Lights out: Cyberattacks shut down building automation systems
A building automation engineering firm experienced a nightmare scenario: It suddenly lost contact with hundreds of its building automation system (BAS) devices — light switches, motion detectors, shutter controllers, and others — after a rare cyberattack locked the company out of the BAS it had constructed for an office building client.
The firm, located in Germany, discovered that three-quarters of the BAS devices in the office building system network had been mysteriously purged of their “smarts” and locked down with the system’s own digital security key, which was now under the attackers’ control. The firm had to revert to manually flipping on and off the central circuit breakers in order to power on the lights in the building.
The BAS devices, which control and operate lighting and other functions in the office building, were basically bricked by the attackers. “Everything was removed … completely wiped, with no additional functionality” for the BAS operations in the building, explains Thomas Brandstetter, co-founder and general manager of Limes Security, whose industrial control system security firm was contacted in October by the engineering firm in the wake of the attack.
Brandstetter’s team, led by security experts Peter Panholzer and Felix Eberstaller, ultimately retrieved the hijacked BCU (bus coupling unit) key from memory in one of the victim’s bricked devices, but it took some creative hacking. The engineering firm then was able to reprogram the BAS devices and get the building’s lighting, window shutters, motion detectors, and other systems back up and running.
But the attack was no anomaly. Limes Security has since been getting reports of similar attacks on BAS networks that run on KNX, a building automation technology widely deployed in Europe. Just last week, Limes Security was contacted by another engineering firm in Europe that had suffered an eerily similar attack to the German firm’s — on a KNX BAS that locked it out as well.
“What was interesting … is the attackers here misused what was supposed to be a security feature, a programming password [the BCU key] that would lock out an adversary from manipulating the components,” Panholzer says.
“Luckily for us and the [BAS] operators so far in each of the incidents we have been involved with, the attackers set the same password for all components” in the victims’ respective BAS networks, Panholzer says. “In theory, there could be a different password for each and every component, and that would actually make recovery much, much harder.”
For its part, KNX warns in its product support information that the BCU key security feature should be deployed carefully for the engineering tool software (ETS): “Use this option with care; if the password is lost, those devices shall be returned to the manufacturer. Forgotten BCU Key in the devices cannot be changed or reset externally because this would make the protection in ETS meaningless (of course, the manufacturers know how to do this),” the KNX Association vendor says on its support page.
But in reality, most manufacturers of these devices are unable to retrieve pilfered BCU keys, Panholzer notes. The German engineering firm initially went to its BAS device vendors for help, but the vendors informed the firm they were unable to access the keys.
There have been other indirect reports of similar attacks on KNX-based systems, he says. “There seems to be kind of an attack wave. We’re not fully aware how” widespread it is, however, he says.
“What is apparent is that it came out of nowhere: Suddenly, there were many attacks happening that we are aware of,” says Panholzer, who plans to present the case – which the company calls KNXlock – at the S4x22 ICS security conference next month in Miami. Limes Security declined to identify the victim organizations that have been hit in the attacks for confidentiality reasons.
There are no clues so far to trace back to the attackers. BAS systems aren’t configured with any logging functions, so the attackers don’t leave behind any digital footprints per se. Their attacks left no ransom notes nor signs of ransomware, so it’s unclear even what the endgame of the attacks was.
To read the complete article, visit Dark Reading.