Penetration Testing on the IoT Front Lines
Hackers in the Heating Ducts
Every respectable action movie hero in recent decades has snuck into at least one building through a ventilation shaft. Today’s hackers know it’s still a go-to move.
In fact, one of cybersecurity’s historic wake-up calls was the 2014 theft of more than 110 million credit card records from retail titan Target. Nearly every consumer heard about that one. But many people don’t know that the hackers’ path into the system ran through the contractor handling Target’s HVAC (heating, ventilation, and air conditioning) system. After using a phishing scheme to dupe one of the contractor’s employees, hackers got a login credential for Target’s network and went hunting for valuable records.
Since then, the growing ubiquity of the Internet of Things (IoT) has added dozens of devices with their own IP addresses to most building control systems. That makes physical plants target-rich environments for hackers seeking their own Target-style conquest—and it turns the company handling your office’s thermostat into a frontline cyber defender.
That’s a familiar position for Baker Group, which has established itself as a leader in installing and servicing some of the Midwest’s most advanced building systems. Founded in 1963 as a plumbing company and now based in the Des Moines suburb of Ankeny, Baker Group has grown to more than 650 employees focused on the design, installation and servicing of commercial, industrial and institutional building systems. Teams within the company specialize in HVAC, electrical, plumbing, security systems, facility maintenance and operations and more.
‘You Can’t Ignore It’
When Blake Brown, Baker Group’s IT director, started looking for a vendor to perform a vulnerability scan and penetration test, his own understanding of the ever-growing threat landscape delivered plenty of motivation. But the company’s vendors and customers added their own urgency by stepping up their requirements for cybersecurity validation. “I saw this was going to become more frequent,” Brown says.
The devastating brand implications of a potential breach like Target’s also pushed the vulnerability scan/pen test to the top of the priority list. The 2020 IBM Cost of a Data Breach Report shows that lost business accounts for nearly 40% of the cost of a security incident. Brown knew that number would be even more significant if a breach hit a company known for installing security systems.
“We have a lot of clients where we manage their networks connected to the internet,” Brown says. “Looking at past history with other breaches that were related to mechanical contractors, it can turn into quite a negative PR event for us. That was a major driving force behind it. You can’t ignore it.”
When it came to choosing a vendor for the tests, Brown says, “Pratum was a pretty easy choice.” The companies first teamed up on a 2019 presentation where Pratum leaders showed Baker Group customers how easy it was to hack proximity card readers and other security systems. “We knew a lot of that,” Brown says, “but it still was an eye opener.” After checking references and finding Pratum’s pricing competitive, Baker Group scheduled their tests.
In the first stage, Pratum’s Jason Moulder, an Offensive Security Certified Professional, ran an automated vulnerability scan on dozens of Baker Group IP addresses. “We’re trying to identify low-hanging fruit in an environment,” Jason says. “We’re looking for known vulnerabilities, the installation of patches from Microsoft and others, etc. We’re making sure they’re following that process.”
Then comes the pen test. Jason says, “That’s the manual process of looking for ways we can make the system better,” with a focus on three key factors: people, process and technology (known as PPT).
Reacting to the Results
When the results came in, Brown says he was pleasantly surprised by two things. First, the test revealed fewer vulnerabilities than he expected. Second, Pratum’s list of recommended next steps positioned Brown’s team to quickly address the shortcomings.
“I thought they were just going to give us test results. But Pratum included what we needed to do to resolve the problems. That helped tremendously. I didn’t have to go do all my own research.”
Blake Brown, Director, Information Technology - Baker Group
Brown says the tests provided a clear reminder to follow the best practices most companies know, but often don’t enforce. When Pratum’s tests revealed vulnerabilities in a few legacy systems lingering within the company, Brown had fresh evidence to make another pitch for upgrade funding. The tests also provided a reminder that keeping systems properly patched and configured eliminates a lot of vulnerabilities.
“When they show you a report that has red on it, you get focused pretty quickly. Fortunately, there wasn’t much red on ours.”
Another big takeaway: The solutions to serious problems don’t always require a lot of time and money. During the pen test, Jason was able to create new user accounts. With a few minutes of work on permissions, Brown closed the company’s biggest vulnerability. “When you do a test, I would be prepared to work on mitigating as soon as possible,” Brown says.
A Newfound Partnership
After working with Pratum on their own test, Baker Group has formed a partnership to add Pratum’s expertise to its service lineup for Baker Group customers.
“We’re engaging Pratum to create a competitive edge,” says Daryld Karloff, Executive Vice President, Building Services. “We want to bring all the hardware and software tools, and we want to show customers that with Baker Group, you get this added advantage.”
Along with supporting its own clients, Baker Group is working with Pratum to educate the overall industry. Daryld has recruited Pratum’s experts to speak on cybersecurity at events such as conferences hosted by InsideIQ, the Building Automation Alliance.
Brown says, “Over the last several years, we’ve been hired as our customers’ physical security provider, and we know we can keep improving on how we integrate all of our systems. Now that we have Pratum as our source of information security expertise, we’ll update how we present and handle that.”