In 2021, the U.S. Department of Energy (DOE) invested $61 million in 10 pilot projects that would use new technologies to transform residential homes, commercial buildings, and federal facilities into state-of-the-art, energy-efficient buildings contributing to a net-zero-carbon economy. The advanced building control systems integrated into these projects, known as Connected Communities, enabled such a bold vision. To date, the buildings industry has not adopted such leading-edge approaches to the development and deployment of networked systems that perform core functions—such as lighting, heating, cooling—let alone those that utilize Internet-of-Things (IoT) devices. One deterrent might be the increased risk of cyberthreats that accompanies the benefits of incorporating networked systems into buildings.
After witnessing the prevalence of malware targeting industrial control systems (ICSs), researchers at the international cybersecurity company Forescout embarked on an internal project: building malware with a final payload that could persist at the automation level. Forescout executed these exploits on its malware test bed in 2020 to demonstrate how an adversary could do the same on real-world deployed systems. Its project discovered previously unknown vulnerabilities in devices such as controllers and gateways and concluded that building automation systems (BASs) may be as vulnerable as ICSs in terms of safety and security—despite receiving a lot less attention from the security community.
Generally speaking, IoT systems are not considered secure. Instead, they are viewed to be the lowest-hanging fruit through which adversaries can pivot into other valuable assets residing on the same network. Palo Alto Networks’ 2020 Unit 42 IoT Threat Report states that 57% of the devices tested via its internal research were vulnerable to medium- or high-severity attacks, and 98% of device traffic was unencrypted.
Building system security assessment methods
A variety of tools is becoming increasingly available to assess system security prior to its installation. Available either as free, publicly accessible, or through a license, these tools include static application security testing (SAST) and dynamic application security testing (DAST), which check software for misconfigurations that could lead to a common vulnerability and exposure (CVE). In addition, penetration testing—also known as red teaming—by a cybersecurity professional acting as an adversary can examine the resilience and exploitability of networked services and assets.
However, designing systems that meet cybersecurity requirements is always better than evaluating systems after procurement or, worse yet, after installation and configuration. More holistic approaches have been developed and are starting to see adoption. One example is the previously described Connected Communities pilot project: All Connected Communities cohort members are required to submit a cybersecurity plan detailing implementation and configuration details for their networked systems.
More holistic approaches are useful to building owners, IT personnel, and third-party services that manufacture and provide cloud-based services for their products, which will ultimately create an ecosystem of connected devices. One such approach is outlined below.
- Threat modeling creates a system abstraction and then identifies design-level issues via a threat profile.
- Attack surface management (ASM) tools host repositories of publicly exposed devices and facilitate device queries to identify correlations between known vulnerabilities and device types or properties.
- Behavioral frameworks classify cyber adversary behaviors as tactics and techniques and can help to identify where potential gaps exist within planned or deployed systems and assets.
- Adversarial methodologies are mapped by vulnerability type, functionality gained, and techniques used, and can be useful for aligning cybersecurity controls with anticipated system attacks based on system functionality and owner.
Ideally, building owners and building system designers in the MEP or IT/OT space would incorporate these approaches into their design processes. However, designing for cybersecurity when design practices do not flesh out operational and system integration details is difficult. In today’s building development practices, the make and model of equipment, as well as the software and control strategies that will operate the equipment, are often not fully determined until the building is under construction. In many cases, software and control strategy configurations are not finalized until the building is well into operation.
Research to increase the security of building systems
Decarbonization of the electric grid will likely require sophisticated buildings that take advantage of flexible and highly integrated building systems, such as lighting and HVAC; and distributed energy resources (DERs), such as photovoltaic panels and battery storage or battery energy storage systems. The development of such buildings will likely require more sophisticated system design practices that take greater advantage of digital tools and workflows that support modeling and simulation throughout the building development process—starting at the design development phase, if not earlier. Such design practices will be well-suited for the adoption of emerging, more holistic design-for-cybersecurity approaches.
With this future in mind, researchers at the Pacific Northwest National Laboratory (PNNL) have been thinking about how practitioners might adopt these approaches. In 2022, PNNL published A Cybersecurity Threat Profile for a Connected Lighting System, which described and demonstrated how threat modeling can identify potential cybersecurity vulnerabilities in the design phase. Using the Microsoft Threat Modeling Tool (MTMT), we modeled multiple connected lighting systems with different system architectures of an on-premise server versus a cloud server—and identified how those choices affected the potential for cybersecurity threats and the system attack surface. Finally, we developed mitigation strategies for the threats associated with these design choices and offered recommendations for stakeholders, from manufacturers of lighting systems to end users.
Zeroing in on existing installations
After initially focusing on the potential for introducing threats, we decided to look at cybersecurity risk from the opposite end of the spectrum—by taking an adversarial reconnaissance approach and exploring the existence of known, but uncontrolled vulnerabilities in real-world building systems. We searched the Shodan repository of publicly exposed devices, looking for lighting and other building operational technology (OT) devices and systems. Figure 1 shows an example of a Shodan banner, or fundamental unit of data, returned following the execution of a query, containing a wide variety of information about ports, services, and other properties.
The highlighted banner properties were found to be useful in crafting fingerprints for specific devices or systems, such as a programmable logic controller or a lighting management server. We developed 18 queries targeting specific building system vendors or protocols. These queries returned over 1.4 million banners, and the custom fingerprints were used to identify 56,061 OT devices or systems and assign them to one of five asset classes (Figure 2).
The databases that Shodan and other cyber-risk management tools generate also contain information about CVEs already known to exist within widely deployed devices and technologies. The “vulns” property in banners returned by Shodan was parsed to identify CVEs in eight of the 18 queries. Figure 3 shows both the total and vulnerable numbers of devices found by each query.
A total of 16,672 instances of 200-plus identified CVEs (CVE-IDs) were found in the 56,061 exposed assets. Many of the same CVE-IDs were found in multiple assets, so the total vulnerabilities found include repeated instances of these same 200-plus CVE-IDs. About 95% of the CVE-IDs are medium and high severity, which means that exploiting these vulnerabilities could potentially have a high impact. Based on the location assigned to the IP addresses, the exposed devices we identified with at least one CVE appeared to be located within 527 buildings globally, with 74 of them residing in the United States. This set of known vulnerabilities found in exposed real-world systems associated with a specific industry can be used to prioritize the application of cybersecurity controls, perhaps in consideration of their ease of implementation and overall impact. Additional details for this analysis will be published in a report, which is expected to be available on the DOE website by the end of this year.
Assessing the threat landscape
Finally, we used the eyes of an adversary to take a second look at our findings of uncontrolled vulnerabilities in real-world systems. The CVEs identified in the Shodan analysis were mapped to adversarial behaviors that could be used to exploit them via the MITRE ATT&CK matrix, a commonly used behavioral framework that classifies cyber adversary behaviors as tactics and techniques. We mapped 12,806 discoverable devices with CVEs, resulting in a threat landscape comprised of 12 tactics, 44 techniques, and 34 sub-techniques. About 59% of all discovered vulnerabilities are attributable to just three techniques, shown in Figure 4. Additional details for this analysis will also be published in a forthcoming DOE report.
The three analyses presented here can be combined to create a cybersecurity threat landscape assessment that can be proactively used by system manufacturers, designers, and operators. Rather than looking at post-mortem data, one can assume an adversarial posture by scanning for vulnerabilities that exist within deployed systems and identifying what tactics and techniques could be employed to exploit the targeted products and protocols. This approach mimics the initial reconnaissance phase employed by many adversaries prior to a cyberattack.
Defining the threat landscape in the same way allows system operators to see their assets from the perspective of their potential adversaries, rather than relying on their own, often misleading perspectives. A correlation of threats, uncontrolled vulnerabilities, and potential adversarial actions can enable system designers and operators to target potential gaps in coverage and provide their offensive and defensive cybersecurity teams with a common way of identifying the highest priority tactics, techniques, and vulnerabilities for mitigation.
An extended discussion of this threat landscape approach can be found in our paper “Connecting the Dots: An Assessment of Cyber-risks in Networked Building and Municipal Infrastructure Systems," published in the Proceedings of the 56th Hawaii International Conference on System Sciences, which took place in January 2023.
To summarize, building owners and operators as well as system designers and architects should:
- Develop threat profiles in the design phase of systems not yet deployed to identify attack surfaces and threats that can be mitigated with strategically deployed controls.
- Scan assets similar to those to be deployed that are already in operation in other buildings to get an idea of what vulnerabilities currently exist for that asset type, and what tactics and techniques adversaries might use to attack those assets.
- Scan all assets in systems currently in operation to identify publicly exposed and vulnerable devices using one of the increasingly accessible and easy-to-use tools, such as Shodan or others listed on the Cybersecurity and Infrastructure Security Agency’s website.
- Run scans quarterly or as new devices and technologies are deployed to get an updated snapshot of exposures and potential vulnerabilities on the network.
- Take a proactive approach from an adversarial perspective rather than a reactive approach from an inward-looking perspective.
Stakeholders that do not want to develop the ability to take these preventative measures should consider hiring a trusted third-party service that demonstrates an understanding of mission critical business functions, frameworks, and regulations that apply to their operating environment; can deliver measurable outcomes and documentation; and can identify reasonable controls that are proven to mitigate targeted vulnerabilities.
Finally, we see an opportunity to save time and money through the use of common or standardized means for creating semantic models of buildings and building systems. The adoption of such an approach could reduce the time required to create a threat model by allowing for the ingestion of a design model and facilitating the integration of the described tools and techniques into a streamlined workflow. Such an integrated workflow might allow those without security teams in place to perform the work of an analyst and provide actionable insights that could be immediately incorporated to make the deployment or maintenance of their systems more resilient to outside attacks.
Dos Santos, Daniel; Speybrouck, Clément; and Costante, Elisa (2020). Cybersecurity in BAS. Forescout. https://www.forescout.com/resources/bas-research-report-the-current-state-of-smart-building-cybersecurity-2/.
Francik, Paul; Ashley, Travis; and Poplawski, Michael (2023). “Connecting the Dots: An Assessment of Cyber-risks in Networked Building and Municipal Infrastructure Systems.” https://scholarspace.manoa.hawaii.edu/items/7adb5c56-d797-4f5e-acab-b49963f79269.
Francik, Paul; Poplawski, Michael; Gourisette, SRI Nikhil Gupta; O’Connell, Patrick; Younkin, Chance; Ashley, Travis; and Seppala, Garrett (2022). “A Cybersecurity Threat Profile for a Connected Lighting System.” https://www.osti.gov/biblio/1859678.
Unit 42. (2020). 2020 Unit 42 IoT Threat Report. Palo Alto Networks. https://unit42.paloaltonetworks.com/iot-threat-report-2020/.
U.S. Department of Energy. (2021, October 31). Connected Communities Funding Program. Energy.gov. https://www.energy.gov/eere/solar/connected-communities-funding-program.