To raise security awareness, researchers spent months hacking mock building systems

Security experts have in recent months warned that building-automation lags behind other critical infrastructure sectors when it comes to awareness of cyberthreats and appreciation of their potential impact.

Now an 18-month research project, which tested malware and exploits on gear made by top vendors, is trying to change that.

“In the 18 months that we’ve been working on this, we’ve engaged with a lot of stakeholders from the domain,” Elisa Costante, a senior director at Forescout Technologies, told CyberScoop. “And now we really see that the reception has changed and everybody has realized the impact can be actually more critical” than many realized.

After all, she said, the building-automation sector does not just mean office buildings; it also includes hospitals, airports and other critical infrastructure.

Forescout researchers assembled a lab of building-automation equipment, threw their custom malware at it, and then documented how effectively their code manipulated the gear. The project culminates Tuesday, when Costante will present her team’s work at the S4 Conference in Miami Beach, an annual pilgrimage for industrial control system gurus.

One key takeaway from the research, Costante said, is how cheap a targeted attack on building-automation devices can be. Her team spent $11,000 on assembling the test bed and other aspects of the project – chump change compared with the resources available to a nation-state.

“The main message is that this is something that can be done easily and is not even that expensive,” she told CyberScoop.

There is a sense of urgency to the work: The FBI last month privately alerted industry about an insecure port used for communicating with control systems in buildings. Devices listening on the port were broadcasting network information that could be useful to hackers looking to exploit unpatched devices, the bureau said. There have been no public cases of hackers exploiting that access, but the concern is that attackers could collect data on a building network to eventually gain further access to the system.

Lack of ownership

Commercial buildings contain a range of specialized equipment that is far different from home-automation devices. It’s “a completely different beast,” Costante said, so her team built a lab with a network of realistic equipment, ranging from control systems managing heating, cooling and lighting, to surveillance cameras and video recorders.

Researchers then hunted for vulnerabilities on the network, using open-source information to write exploits targeting devices such as the cameras. One of the end products was “modular” malware, built from interchangeable components so that a single tool could attack several different systems. One module exploited a buffer overflow in an access-control programmable logic controller (PLC). With the ability to remotely execute code on that PLC, an attacker could, in theory, control physical access to parts of a building.

The researchers also found that the PLC stored passwords using a hardcoded function, which could allow an attacker to recover user credentials. The exploits worked on older versions of a framework used by the PLC, and the vendor has issued patches for both vulnerabilities. But a patch only helps once it has been installed. Using the Shodan and Censys search engines, which index internet-exposed devices, the research team said it found 7,980 devices like the access-control PLC that were vulnerable to those two attacks.

“Only having a patch is not enough,” Costante said. “We need to create awareness to warn the community.”

Additionally, the researchers said they found “severe misconfigurations” on a workstation used to manage building-automation devices that could allow an attacker to remotely execute code and obtain administrator privileges on the workstation’s operating system. The vendor said the systems integrator was responsible for these issues.

Costante said that this lack of ownership of the problem – between the vendor of the equipment and the systems integrator that hooks it up – is not uncommon.

“In building automation we are witnessing the convergence of IT and OT,” she said.

Internet of Things devices are now part and parcel of buildings that also rely on legacy operational technology. How building owners and vendors manage that merger will make all the difference for cybersecurity in the sector.

One positive sign of progress: Costante said that, after being notified of the vulnerabilities in their products, the vendors collaborated closely with the researchers to address the issues.

Written by Sean Lyngaas