In the past week or so, I have seen many interesting articles about vulnerabilities in control systems. Just last week I came across one about security issues in the Cisco Network Building Mediator, a product from Cisco’s acquisition of Richards-Zeta. There was another interesting piece about exploiting vulnerabilities in the modern automobile networks.
Cisco issued a warning that its Network Building Mediator products have multiple vulnerabilities. It’s expected that other products from Richards-Zeta may have security flaws as well. According to the Dark Reading article:
“Cisco warned users of its Network Building Mediator products to patch the vulnerabilities, which could allow access to obtain administrative passwords and read system configuration files, making it possible for hackers to take control of a building's most critical control systems.”
Cisco issued a patch to take care of the issue, but this will only take care of the problem for the time being. It does not address the problem that exists in many similar components that connect our critical infrastructure to IP-based networks. Many of these tools, including building information management and other control equipment, could bring forth a new set of vulnerabilities that your IT and security teams may not have considered before. You may ask yourself, as a security professional, if it is your job to track the packets that flow through these mediator devices as they traverse the data from HVAC systems to the data centers and out to the smart grid. It’s apparent from this new incident that you have to look into these security issues until these tools come with better access controls built into the protocol and code stack.
Now to other news – hacking the automobile. It’s certainly an eye-opening experiment. According to the article, car and vehicular networks consist of many components like Electronic Control Units (ECUs), Controller Area Networks (CAN), Global Positioning Systems (GPS), and Central Lock Systems (CLS). All these components share information as they relay data about the operation and condition of a vehicle. Moreover, they may connect to vehicular management systems like GM’s OnStar. There are inherent vulnerabilities in the protocol stacks of these systems. Most of them don’t even have authenticator fields in the stack, hence lacking an ability to recognize the identity of the user or its source. Recently, GM announced its partnership to use Google’s Android apps to connect with its vehicle communication network. The news is exciting, but given the vulnerabilities exposed by this research and others in the past, such apps must be properly tested for weaknesses. Unfortunately, there are no specific standards to test and build security into the development of these apps because they connect to a widespread network. But we should start to educate our staff and organizations about their adverse impact on the corporate networks since they can cause security breaches.