Yes, specifically transportation. So did you have anything to do with the strike yesterday?
Fortunately not, because I live in a very, very small village.
I call it the Smurf Village. It's actually on the roadside where there is a big old oak tree. And everybody who knows the Smurfs knows they live at the third oak to the right. That's where I live. There is internet, and we get a bus like three times a day. So if you don't have a car where I live, you're screwed.
So no, I fortunately did not have anything to do with the strikes, but this is actually something where we definitely see some connection because, well, it's infrastructure, it's transportation infrastructure, and from the point of view of the German authorities, that transportation infrastructure is part of the critical infrastructure. And that also holds true for the stations that these trains usually stop in, naturally. Not the station in the small town that the small village I live in is a parish of, because that's just a one-track sort of station.
But the larger ones, like here in Frankfurt or Berlin Hauptbahnhof, they are part of the critical infrastructure, and unfortunately all of these buildings are, well, quite old. And as you may know, depending on this one...
Ha, it works and just making sure that we're all on the same page.
It's not that much about the stations themselves, but the buildings and the building automation that is there, and especially those components that are there for us humans to be able to survive there. So it's about heating, ventilation, air conditioning, because, well, this is a room without direct outside windows, so we are reliant on the HVAC to actually work. And I don't know who of you has followed 24, that crime series?
Yeah, there were many, many terrorist attacks that were targeting heating, ventilation, air conditioning, right? So it's some sort of critical. Same goes for building areas that face the outside: all the shades, all the blinds, they are typically automated. And the same holds true for anything that moves people. So escalators, elevators, lifts, whatever you want to call them. If you are able to mess with them...
Oh well, that is a big problem.
So yeah, just as we learned from our previous presenter, it's all about having an asset inventory, and yeah, it's operational technology. It's operational technology that we use to run those buildings, like the lights going down and up and everything that we have here. And sometimes that technology absolutely looks a bit weird.
And who of you has worked with OT, or who is responsible for OT security? Only 1, 2, 3, 4 people maybe.
Okay, good. So usually OT is something where you say, okay, that's a production hall, that's manufacturing automation technology, that's what we have in mind for operational technology. Like you have some sort of manufacturing hall, you have those nice little racks, hopefully, where you have those PLCs, in Germany we say SPS for that, like you have in automotive manufacturing. And the thing about those is people are mostly absent.
Like I spent my first years in OT security actually in the automotive industry.
And when you were dressed like this and you were walking through the production hall, well, if you got lucky you had like five minutes until some people in blue overalls were surrounding you with screwdrivers and stuff in their hands. So what are you guys doing here, and where's your visitor badge, and why are you close to my automation? Right? So it is harder to get your hands on that OT technology to manipulate it hands-on, because it's so far away. But for building automation that might be a little bit different.
So you have those panels where there are HVAC controls, and I think the ones that regulate this room here are pretty similar to what I have on the screen. But the problem is, in larger environments, in larger buildings, that building automation with all the nice panels is sometimes actually outside the building, because, well, that is a building from the 1800s or early 1900s, and they just didn't have room inside the building to get all the 1990s, 2000s building automation systems in there.
So they just put an overseas container in front of it, and well, that's outside the building, so it's outside the perimeter, the security perimeter of that. So you might get easy access. And for those of you wondering what we did to sort of approach that whole thing, I gave you a little bit of context information here.
Yes, OT security, IEC 62443 is definitely a thing for us here in Germany. The Grundschutz, the basic protection stuff, you'd say this is NIST SP 800 stuff in the US. Yes, we have that. And we found out that the BSI, the Bundesamt für Sicherheit in der Informationstechnik, has issued many, many really interesting new documents. And if you just Google BSI and "IN underscore two underscore one", you'll find these documents directly, and they are pure gold. Really, they are well-defined documents that will help you get an approach to securing that.
The problem here is that the building automation systems that are part of the critical infrastructure sometimes are even further outside the building. And then the critical infrastructure not only extends to the building itself, but sometimes it is close to the tracks right outside the station. So these are actual photos taken this year, where those automation systems seem to be, well, in a dangerous area, because hey, nobody wants to cross tracks where high-speed trains might pass, but unfortunately those are only like five meters away from the platform.
You could go there and just manipulate. And the same holds true for everything that is track infrastructure. So that is one of those locations where you could actually have influence on where the train goes, and it's literally two steps off the road if you have access to this here.
Well, you might need some equipment for that, but you can manipulate it, you can short it out, and then stuff happens.
Well, the talk is about building automation security, and who of you arrived here using trains, who regularly uses trains? Like 50%. Okay. This is more or less an invitation: if you are getting to your next larger station, be an observer and try to figure out where stuff is hidden, because most of the time it's hidden in plain sight.
So I happened to be at one of the larger train stations in northwestern Germany this weekend, and fortunately they had construction going on, a massive restructuring of the station. So most of the cabling, most of the building automation could actually be seen. And this is one of those examples. Well, you see some of the wires go in there, and it's a bit dark so you have to believe me, those are sort of the small boxes that do the sensing and do the edge analysis of certain parameters, doing stuff.
And the bad thing is, it's directly above your head, and just a few meters down the road you would see those boxes, and they were like 20 centimeters above your head. It's directly on the platform. You could have access to that. And the same holds true for those little buggers here. So the big problem is that you have OT that might have severe impact on the safety of people, like person transportation systems, escalators, elevators, whatnot. If it's a closed building, even heating, ventilation, air conditioning. And that might be quite easily accessible.
And that definitely poses a threat, because yes, we do have video surveillance, quite tight video surveillance in all of the newer stations, but the older stations that are, you know, from the 1800s, 1900s, they have dark corners where there is no video coverage, and sometimes in these dark corners, well, they put the automation systems, because nobody goes there usually. But if you know what you're doing, then we have a problem.
And yeah, so just as a fun thing to add, it's high time to act on that. Yeah, well, with NIS2 going on, those stations are definitely part of the critical infrastructure and we need to do something. Do you see something in that photo?
Yeah, that's one of the things. But take a look at the clocks.
Right? This is a brand new station. Brand new station. And guess what? None of them had the correct time. One was an hour ahead, one was an hour behind, and check out that clock in the background. It actually says half past eight, or seven I think.
And well, you see there's stuff we need to take care of, and this is brand new. This is really, really fresh, and we have our issues. The problem is, and I mentioned that, the technology is really, really, really old that you face there, and we have to get going. It's not that old, but these are real photos. Can anyone tell what the photo on the right-hand side is?
Okay. It's a patch panel for former...
Telephone.
It's the physical telephony system. And yes, most of the railway operators do still have their own landline phones, for a reason. They do not want to be part of the all-IP infrastructure. That is part of the fallback, but unfortunately these are physically not so well protected. And the other one, as you might tell from the yellowish color of the technology, that is actually an operational system, and, damn, trust me on that, it's '23, it's summer '23.
It's an operational system that actually prints out all the deviations that the heating, ventilation, air conditioning system has, like, you know, temperature exceeded, flow of heating fluid below whatever, right? That's what that is.
Yeah, it's a matrix printer, right? And that is part of the technology they are using right now. Okay. Some of that is a bit newer, and I guess these components we could actually get into our systems, like we just saw from the previous speaker, because, well, they may or may not have an RJ45 connector.
They may or may not be able to talk industrial Ethernet or something, have a MAC address and, you know, could be reachable. But the problem is that the buildings we surveyed are really old.
And even if you find the devices, it's all nice, you try to look them up and you figure out they are from a time when we had mail-order catalogs. You can't even find a fact sheet about that product. You will find something online that says, oh, nice that you've been looking for this, and by the way, the second generation of that was issued in 1995 and you can order it here. But you will find nothing about the original. So building your asset inventory is a good thing, but no IT technology in the world can help you with that. You will actually have to do walking assessments.
You actually have to do site surveys, where you spend time walking through all of the dark cellars and caves and under the roofs of those stations to find out what kind of technology we have there. And especially the information on where that technology is located is really, really important.
You know, what's that called? Bru...?
KLA... and like technology that you use to get rid of smoke in case of fire or something. Those especially are working fine, they're from the eighties. It's like a heat sensor, a smoke sensor, and if both go off, well, that just opens some kind of lock and then you get rid of the smoke. So it's really, really hard. And I felt like I spent New Year's Eve 1999 in my office at Siemens, because we were all expecting the world to end. And we all knew that the people who had done the old-school COBOL programming were all herded back into the organizations.
You need that today. You need those old veterans to tell you, oh yeah, this is XYZ technology and it does this and it usually has that usage and whatnot. And then you need to rewrite those component fact sheets, put photos on them and give that to other people in the other locations so they have it easier. And unfortunately, all of those buildings have been built with individual tenders. So there was absolutely no standardization. So you could have the same functionality in 10 stations using 12 different vendors, 12 different PLCs. It's a nightmare.
So yeah, clustering, classification, asset dependencies, and all from thin air. There is like, yeah, it's a PLC, it's an HVAC PLC, that's it. You don't know make and model, you have to find that. So unfortunately, building automation security is a marathon. So you have to look forward: the stuff that you have on site right now is 30, 40 years old, and you'd better work on getting your ducks in a row for the future.
So doing something like creating purchasing requirements, asking vendors to come up with technology that will actually support your standardized management, just like we saw in the previous presentation, and giving them some sort of hardware requirements. Okay, we need these interfaces, we need that functionality. Yes, we need some stuff like certificate management standardization, we need to have certain abilities to do updates and actually get information back from those controllers. That is really, really, really important.
And the problem that we are starting to see here: even BACnet, which is one of those protocols that we're using here, and there is BACnet/SC, secure connect, it's supposed to use some TLS technology, but all the vendors are barely able to put certificates on the devices. Not even talking about the CPUs and RAM being able to work with that. But having that in a manageable way? Not a chance. Like doing centralized PKI, doing centralized certificate exchange, it's nothing.
Yes, they can do that, but only in their own little realm. Only vendor lock-in.
So yeah, no centralized certificate management, no secure communication. We all need to put that as requirements into the RFPs and RFIs and make the vendors add that. And fortunately, the organization is definitely one that is large enough to put that together and say, okay, if you don't come up with these technologies, we won't buy from you in five years. You will get like a minus in the RFPs for the next four years, but then if you don't have it, we won't buy. Okay, where do we need to go? What's the next station we need to secure?
I found that one, which I find pretty nice, and those of you who are aware of the Grundschutz handbook, the basic protection catalog: it had an entry about physical access control for space stations. It's "not applicable", but it was there.
So yeah, if that was a little bit of food for thought, I invite you to get in contact with me. I hope you enjoyed that little presentation here, which was definitely more on the entertaining side, but I hope you got the bits and pieces. We are only starting there, and the journey is going to last until I'm no longer in the workforce. Thanks so much. Well.