The previous issue's column discussed vulnerability disclosures and security researchers, a discussion that focused on physical security industry products. However, as buildings become more automated, their control systems (such as lighting, HVAC, facility access, intrusion detection, electronic signage and landscape irrigation) use the same network infrastructure to enable interoperability of systems - and along with the tremendous operational benefits come additional security and safety concerns.
Q: Some folks in IT have been reading about security convergence, and are asking me, the facility security manager, about any notifications or disclosure information that I'd like to get from them. Why would I want to know about electronic threats or vulnerabilities to IT systems or networks? How could that information help me in my physical security role? What would I do with it?
A: Responsible disclosure allows systems managers to put temporary countermeasures in place until permanent fixes can be applied. But such disclosures also provide inspiration for updating the threat model and response scenarios. So it is not just incident notification that is needed, but sharing of vulnerability information in a way that lets threat models and response scenarios be updated appropriately.
Would you schedule a fire drill that put people in a landscaped area at the same time the lawn and garden sprinklers were set to go off? Of course not. But suppose a disgruntled former employee or contractor took control of building systems and forced a night-time evacuation into areas where all lighting had been shut off and the grounds had been overwatered. Injuries could occur in addition to lost productivity.
Thus, security and safety managers would want to know about a building control system vulnerability, which could cast new light on sudden, unexplained malfunctions in multiple building systems. If lighting could be affected, an emergency lighting plan review might be called for, to update the plan based on current building occupancy and usage as well as recently identified potential threats. This aligns with the concept of continuous improvement, which is a business strategy for many companies. Sometimes only incremental security or safety improvements are called for when risk models change; it is prudent to update security and safety measures as conditions change over time.
Responsible Disclosure Example
I have had a number of readers ask for an example of what a vulnerability disclosure looks like. These are often also called security advisories, and I based my response to this issue's question around a recent security advisory from Cisco that was released in May 2010 and updated in June. See http://tinyurl.com/example-security-advisory.
This advisory provides an example of the kind of disclosure content that enables system users and those with related security responsibilities to take appropriate action.
In this case, the vulnerabilities found could allow adversaries to easily obtain administrative passwords, thus making it possible for outsiders to take control of a building's most critical control systems. The advisory states, "Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device." The notice also warned that the vulnerabilities are present in the legacy products from the Cisco-acquired company that originally designed the system. The advisory offers several workarounds and common-sense configuration settings.
The bugs were discovered during internal testing. In other words, Cisco could have kept the information to itself but did not - because that would not be the responsible thing to do. Doing the right thing for the customer does not mean doing so only when it bumps revenue dollars up. It means doing it regardless of the short-term impact. In the long term, that strategy is a win-win situation for any well-run and well-intentioned company.