A large cyberattack locked a building automation engineering company out of the Building Automation System (BAS) it had built for an office building customer. The German firm lost contact with hundreds of its BAS devices, including light switches, shutter controllers, motion detectors, and others.
The company revealed that three-quarters of the BAS devices in the office building system network had inexplicably been stripped of their “smarts” and locked down with the system’s own digital security key, which was now in the hands of attackers. To turn on the lights in the building, the business had to resort to manually switching the main circuit breakers on and off.
The attackers essentially bricked the BAS devices, which regulate and run lights and other services in the office building. According to Thomas Brandstetter, Co-Founder and General Manager of Limes Security, whose industrial control system security company was contacted in October by the engineering firm in the aftermath of the attack, “everything was removed… completely wiped, with no additional functionality” for BAS processes in the building.
Brandstetter’s team, coordinated by security specialists Peter Panholzer and Felix Eberstaller, recovered the stolen BCU (Bus Coupling Unit) key from memory in one of the victim’s bricked devices, a task that required some ingenuity. The engineering team was then able to reprogram the BAS devices, restoring power to the building’s lighting, window shutters, motion detectors, and other systems.
The attack, however, was not an isolated incident. Since then, Limes Security has received reports of similar cyberattacks on BAS systems based on KNX, a building automation technology widely used in Europe. Last week, Limes Security was approached by another engineering business in Europe that had been hit by an attack on a KNX BAS system that was disturbingly identical to the one on the German firm and had likewise locked the business out.
KNX, for one, recommends in its product support material that the BCU key security feature for the Engineering Tool Software (ETS) should be used with caution. According to a statement on the KNX Association vendor’s support page, “Use this option with care; if the password is lost, those devices shall be returned to the manufacturer. Forgotten BCU Key in the devices cannot be changed or reset externally because this would make the protection in ETS meaningless (of course, the manufacturers know how to do this).”
But, as Panholzer points out, most makers of these devices cannot recover stolen BCU keys. The German engineering business initially sought assistance from its BAS device providers, who notified the company that they could not access the keys.
So far, no leads can be traced back to the perpetrators. Since BAS systems aren’t set up with logging capabilities, the attackers don’t leave any digital traces. As no ransom notes or traces of ransomware were left behind, it’s unclear what the attacks’ goal was.
Meanwhile, the Limes Security researchers have set up a honeypot system to see if they can lure the attackers into targeting their decoy BAS and so gain information on where the attacks are coming from. But no one has taken the bait thus far.