QinetiQ white paper reveals vulnerability of BMS to cyber thieves
A new white paper has found that heating, lighting and security systems in hospitals are some of the most-vulnerable to cyber attack.
Devices that were never built for security are increasingly becoming connected to networks, and so becoming hackable
But, despite the dangers, the systems that control these applications remain some of the least secure, according to the paper from security and defence company, QinetiQ.
Based on analysis undertaken late last year, the report outlines the potential problems and details how facilities managers can mitigate these threats, including isolating systems from each other and more-effective training for installers.
The six-page paper, entitled Building Management Systems: the cyber security blind spot, explains that Building Management Systems (BMS) have evolved from technologies that are not designed to be connected. They are, therefore, often designed, installed and managed by people who have not been trained to understand the security implications. This creates vulnerabilities that could be exploited by those looking to damage an organisation or create panic. It could also help criminals physically break into buildings.
The challenge is that it crosses two previously-unconnected areas: facilities management and IT. But, as more BMS become connected, these departments either need to work more closely together, or facilities managers need to become security experts
The research found that systems were often simply switched on or plugged in, connecting them to insecure networks or leaving them accessible via Wi-Fi. In addition, default passwords were often left unchanged.
The paper recommends that installation of these systems must involve an understanding of how they are connected to the online world and how to restrict this. Installers and facilities managers setting up the systems should be trained and certified to ISO 27001 or equivalent, or consultants with these qualifications should be involved.
Andrew Kelly, principal consultant on cyber security at QinetiQ and co-author of the paper, said: “Devices that were never built for security are increasingly becoming connected to networks, and so becoming hackable.
“As the Internet of Things becomes more prevalent, BMS-connected devices have particular potential to wreak havoc as they control systems necessary for hospitals to function. Despite this, they have some of the laxest security, both in their design and in their installation and maintenance.
"This is a pressing issue. The challenge is that it crosses two previously-unconnected areas: facilities management and IT. But, as more BMS become connected, these departments either need to work more closely together, or facilities managers need to become security experts."
Click here to download the paper in full.