Skip to main content
  • Feature Story

Modern-day cyber pirates phish portals, not high seas

Building control systems are a new target for criminal hackers. UL’s Louis Chavez details how to safeguard life safety and security products against cyber attacks.

Mass of hooded computer criminals with various internet attacks and criminal activities in red text with a binary code background

January 15, 2019

The fish tank looked ordinary to visitors of the U.S. casino. Certainly, nothing that screamed “future crime victim.” International hackers, however, saw something different; an exploitable vulnerability that could allow them to steal data through the fish tank’s remote climate monitoring system.

Using the aquarium’s thermostat, the hackers accessed the casino’s high-roller database and pulled its information from the casino’s network into the cloud.

A plot device from the creative minds of Hollywood’s top screenwriters?

Unfortunately, no. Building owners and managers, facility engineers and physical-security specialists beware: this very real scenario illustrates an increasingly malicious form of modern-day piracy – cyberattacks made possible by IoT (internet of things) vulnerabilities. On average, IoT devices are hacked once every two minutes.

In commercial settings, businesses rely on life safety and security products, such as security alarm control panels, access control systems, intrusion detection units, smoke and fire alarm control units, mass notification systems and more, to monitor and control building operations. These building control systems (BCS), however, can also provide cybercriminals with a portal that enables them to gain both physical access to facilities and virtual access to IT systems and data.

“By deploying connected devices (IoT), the user can expose building systems to attacks that would otherwise require local on-site access. This can leave a building control system vulnerable to attack from malicious actors residing anywhere on the earth,” said Louis Chavez, principal engineer for life safety and security products within UL’s Building and Life Safety Technologies business unit.

“You’re basically leaving open a door to the product where someone can maliciously manipulate it or use the product in a way that it wasn’t intended, potentially leading to the compromise of the broader system,” said Chavez.

Safeguarding Building Systems from Cyberattacks

Whether to deter cybercriminals from remotely disarming a security system, taking control of surveillance cameras and mobilizing them as bots to attack another part of the system or deactivating fire and smoke alarm systems designed to keep building inhabitants safe, implementing proper security measures and controls can help mitigate the cybersecurity vulnerabilities of connected BCS products.

Chavez recommends the following approaches for safeguarding building systems against cyber attacks:

  • View the system holistically, not just as a series of individual products. While the safety and security of individual products must still be addressed, it’s important to analyze and test how securely those products communicate with each other once connected to the larger system.

“Take an access control system for example,” Chavez explained. “We can test and certify it on its own, but then an important next step is to assess and better understand the safety and security of additional systems that it might connect into, like a fire alarm control unit or building lighting control system.”

  • Say no to default passwords. Always change the default passwords, such as “1234” or “admin,” set by manufacturers before the product is shipped.

“One of the biggest avoidable mistakes is using products such as security cameras straight out of the box without changing default passwords and properly securing them before installation,” Chavez said. “Users of connected devices should always follow manufacturers guidance on how to set up and configure the device, such as changing default passwords, compatibility information, etc.”

  • Consider ALL devices connected to the internet, not just the BCS products at hand. Even the most secure life safety and security products can be at risk if they are sharing an internet connection with less secure devices.

“That smartphone or other consumer product an employee brings to work and connects to the network might allow someone to hack into and manipulate the life safety and security systems connected to the same network,” Chavez said.

  • Be certain your remote connection isn’t an open call for cyber attacks. The rise of connected technologies has increased the capability of monitoring building control systems remotely, and many BCS products are now monitored by users via smart devices, smartphones or computers. This remote access may include the ability to download software updates to keep a BCS product current. But if the connection used by an operator to download upgrades or monitor systems remotely from a home or public network isn’t secure, then the convenience of remote monitoring can leave a building system’s entire network highly susceptible to attack.

“Smartphones have enabled an always-on environment, but you really have to consider how that device is connected to the internet, who is properly authorized to make updates to software from a smartphone and what potential vulnerabilities you are inadvertently exposed to by using remote connections,” Chavez said.

  • Have your products tested and certified to help improve security. As the newest addition to the UL 2900 series of cybersecurity standards, UL 2900-2-3 was developed to address cybersecurity for life safety and security products, providing a foundational set of cybersecurity criteria that manufacturers of network-connectable products can use to establish a baseline of protection against known vulnerabilities, weaknesses and malware. Products certified to UL 2900-2-3 are compliant for 12 months, and UL recommends consideration for all applicable cyber controls to help ensure that products working together within the larger system do so securely.

As the IoT market races toward a projected 20.4 billion connected products in use by 2020, the need to address preventive measures and build cybersecurity into products is key.

“Manufacturers have begun to realize the critical importance of embedding cyber protection into their products,” said Chavez. “It’s more costly and time-consuming, but in the end, it’s necessary to help keep today’s network connected buildings and equipment physically safe and secure while benefiting from the new capabilities of IoT devices.”