English summary about DDoS attacks

Information about the DDoS attack against Finnish building management / automation systems

We only maintain these buildings, and the affected systems were not owned by us. As far as I know, we were the first to find the attack locally.

The Finnish Communications Regulatory Authority (FICORA) has just released some new information about this. You can read it from the public service broadcasting company “YLE”:
http://yle.fi/uutiset/osasto/news/communications_watchdog_criminals_behi...

The main point is that the attack was not mainly targeted at "Fidelix" automation systems, as we saw it last week. Instead, these systems were used as part of a bigger attack against a "big European enterprise". The results are not yet known.

The manufacturer (Fidelix) said that the Dynamic DNS service was attacked and from there it hit the automation systems. There are about 2000 similar automation devices on the public Internet in Finland. However, some of the affected systems were not using Dynamic DNS services, so I can't really say how the targets were chosen. It's quite a normal procedure to publish these automation stations to the public Internet, because username and password protection should be enough - which it isn't.

In our case, we got a communication alert and soon after some technical alerts from one building automation system. The remote connection was not working, so we went on-site for further inspection. The automation system kept rebooting every 5 minutes because of the system's built-in failover procedure. That caused all functions to stop each time, and eventually the substation didn't boot anymore. In this case, it was controlling the heating, ventilation and domestic hot water, and all these settings got stuck in the last controlled position - so the building didn't actually shut down, just the controls were disabled.

We found it was a network-related issue, and disconnecting the Internet fixed the problem. At that point we also got a message from Fidelix that they had found some DDoS activity in their equipment. It was around 1 hour from the alarm when we got the systems running again, with no major effect on residents.

A Fidelix automation system / substation is just like devices from other manufacturers: an automation-controlled HVAC system, nowadays mostly Windows CE based. There may be additional servers and/or SCADA desktop computers in bigger environments, but usually these are individual systems. Bigger and more complex buildings, like hospitals and shopping centers, which are driven through monitoring systems and SCADA, are another story. This attack was found mainly in individual systems.

Some smaller public buildings, day care centers and hospitals may be vulnerable. Some of these building owners don’t have a clear plan for how to protect their building automation systems. The damage can be much bigger in that case.

The main reasons to have a remote connection for building automation are remote control and alarms. If you don't have a suitable alarm system, it would take a long time to find water leaks, broken heating or malfunctions in ventilation. The damage could easily expand and costs can be much higher. Also, sometimes the systems are far away from technical resources. If you can make basic adjustments and look at reports online, it will save an enormous amount of time.

The problem is that the security aspect is not taken care of. This is the first time in history that something like this has happened. A suitable firewall system costs around 300-500 euros installed, and before this day there haven't been any serious risks or reasons to get one. Usually neither the manufacturer nor the reseller has requested any security options at installation. End users don't have enough knowledge to demand such things.

We (Valtia) are also a service operator for remotely controlled systems and connections. Our main principle is to offer secure connections and minimize the risk of cyberattack. Maybe this incident will open people's eyes to demanding better security.

All questions regarding the actual devices should be sent to the manufacturers directly.

Valtia is a small Finnish business oriented towards building automation technology, located in Lappeenranta, South-East Finland. We design, sell and install automation systems. Valtia also offers remote surveillance and maintenance for such systems.

Best regards,

Simo Rounela 
CEO
Mobile +358 20 734 7792
simo.rounela@valtia.fi