Industry reflection

Building control systems—the forgotten attack vector

Summary from Leif Nixon’s presentation at SCADA security, September 28 2021

Last week, it was at last time for this year’s SCADA security event in Stockholm, which this year focused on increasingly connected and intelligent control systems. Leif Nixon, security expert at Sectra Communications, gave a highly interesting presentation on Building control systems—the forgotten attack vector, which addressed the challenges presented by the complex IT systems at hospitals. Below is a summary of his lecture.

Leif concluded his lecture with a very significant key takeaway: “The building control systems in healthcare are literally vital to life; if the oxygen supply disappears, for example, it could have dire consequences and could result in deaths. Unfortunately, the security in these systems is rather neglected. But it’s actually not that difficult to make things much better—not perfect but much better.”

To understand Leif’s concluding quote, we need to go back to the beginning and first of all understand hospital IT systems and how they are connected with what is known as the property control system. And the question that is perhaps on all of our minds—what is the threat scenario that hospitals must defend themselves against?

Ransomware—not only a crime

Ransomware is a type of virus that contains harmful code that encrypts files and computers. The purpose of a ransomware attack is to enable an attacker to demand a ransom to ensure that access to your systems is restored. Leif points out that ransomware is not only a crime these days, but can actually be a matter of national security.

“We have adversaries who wouldn’t hesitate to attack hospitals for political or financial gain. It is these types of individuals that we need to defend ourselves against. People who sink so low that they attack hospitals. This is today’s threat scenario.”

What is the structure of a hospital IT system?

The traditional perception is of a system divided into two parts.

The administrative side with desktop computers where employees carry out their daily administrative tasks, such as handling e-mail.

The medical technology side with infusion pumps, MS scanners and similar equipment, which have built-in computers and may or may not undergo continuous security updates.

A hospital ideally wants to keep these systems separate, but on closer inspection, you can see the challenges involved and then reflect on the patient data systems. These systems are designed to process patient data, including journals, which straddled both sides of the system. This creates complexity in the system.  But that is not all. If we take a typical hospital clinic, how much is computer-controlled and nonetheless cannot be sorted into the administrative side or the medical side?

Leif Nixon

A hospital is not a building—it is a computer-controlled machine with rooms inside

Who or what actually controls the electrical sockets, lighting, ventilation, water and other critical functions in a hospital? The answer is the third, and almost hidden, system: the building control system.

The image below contains several critical functions that are crucial for a hospital to be able to conduct the necessary care of patients. The common denominator for all of these functions is that they are run by a control system.



“Take electrical sockets, for example. A hospital must have electricity/auxiliary power 24/7 and this is run by a control system. Gas outlets and the distribution of oxygen, nitrogen gas and breathing air are required every day. Lighting. The switch on the wall is not just a switch. It is the remote control for the lighting. This means that it is also computer-controlled.”

“What happens if, for example, the ventilation in a hospital breaks down? It will become a little stuffy, but it also means that no surgical procedures can be performed and operating rooms must be closed if they have no ventilation. The same applies to water. Medical care cannot be provided without clean hot and cold water. ”

All of these functions are nothing less than vital to a hospital.

The network and all of its connections

If you look at how the architecture of a building control system is structured, you can see a flat network that is connected to everything. This is not good from a security perspective because there are several points of entry for malicious individuals to access the critical systems.

The networks in hospitals has been built up over many years and only 15 years ago, the system was completely separate. The number of computers involved was very limited, but in recent years, the systems have become much more digitized and more and more external connections have gradually been added to the operating network. Below are two examples of external connections:

  • The personnel who operate and are responsible for the property control systems must be able to move freely in a hospital and, at the same time, have remote access to the control systems. This means that they must always have a laptop and some form of connection to the system. The challenge here is to ensure that the connection between the laptop and the sensitive operating network is reasonably secure.
  • The suppliers of the equipment needed in a hospital often want to provide maintenance for the systems they have supplied, which means that they want to have their own connections to the operating network. This gives rise to a further challenge since it creates yet another way in for a potential attack against the network.

More challenges

To complicate the situation even further, it is difficult, if not impossible, to keep track of all of the random people who may be present at a hospital. It is not easy to have physical security around a network that is everywhere including “public” areas. Another challenge is that the building control systems in each building continue on with the building itself, which means that when a new building is added in a hospital area, it receives a new generation of property network.

There is a whole spectrum of various types of technology in a single hospital. In addition, the suppliers of building control systems are often relatively young in terms of security. It’s getting better, but it is not progressing very fast.

Leif Nixon

Suggested measures

In different customer assignments in which Leif is involved, there are actually a number of rather basic measures that a hospital can take to increase the security of the property control systems.

  1. Documentation: Draw network maps and ensure that you have procedures to keep the information updated. Ensure that you are not dependent on specific individuals and that you have a procedure for documenting knowledge, particularly knowledge that, in practical terms, is only known to certain employees and is therefore not documented in writing. Such important knowledge must not be lost.
  2. Segment the network: To prevent the spread of incidents and reduce the consequences of attacks, it is important to place information systems with different functions in separate networks.
  3. Look over the remote access to the control systems. Is it only the necessary people who has the access needed? This is important for both internal access as well as remote access from suppliers.
  4. When a new project, such as a renovation or modernization of the different systems, are made within a hospital, it is important to include security as a natural part and to choose suppliers with good competence in security.
  5. Logging: Ensure that all functions are logged and that the information goes to a central log server. It is also important to continuously review the logs or at least know how they work, in case something goes wrong, so that it is possible to check the logs afterwards and find out what happened.
  6. Monitoring: when the organization starts to achieve a certain level of maturity in terms of security, it will be possible to start monitoring the network in the form of network and log monitoring.

Related reading

Related products