Hacking America

Hackers’ next target? Maybe your facility’s control systems

Sabrina Korber

Flash back to Super Bowl XLVII when the entire Superdome was plunged into darkness. Did someone merely flip a switch? Forget to pay the bill? Or was it something more serious? In our post-9/11 world, terrorism immediately comes to mind. In the end, Entergy New Orleans, a unit of Entergy that supplies power to the Superdome, said a relay device had failed, calming most conspiracy theories.

Even though the incident was limited to mechanical failure, cybersecurity experts say the Super Bowl blackout is the closest public example of what can happen when industrial control systems fail or, even worse, fall into the wrong hands.

In an exclusive report obtained by CNBC, independent cybersecurity researchers Billy Rios and Terry McCorkle, along with Michael Schell, global industrial control system representative for Cylance, warn that thousands of public and private facilities nationwide are vulnerable to cyberattack through the very systems that control a building's operations, known as industrial control systems (ICS) or building management systems (BMS).

They say a malicious hacker's intent may not always be to create a scenario like the Super Bowl blackout, or worse; targeting an ICS or BMS is more likely an effort to find an alternative way into an organization's network.


"These systems are what we call cyber-to-physical systems, it's one of the small places where you can use a computer to actually have a physical effect on something," said Rios, co-author of the report.

It's not just the nation's critical infrastructure that cyberexperts obsess about securing; it's also your company's headquarters, your neighborhood fire station, the community hospital, schools and even some of our nation's largest recreational venues.

Why? Because these systems control things like access control systems, security cameras, elevators, HVAC and lighting systems. While it may not seem that tampering with such systems could cause substantial damage, Rios and McCorkle say the potential economic damage from a malicious attack on a BMS is the real concern.

"Every Fortune 1000 company is affected by this. If they have a corporate campus they're going to be affected by this in some way. So whether that means [someone] could shut down their data center which essentially shuts down their business or whether that means [someone] could create an annoyance for their employees by turning the air conditioning off or turning the lights off at inopportune times, we know that impact is very wide," Rios said.

The report, which has been submitted to the Department of Homeland Security for review, names five large sports stadiums running industrial control system software, which both cybersecurity experts and the DHS have confirmed has known vulnerabilities.


In a statement to CNBC, the DHS said: The Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) "has been working directly with software manufacturers as well as with potentially affected facilities to develop and implement mitigation strategies as necessary. As part of DHS' ongoing efforts to enhance the security and resiliency of the nation's critical infrastructure, ICS-CERT actively collaborates and shares information with public and private sector partners every day in the face of constantly evolving cyber threats to the nation's critical infrastructure."

Vulnerabilities in software are flaws that can allow a hacker to infiltrate a network. Software vendors will issue "patches," or fixes, once a vulnerability is discovered, but this can sometimes take months. These vulnerabilities, Rios and McCorkle say, make building management systems more prone to a possible breach and cyberattack by any relatively experienced hacker with the right tools.

Part of the problem, cyberexperts say, is that when it comes to building management systems there are many parties involved in selling, implementing and maintaining the systems, leading to a complicated web of responsible parties.

CNBC found this to be true when we sought comment from each of the five sports stadiums and their third-party contractors mentioned in the report. Several did not return calls for comment, while others acknowledged the software vulnerability we were inquiring about and were able to provide comment in time for publication.

WattStopper, a third-party integrator of BMS for two of the stadiums mentioned, told CNBC it has been working over the past several months with all of its customers to upgrade their systems and continues to advise customers about their security options and best practices.


WattStopper also tells CNBC that it "worked with the project team at Bryant-Denny Stadium [at The University of Alabama] for several weeks to upgrade their system and that work has been completed." Calls seeking confirmation of the upgrade from representatives at Bryant-Denny Stadium were not returned.

Marlins Park, home of the Miami Marlins, also mentioned in the report, told CNBC, "The Marlins have installed security measures protecting all Marlins Park systems from Internet vulnerabilities." WattStopper made recommendations to the Marlins on upgrading their systems.

So what would a cyberattack on one of these systems actually look like? Many experts, including Rios and McCorkle, are reticent to offer details of an attack that succeeded in compromising a facility's system. Privacy concerns and fears of exposing an organization to even more cyberattacks keep most successful breaches in the dark and out of the press.

But such attacks have happened, according to the DHS' U.S. Computer Emergency Readiness Team (US-CERT), which tracks and reports on cyber-incidents and software vulnerabilities.


Earlier this year it was reported in the ICS-CERT monitor newsletter that hackers penetrated the building energy management system of a New Jersey manufacturing company in late 2012. Intruders successfully exploited a weak credential storage vulnerability to access the organization's EMS, controlled by Tridium's Niagara software.

Tridium has since issued several security patches for its software, but experts say many more vulnerabilities continue to exist across various brand names of BMS software, and hackers, whether it's just out of idle curiosity or malicious intent, are unrelenting in their attempts to try and break in.

But because the vast majority of critical infrastructure in the U.S. is owned and operated by private companies, a larger framework for cooperation between both the public and private sectors is needed.

McKenney's, a third-party integrator of building management systems, has been working to raise awareness of BMS vulnerabilities through its training center in Atlanta.

As part of the effort, the company maintains a demonstration center equipped with decoy BMS software, also known as a honeypot, which is connected to the Internet to both demonstrate how an attack could take place and also to monitor how often hackers are attempting to penetrate an Internet-facing log-on screen.

"We implemented the honeypot in March, under the direction of Rios and McCorkle. We built a system that looks to be like any small data center and we put a piece of monitoring software on there that we wrote. Since we implemented it, we've been hit over 30,000 times" by unauthorized attempts to breach the system, said Fred Gordy, technology evangelist-enterprise intelligence at McKenney's.


Gordy says the company categorizes hacking attempts as "aggressive" by looking at the username and password combinations the adversary tries to get in with, the most common being "admin," "admin" and "demo," "demo."

"If they go over about three attempts we consider that somebody who's actively probing [the system], and if they exploit a known vulnerability in the software to bypass security, we consider that aggressive," Gordy added.
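The triage rule Gordy describes can be written as a small classifier over honeypot login logs. This is an added example, not McKenney's monitoring software: the log format, the event names `login_failed` and `auth_bypass`, the `casual` label and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log (format and event names are assumptions for illustration).
SAMPLE_LOG = """\
2013-04-02T10:00:01Z src=203.0.113.7 event=login_failed user=admin password=admin
2013-04-02T10:00:03Z src=203.0.113.7 event=login_failed user=demo password=demo
2013-04-02T10:00:05Z src=203.0.113.7 event=login_failed user=root password=toor
2013-04-02T10:00:08Z src=203.0.113.7 event=login_failed user=operator password=1234
2013-04-02T10:00:11Z src=203.0.113.7 event=login_failed user=guest password=guest
2013-04-03T02:14:07Z src=198.51.100.23 event=login_failed user=admin password=admin
2013-04-03T02:14:09Z src=198.51.100.23 event=auth_bypass
2013-04-04T18:30:00Z src=192.0.2.50 event=login_failed user=bob password=hunter2
2013-04-04T18:30:20Z src=192.0.2.50 event=login_failed user=bob password=hunter3
"""

# Credential pairs the article names as the most commonly tried.
DEFAULT_PAIRS = {("admin", "admin"), ("demo", "demo")}
# "If they go over about three attempts" -> more than three failed logins.
PROBE_THRESHOLD = 3

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) event=(?P<event>\S+)"
    r"(?: user=(?P<user>\S*) password=(?P<password>\S*))?$"
)

def classify(log_text):
    """Group events by source address and label each source per the quoted rule."""
    stats = defaultdict(lambda: {"attempts": 0, "default_creds": 0, "bypass": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines that do not fit the assumed format
        s = stats[m["src"]]
        if m["event"] == "login_failed":
            s["attempts"] += 1
            if (m["user"], m["password"]) in DEFAULT_PAIRS:
                s["default_creds"] += 1
        elif m["event"] == "auth_bypass":
            # Hypothetical event: access gained without a valid login.
            s["bypass"] = True
    result = {}
    for src, s in stats.items():
        if s["bypass"]:
            label = "aggressive"
        elif s["attempts"] > PROBE_THRESHOLD:
            label = "active_probing"
        else:
            label = "casual"  # label chosen for this example
        result[src] = {**s, "label": label}
    return result
```
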

(Image source: McKenney's
Green dots on the map show where active attacks on McKenney's decoy BMS system are coming from, with the majority coming from China, Russia, Amsterdam and Iran, according to Fred Gordy, technology evangelist-enterprise intelligence at McKenney's.)

As for where the attacks are coming from, based on IP address look-up tools, Gordy said the countries that consistently surface include Russia, China, the Netherlands and Iran.

The alarming part is that the honeypot, or decoy screen, looks no different than the real thing. McCorkle said he is not surprised at what looks like an increasing number of attempts to breach the decoy BMS system.


"If you look at the corporate structure and how good information technology has gotten at putting security measures in place, attackers have had to get really good to get around that. Whereas, if you look at the building management space the technology is much further behind and it becomes pretty trivial for an attacker to then change their focus on these, and the vulnerabilities that exist in them are fairly easy to exploit at that point," said McCorkle.


Gordy, along with other experts CNBC spoke with, says as cyberthreats against corporate and government networks continue to escalate, hackers of all types are looking for any entry point into a network that they can then use as a bridge into even more critical systems such as a company's data center where valuable intellectual property, customer data or other nonpublic information may be stored.

Experts agree a few small measures can go a long way toward securing a facility's systems. A good place to start is implementing strict controls on who has access to them and taking them off the Internet.

"Most of the time, people don't even realize they're online. They may know that they have the system, but honestly people don't think about these as critical systems. They don't think about a building management system as something that's that critical to operating a business and ultimately, critical to the bottom line," said McCorkle.

—By Sabrina Korber, CNBC.