How vulnerable building management systems can be hit me ten years ago while working at an expensive Sydney harbourfront home.
The householder – a rich banker – had spent millions on physical security to insulate his family from the outside world. Yet anybody could dial in and monitor what was happening in the house through the building’s CCTV and management systems.
Not only were the building’s CCTV and management systems open to the net, but the system’s server ran on an antiquated and unsecured version of Windows 2000 that shared the home network with a couple of enthusiastically downloading teenagers.
It was a matter of time, perhaps hours, before the system was compromised by a worm or virus. The security implications were enormous.
Even the banker’s business was vulnerable, as a targeted hack into the home would allow people to monitor traffic on the network and intercept work-related messages.
What was really shocking, however, was how the system vendor and integrator who’d installed it simply didn’t care about the client’s security problems.
So the news that the BMS at one of Google’s Sydney offices is exposed to the net shouldn’t be a surprise. Building Management Systems, as we saw with the rich banker’s house, are notorious for their poor security.
For Google this security breach is embarrassing, although the responsibility for this flaw lies firmly with the building owner, who should have made sure their systems are locked down and properly secured. You can’t throw this problem over the fence.
One wonders just how widespread these problems are with other industrial systems like SCADA devices and other remotely operated equipment.
Internet-connected systems have been around now for twenty years; there are no longer any excuses for not taking these issues seriously.