06 February 2014

Thank You Thing [updated]

If you're not a regular reader of DailyTech, and you're also enamored of The Internet of Things, then you owe it to yourself to read this latest report on the Target problem. It assembles a number of reports; read them too.

As is usually the case, the greedy and incompetent sock puppets running American capitalism are looking for scapegoats. An obvious target in the damn Gummint isn't yet apparent.
...Target made a critical error in that it reportedly offered no separation between its store cash registers and its computerized heating and cooling controls. According to Mr. Krebs, once hackers obtained access to the heating and cooling controls they basically received administrator privileges on cash registers sufficient to install malware programs silently.

As usual, lip service to the "guests".
"I know that it is frustrating for our guests to learn that this information was taken and we are truly sorry they are having to endure this," said Gregg Steinhafel, chairman, president and chief executive officer, Target.

Which gets me pondering. Some years ago I worked, briefly, on the other side of Pennsylvania for a mechanical contractor that did commercial jobs, stores and malls and such; one that was a Trane dealer. Then, and perhaps still, I don't know, Trane had independent dealers who nonetheless had to be exclusive to Trane. Looking at one of Fazio's off sites (the main site is erroring, surprise), it claims to be a Trane dealer, although it lists competitors. Whether Fazio is a maintenance contractor rather than bid/installation? Again, don't know. In any case, such commercial HVAC tends to be bundled by the vendor, Trane in this instance, which provides an innterTubes control system. While Fazio is named in the DailyTech piece, the manufacturer is the deep pockets. Were I to guess who built the software to run Trane (or any commercial HVAC system) over the innterTubes, it would be Trane. Or they contracted it from a software house. But it almost surely wasn't Fazio. Whoever built the HVAC and the innterTubes software for Target's stores, and I'd bet it was Trane/Carrier or the like, is the next stop down the rabbit hole.
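The missing separation the DailyTech excerpt describes (HVAC controls and cash registers on one flat network) can be checked against a firewall or VLAN policy before an outsider does it for you. As an added example that is not part of this post or of any vendor's software, the script below models each permitted zone-to-zone flow as a directed edge and searches for any chain of rules leading from the vendor-facing HVAC zone to point-of-sale; the zone names and both rule sets are constructed assumptions, not Target's real topology.

```python
"""Zone-reachability check for a store network (constructed example).

Each permitted flow is a directed edge between network zones. The check asks
whether the vendor-facing HVAC zone can reach the point-of-sale zone, directly
or by hopping through intermediate zones. All names are constructed.
"""
from collections import deque

# Flat layout: the HVAC controller sits on the general store LAN, which can
# also talk to the registers, so a vendor login is two hops from POS.
FLAT_RULES = [
    ("vendor_vpn", "hvac", "https"),
    ("hvac", "store_lan", "any"),
    ("store_lan", "pos", "any"),
    ("pos", "payment_gw", "tls"),
]

# Segmented layout: the HVAC zone only accepts vendor and monitoring traffic
# and originates none of its own, so no chain of rules leads to POS.
SEGMENTED_RULES = [
    ("vendor_vpn", "hvac", "bacnet"),
    ("monitoring", "hvac", "snmp"),
    ("pos", "payment_gw", "tls"),
]

def path_to(rules, start, target):
    """Breadth-first search over allowed flows; returns the zone sequence from
    start to target, or None when no chain of rules connects them."""
    adj = {}
    for src, dst, _service in rules:
        adj.setdefault(src, set()).add(dst)
    parents = {start: None}
    queue = deque([start])
    while queue:
        zone = queue.popleft()
        if zone == target:
            path = []
            while zone is not None:  # walk parent links back to start
                path.append(zone)
                zone = parents[zone]
            return path[::-1]
        for nxt in sorted(adj.get(zone, ())):  # sorted keeps paths deterministic
            if nxt not in parents:
                parents[nxt] = zone
                queue.append(nxt)
    return None

def hvac_reaches_pos(rules):
    """Return the offending zone path from the vendor VPN to POS, or None."""
    return path_to(rules, "vendor_vpn", "pos")
```

Run against the flat rule set it returns the four-zone path a vendor credential could follow; against the segmented set it returns None.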

[update]
Well, curiosity got the better of me, so off to research HVAC control systems. Turns out they're both HVAC manufacturer systems and those bought in by said manufacturers (and possibly vendors). Turns out there is a "standard", called BACnet, which many (most?) of these systems follow. And, wouldn't you know, a decade ago the Gummint did a threat study of these innterTubes-aware systems:
Considering these attack vulnerabilities and scenarios it is clear that the typical BCS is not a desirable target. System resources are limited (storage space, CPU power, common OS and software packages, etc.), and valuable information is limited to the BCS system itself (configuration data, router tables) but no financial or personal information. However, this may change: as the BCS is connected to more and more service providers - giving access to more information either stored locally or providing a secured path to outside service providers' networks; and as the overall intelligence contained on the BCS network increases to accommodate smarter distributed controls and sensors. It is with this in mind that this document has been prepared, and for this reason that we look at general IT threats.

OK, so that was in 2003. Must be better today, right? Well, maybe not:
The fact of the matter is that for IT our BAS box (controller) is a pain in the A@@. Half the time it isn't LDAP compliant, we sneak our network into the building like some third-rate ninja, and then it sits on a self-created bastardized network that resembles something between baling wire hooked into a hub and a Sub-Saharan DSL line. As if that wasn't enough to make our IT counterparts cry uncle, even when IT does finally get to run some SNMP trapping and network monitoring on our devices we refuse to let them patch our systems because of Java or Windows .Net compliance. Look Mr. IT, I know Java 3.0 has issues and you're using Java 7.x, but if you upgrade Java on my box our User Interface won't run.

The Internet of Things is looking more like a Frankenstein's assembled body.

More to come, I'd wager.
