An outdated building management system at Google Australia's headquarters has been pulled offline after flaws were found by researchers, highlighting the importance of having a thorough vulnerability management plan.
Google Australia's Wharf 7 building in Pyrmont, Sydney, previously used a Tridium building management system (BMS) to regulate temperature, air conditioning, ventilation and other elements of the building.
However, the system has now been canned after two researchers from information security company Cylance notified Google through the Vulnerability Rewards Program (VRP) that a vulnerability in the Tridium system could have exposed the company to outside threats.
Researchers Billy Rios and Terry McCorkle found a flaw in the BMS that could have let them access sensitive information by retrieving a critical file containing the device's specific configuration and the usernames and passwords of all users on the device.
This in turn would have enabled them to manipulate the Google Tridium device and the automation systems in the Wharf 7 building, and if they had chosen to root the device (which was also possible), they could even have gained access to a machine in Google's own network.
Instead, Mr Rios and Mr McCorkle alerted Google through the VRP – one can only imagine what could have happened if cyber criminals had taken advantage of this flaw instead.
In a blog post dated May 6, the researchers thanked Google for the VRP and the opportunity to raise awareness about this particular issue, saying they had discovered thousands of these types of systems which could potentially cause issues for any companies using similar devices.
"At the time of this blog post, this exact issue affects tens of thousands of devices on the Internet and thousands of different organisations," the blog post states.
"If Google can fall victim to an ICS attack, anyone can."
According to an article in ZDNet, a spokesperson for Google Australia said that they have taken the appropriate actions to resolve the issue.
If you are worried about the security levels in your own company headquarters, you may wish to consult a trusted security solutions provider to help you develop a thorough policy.
ICT networks and other systems can contain highly sensitive information, which is why a security audit is necessary to ensure that none of this sensitive data can be accessed without authorisation.