Co-authored by control systems cybersecurity expert Joseph M. Weiss, Lyn Gomes of DPR Construction (and BCxA International Board member), and Bob Hunter of AlphaGuardian.

Much has been written about the lack of cyber security in IOT devices. Much has also been written about the lack of cyber security in process sensors/actuators/drives (Purdue Reference Model Level 0,1 devices). Cybersecurity risk for buildings/facilities has been explicitly acknowledged by the electrical and control system community, recently in a December 3, 2020 Schneider Electric webinar on control system cyber risk. As buildings and facilities are ubiquitous, this can be a very expansive problem.

In a recent webinar for a new IoT device from a major HVAC equipment supplier, Lyn learned about a new valve actuator device (Reference Model Level 0,1) with not only no device security but also creates a backdoor.

This is just an example of poor or non-existent security practices in control system/IOT devices used in critical applications. The new valve actuator/flow meter combination is used for control of heating/cooling in air handling units and water coils. It is marketed as being configurable (implies a hardware backdoor for end-users and also for vendor remote access for firmware upgrades) and with extra information available through the IoT interface. The webinar stressed that these devices could be installed not only at every air handler in a building (1-5+ units, depending on building size), but also at every Variable Air Volume (VAV) box and/or fan coil (20-200+ units, depending on building size).

When asked whether there was any authentication for this device, the answer was no. The manufacturer stressed that the device doesn’t have to connected to the Internet. This explanation may provide context to why the vendor didn’t see lack of device authentication as an issue. Furthermore, the vendor stressed that the systems can be configured with a user password, but there are numerous examples of unchanged default or easy to guess passwords. In addition, the vendor conflates user and device authentication which are two very different things. If each of the devices were connected, there could be hundreds of points where a hacker could enter the network with minimal possible detection, increasing the attack surface dramatically. A further look at the supplier’s catalog shows additional products that communicate via wireless or wired network connections using common building communication protocols such as BACnet and Modbus.

BACnet and Modbus are used extensively throughout the building controls industry. Current BACnet standards industry offer only a 56-bit encryption for data even though 56-bit encryption is not difficult to break. A new standard is under development to add a higher level of encryption, but this is at least 2 years out. Despite the trivial level of encryption, few BACnet systems even bother to implement a viable security option. Additionally, Modbus use in building controls is completely unencrypted. The trivial level of encryption combined with no authentication allows a hacker of even modest skills to alter, stop, or sabotaged the process to the physical harm of others.

Valves, actuators and process sensors such as these are not “incidental to cybersecurity” as some might think. Rather, the ability to remotely control these systems allows for unauthorized control of a building’s environmental control systems, even without ever touching the Building Management System (BMS). All that is required to take over a building’s environmental systems is to gain control of its valves, actuators and sensors and feed incorrect data to the BMS. This makes the BMS believe everything is fine and to just continue to run as if all were in a normal condition. But, while the BMS is blind to the valve, actuator and sensor takeover, a great deal of harm can be done to the occupants of that facility and whatever systems that could be sensitive to environmental changes.

The potential harm that can be done by this type of valve can be significant. These types of valves control the temperature and humidity from the air handling unit. Temperature and humidity affect residence time/viability of viruses such as COVID-19. Increase the humidity, and you’ve just allowed the virus to remain viable for a longer time. More directly, the air handling unit hot water valve (especially with a man-in-the-middle attack that would spoof the flow signal) could be maliciously closed during a cold winter night and cause hundreds of thousands of dollars in damage not only to the unit, but potentially to the contents of the building.

Considering that air handling and related water controls are critical for minimizing COVID threats, this becomes a serious issue. It is a very real threat that a person or group with malicious intent could take over an HVAC system to alter space humidity and, in the process, greatly increase the risk of transmitting COVID between occupants of that facility. Unauthorized users could also increase the supply and return temperatures of the air or cooling water in an HVAC system, while disguising their changes to have the sensors contained in the valves and actuators report normally expected temperatures as if nothing were wrong (like Stuxnet). All the while, temperatures in the building would be rising which could create further COVID vulnerabilities as people would complain of heat and remove their masks yet, the thermostats and all other systems would report temperatures being in normal ranges. Another possibility would be to overwrite the firmware of the device. The device could be reprogrammed closed or open, rendering space temperatures uncontrolled or even wiped clean, rendering it completely unresponsive to any commands (i.e., bricked). Costs for replacement and reprogramming for hundreds of actuators could be in the tens to hundreds of thousands of dollars. This is not an idle threat. In the 2015 Ukrainian power grid cyberattack, the Russians “bricked” the firmware in the serial-to-Ethernet convertors effectively making the convertors useless pieces of metal and plastic.

It should be mentioned these types of equipment vulnerabilities were not addressed in [a recent] Schneider presentation, as Schneider focused on Internet connections found by Shodan and network computer viruses.

To summarize, the overall vulnerabilities presented by this, and possibly other similar devices, are extremely high-risk because:

·         They can connect to the Internet with no means for device authentication (e.g., anyone can connect to it).

·         The encryption in their communication is either trivial or nonexistent (e.g., anyone can send read/write commands sent to the valve or the data it provides to the BMS).

·         The vulnerabilities present a large attack surface (e.g., potentially hundreds of devices on a network).

·         Contains vulnerabilities that have minimal to no forensics (e.g., spoofing flow from the integral flowmeter).

·         It is a configurable device (e.g., ability to change device software).

We hope this blog will give both manufacturers and designers/specifiers pause. Security IoT in devices is not trivial. As the cybersecurity joke goes – What’s the “S” in IoT for? Security! (That’s right, there is no “S” in IoT.) The capabilities unlocked by these devices is often not worth the security risk.