Cyber-security Company, Pan Test Partners, have warned that schools
with building management systems that are linked to the Internet could face the risk of hackers turning the school heating system off - or worse.
The problem is that many electricians and engineers may be lacking in knowledge about cyber security and / or may have linked a school’s HVAC system to Internet controls against the manufacturer’s guidelines. Also, many smart school heating systems may have vulnerabilities in them that hackers may find easy to exploit.
The researchers at Pan Test Partners tested for potential hacking risks by looking for building management system controllers made by Trend Control Systems via IoT search tool Shodan. This online tool (see https://www.shodan.io) provides a public API and enables anyone to discover which devices are connected to the Internet, where they are located and who is using them.
In a test, it was revealed that it took less than 10 seconds to find more than 1,000 examples of a 2003 model of a school heating system known to be vulnerable when connected to the Internet. The visibility of a known vulnerable system via a public website is a clear example that the risk of school heating systems being controlled remotely by hackers is real.
Not Just Schools
The same / similar heating systems may also be used in buildings used by retailers, government offices, businesses and even military bases, thereby highlighting a much wider potential risk.
Security commentators have pointed out that there would be very little incentive for hackers to access school systems because many hacks are carried out for financial gain.
The risks could, however, increase in future as more devices and systems become part of the IoT.
What Does This Mean For Your Business?
It is possible that some businesses may be in buildings where the heating systems are exposed to a hacking risk. Risks could be reduced if companies used skilled IT workers who are aware of the potential risks and if systems are checked properly after installation.
To make heating systems really secure they should also be configured behind a firewall or virtual private network, and they should have the latest firmware and other security updates.
It is also important to note that some responsibility rests with the manufacturers of heating and other smart building systems to design security features into them because even if a device is not directly connected to the internet, there may be an indirect way to access it.
This story also highlights the wider challenge of tackling security for IoT devices and products. There have been many occasions in recent years when concerns about the security / privacy vulnerabilities in IoT / smart products have been publicly expressed and reported. The truth is that the extent of the current vulnerabilities are unknown because the devices are so widely distributed globally, and many organisations tend not to include them in risk assessments for devices, code, data, and infrastructure. Home / domestic users have no real way of ascertaining the risks that smart / IoT devices pose, probably until it’s too late.
It has also been noted that not only is it difficult for businesses, including manufacturers of smart products, to ascertain whether all their hardware, software, and service partners are maintaining effective IoT security, but there is also still no universal, certifiable standard for IoT security.
For businesses, it’s a case of conducting an audit and risk assessment for known IoT devices that are used in the business. One basic security measure is to make sure that any default username and passwords in these devices are changed as soon as possible. For home users of smart products (who don’t run checks and audits), it appears that others (as in the case of the German Federal Network Agency) need to step in on their behalf and force the manufacturers to take security risks seriously.