How Can Attacks Cause Harm

If your system is attacked what’s the worst that can happen? How easy is it to cause? to stop? Cyber attacks can cause harm. The harm can be extreme such as when permanent damage is caused to equipment or when they cause a cascading effect - to the electrical grid for instance. They have even been used to stop Iran from completing its nuclear program - that attack was known as the Stuxnet Virus. We can expect terror cyber attacks and we can expect them to attack important institutions and infrastructure.   First, understand the harm and the risk. After that, we can look at how BACnet opens the door to attack.

Source of Risks -

• Purposeful attacks: Hacker, malicious attack, competitor attacks/spying, ex-employees, disgruntled employees, Autonomous robots. These attacks can be coordinated and scheduled.
• Accidental: deletion of data, flood the market, improper installation of cables, Unprepared installing of new equipment.

---

In CAS’s opinion the most serious vulnerabilities allow for attacks which can be broadly categorized as  1) Denial of Service Attacks (DOS)  2) Reinitialization Attacks and 3) Seizing Control.

Denial of Service attacks are those in which the network is flooded with messages which cause collisions preventing control and monitoring messages from being transmitted between devices. By flooding a device’s microprocessor with commands and tasks one can limit the ability of the device to operate normally. Do this on a large enough scale and you can shut down a campus, a factory etc. Attacks like these can be coordinated. Risk Profile = Moderate harm (eg. In-operable building, water damage) easily achieved. Reinitialization Attacks  are those that cause devices to restart which in itself presents a number of attackable vulnerabilities. If a device’s configuration or firmware can be altered prior to the re-initialization then the device could permanently lose its ability to operate or could be turned into a Zombie device and perform other attacks. Done on a large enough scale or to systems which are no longer supported, these attacks could take the target systems out for weeks and even months. Recovery may be dependent on the quality of backups. Risk Profile = Possible extreme effect (Bricking devices, provide pathways for viruses to spread, lost configurations) achieved with a moderate challenge, Moderate harm can easily be caused. Control Seizure attacks are those that exploit BACnet’s Peer to Peer system allowing any device to write at the highest priority to writable objects in other devices. These objects may control physical equipment such as motors, generators …It is easy to cause permanent damage  to some equipment by making it operate outside its design limits.  Alarms can be suppressed, data can be changed, Sequences of operation can be broken. Systems can be made inoperable presenting a risk profile of moderate harm easily achieved.

The 18 attack types below outline the harm and severity that attacks can cause using the vulnerabilities of BACnet.

(On a different page we discuss which BACnet features make it vulnerable and expose these risks of harm.) Energy-demand shock

Turning on a large number of energy-consuming devices (eg. Heating/cooling/lights) at the same time by direct command or by altering schedules, can dramatically increase the load on an electrical grid causing disconnects or even grid failure in extreme cases. Could your institution shut down your entire city or state ?

Building made uninhabitable on a temporary basis preventing use

A building's HVAC system can be driven to a state where there is no heating or cooling. Pipes may burst and other damage can occur.  This presents commercial and reputational risk. Your hotel brand is damaged and you have no room revenue for a few days because the HVAC won't work.

Building made uninhabitable on a temporary basis requiring evacuation

A building's HVAC system can be driven to a state where there is no heating or cooling. Pipes may burst and other damage can occur.  In hospitals, for example, safety protocols may require evacuation of patients.

Building driven to extreme temperatures - no heat , max heat, condensing humidity to cause equipment malfunction and possible permanent damage

If external temperatures are very low (Boston in Winter) or high (Arizona in summer) and HVAC system is driven off or to max heating the ambient temperature may be outside the operating range of equipment in the building or even to the point where equipment is damaged.  In humid environments, a system can be driven to be heavily condensing – water damage and short circuits could occur.

HVAC failure causing computer / super computer / server farms shutdown

Computer equipment is extremely temperature sensitive. Mildly elevated temperatures can cause decreases in performance.  Temperature extremes can cause failures and shutdowns. Many data centers are located in extremely cold places (Facebook – Sweden) to save on cooling energy costs. HVAC failures will drive interior ambient temperatures to low points.

HVAC failure causing computer / super computer / server farms damage

Temperature extremes can cause damage to CPU’s. Burst pipes can cause water damage.

Changing protection settings and limits

Many electrical devices have settings and operation limits used to protect the device from being operated in a way which will damage the device. For example, a motor controller may haveoperations which set the maximum speed. Changing the settings can cause devices to shut down or failing to protect themselves resulting in damage.

Driving pumps and motors and other devices to failure states

Many electrical devices have settings and limits which prevent the device from being operated in a way in which damage can occur. For example, a device may shut down or limit operation to ensure that it doesn’t run too hot. Changing these types of settings can allow devices to be damaged by normal operation. Motors can be driven to speeds which cause damage to equipment. Alarm set points can be changed so that alarms are not generated.

Synchronized failure

By changing schedules, equipment can be turned on / off en masse.

Data theft

Critical data from sensors and other equipment can be monitored.

Data corruption

Sensors may provide important or even critical data to control systems or management systems. False data can be served. False alarms can be generated. Alarms can be acknowledged before humans become aware of them.

Out of service

Sensors and Control devices can be put out of service. That is – to stop sensors reporting the measured values or to stop a control device responding to commands such as set point changes.

Command contention

BACnet has a priority system to resolve command contention. It is possible to drive devices to states at a higher priority than the normal operation is configured for, thus preventing the control system from operating equipment until the problem is identified and resolved. A fair degree of expertise is required to identify this problem.  Whoever commands last, wins.

Gateway failure

Communication protocol gateways connect subsystems and allow them to inter-operate. Driving these devices to a failed state can result in overall control / monitoring system failure.

 Firmware update / corruption

Some devices allow firmware to be delivered using the file transfer services supported by BACnet. It is conceivable that on such devices the firmware can be corrupted making the device inoperable  and difficult to recover to an operable state. If such a device is no longer manufactured or supported there may be no path to recovery other than implementing a new system.

It is also possible that devices can be turned into zombie devices - i.e play some new, destructive role.

Configuration update / corruption

Some devices allow configuration to be delivered using the file transfer services supported by BACnet. It is conceivable that on such devices the behavior of the device can be changed or that the device is made inoperable until the configuration is restored. It is rare to have backups that are current in HVAC systems..

False alarms

False alarms can cause automated systems to shut down processes. False alarms can divert operator attention and mask real alarms.

 Network attacks – Denial Of Service

Generating false alarms. Oversubscribing for change of value, alarm and event notifications and misconfiguration. BACnet BBMD devices can cause message deluges which consume all the bandwidth and which can cross sub-nets.

Critical infrastructure attacks

Lights Off, Fuel Pumping Systems, Standby Generator Shutdowns, Transfer Switch Operation etc.

It may be possible to operate transfer switches disconnecting buildings from the grid and at the same time change settings to prevent standby generators from starting.

It may be possible to operate breakers and shut systems down.

Next:  How is BACnet Vulnerable?