Building Systems at Risk Due to Cisco Bug

Cisco warned today of vulnerabilities in their Cisco Network Building Mediator products. These products are used to remotely connect building systems to an IT controled monitoring panel. The system controls building lighting, HVAC, security and energy systems.

According to an article on The Register:

No authentication is required to read the system configuration files, making it possible for outsiders to take control of a building’s most critical control systems.

“Successful exploitation of any of these vulnerabilities could result in a malicious user taking complete control over an affected device,” a Cisco advisory stated. The notice also warned that the vulnerabilities are present in the legacy products from Richards-Zeta, the Cisco-acquired company that originally designed the system. The bugs were discovered during internal testing.
When I worked at an electrical engineering company, these devices were just coming out. The ones that I saw were simpler and only read data, they did not allow remote control. They were interesting because management could see realtime on their desktop what the building energy supply and loads were. The were great for forecasting energy use and supply.
Allowing control of these systems via computer was the next logical step, but bugs allowing a hacker remote control of your electric and lighting is a serious issue, especially in large metropolis buildings.