Schools in the UK are vulnerable to hackers, according to the security research company Pen Test Partners (PTP).
The heating systems in many schools across the country are connected to the internet, making it easy for hackers to cause temperatures to plummet from afar.
PTP’s founder Ken Munro said:
It would be really easy for someone with basic computer skills to have switched off a school’s heating system — it’s a matter of clicks and some simple typing. It’s a reflection of the current state of internet-of-things (IoT) security.
Installers need to up their game, but manufacturers must also do more to make their systems foolproof so they can’t be set up this way.
Munro’s company used the IoT search tool Shodan to look for a specific model of building management system controllers made by Trend Control Systems.
The model, released 14 years ago, can be hacked when exposed directly to the internet. It took PTP employees less than 10 seconds to find more than 1,000 examples where the model was being used.
While pulling out and replacing the network cables is an option, Munro wants to see more electricians and engineers who install building management systems to have a better understanding of cyber threats.
Trend Control Systems responded to criticism, saying that it always advises its customers to use skilled IT workers.
A company spokesman Trent Perrotto said:
Trend takes cyber-security seriously and regularly communicates with customers to make devices and connections as secure as possible. This includes the importance of configuring systems behind a firewall or virtual private network, and ensuring systems have the latest firmware and other security updates to mitigate the risk of unauthorised access.
He added, however, that the company would “assess and test the effectiveness” of its current practices.
Not just schools
Munro said it is not just schools that are vulnerable to a cyber attack, pointing to cases involving retailers, government offices, businesses and military bases.
Steven Murdoch, a security researcher in the computer science department University College London (UCL), said that at present the threat is contained:
“The risk is limited because criminals have little incentive to carry out such attacks, and even if they did it should be possible for building managers to notice what is happening and manually override.
However, these problems do show the potential for far more dangerous scenarios in the future, as more devices get connected to the internet, whose failure might be harder to recover from. And we still need manufacturers to design secure equipment, because even if a device is not directly connected to the internet, there almost certainly is an indirect way in.
Verdict deals analysis methodology
This analysis considers only announced and completed cloud-deals deals from the GlobalData financial deals database and excludes all terminated and rumoured deals. Country and industry are defined according to the headquarters and dominant industry of the target firm. The term ‘acquisition’ refers to both completed deals and those in the bidding stage.
GlobalData tracks real-time data concerning all merger and acquisition, private equity/venture capital and asset transaction activity around the world from thousands of company websites and other reliable sources.
More in-depth reports and analysis on all reported deals are available for subscribers to GlobalData’s deals database.