Leveraging Operational Technology and the Internet of Things to Attack Smart Buildings

TL;DR

This paper investigates cybersecurity vulnerabilities in smart building automation systems, demonstrating how IoT and operational technology can be exploited to disrupt operations and introducing malware that persists within BAS networks.

Contribution

It presents the first BAS-specific malware leveraging OT and IoT devices, and analyzes attack vectors and vulnerabilities in modern smart building systems.

Findings

BAS networks are as critical as industrial control systems.

Simple attacks can disrupt BAS operations.

Proof-of-concept malware can persist within BAS networks.

Abstract

In recent years, the buildings where we spend most part of our life are rapidly evolving. They are becoming fully automated environments where energy consumption, access control, heating and many other subsystems are all integrated within a single system commonly referred to as smart building (SB). To support the growing complexity of building operations, building automation systems (BAS) powering SBs are integrating consumer range Internet of Things (IoT) devices such as IP cameras alongside with operational technology (OT) controllers and actuators. However, these changes pose important cybersecurity concerns since the attack surface is larger, attack vectors are increasing and attacks can potentially harm building occupants. In this paper, we analyze the threat landscape of BASs by focusing on subsystems which are strongly affected by the advent of IoT devices such as video surveillance systems and smart lightning. We demonstrate how BAS operation can be disrupted by simple attacks to widely used network protocols. Furthermore, using both known and 0-day vulnerabilities reported in the paper and previously disclosed, we present the first (at our knowledge) BAS-specific malware which is able to persist within the BAS network by leveraging both OT and IoT devices connected to the BAS. Our research highlights how BAS networks can be considered as critical as industrial control systems and security concerns in BASs deserve more attention from both industrial and scientific communities. Even within a simulated environment, our proof-of-concept attacks were carried out with relative ease and a limited amount of budget and resources. Therefore, we believe that well-funded attack groups will increasingly shift their focus towards BASs with the potential of impacting the live of thousands of people.