by John Worrall
Want to know how to hack a building’s HVAC system? Normally, we would tell you to Google it – but in this instance, you can simply ask Google about their experiences.
Researchers recently uncovered that the industrial control system used to control Google’s Australian offices had several security vulnerabilities that would let hackers adjust the heating and cooling controls in their offices. Subsequent research showed that hundreds of businesses across Australia can relate – they have similar vulnerabilities in their building control systems as well.
If these vulnerabilities sound familiar, it’s because they’ve plagued US critical infrastructure for several years now. Here’s our recent take on the topic in AOL Energy.
The problem that Google and the thousands of other businesses using industrial control systems and other operational technologies have is that these systems were built to operate segregated from other networks – they were not designed to address the security issues that arise once they are connected to a corporate network or the Internet. Simple security practices like changing the default passwords on these systems have been largely ignored. Unfortunately for the industry, these chickens have come home to roost.
Now, to compound matters, attackers can find these connected and vulnerable systems with simple internet searches on engines like Shodan. And this is ultimately where the problem lies – attackers know about these vulnerabilities and continually exploit them in almost every attack, but the majority of organizations don’t even know they exist! A recent survey we conducted, and have been blogging about, highlights that most companies are simply not aware of how many privileged accounts they have or where those accounts exist.
Ask yourself this – do you really want to expose your company to the same vulnerability that history’s most devastating virus exploited to take down an entire country’s nuclear and energy infrastructure? I’m guessing most executives would say no.