By Chris Topham, Abtec Building Technologies.
Attacking industrial control protocols and building management systems (BMS) is nothing new. Over the last 18 months however, the number of reported attacks on such systems appears to be growing. The common thread between some of the more notable cases is Internet Protocol (IP) networks. The trend in deploying building control projects over IP networks has the potential to make those systems less secure – due, in large part, to our lack of IP networking security knowledge.
Whether you specialise in the residential or commercial market, if your clients get hacked, it is your reputation that suffers. You might question why someone would want to hack a residential environment, but the answer is simple: it is often easier and provides a training ground for larger projects.
Unfortunately, there is no one method to block hackers that attack over IP networks, which is why we use a layered approach to security, both to deter and block. Implementing these steps can help to protect your clients, your projects and your brand.
The first step in protecting ourselves is to understand the nature of the attacks. Obviously if you are reading this, your specific interest is in the KNX protocol, so Part 1 of this two-part series will examine attacks on KNX, while Part 2 will explore methods of protecting your BMS generally.
In recent years, KNX and its members have invested considerably in data security, including KNX over IP links, but unless the systems integrator takes advantage of secure methods of deployment, the system could be vulnerable.
There are three primary types of attack that might happen against the KNX protocol;
• Telegram interception.
• KNX telegram injection.
• Halting KNX traffic over a network.
These attacks can render the KNX network inoperable, and if used effectively, can surrender control of the network.
Steps to Protection
The key to protecting KNX projects is to make it as difficult as possible to connect to the IP network. Like an opportunistic burglar, hackers will often focus their efforts on projects with the lowest levels of security. For residential projects, here are some simple steps to take, assuming that the client’s network is managed by a Wi-Fi router:
• Stronger password – ensure that the client’s Wi-Fi router has a strong WPA2 password activated.
• Change the default SSID – this is the unique name of the client’s wireless network access point. The default SSID is usually the name of the Wi-Fi router. Hackers will prioritise connecting to routers with known vulnerabilities.
• Hide SSID and MAC filtering – although these two will not stop a determined hacker, they could deter an opportunistic one. Most wireless routers give the option to stop broadcasting their SSID, making the network more difficult to find. Many routers can filter access to the network by cross-checking devices against an approved device list.
• Add a firewall – for larger residential projects, it would be worth investing in a small hardware firewall. This will help stop hackers accessing the KNX project via the Internet.
Commercial Project Protection
It is worth consulting an IT networking specialist for larger commercial projects, as they will be able to work with the client’s IT team to ensure its security regime is adhered to. Here are some pointers to mitigate some of the obvious security issues:
• Managed switches – if you are connecting networking equipment to the client’s network, make sure that the network administrator is aware. Also make sure that it is managed (rather than unmanaged) switching equipment.
• Create a VLAN for KNX – VLANs are secure ‘virtual’ networks that run over an IP network. These self-enclosed networks shield KNX telegrams from eavesdroppers.
• Email filtering and anti-virus – rogue applications, or malware, can sniff out network vulnerabilities and create ‘backdoor’ network entry points. These are often propagated by phishing emails. A good email filtering and anti-virus service will block many of these.
• Consider 802.1x wireless protocol – this protocol improves the security of wireless access points. Access is controlled with a combination of digital certificates, passwords and network domain settings.
The threat of cyber attack is constantly evolving, so it is important to keep up to date with security news. A full statement by the KNX Association on security can be found here and the Association also provides a useful security checklist.
For larger business projects, it is worth consulting with an IT networking specialist. They should be able to advise and suggest secure methods of deployment, and some will even work on the project on your behalf. When choosing a specialist, make sure that they hold good networking certification, such as Cisco CCNP in security, and understand the KNX protocol.
If you would like to learn more about deploying KNX and BMS projects over IP networks securely, I have created a CIBSE-accredited training package.
In Part 2, we will look at attacks on BMS and supervisor applications, and will visit a website that should send shivers down any building automation engineer’s spine!
Chris Topham is Head of Marketing for Abtec Group. The Abtec Group includes Abtec Building Technologies Ltd, a building automation organisation and Abtec Network Systems Ltd, an IT networking specialist for the construction industry.