A member of the Gartner Blog Network
John Pescatore
VP Distinguished Analyst
11 years at Gartner
32 years IT industry

John Pescatore is a vice president and research fellow in Gartner Research. Mr. Pescatore has 32 years of experience in computer, network and information security. Prior to joining Gartner, Mr. Pescatore was senior consultant for Entrust Technologies and Trusted Information Systems.
Converged Networks: Too Many Eggs In One Basket Will Always Lead to Broken Eggs

by John Pescatore  |  May 27, 2010  |  2 Comments

The Register recently reported on a Cisco security advisory about vulnerabilities in its Network Building Mediator product, which is used to integrate and remotely control a building's HVAC and physical security systems over a network:

Multiple vulnerabilities exist in the Cisco Network Building Mediator (NBM) products. These vulnerabilities also affect the legacy Richards-Zeta Mediator products. This security advisory outlines details of the following vulnerabilities:

  • Default credentials
  • Privilege escalation
  • Unauthorized information interception
  • Unauthorized information access

NBM is part of a Cisco push to convince enterprises to run everything, including HVAC and physical access control systems, over a single enterprise network. Sort of the way the HAL computer controlled everything on the spaceship in the movie “2001: A Space Odyssey”…

Gartner analyst Joe Skorupa recently published a research note, “Myth: A Single FCoE Data Center Network = Fewer Ports, Less Complexity and Lower Costs,” pointing out a lot of the overhype around converged networks:

Key Findings

  • Don’t assume that a single converged Fibre Channel over Ethernet (FCoE) network is desirable, or even feasible.
  • Standards for building large, scalable, Layer 2, converged Ethernet backbones are at least a year away. Products proven to be interoperable are much further off.
  • Combining storage area network (SAN) and local-area network (LAN) traffic on a single backbone network increases costs and complexity.
  • Organizational issues often dwarf the technical issues surrounding network convergence.
  • Staff reductions are unlikely to be feasible even if physical networks are converged.
  • Maintaining two separate data center networks doesn’t mean you can’t use the same technology for both.

From a security perspective, segmentation and zoning have enormous and constantly proven advantages. In many cases logical segmentation is fine, but in the real world there are still a lot of good reasons for physical separation as well, not the least of which is the continuing stream of serious software vulnerabilities such as the ones Cisco has just announced: default credentials and privilege escalation in a controller for HVAC and door systems are far less exposed when that controller is not reachable from the general IT network and the Internet. What looks elegant on the brochure isn’t always what leads to business benefit, let alone reasonable risk.

2 responses so far ↓

  • 1 Joe   May 27, 2010 at 11:59 am

    John, I do not believe this has to do with converged or unconverged networks. Even if you are unconverged, the fact is most BAS systems do not have a good security posture and never disclose. Even if you do physical segmentation, the current BAS will succumb to attacks in its own segment or vlan as they do not uphold security best practices in their implementations.

    Cisco is the first in the industry to do so, which is a major step forward. From an outsider's view, this shows a firm commitment to ensure building systems comply with IT security. I'd love to see other BAS vendors follow the market leader.

  • 2 John Pescatore   May 27, 2010 at 12:03 pm

    Agree that fixing vulnerabilities in BAS systems is a good thing; however, by putting them on the same network as other IT systems and Internet connections, those vulnerabilities are getting much more exposed than if they were on physically separated networks of their own. Plus, data storms and DDoS on the IT network are then also much less likely to impact the BAS systems.