In this episode of the Security Ledger Podcast (#126): Die Hard has finally been embraced as the bloody, violent, feel-good Christmas movie its always been. But the film, which turns 30 this year, is about more than the power of ordinary guys to stand up to evil. Did you know it’s also a (very) early warning about the dire insecurity of building automation systems? We speak with Ang Cui of the firm Red Balloon Security about the dire risk of cyber attacks on building automation software and company’s work to secure this often-overlooked critical infrastructure.
Yipee Ki Yay, Process Controller!
Die Hard, the 1988 blockbuster made Bruce Willis’s career and cemented Alan Rickman’s sneering, erudite Hans Gruber in the pantheon of Hollywood villains. But behind the performances of Willis, Rickman, and Reginald Vel Johnson as beat cop and everyman Sergeant Al Powell, there’s critical and often overlooked character on the screen: Nakatomi Plaza, the Los Angeles high rise where Willis’s character, John McClane, battles it out against Gruber’s murderous band of criminals. Of particular interest to Gruber’s men: the state of the art building automation software that runs pretty much every aspect of the high rise’s operation, from its doors and elevators to its ventilation and doors. The building automation system is, in fact, one of Gruber’s first victims. It falls to the nimble hands of Theo, the gang’s resident hacker, in one of the movie’s opening scenes.
Of course, that was 30 years ago. Surely the building automation systems in use today are much more robust and secure than those deployed in the 1980s, when Internet use was still limited to government research labs and universities, right? Don’t be so sure. Building automation systems are even more prevalent now than they were thirty years ago, and – like most everything else – they’re much more likely to be connected to the Internet. In fact, the FBI this month issued a warning about a widespread vulnerability affecting building automation systems. Major universities, state governments, and communications companies are at risk of having their building-system data exposed, the bureau said in an industry advisory.
How real is the threat to building automation systems? “Very real,” says our guest this week. Ang Cui. He is the CEO of cyber security start up Red Balloon security and an expert on the subject who has done research for the Department of Homeland Security. These days, the hardware and software running modern office buildings and high rises might be of the same vintage as the systems running Nakatomi Plaza in Die Hard. And while the software that runs them may be a bit younger than the software Theo hacks so easily in Die Hard, it almost certainly isn’t much more secure, Cui told me.
You might also be interested in: Black Box Device Research reveals Pitiful State of Internet of Things Security
In this podcast, Ang and I talk about how and how it is that building automation system software came to be so insecure, why there haven’t been more attacks targeting these systems and what is the best approach to securing them.