Schools in the UK are vulnerable to hackers, according to the security research company Pen Test Partners (PTP).
The heating systems in many schools across the country are connected to the internet, making it easy for hackers to cause temperatures to plummet from afar.
PTP’s founder Ken Munro said:
It would be really easy for someone with basic computer skills to have switched off a school’s heating system — it’s a matter of clicks and some simple typing. It’s a reflection of the current state of internet-of-things (IoT) security.
Installers need to up their game, but manufacturers must also do more to make their systems foolproof so they can’t be set up this way.
Munro’s company used the IoT search tool Shodan to look for a specific model of building management system controllers made by Trend Control Systems.
How well do you really know your competitors?
Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.
Your download email will arrive shortly
Not ready to buy yet? Download a free sample
We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below formBy GlobalData
The model, released 14 years ago, can be hacked when exposed directly to the internet. It took PTP employees less than 10 seconds to find more than 1,000 examples where the model was being used.
While pulling out and replacing the network cables is an option, Munro wants to see more electricians and engineers who install building management systems to have a better understanding of cyber threats.
Trend Control Systems responded to criticism, saying that it always advises its customers to use skilled IT workers.
A company spokesman Trent Perrotto said:
Trend takes cyber-security seriously and regularly communicates with customers to make devices and connections as secure as possible. This includes the importance of configuring systems behind a firewall or virtual private network, and ensuring systems have the latest firmware and other security updates to mitigate the risk of unauthorised access.
He added, however, that the company would “assess and test the effectiveness” of its current practices.
Not just schools
Munro said it is not just schools that are vulnerable to a cyber attack, pointing to cases involving retailers, government offices, businesses and military bases.
Steven Murdoch, a security researcher in the computer science department University College London (UCL), said that at present the threat is contained:
“The risk is limited because criminals have little incentive to carry out such attacks, and even if they did it should be possible for building managers to notice what is happening and manually override.
However, these problems do show the potential for far more dangerous scenarios in the future, as more devices get connected to the internet, whose failure might be harder to recover from. And we still need manufacturers to design secure equipment, because even if a device is not directly connected to the internet, there almost certainly is an indirect way in.