President's message: Showdown with Shodan

Data and network security is a growing issue in the world. In its 2020 report titled The Hidden Costs of Cybercrime,¹ McAfee reports cybercrime now costs the global economy approximately $1 trillion annually. As building owners and facility managers, we are responsible for the information technology and operational technology of our facilities. Cybercrime is a growing concern that should receive our growing attention. 

Securing building automation networks does not need to be an onerous or expensive process. The Pareto principle tells us a modicum of defensive effort (20 percent) goes a long way (80 percent) to minimize security vulnerability. Two simple, inexpensive initial steps you can take today are to change your internet-connected device’s default password and UDP port numbers. For Reliable Controls devices, this means using the Set Master Password dialog box in RC-Studio^® to change the master password, and using the MSet tool in RC-Toolkit^® to change the default BACnet UDP port numbers from 47808 to something outside the 47800–47823 range. Although these practices might be routine for today’s new installations, most older installations are likely to use the default master passwords and BACnet UDP port numbers.

As of August 2021, Reliable Controls is aware of nearly 2,000 internet-connected Reliable Controls devices that are installed using default BACnet UDP port numbers, making them the most vulnerable to hackers.

By now you might have heard about the website Shodan,² which tracks internet-connected devices. For a modest membership fee, anyone can obtain a Shodan account and search for all types of devices exposed to the internet. You can even search for building automation devices. For instance, once logged in, click Explore on the main menu, then select the Industrial Control Systems category. Here you can search over a dozen industrial control system vendors such as Modbus, Siemens, Tridium, and BACnet. Click Explore BACnet to return the configuration details of thousands of devices in the world that use the BACnet protocol configured with the default port number of 47808. The Shodan search tools allow you to further filter your search results by country, organization, and product. Filtering your BACnet search results by organization quickly displays all the BACnet internet-connected devices that are accessible on port 47808 for specific companies—possibly your company. The search results provide users with additional details such as device IP addresses, instance IDs, object names, locations, firmware versions, and model names. These are all key pieces of data that can help make a hacker’s job a lot easier when trying to penetrate and compromise the confidentiality, integrity, and availability of a building automation system.

If you find BACnet devices on the Shodan website that belong to your building, it is relatively easy to protect your facilities. Simply reconfigure your enabled BACnet/IP1 or BACnet/IP2 UDP port numbers using the MSet tool in RC-Toolkit to values outside the 47800–47823 range.

Of course, security by obscurity is only a single step that can help defeat exposure to automated probes from services such as Shodan. To further strengthen your defenses against more sophisticated risks, Reliable Controls strongly recommends you download the Reliable Controls Hardening Guide, available to all Reliable Controls users with credentials to the Customer Support Center. The guide can help you appreciate the best practices in the building automation industry so you can adopt a multilayered protection strategy to secure your building automation system. Your local Reliable Controls Authorized Dealer, too, is certainly a willing and able resource to help you achieve your cybersecurity goals. Go ahead and reach out to them today to help you develop a step-by-step plan to strengthen your operational technology security and reduce your risk to cybercrime.

1 https://www.mcafee.com/enterprise/en-us/assets/reports/rp-hidden-costs-of-cybercrime.pdf

2 https://www.shodan.io