Figure 1 - uploaded by David Holmberg
A conceptual BACnet secure network configuration; SR = secure router, SD = secure device. All BACnet devices on untrusted network are secure.

Source publication
Article
Full-text available
This technical report addresses inter-networked building automation and control systems (BAS or BCS) using the BACnet protocol [ANSI/ASHRAE, 2001]. The report deals with threats from known sources due to communication connections to the corporate LAN and the public Internet as well as physical threats to the building automation equipment and attach...

Contexts in source publication

Context 1
... secure services built into the BACnet protocol, new kinds of network configurations are likely. Figure 1 presents a conceptual secure configuration. There are secure devices (SD) and some of these are secure routers (SR). ...
Context 2
... shown in Fig. 1 are some elements of the network that complicate security efforts. There may be a corporate firewall or network address translation (NAT) features that will require communication between the building services staff and IT staff, but will also provide greater protection against IT threats. There may be other external connections from a ...
Context 3
... the network scenario of Figure 1, there will be web interfaces (routers and servers), BACnet/IP controllers (connected to interesting devices that are network accessible), and operator workstations that may have vulnerable OS as well as configuration files and other interesting data and resources. ...
Context 4
... possibilities for a simpler security mechanism that will provide at least basic security, that does not require significant changes to the way BACnet communicates, and which is relatively easy to set-up and administer. Along with this, secure network configuration is being discussed. The concepts of secure routers and secure networks of Fig. 1 are discussed in more detail in [Robin, ...
Context 5
... in various ways to suit the security needs of various size networks. Perhaps a single packet filtering router is sufficient for a small network with minimal security, whereas a large higher security facility would have multiple routers (allowing a semi-secure area between routers) with a proxy server and IDS (see below). In the case shown in Fig. 1 earlier, there is a corporate firewall that will filter out much of the harmful network traffic before it reaches the building control system. It may be deemed unnecessary to use an additional firewall at the BCS entry point. However, it may also be found that a BBMD/firewall/router (BFR), as discussed earlier in 4.2.2 and 6.1, or ...

Similar publications

Research
Full-text available
Designing a network is not just about placing routers, firewalls, intrusion detection systems, etc. in a network but it is about having good reasons for placing such hardware in its place. The world has gone beyond just designing a network alone for the sake of achieving a functional inter-connected LAN or WAN for doing business. The threat to organi...
Article
Full-text available
These days network security applications can be found everywhere due to the increasing size and number of Local Area Networks (LAN), and Internet connections. This paper critically examined several research works on techniques used in building Intrusion Detection System (IDS). We considered the Fuzzy ART technique for designing and building our pro...
Article
Full-text available
Network security has become more of a concern with the rapid growth and expansion of the Internet. While there are several ways to provide security in the application, transport, or network layers of a network, the data link layer (Layer 2) security has not yet been adequately addressed. Data link layer protocols used in local area networks (LANs)...
Article
Full-text available
The security problems of network equipment are becoming more and more important with the fast development of the Internet. Aiming at the security, stability and protocol consistency of network security equipment, a user extensible network security device testing framework is proposed, and a user extensible network packet generator is designed based...
Article
Full-text available
Computers and Networking have become inseparable by now. A number of confidential transactions occur every second and today computers are used mostly for transmission rather than processing of data. So Network Security is needed to prevent hacking of data and to provide authenticated data transfer. Distributed firewalls secure the network by protec...

Citations

... Unlike IT-based networks, automation-level network devices are less equipped with state-of-the-art intrusion detection systems or firewalls. Moreover, the current implementations of BAS protocols lack basic authentication and encryption, which makes it possible to perform snooping attacks, network rerouting attacks, malicious data injection, and replay attacks (Holmberg & Evans, 2003). These protocol-specific threats are reviewed in Section 3.2.2. ...
... BACnet is designed with Internet connection capability, thus BACnet networks can be exposed to remote attackers. The generic protocol design vulnerabilities of BACnet were discussed in (Holmberg & Evans, 2003; Kaur et al., 2015). These vulnerabilities are mostly caused by the lack of authentication and encryption. ...
... Table 3. Typical scenarios of BAS attacks (Holmberg & Evans, 2003; Kaur et al., 2015). ...
Article
Full-text available
Modern Building Automation Systems (BASs), as the brain that enable the smartness of a smart building, often require increased connectivity both among system components as well as with outside entities, such as the cloud, to enable low-cost remote management, optimized automation via outsourced cloud analytics, and increased building-grid integrations. As smart buildings move towards open communication technologies, providing access to BASs through the building's intranet, or even remotely through the Internet, has become a common practice. However, increased connectivity and accessibility come with increased cyber security threats. BASs were historically developed as closed environments with limited cyber-security considerations. As a result, BASs in many buildings are vulnerable to cyber-attacks that may cause adverse consequences, such as occupant discomfort, excessive energy usage, and unexpected equipment downtime. Therefore, there is a strong need to advance the state-of-the-art in cyber-physical security for BASs and provide practical solutions for attack mitigation in buildings. However, an inclusive and systematic review of BAS vulnerabilities, potential cyber-attacks with impact assessment, detection & defense approaches, and cyber resilient control strategies is currently lacking in the literature. This review paper fills the gap by providing a comprehensive up-to-date review of cyber-physical security for BASs at three levels in commercial buildings: management level, automation level, and field level. The general BASs vulnerabilities and protocol-specific vulnerabilities for the four dominant BAS protocols (i.e., BACnet, KNX, LonWorks, and Modbus) are reviewed, followed by a discussion on four attack targets and seven potential attack scenarios. The impact of cyber-attacks on BASs is summarized as signal corruption, signal delaying, and signal blocking. The typical cyber-attack detection and defense approaches are identified at the three levels. Cyber resilient control strategies for BASs under attack are categorized into passive and active resilient control schemes. Open challenges and future opportunities are finally discussed.
... In addition, we will work on integrating all different components of IIoT-ARAS into one structured system, introduce socket programming to be able to connect the tool to real physical networks, create more simulated network attacks for testing, and work on enhancing assets discovery by adopting enhanced versions of known protocols like uPNP, SNMP, SolarWind's Ping Sweep and others. Furthermore, we will work on creating a simulation framework for BACnet protocol being one of the most common ICS used protocols [17]. As a next phase, we consider introducing Machine Learning principles to IIoT-ARAS to aid self-decision and protection by utilizing in-memory objects. ...
Preprint
Full-text available
IoT is undoubtedly considered the future of the Internet. Many sectors are moving towards the use of these devices to aid better monitoring, controlling of the surrounding environment, and manufacturing processes. The Industrial Internet of things is a sub-domain of IoT and serves as enablers of the industry. IIoT is providing valuable services to Industrial Control Systems such as logistics, manufacturing, healthcare, industrial surveillance, and others. Although IIoT service-offering to ICS is tempting, it comes with greater risk. ICS systems are protected by isolation and creating an air-gap to separate their network from the outside world. While IIoT by definition is a device that has connection ability. This creates multiple points of entry to a closed system. In this study, we examine the first automated risk assessment system designed specifically to deal with the automated risk assessment and defining potential threats associated with IT/OT convergence based on OCTAVE Allegro- ISO/IEC 27030 Frameworks.
... Unlike IT-based networks, automation-level network devices are less equipped with state-of-the-art intrusion detection systems or firewalls. Moreover, the current implementations of BAS protocols lack basic authentication and encryption, which makes it possible to perform snooping attacks, network rerouting attacks, malicious data injection, and replay attacks (Holmberg & Evans, 2003). These protocol-specific threats are reviewed in Section 3.2.2. ...
... BACnet is designed with Internet connection capability, thus BACnet networks can be exposed to remote attackers. The generic protocol design vulnerabilities of BACnet were discussed in (Holmberg & Evans, 2003; Kaur et al., 2015). These vulnerabilities are mostly caused by the lack of authentication and encryption. ...
... Table 3. Typical scenarios of BAS attacks (Holmberg & Evans, 2003; Kaur et al., 2015). ...
Preprint
Full-text available
Modern Building Automation Systems (BASs), as the brain that enables the smartness of a smart building, often require increased connectivity both among system components as well as with outside entities, such as optimized automation via outsourced cloud analytics and increased building-grid integrations. However, increased connectivity and accessibility come with increased cyber security threats. BASs were historically developed as closed environments with limited cyber-security considerations. As a result, BASs in many buildings are vulnerable to cyber-attacks that may cause adverse consequences, such as occupant discomfort, excessive energy usage, and unexpected equipment downtime. Therefore, there is a strong need to advance the state-of-the-art in cyber-physical security for BASs and provide practical solutions for attack mitigation in buildings. However, an inclusive and systematic review of BAS vulnerabilities, potential cyber-attacks with impact assessment, detection & defense approaches, and cyber-secure resilient control strategies is currently lacking in the literature. This review paper fills the gap by providing a comprehensive up-to-date review of cyber-physical security for BASs at three levels in commercial buildings: management level, automation level, and field level. The general BASs vulnerabilities and protocol-specific vulnerabilities for the four dominant BAS protocols are reviewed, followed by a discussion on four attack targets and seven potential attack scenarios. The impact of cyber-attacks on BASs is summarized as signal corruption, signal delaying, and signal blocking. The typical cyber-attack detection and defense approaches are identified at the three levels. Cyber-secure resilient control strategies for BASs under attack are categorized into passive and active resilient control schemes. Open challenges and future opportunities are finally discussed.
... Cyber-attacks on HVAC control systems (i.e., corruption of temperature sensor readings to affect critical control programs) are becoming possible due to increasing connectivity of buildings to external networks for supporting remote management and cloud-based analytics. For example, Building Automation and Control Networks (BACnet) [24], the most popular communication protocol for buildings, has been reported to have multiple vulnerabilities that can be used to launch cyber-attacks on building control systems [11]. Moreover, HVAC systems still need to provide services when under faults or attacks, as diagnosing the problems and fixing the sensors often takes a significant amount of time. ...
Conference Paper
Full-text available
As people spend up to 87% of their time indoors, intelligent Heating, Ventilation, and Air Conditioning (HVAC) systems in buildings are essential for maintaining occupant comfort and reducing energy consumption. These HVAC systems in smart buildings rely on real-time sensor readings, which in practice often suffer from various faults and could also be vulnerable to malicious attacks. Such faulty sensor inputs may lead to the violation of indoor environment requirements (e.g., temperature, humidity, etc.) and the increase of energy consumption. While many model-based approaches have been proposed in the literature for building HVAC control, it is costly to develop accurate physical models for ensuring their performance and even more challenging to address the impact of sensor faults. In this work, we present a novel learning-based framework for sensor fault-tolerant HVAC control, which includes three deep learning based components for 1) generating temperature proposals with the consideration of possible sensor faults, 2) selecting one of the proposals based on the assessment of their accuracy, and 3) applying reinforcement learning with the selected temperature proposal. Moreover, to address the challenge of training data insufficiency in building-related tasks, we propose a model-assisted learning method leveraging an abstract model of building physical dynamics. Through extensive experiments, we demonstrate that the proposed fault-tolerant HVAC control framework can significantly reduce building temperature violations under a variety of sensor fault patterns while maintaining energy efficiency.
... The modeling of active threats with human in the middle mainly focuses on cyber-attacks launched on the communication network of a cyber-physical system. Many researchers have identified and classified vulnerabilities in the BACnet protocol, including snooping, application service attack, network layer attack, network layer Denial of Service (DoS) and application layer DoS [19,20]. Researchers in [21,22] have implemented a range of attacks against BACnet using the detailed specific vulnerabilities using customized BACnet simulation environments. ...
Article
Full-text available
Grid-interactive efficient buildings (GEBs) have been considered as an important asset to support the power grid reliability by utilizing the demand flexibility offered by GEBs. GEBs are enabled by advances in sensors and controls, and the communication between building equipment, whole buildings, and the grid. The integration of different building technologies and network-based communication system makes GEBs vulnerable to passive threats such as equipment failure and active threats such as cyber-attacks. Modeling and simulation is an effective way to evaluate the impact of threats on the system performance. This paper proposes a generic and flexible threat injection framework for commonly-used building energy simulators such as EnergyPlus and Modelica to support threat modeling and evaluation. This framework leverages functional mock-up unit (FMU) to develop a general modeling interface for threat injection and simulation. A numerical case study using Modelica as a building energy simulator is conducted to demonstrate the capability of the framework for supporting single/multiple-order threat modeling and simulation of a GEB. Four threats and their combinations are injected on a Modelica-based threat-free building energy and control system, including operating supply fan at its full speed, remotely cycling the chiller on and off, blocking the chiller from receiving the chilled water supply temperature setpoints, and hijacking the global zone air temperature setpoint. Simulation results show that the cyber-attack that leads to short-term signal blocking has small effects on the system operation due to the "self-healing" feature of the heating, ventilation, and air-conditioning (HVAC) interactive control system. The threat that takes control of resetting the global zone air temperature setpoints has the most adverse impact on the system energy use, peak power demand, thermal comfort and the provision of demand flexibility. The combination of four threats have aggregative effects on the system but the effects are less than the additive effects of the individual threat.
... An analysis in 2003 by the Department of Commerce found some threats to building automation protocols such as BACnet. While most systems were not connected to the Internet, there was still backdoor access via modem connections to controllers [159]. The study also noted various attacks on passwords, confidentiality, integrity, DoS, spoofing, and eavesdropping within a BACnet installation. ...
Article
As technology becomes more widely available, millions of users worldwide have installed some form of smart device in their homes or workplaces. These devices are often off-the-shelf commodity systems, such as Google Home or Samsung SmartThings, that are installed by end-users looking to automate a small deployment. In contrast to these “plug-and-play” systems, purpose-built Enterprise Internet-of-Things (E-IoT) systems such as Crestron, Control4, RTI, Savant offer a smart solution for more sophisticated applications (e.g., complete lighting control, A/V management, security). In contrast to commodity systems, E-IoT systems are usually closed source, costly, require certified installers, and are overall more robust for their use cases. Due to this, E-IoT systems are often found in expensive smart homes, government and academic conference rooms, yachts, and smart private offices. However, while there has been plenty of research on the topic of commodity systems, no current study exists that provides a complete picture of E-IoT systems, their components, and relevant threats. As such, lack of knowledge of E-IoT system threats, coupled with the cost of E-IoT systems has led many to assume that E-IoT systems are secure. To address this research gap, raise awareness on E-IoT security, and motivate further research, this work emphasizes E-IoT system components, E-IoT vulnerabilities, solutions, and their security implications. In order to systematically analyze the security of E-IoT systems, we divide E-IoT systems into four layers: E-IoT Devices Layer, Communications Layer, Monitoring and Applications Layer, and Business Layer. We survey attacks and defense mechanisms, considering the E-IoT components at each layer and the associated threats. In addition, we present key observations in state-of-the-art E-IoT security and provide a list of open research problems that need further research.
... As neither these legacy protocols nor the applications that use them support or implement authentication or encryption mechanisms, an adversary can take control of a device and cause physical, possibly catastrophic, damage by sending targeted, well-formed packets [136], or simply too many packets [149]. For at least one protocol used in building automation and control (BACnet), a detailed threat analysis [90] and summary of known protocol-level attacks [157] is readily available. Additionally, as many ICS devices are designed to be configured via the ICS protocol, Programmable Logic Controller (PLC) code or other configuration data can be directly downloaded or uploaded via the ICS protocol port [177,217]. ...
Thesis
Cyber Physical Systems (CPS) couple digital systems with the physical environment, creating technical, usability, and economic security challenges beyond those of information systems. Their distributed and hierarchical nature, real-time and safety-critical requirements, and limited resources create new vulnerability classes and severely constrain the security solution space. This dissertation explores these challenges, focusing on Industrial Control Systems (ICS), but demonstrating broader applicability to the whole domain. We begin by systematising the usability and economic challenges to secure ICS. We fingerprint and track more than 10,000 Internet-connected devices over four years and show the population is growing, continuously-connected, and unpatched. We then explore adversarial interest in this vulnerable population. We track 150,000 botnet hosts, sift 70 million underground forum posts, and perform the largest ICS honeypot study to date to demonstrate that the cybercrime community has little competence or interest in the domain. We show that the current heterogeneity, cost, and level of expertise required for large-scale attacks on ICS are economic deterrents when targets in the IoT domain are available. The ICS landscape is changing, however, and we demonstrate the imminent convergence with the IoT domain as inexpensive hardware, commodity operating systems, and wireless connectivity become standard. Industry's security solution is boundary defence, pushing privilege to firewalls and anomaly detectors; however, this propagates rather than minimises privilege and leaves the hierarchy vulnerable to a single boundary compromise. In contrast, we propose, implement, and evaluate a security architecture based on distributed capabilities. Specifically, we show that object capabilities, representing physical resources, can be constructed, delegated, and used anywhere in a distributed CPS by composing hardware-enforced architectural capabilities and cryptographic network tokens. Our architecture provides defence-in-depth, minimising privilege at every level of the CPS hierarchy, and both supports and adds integrity protection to legacy CPS protocols. We implement distributed capabilities in robotics and ICS demonstrators, and we show that our architecture adds negligible overhead to realistic integrations and can be implemented without significant modification to existing source code.
... Cyber-attacks on HVAC control systems (i.e., corruption of temperature sensor readings to affect critical control programs) are becoming possible due to increasing connectivity of buildings to external networks for supporting remote management and cloud-based analytics. For example, Building Automation and Control Networks (BACnet) [24], the most popular communication protocol for buildings, has been reported to have multiple vulnerabilities that can be used to launch cyber-attacks on building control systems [11]. Moreover, HVAC systems still need to provide services when under faults or attacks, as diagnosing the problems and fixing the sensors often takes a significant amount of time. ...
Preprint
Full-text available
As people spend up to 87% of their time indoors, intelligent Heating, Ventilation, and Air Conditioning (HVAC) systems in buildings are essential for maintaining occupant comfort and reducing energy consumption. Those HVAC systems in modern smart buildings rely on real-time sensor readings, which in practice often suffer from various faults and could also be vulnerable to malicious attacks. Such faulty sensor inputs may lead to the violation of indoor environment requirements (e.g., temperature, humidity, etc.) and the increase of energy consumption. While many model-based approaches have been proposed in the literature for building HVAC control, it is costly to develop accurate physical models for ensuring their performance and even more challenging to address the impact of sensor faults. In this work, we present a novel learning-based framework for sensor fault-tolerant HVAC control, which includes three deep learning based components for 1) generating temperature proposals with the consideration of possible sensor faults, 2) selecting one of the proposals based on the assessment of their accuracy, and 3) applying reinforcement learning with the selected temperature proposal. Moreover, to address the challenge of training data insufficiency in building-related tasks, we propose a model-assisted learning method leveraging an abstract model of building physical dynamics. Through extensive numerical experiments, we demonstrate that the proposed fault-tolerant HVAC control framework can significantly reduce building temperature violations under a variety of sensor fault patterns while maintaining energy efficiency.
... For this purpose, one possibility for the attacker is to declare to an SM that they have the best path towards the data concentrator [149], which is also known as a "hello flood attack". The BACnet protocol can also fall victim to this kind of threat because of I-am-router-to-network messages [150]. If the hello flood attack is made prior to a selective forwarding, the latter is easier and more harmful [151]. ...
Article
Full-text available
During the last decade, the smart grid (SG) concept has started to become a reality, mainly thanks to the technical progress achieved in telecommunications, informatics and power electronics, among other domains, leading to an evolution of the traditional electrical grid into an intelligent one. Nowadays, the SG can be seen as a system of smart systems that include cyber and physical parts from different technologies that interact with each other. In this context, intelligent buildings (IBs) constitute a paradigm in which such smart systems are able to guarantee the comfort of residents while ensuring an appropriate tradeoff of energy production and consumption by means of an energy management system (EMS). These interconnected EMSs remain the objective of potential cyber-attacks, which is a major concern. Therefore, this paper conducts a survey, from a multidisciplinary point of view, of some of the main security and privacy issues related to IBs as part of the SG, including an overview of EMS, smart meters, and the main communication networks employed to connect IBs to the overall SG. Future research directions towards a security enhancement from both technical and human perspectives are also provided.
... An analysis in 2003 by the Department of Commerce found some threats to building automation protocols such as BACnet. While most systems were not connected to the Internet, there was still backdoor access via modem connections to controllers [161]. The study also noted various attacks on passwords, confidentiality, integrity, Denial of Service, spoofing, and eavesdropping within a BACnet installation. ...
Preprint
Full-text available
As technology becomes more widely available, millions of users worldwide have installed some form of smart device in their homes or workplaces. These devices are often off-the-shelf commodity systems, such as Google Home or Samsung SmartThings, that are installed by end-users looking to automate a small deployment. In contrast to these "plug-and-play" systems, purpose-built Enterprise Internet-of-Things (E-IoT) systems such as Crestron, Control4, RTI, Savant offer a smart solution for more sophisticated applications (e.g., complete lighting control, A/V management, security). In contrast to commodity systems, E-IoT systems are usually closed source, costly, require certified installers, and are overall more robust for their use cases. Due to this, E-IoT systems are often found in expensive smart homes, government and academic conference rooms, yachts, and smart private offices. However, while there has been plenty of research on the topic of commodity systems, no current study exists that provides a complete picture of E-IoT systems, their components, and relevant threats. As such, lack of knowledge of E-IoT system threats, coupled with the cost of E-IoT systems has led many to assume that E-IoT systems are secure. To address this research gap, raise awareness on E-IoT security, and motivate further research, this work emphasizes E-IoT system components, E-IoT vulnerabilities, solutions, and their security implications. In order to systematically analyze the security of E-IoT systems, we divide E-IoT systems into four layers: E-IoT Devices Layer, Communications Layer, Monitoring and Applications Layer, and Business Layer. We survey attacks and defense mechanisms, considering the E-IoT components at each layer and the associated threats. In addition, we present key observations in state-of-the-art E-IoT security and provide a list of open research problems that need further research.