ALGORITHMIC WARFARE CYBER
‘Hack the Building’ Spotlights Vulnerabilities
The Defense Department has long been sounding the alarm on the increased need for enhanced cybersecurity measures across its programs to protect data and communications. It has promoted better cyber hygiene among its employees and is now preparing the defense industrial base to begin hardening its networks through its Cybersecurity Maturity Model Certification regulation.
However, less attention has been paid to the physical side of cybersecurity — securing buildings, manufacturing centers and other infrastructure from exploitation via their surveillance cameras, thermostats and other gadgets and smart systems.
To tackle that, the Maryland Innovation & Security Institute, or MISI, and Dreamport — a partnership between MISI and U.S. Cyber Command — recently held an inaugural “Hack the Building” event near Annapolis, Maryland. The objective? Have remote and on-site teams try to break into a fully equipped 150,000-square-foot “smart” building, which posed as a fictitious defense company known as “BCR Industries.”
The nation’s most critical operations occur in facilities, said Armando Seay, director and co-founder of MISI and the organizer of Hack the Building.
“Everyone wants to talk about the network,” he said. “Everyone wants to talk about the weapons systems. Where are those things being developed? Inside of a building.”
There is often a disconnect between those who run a company’s network security and physical security, he said.
“The fire alarm isn’t the responsibility of the cyber person, neither is the elevator, neither is the access control — it’s left to facilities,” Seay said. “All of those systems that I just mentioned, the surveillance cameras included, are all subject to cyber attack. But they don’t really work together. It’s two separate disciplines that don’t intersect nine times out of 10 in most government [facilities] and even in the corporate world.”
In one infamous example, a massive cyber breach into retail giant Target’s computer network in 2013 was conducted via an HVAC system, he noted.
“It’s easier to get in via that HVAC system that’s got a little antenna or device that’s communicating with a network inside the building than it is to try to attack the network inside the building,” he said.
Organizers held the Hack the Building event at the former headquarters of an internet service provider. It had a data center, a security operations center, old surveillance cameras and even backup batteries in the basement that emitted noxious gases and were reliant on exhaust fans to remove them from the building.
“It was crazy. We were like, ‘This is perfect,’” Seay said.
The event differed from other similar cyber gatherings, he noted.
“Everyone simulates it,” he said of cyber attacks on physical infrastructure. “They do tabletops, and that’s better than nothing, but they’re not as effective as doing the real thing ... where you get literally a sensory reaction.”
Given the rising importance of securing controlled unclassified information — which the Pentagon aims to do with its CMMC regulation — organizers of Hack the Building included fake CUI in the networks, Seay said.
Because of the pandemic, the event was held physically and virtually. There were about 30 teams which came from industry, federal labs, academia and government agencies. Groups participating on-site out of the building’s parking lot were limited to two people, he said. The event was livestreamed on Twitch.
“Attacks were coming from all over the country,” Seay said. “The density of the ... fictitious adversarial attack was huge. It wasn’t one team. It wasn’t two teams. There wasn’t a lab environment. There were people from all over the country, different teams, collegiate teams, military teams, commercial teams, attacking the building any way they could.”
Some of the teams focused on breaking into the building’s IT systems, Seay said.
“They were completely missing the target,” he said. “They would spend so much time trying to hack a Linux system or Windows system.”
The groups that took that approach didn’t realize there were faster and more stealthy ways to accomplish their objective, he said.
“That’s one thing that we learned from the event was, wow, the nation needs more education, more realistic exercises around this topic, because ... everyone focuses on the IT,” he said.
However, there were teams that shined during the event, such as Carnegie Mellon University, Johns Hopkins University and George Mason University, he said.
Successful teams “didn’t waste their time on frivolous attacks against IP assets or tools that would not have met their objective,” he said.
“They pivoted directly to the ... interconnected devices immediately and they were good at it and they were fast.”
In the future, organizers plan to break up Hack the Building — which was a four-day event, including a conference — into smaller exercises that will take place every few months, Seay said.
During the first quarterly event, participants will begin in the “lobby” of a building, he said. If they can get through it, they can qualify for the next exercise which will be on the second floor, and so forth.
“One of the things we realized is that we had a lot of people that did not know what they were doing,” he said. “I don’t believe there’s anything wrong with that. … Part of the exercise was to learn. But the leading, mature people who really know this, ... we don’t want to get mixed in with kindergartners. Put them in another room and let them play there.”