Risks of Centralized Management in Building Control

Centralized building control allows organizations to achieve new levels of efficiency and productivity. And while centralizing these processes is something desirable, it comes with risks.

It’s common practice to seek centralized authority in building control, putting one device in charge of many others to accomplish greater efficiency. That is what, for example, Delta’s enteliBUS manager does for corporate and industrial settings, channeling orders and processes for many devices through a single controller.

Yet the risk exponentially increases when management and control become centralized in this fashion: all authority is concentrated on a single device, one that is just as vulnerable as any other.

To adequately manage risk in scenarios like these, organizations must be highly aware of the challenge and do whatever it takes to protect devices such as Delta’s enteliBUS manager.

McAfee’s Experiment

McAfee conducted an experiment on the enteliBUS manager from Delta, which is responsible for managing a plethora of devices in building control environments. The enteliBUS manager is often used to control critical environment settings at server rooms, manufacturing facilities, office space, positive pressure rooms at hospitals, and many others.

McAfee emulated a real-life network in which the enteliBUS manager was in charge of centralized control, then attacked the system by fuzzing.

Fuzzing is a testing technique that feeds a program large amounts of random or malformed input. An automated process floods the software with such data while testers monitor it for crashes and memory leaks.

Fuzzing the test environment turned up a problem: when the device handled the excess data, a mismatch between the size of the incoming data and the memory reserved for it created a buffer overflow vulnerability, one a malicious party could use to gain access to the device.
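To make the two ideas above concrete, here is an added example (not McAfee's harness and not Delta's code) of a length-prefixed message parser with the size checks a buffer overflow of this kind needs, plus a small mutation-fuzz loop of the sort that found the original bug. The message format, the field capacity and the helper names are assumptions made for this example; they are not the enteliBUS wire format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed toy format (an assumption for this example, not the enteliBUS
 * protocol): [len: 1 byte][payload: len bytes][xor checksum: 1 byte] */
#define FIELD_CAPACITY 32   /* fixed-size destination, like a stack array */
#define MAX_MSG 64

enum {
    PARSE_OK = 0,
    PARSE_TOO_SHORT = -1,
    PARSE_LEN_EXCEEDS_MSG = -2,       /* declared length > bytes received  */
    PARSE_LEN_EXCEEDS_CAPACITY = -3,  /* declared length > destination size */
    PARSE_BAD_CHECKSUM = -4
};

struct field { uint8_t data[FIELD_CAPACITY]; size_t len; };

/* Hardened parser: the declared length is checked against both the bytes
 * actually received and the destination capacity before anything is copied.
 * The bug class the article describes is the same copy done without these
 * two checks, so an oversized declared length overruns the destination. */
int parse_message(const uint8_t *msg, size_t msg_len, struct field *out)
{
    if (msg_len < 2) return PARSE_TOO_SHORT;            /* len byte + checksum */
    size_t declared = msg[0];
    if (declared > msg_len - 2) return PARSE_LEN_EXCEEDS_MSG;
    if (declared > FIELD_CAPACITY) return PARSE_LEN_EXCEEDS_CAPACITY;
    uint8_t sum = 0;
    for (size_t i = 0; i < declared; i++) sum ^= msg[1 + i];
    if (sum != msg[1 + declared]) return PARSE_BAD_CHECKSUM;
    memcpy(out->data, msg + 1, declared);
    out->len = declared;
    return PARSE_OK;
}

/* Build a well-formed message with an n-byte payload; returns total size. */
size_t build_message(uint8_t *buf, size_t n, uint8_t fill)
{
    buf[0] = (uint8_t)n;
    uint8_t sum = 0;
    for (size_t i = 0; i < n; i++) { buf[1 + i] = fill; sum ^= fill; }
    buf[1 + n] = sum;
    return n + 2;
}

/* Tiny deterministic PRNG so a fuzz run is reproducible from its seed. */
static uint32_t lcg(uint32_t *s) { *s = *s * 1664525u + 1013904223u; return *s; }

/* Mutation fuzz loop: start from a valid message, flip a few random bytes
 * (the length byte included), sometimes truncate, and feed the result to the
 * parser. The oracle counts runs where the parser accepted a message whose
 * declared length does not fit the bytes received or the destination, i.e.
 * the memory-size mismatch that an unchecked copy would turn into an overflow. */
int fuzz_parser(unsigned iterations, uint32_t seed)
{
    uint8_t base[MAX_MSG], msg[MAX_MSG];
    size_t base_len = build_message(base, 16, 0xAB);
    int violations = 0;
    for (unsigned it = 0; it < iterations; it++) {
        memcpy(msg, base, base_len);
        size_t len = base_len;
        unsigned flips = 1 + lcg(&seed) % 4;
        for (unsigned f = 0; f < flips; f++)
            msg[lcg(&seed) % len] = (uint8_t)lcg(&seed);
        if (lcg(&seed) % 3 == 0) len = 1 + lcg(&seed) % len;   /* truncate */
        struct field out; memset(&out, 0, sizeof out);
        int rc = parse_message(msg, len, &out);
        if (rc == PARSE_OK &&
            (out.len != msg[0] || out.len + 2 > len || out.len > FIELD_CAPACITY))
            violations++;
    }
    return violations;
}

/* Constructed probes used by the demo below. */
int demo_valid(void)
{
    uint8_t m[MAX_MSG]; struct field f;
    return parse_message(m, build_message(m, 8, 0x42), &f);
}
int demo_length_exceeds_message(void)
{
    uint8_t m[5] = { 200, 1, 2, 3, 0 }; struct field f;   /* claims 200 bytes */
    return parse_message(m, sizeof m, &f);
}
int demo_length_exceeds_capacity(void)
{
    uint8_t m[MAX_MSG]; struct field f;                    /* 40 > 32-byte field */
    return parse_message(m, build_message(m, 40, 0x01), &f);
}

int main(void)
{
    printf("valid: %d, too long for message: %d, too long for field: %d\n",
           demo_valid(), demo_length_exceeds_message(),
           demo_length_exceeds_capacity());
    printf("fuzz violations after 5000 runs: %d\n", fuzz_parser(5000, 1));
    return 0;
}
```

The point of the harness is the oracle, not the mutations: a fuzzer only finds a size mismatch if something observes it, which on a real controller is a crash or a memory sanitizer rather than the explicit check used here.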

The next stage of the experiment paired Delta’s management device with an HVAC controller and put the combination to the test again. The results pointed in the same direction: after attacking the system, McAfee testers were able to load custom malware that created a backdoor, from which they could remotely issue commands to every device, manager and managed alike.

An important detail was pointed out by McAfee: in scenarios similar to this one, knowing the IP address would allow malicious agents to easily attack the devices over the Internet, something that is often possible thanks to Shodan. How Internet-connected devices, visible on Shodan, are creating serious problems for thousands of organizations is something we have discussed on the Julie Security blog on multiple occasions.

After the experiment, McAfee contacted Delta and the company proceeded to successfully patch the vulnerability, making this procedure ineffective for those trying to take control of the enteliBUS manager. Nonetheless, the lesson here is clear and evergreen: all network-connected devices must be adequately protected, no matter what. Every single piece in a system is a liability to some degree and a capable malicious party may find a way to get in.

But how to protect them?

Moving Forward with Our Recommendations

The Julie Security team has some recommendations for your organization to successfully protect your building control devices:

  1. Make sure your network-connected devices are not visible publicly on the Internet, findable through search engines such as Shodan.
  2. Implement the right tools for automated monitoring of network traffic and device activity, such as Julie Security.
  3. Segregate devices within the network as much as possible, making it impossible for malicious agents to move freely through devices.
  4. When working with outside contractors, implement and use a VPN when providing remote access to the network.
  5. Keep your devices’ software up to date as many vendors are constantly fixing vulnerabilities such as the one found by McAfee.
