Lack of IOT HVAC control system cyber security and potential real-world impacts

Dec. 13, 2020
A new IOT valve/actuator from a major HVAC equipment supplier has no device security. A further look at the supplier’s catalog shows additional products that communicate using common insecure building communication protocols such as BACnet and Modbus. The ability to remotely control these valve/actuators allows for unauthorized control of a building’s environmental control systems without ever touching the Building Management System (BMS). The potential harm that can be done by these types of valves can be significant as they control the temperature and humidity from the air handling units. Temperature and humidity affect residence time/viability of viruses such as COVID-19. Increase the humidity, and you’ve just allowed the virus to remain viable for a longer time. It should be obvious that cyber security IoT in devices can be critical, yet are not being adequately addressed.

This is a joint post with Lyn Gomes of DPR Construction and Bob Hunter of AlphaGuardian.

Much has been written about the lack of cyber security in IOT devices. Much has also been written about the lack of cyber security in process sensors/actuators/drives (Purdue Reference Model Level 0,1 devices). Cybersecurity risk for buildings/facilities has been explicitly acknowledged by the electrical and control system community, recently in a December 3, 2020 Schneider Electric webinar on control system cyber risk. As buildings and facilities are ubiquitous, this can be a very expansive problem.

In another recent webinar for a new IOT (or IIOT- Industrial Internet of Things - depending on your definition) device from a major HVAC equipment supplier, Lyn learned about a new valve actuator device (Reference Model Level 0,1) with not only no device security but with a backdoor that cannot be bypassed similar to the backdoors in digital process sensors. These backdoors can create cyber issues in networks where the actuators are connected. This is an example of poor or non-existent security practices in control system/IOT devices used in critical building control applications. The new valve actuator/flow meter combination is used to control heating and cooling in air handling units and water coils. The device is marketed as being configurable (suggests a hardware backdoor for end-users and for vendor remote access for firmware upgrades) and with extra information available through the IoT interface.

The actuator webinar stressed that these devices could be installed not only at every air handler in a building (1-5+ units, depending on building size), but also at every Variable Air Volume (VAV) box and/or fan coil (20-200+ units, depending on building size). When the manufacturer was asked whether there was any authentication for this device, the answer was “no”. The manufacturer stressed that the device doesn’t have to be connected to the Internet. This explanation may provide context to why the vendor didn’t see lack of device authentication as an issue. Furthermore, the vendor stressed that the systems can be configured with a user password, but there are numerous examples of unchanged default or easy to guess passwords. The vendor appears to conflate user authentication with device authentication which are two very different things. If each of the devices were connected, there could be hundreds of points where a hacker could enter the network with minimal possible detection, increasing the attack surface dramatically. A further look at the manufacturer’s catalog shows additional products that communicate via wireless or wired network connections using common building communication protocols such as BACnet and Modbus. 

BACnet and Modbus are used extensively throughout the building controls industry.  Current BACnet standards industry offer only a 56-bit encryption for data even though 56-bit encryption is not difficult to break. A new standard is under development to add a higher level of encryption, but this is at least 2 years away.  Despite the trivial level of encryption, few BACnet systems implement a viable security option. Additionally, Modbus use in building controls generally is  unencrypted. The trivial level of encryption combined with no authentication allows a hacker of even modest skills to alter, stop, or sabotaged the process to the physical harm of others.

Valves, actuators and process sensors such as these are not “incidental” to cybersecurity.  Rather, the ability to remotely control these systems allows for unauthorized control of a building’s environmental control systems, without ever touching the Building Management System (BMS). All that is required to take over a building’s environmental systems is to gain control of its valves, actuators and sensors and feed incorrect data to the BMS. This makes the BMS believe everything is fine and just continues to run as if all were in a normal condition. But, while the BMS is blind to the valve, actuator and sensor takeover, a great deal of harm can be done to the occupants of that facility and whatever systems that could be sensitive to environmental changes. The concern is building controls cyber security is only at the BMS level. Consequently, these kinds of insecure devices are unanalyzed gaps in BMS cyber security.

The potential harm that can be done by these insecure devices can be significant. These types of valves control the temperature and humidity from the air handling unit. Temperature and humidity affect residence time/viability of viruses such as COVID-19. Increase the humidity, and you’ve just allowed the virus to remain viable for a longer time. More directly, the air handling unit hot water valve (especially with a man-in-the-middle attack that would spoof the flow signal) could be maliciously closed during a cold winter night and cause hundreds of thousands of dollars in damage not only to the unit, but potentially to the contents of the building.

Considering that air handling and related water controls are critical for minimizing COVID threats, this becomes a serious issue.  It is a very real threat that a person or group with malicious intent could take over an HVAC system to alter space humidity and, in the process, greatly increase the risk of transmitting COVID between occupants of that facility.  Unauthorized users could also increase the supply and return temperatures of the air or cooling water in an HVAC system, while disguising their changes to have the sensors contained in the valves and actuators report normally expected temperatures as if nothing were wrong (like Stuxnet).  All the while, temperatures in the building would be rising which could create further COVID vulnerabilities as people would complain of heat and remove their masks yet, the thermostats and all other systems would report temperatures being in normal ranges. Another possibility would be to overwrite the firmware of the device. The device could be reprogrammed closed or open, rendering space temperatures uncontrolled or even wiped clean, rendering it completely unresponsive to any commands (i.e. "bricked"). Costs for replacement and reprogramming for hundreds of actuators could be in the tens to hundreds of thousands of dollars. This is not an idle consideration. In the 2015 Ukrainian power grid cyberattack, the Russians “bricked” the firmware in the serial-to-Ethernet convertors effectively making the convertors useless pieces of metal.

It should be mentioned that these kinds of equipment vulnerabilities were not addressed in the December Schneider webinar. The Schneider webinar focused on risks associated with Internet connections found by Shodan and network computer viruses in the BMS.

To summarize, the overall vulnerabilities presented by these kinds of insecure devices are extremely high because:

  • They can connect to the Internet with no means for device authentication (e.g., anyone can connect to it)
  • The encryption in their communication is either trivial or nonexistent (e.g., anyone can send read/write commands sent to the valve or the data it provides to the BMS)
  • The vulnerabilities present a large attack surface (e.g., potentially hundreds of devices on a network)
  • The devices contain vulnerabilities that can leave minimal to no forensic trails (e.g., spoofing flow from the integral flowmeter)
  • These are configurable devices (e.g., ability to change device software)

I, along with my co-authors Lyn and Bob, hope this blog will give both manufacturers and designers/specifiers pause. Cyber securing IoT in devices is not trivial. As the cybersecurity joke goes – What’s the “S” in IoT for? Security! (That’s right, there is no “S” in IoT.) The capabilities unlocked by these devices are often not worth the security risk.

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...