KNX professionals Andy Ellis and Julio Díaz García point out the pitfalls of an unsecure system, and how to avoid them by investing in basic IT skills.

If your KNX system is connected to the outside world, are you sure it's secure? If not, what are the possible consequences? First, we talk to Andy Ellis about his experience of a recent event where a KNX installation was hacked. We follow this with Julio Díaz's advice on how to avoid this situation by employing proper IT mechanisms for communication.

What happens if your system is not secure?

Andy Ellis: The first thing you would think of in terms of a breach in security is the hacker's ability to capture data from the KNX bus. I question what someone would do with this information, but the fact is, without a secure KNX system, external sources may have access to this data.

Secondly, in an unsecure system, the possibility exists for a third party to send data to the system. With this comes potential for the programming to be corrupted, or worse still, for a particular component or components to be corrupted. Here I think it relevant to relay my experiences of recent events.

We had a call from a site that had lost all lighting control and, as it happens, heating as well. The site was well over ten years old and had been operating just fine before the event. Although a copy of the ETS file was available, there was no other documentation from the previous installer.

Establishing where the problem lies

Our first attempt to diagnose was over the phone and by email, and early indications were that there was a possible power supply or bus issue. A visit was required to take things further. A quick visual inspection showed that there were no mains breakers tripped, room controllers and switches were powered (they had active screens and/or LEDs lit). The main distribution boards also had relays and dimmers with LEDs on in various states. Hmmm. So maybe it's not a power supply problem. After checking the bus voltage and then powering down the power supply and isolating, it appears that the bus power is fine. Curious.

So what is connected to the bus? Perhaps there is a short, or some form of corruption. Further investigation shows an active IP interface and a third-party logic module (Ethernet-connected) and connection to a third-party automation system which has lighting and heating control available on its displays. Physical disconnection of these devices has no effect on the state of the system.

ETS diagnostics

So are we able to plug a laptop in and use ETS diagnostics? Well yes, and a line scan shows quite a number of active components. Upon closer inspection of the properties of individual components, we find that certain items, the ones that are not working, such as room controllers, switches and dimmers, have no group address table! Well that will be why they don't work then!

Further analysis reveals that these faulty components will not accept a program download as they have BCU pass enabled (but it's not enabled in the program, and to the best of anybody's knowledge, never has been). The ONLY way to re-program these items is to perform a factory reset. And guess what? A majority of the individual KNX components cannot be factory reset. The end result is a site that is totally inoperable and requires many thousands of pounds worth of new components to fix, plus of course the engineer's/programmer's labour.

So what caused this catastrophic failure? I don't know, and in all probability I will never know. However, there is a very high probability that as the system had an IP interface with remote connection, some form of remote attack took place.

Lessons learnt: firstly, does your KNX system need to be connected to the outside world? If you are considering this then what are the benefits? And if you do proceed with an IP connection, my advice would be to research and understand the full implications of a secure system. It may be that remote access into your system to retrieve data is not as concerning as malevolent remote access into your system with a view to altering the data in some way.

How to make your system secure if you have to connect your KNX system to the outside world

Julio Díaz García: First, I must underscore the principle that KNX is an open and secure technology. However, we must ensure that we apply the appropriate criteria and the tools that KNX Association and the ETS tool make available to us to guarantee this principle. Being able to access facilities remotely is an advantage that KNX offers and a necessity in many cases. In homes, for example, it makes life much easier for users in many aspects including supervision, remote modification of setpoints, reception of alarms and warnings, etc. For buildings, it can allow a 24/7 remote maintenance when the manager, the proprietor or the integrator needs to manage their facilities without traveling unnecessarily.

Ensuring safe access

Before commenting on what we can do to achieve a secure and remotely accessible installation, I have to stress what should NEVER be done: allowing remote access through UDP port 3671. This point is known to hackers and is equivalent to a red carpet for these unwanted guests.

Another tool available to the integrator is the BCU Key, available for many years for all KNX devices (except the very old System-1 devices). My advice is that devices should always be programmed with a BCU key since the attacker would have to guess the password among 4.29 billion possibilities. Using the BCU key is not a nuisance for the integrator as the ETS never asks for it, if the original ETS project is being used.

To allow safe access to a KNX installation there are several possibilities:

1) Configure a VPN connection on the installation router. This is the best option but can sometimes be complex for regular integrators.

2) Use KNX IP gateways that allow the configuration of VPN secure services such as OpenVPN, ZeroTier etc.

3) Use KNX IP access devices with encrypted communication.

4) Use KNX TP devices with IP (non-KNX standard) cloud connection.

5) For medium and big installations use a BMS platform with a KNX native driver that enables the secure integration and monitoring of massive KNX installations.

These methods are aimed at avoiding the scenario described by Andy at the beginning of this article, which in my opinion is the most dangerous and currently the easiest for hackers if the appropriate measures are not taken. Additionally, the use of KNX IP Secure and KNX Data Secure devices in the facilities will solve any additional threat scenario that may arise.

Open, Secure and Connected

KNX Association offers a variety of information about the security of installations in the form of brochures, videos and webinars. In addition, KNX Training Centres offer KNX Partners and others a range of helpful courses, including KNX Advanced training and the new KNX Refresher training which include a chapter dedicated to dealing with all of the above topics. All of this is designed to ensure that KNX installations continue to be state-of-the-art, all over the world, whilst remaining open, secure and connected.
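The warning above about UDP port 3671 can be monitored from the defender's side. The following is an added example, not code from the article or from KNX Association: it recognises KNXnet/IP frames by their fixed 6-byte header and reports any that arrive on port 3671 from outside the site's own subnets. The subnets in `LOCAL_NETS`, the record format and the sample capture are assumptions constructed for illustration.

```python
import ipaddress
import struct

KNX_PORT = 3671  # KNXnet/IP UDP port named in the article
# Assumption: the site's LAN and VPN subnets; replace with your own.
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("192.168.1.0/24", "10.8.0.0/24")]
# KNXnet/IP service type identifiers (subset)
SERVICES = {0x0201: "SEARCH_REQUEST", 0x0203: "DESCRIPTION_REQUEST",
            0x0205: "CONNECT_REQUEST", 0x0420: "TUNNELING_REQUEST",
            0x0530: "ROUTING_INDICATION"}

def parse_service(payload):
    """Return the service type of a well-formed KNXnet/IP frame, else None."""
    if len(payload) < 6:
        return None
    hdr_len, version, service, total = struct.unpack("!BBHH", payload[:6])
    # Fixed header: length 0x06, protocol version 0x10, total length = datagram size
    if hdr_len != 0x06 or version != 0x10 or total != len(payload):
        return None
    return service

def flag_external_knx(records, local_nets=LOCAL_NETS):
    """Return (source, service name) for KNXnet/IP frames from outside local_nets."""
    hits = []
    for src, dst_port, payload in records:
        if dst_port != KNX_PORT:
            continue
        service = parse_service(payload)
        if service is None:
            continue  # not KNXnet/IP, ignore
        ip = ipaddress.ip_address(src)
        if any(ip in net for net in local_nets):
            continue  # expected: ETS laptop on the LAN or a VPN client
        hits.append((src, SERVICES.get(service, f"0x{service:04x}")))
    return hits

def frame(service, body):
    """Build a constructed KNXnet/IP datagram for the sample data below."""
    return struct.pack("!BBHH", 0x06, 0x10, service, 6 + len(body)) + body

HPAI = bytes.fromhex("0801000000000000")  # 8-byte endpoint, 0.0.0.0:0 (NAT mode)
CRI = bytes.fromhex("04040200")           # tunnel connection, link layer
SAMPLE = [  # constructed capture records: (source IP, destination UDP port, payload)
    ("192.168.1.20", 3671, frame(0x0205, HPAI + HPAI + CRI)),
    ("203.0.113.7", 3671, frame(0x0203, HPAI)),
    ("203.0.113.7", 3671, frame(0x0205, HPAI + HPAI + CRI)),
    ("198.51.100.9", 3671, b"\x00\x01junk"),
    ("198.51.100.9", 53, frame(0x0201, HPAI)),
]

if __name__ == "__main__":
    for src, name in flag_external_knx(SAMPLE):
        print(f"ALERT external KNXnet/IP {name} from {src}")
```

Any hit means port 3671 is reachable from outside the VPN, which is the configuration the article says should never exist.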

Andy Ellis is the founder and managing director of Household Automation Ltd, and its sister company Knxion Ltd, providers of building automation consultancy, design, installation and aftercare services to clients who are involved in building residential and commercial properties.

http://www.household-automation.co.uk

http://www.knxion.co.uk

Julio Díaz is an Industrial Engineer and the owner of SAPIENX AUTOMATION, a Spanish company dedicated to engineering and consulting and a KNX++ Certified Training Centre with 25 years of experience in home and building automation and BMS solutions.

http://www.sapienx.es

Follow this link:
Security: the pitfalls of being hacked and how to avoid them using basic IT skills KNXtoday - KNXtoday

January 25, 2022 at 5:31 am by Mr HomeBuilder