed and you have provided your security expectations to your integrator, you must verify that your integrator is meeting your expectations. Use an external third party to verify your security policies are being met. Understanding Building Automation Exposures - October 2015 http://smartbuildingsecurity.com - [email protected] WhiteScope, LLC - © October 15th, 2015 All Rights Reserved

10

Understanding BAS Device Security Risks

Given the nature of the enumeration conducted for this report, WhiteScope was unable to determine whether these BAS are connected (or bridged in anyway) to a corporate or other internal network. It is common for BAS networks to have some interconnectivity with other internal networks. If BAS networks are connected to or bridged with other networks (such as internal corporate networks), an attacker could have an opportunity to leverage the BAS to access resources on the corporate network. Organizations that are concerned with attackers leveraging BAS to pivot to internal corporate assets should conduct assessments to determine the level of effort required to pivot from BAS to corporate assets. For those corporations which have stringent requirements for remote access to corporate assets (such as two factor authentication or secure VPN), the cable modems and cellular modems often connected to BAS can offer a means to circumvent these remote access security requirements. BAS which is connected to the Internet via cable or cellular modem can also offer the attacker a data exfiltration point which may not be monitored by corporate egress monitoring. In addition to network traversal, an attacker who exploits a BAS device typically has full (SYSTEM/ROOT) level access to the underlying operating system of the device, as well as direct access to any attached devices. Privileged access to the operating system and/or direct access to attached devices typically provides the ability to bypass software safety and operating mechanisms. Attackers who gain privileged access to these BAS devices typically have the ability to cause catastrophic damage to the device and will have the ability to disrupt processes supporting operations at the affected facilities.

Understanding Building Automation Exposures - October 2015 http://smartbuildingsecurity.com - [email protected] WhiteScope, LLC - © October 15th, 2015 All Rights Reserved

11

Conclusions

Building automation can offer an organization tremendous cost savings and efficiencies. These same automation systems can also present a significant risk for an organization, especially if those systems support a business critical facility or process. Common deployment practices found in building automation deployments can undermine existing corporate security controls and monitoring. Organizations concerned with the security posture of their facilities and corporate assets should develop an extensive understanding of the exposures associated with BAS deployed in support of their facilities. As organizations look to automation to enable cost savings and look to IoT for the creation of new opportunities, we anticipate the problem of discovery and enumeration will become even more difficult. As devices and deployments transition away from custom BAS protocols (BACnet, MSTP, LON) in favor of more traditional IT protocols (TCP, UDP, HTTP), we also anticipate that Internet facing exposures will likely become more common. Better discovery/enumeration tooling and tools for centralized management of BAS and IoT devices is needed to help organizations better control their automation exposures. Until these technologies improve, we will continue to find ourselves blind to many of the risks automation introduces in our facilities.

Understanding Building Automation Exposures - October 2015 http://smartbuildingsecurity.com - [email protected] WhiteScope, LLC - © October 15th, 2015 All Rights Reserved

12

Appendix A Collection Methodology

Data collection begins with extracting data from three primary sources: Shodan (http://shodan.io), Scans.io (https://scans.io), and custom scanning. Data is extracted from shodan through the use of custom BAS signatures. Scans.io offers a complete snapshot of all Internet facing web servers listening on port 80 at a given moment. Custom scanning refers to custom scanning infrastructure and software created by WhiteScope BASec project. The worldwide BAS enumeration service consumes the JSON formatted result sets from Shodan queries and the entire dataset of banners for every web server on the Internet from scans.io. The raw results from Shodan and scans.io make up the data used to determine the "total number of Internet facing BAS devices". Once the raw Shodan and scans.io data is loaded into the worldwide enumeration software, WhiteScope custom scanning infrastructure verifies the IP addresses are still alive and queries each IP address for "identifying information". These queries only request data from public, open ports. No attempt provide credentials to the BAS is made. No exploits against BAS IP addresses are attempted. These queries attempt to determine the device owner, integrator, facility name, and software versions in use by the BAS. Once identifying information is collected, the identifying information is analyzed by the backend software within the worldwide enumeration service. Facilities are sorted by industry types.

Understanding Building Automation Exposures - October 2015 http://smartbuildingsecurity.com - [email protected] WhiteScope, LLC - © October 15th, 2015 All Rights Reserved

13

Appendix B Industry Keywords

The following key words were used in backend automation to assign discovered BAS to specific industries. It is important to note that BAS devices which fit into two or more industries via keyword match were assigned to the first matching industry: Financial - 'bank', 'credit', 'wellsfargo', 'wells fargo', 'wells_fargo', 'financial', 'finance', 'merrilllynch', 'merrill lynch', 'merrill_lynch', 'wamu', 'capital partners', 'finacial', 'insurance', 'liberty mutual', 'liberty_mutual', 'investment', 'capitalone', 'morgan_stanley', 'morgan stanley', 'morganstanley', 'equities', 'equity', 'mortgage', 'bnymellon','bny mellon', 'bny_mellon', 'bancorp', 'hsbc', 'pnc', 'icbc', 'bnpparibas', 'bnp paribas', 'bnp_paribas', 'barclays' Healthcare - 'health', 'hospital', 'clinic', 'medical', 'surgery', 'radiology', 'orthopedics', 'kaiser', 'bluecross', 'blueshield', 'blue cross', 'blue shield', 'aetna', 'pharma', 'rehab', 'doctor', 'nurse', 'physician', 'medicine', 'neurology', 'orthopedic', 'cigna', 'surgical', 'ambulatory', 'cancer', 'ambulatory', 'endoscopy', 'oncology', 'fertility', 'hosptial' Religious - 'baptist', 'church', 'fellowship', 'lutheran', 'diocese', 'chapel', 'synagougue', 'mosque', 'presbyterian', 'methodist', 'episocpal', 'jewish center', 'immaculate conception', 'our lady of', 'ministries', 'bible' Housing - 'apartment', 'penthouse', 'nursing home', 'manor', 'day care', 'daycare', 'day_care', 'condo'

Understanding Building Automation Exposures - October 2015 http://smartbuildingsecurity.com - [email protected] WhiteScope, LLC - © October 15th, 2015 All Rights Reserved

14

Education - 'school', 'university', 'college', 'library', 'elementary', 'sorority', 'fraternity', 'elem', 'auditorium', 'academy', 'campus', 'dorm', 'youthcenter', 'youth center', 'youth_center', 'universite','education', ' isd ', 'youth camp', 'youth_camp', 'polytechnical', 'alumni', 'art institute', 'art_institute' Hospitability - 'hotel', 'hyatt', 'hilton', 'marriott', 'marriot', 'ramada', 'sheraton', 'holidayinn', 'holiday inn', 'ritz carlton', 'tower', 'lodge', 'embassy suite', 'embassy_suite', 'embassysuite', 'four seasons', 'fourseasons', 'four_seasons', 'regency', 'residence inn', 'novotel', 'resort', 'hostel', 'doubletree', 'hampton inn', 'hampton_inn', 'waldorf astoria', 'waldorf_astoria', 'waldorfastoria', 'westin' Retail - 'mall', 'restaurant', 'westfield', 'cadillac', 'ford', 'chevy', 'toyota', 'harley davidson', 'harley_davidson', 'tesla', 'office', 'warehouse', 'datacenter', 'data center', 'data_center', 'realty', 'complex', 'pricesmart', 'resturante', 'brewing', 'shopping center', 'shopping_center', 'buick', 'food', 'bosch', 'chevrolet', 'walgreens', 'walmart', 'wal-mart', 'shopping', 'verizon', 'pepsi', 'bloomingdales', 'ikea', 'mercedes_benz', 'mercedes benz', 'mercedesbenz', 'brewery', 'dining' Law Enforcement - 'fire', 'rescue', 'police', 'detention', 'attorney', 'law', 'judge', 'court', 'jail', 'prison', 'armory', 'justice', 'correctional', 'judiciary' Government - 'army', 'navy', 'usmc', 'airforce', 'air force', 'defense', 'afb', 'dhs', 'fbi', 'secret service', 'dshs', 'federal', 'gsa', ' irs ', 'customs', ' epa ', 'military', 'national guard', 'national_guard', 'immigration', 'national press club', 'government', 'va care', 'va_care', 'veterans', 'uscg', 'aerospace', 'aviation', 'lcbo', 'lockheed martin', 'lockheed_martin', 'lockheedmartin', 'embassy', 'consulate', 'northrop grumman', 'northrop_grumman', 'northropgrumman', 'boozallen', 'booz-allen', 'booz allen' Infrastructure - 'airport', 'port', 'town center', 'towncenter', 'fuel', 'city hall', 'community center', 'city of', 'cityof', 'city_of', 'centre', 'plaza', 'village', 'villiage', 'coliseum', 'conference center', 'conference_center', 'water', 'square', 'pavilion', 'theater', 'residence', 'mansion', 'municipal', 'expo', 'ranch', 'meter', 'scada', 'munciple', 'town of', 'town_of', 'shipyard', 'ship_yard', 'farm', 'theatre', ' zoo ', 'state fair', 'state_fair', 'museum', 'wharf', 'fairgrounds', 'conservatory', 'civic center', 'civic_center', 'convention center', 'convention_center', 'conventioncenter', 'ballroom', 'opera', 'metro center', 'metro_center', 'cinema', 'town_hall', 'town hall', 'townhall', 'community_center', 'community center', 'communitycenter'

Understanding Building Automation Exposures - October 2015 http://smartbuildingsecurity.com - [email protected] WhiteScope, LLC - © October 15th, 2015 All Rights Reserved

15