November 2019


Cyber Attack! Cyber Attack! BAS CYBER ATTACK!!!!!!!!!!!!!

Imagine… you’re a controls contractor. You get a call from a customer saying their corporate business server has been hacked, and that they got in through your BAS server. The FBI wants to talk to you...

Scott Cochrane,
President and CEO
Cochrane Supply & Engineering

Contributing Editor



THE ATTACK!

The building owner approached the controls contractor with some news… 

The owner’s IT department noticed that one of their servers had been encrypted, and then received an email stating that they had been attacked with malware placed on that server. The malware had gone through the hard drive and encrypted approximately 18 GB of data, which was now being held for ransom. The owner was told that if they wanted their data back, they would have to pay 7 Bitcoin, roughly $55,515 at the time.

The encrypted machine was a business server that sat on the same network as the BAS server, and the BAS server was the entry point. The BAS server had a public IP address exposed on the internet, which had been given to the controls contractor for remote access: the contractor simply entered their BAS software credentials and logged in, with no VPN in between. The attacker found that exposed address, placed malware on the server, and used the server’s operating system to reach the rest of the network. That is where the attacker found the business server they had been looking for. Because the network was a flat topology, one compromised server gave them the keys to the city. The BAS software itself was not broken into, and no damage was done to the BAS system.

Fortunately, the owner’s IT department had recent backups of the affected server and was able to rebuild it within four hours of the attack. That avoided paying the ransom and any significant disruption to business operations.

The contractor, the owner and the FBI got together to evaluate what had happened and how to prevent it going forward. The BAS software was rebuilt on a completely different physical server and placed behind a VPN; all remote access from now on is done by remote desktop over that VPN. The FBI recommended a new server because, while IT experts can remove most of the malware from a compromised machine, there is no way to know it is all gone, and you do not want to risk leaving any of it behind. The only way to be sure it is removed is to rebuild from scratch.

All operating system and BAS software was brought up to current standards, and the contractor restored from backups held on their own local host, not from the building’s machines, so as not to reintroduce anything inadvertently. Scheduled backups were then set up in case a rebuild is ever needed again.

According to the FBI, you would be amazed how many companies cannot enforce diligent backups and therefore do not back up regularly: once a week, once a month, or just sporadically, whenever they have time. When those companies are held for ransom, they pay. The downside is that you pay a $40,000 ransom, the attackers decrypt part of your data to prove they can, and then they demand more money. You are dealing with crooks. So good luck.

The business server that was encrypted ran the day-to-day operations of all of their engineering and accounting. The FBI was very adamant that this data needs to be compartmentalized. Keep engineering separate from accounting, separate from customer lists, separate from outside sales, with each department on its own system, so that someone who gets into one system cannot see the entire business. They might get a piece of it, but that is all they get.

The FBI’s main interest was in figuring out where the malware had come from. The contractor handed over the BAS server so the agents could dismantle it and collect the information needed for their investigation. They stated that most malware now comes from Russia or China, and that they are working to track patterns in such attacks.

If you have remote access to a site through a bare IP address with no VPN or security gateway, you are setting yourself up for disaster. Owners need to take the right steps to make sure that remote access is done either through a VPN or through other cyber security measures that are monitored and maintained. Contractors should recognize that if they are logging in remotely via just an IP address, that BAS server is a beacon on the internet inviting hackers to come in and create a problem for the contractor, the owner and anyone who relies on that network.

We see this scenario happening in buildings every day—it’s a BAS industry epidemic. But…IT’S AVOIDABLE! We need to be aware, understand what it looks like and how to fix it.

“I thought I was playing it safe… I thought we were protected. I was wrong...”
-Controls Contractor

