BACnet Security & Smart Building Botnets

    Presentation Transcript
    1. BACnet Security & Smart Building Botnets Steffen Wendzel Head of Secure Building Automation steffen.wendzel@fkie.fraunhofer.de Cyber Defense

    2. Smart Buildings? • Integrate a Building Automation System (BAS) for control, monitoring, management • Early systems: • pneumatic components (1950’s) • heating, ventilation, air-conditioning (HVAC) • Later: • first electronic components (60’s) • … and IT network components

    3. Smart Buildings? • Today: • Huge functionality spectrum • Integrated into “Internet of Things” • “Smart” • Respond to internal and external changes

    4. Smart Buildings: Goals • Energy saving • Reducing operating costs • Reducing the cost of churn • Enhanced life safety and security • Fast and effective service • Environmentally friendly

    5. Building Automation Systems: Security

    6. The Media

    7. … and the Reality?

    8. Smart Building A != Smart Building B

    9. How many are accessible online? • Nobody knows exactly! • Estimates exist • Malchow and Klick (2014) counted building automation environments • most were found in the US (circa 15.000) • of the BAS found, 9% were linked to known vulnerabilities • Alternative: local/regional BAS wardriving

    10. Security Aspects • First issues arose in the 1990s • Internet of Things increases security concerns • Attacks known from TCP/IP (e.g. spoofing) are easy to apply • Focus of vendors: security << functionality • Lack of security awareness • Legacy hardware and software (security measures cannot always be implemented) • Patchability problem • Insecure web interfaces / remote access

    11. Novel Attacks

    12. Data Leakage via BAS • (Un)intentional data leakage using remote connection of a BAS • via network covert channel • Connection used for legitimate purpose (administration of remote buildings) [Figure: sensor in the BAS network, BAS protocol, IP gateway, external (BAS) network or Internet, passive observer] Source: Wendzel, S., Kahler, B., Rist, T.: Covert Channels And Their Prevention In Building Automation Protocols: A Prototype Exemplified Using BACnet, Proc. CPSCom, IEEE, 2012.

    13. Data Leakage via BAS • Our Solution: Multi-level security BAS network architecture • Prototype already realized [Figure: sensor (CONFIDENTIAL) in the BAS network, BAS protocol, MLS-based routing, IP gateway with MLS filter, external (BAS) network or Internet, passive observer] Source: Wendzel, S., Kahler, B., Rist, T.: Covert Channels And Their Prevention In Building Automation Protocols: A Prototype Exemplified Using BACnet, Proc. CPSCom, IEEE, 2012.

    14. Smart Building Botnets (SBB) Short Definition: • A botnet consisting of BAS • bots placed either on control units • … or remote-control is directly performed (no bot necessary) • Utilize physical capabilities of BAS to perform malicious actions • no spam, no DoS, … • novel scenarios instead! Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.

    15. Smart Building Botnets (SBB) How to build it? • Search Shodan • Perform BAS Wardriving • GPS-enabled smartphones with malware Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.

    16. Example 1: Mass Surveillance Remote access to sensor data • Monitoring of sensor values and actuator states (temperature, presence, heating levels, …) • Who in a smart city goes so often to the bathroom each night and is probably ill? • When can a break-in attempt to a region be performed at the optimal moment? Where exactly? Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.

    17. Scenario 2: Oil / Gas Producer Conceivable regional attack • Slightly increase heating levels in smart buildings overnight • … to sell more oil or gas • Not easy to keep a low profile! • e.g. determining vacant rooms using observation Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.

    18. Network Communication in BAS: Network Protocols

    19. Various Protocols Exist • Closed Protocols / Open Protocols • EIB/KNX, LONtalk, BACnet are most widely used • We focus on BACnet …

    20. BACnet in a Nutshell Overview • Building Automation Control and Network (BACnet) • A leading protocol in BAS • (remote) control and management of smart buildings • monitoring of buildings and their associated devices • Data and communication of all devices specified in ISO-Standard 16-484-5 • Worldwide >>700 vendors

    21. BACnet in a Nutshell Comparison to OSI Layer Model • Defines four layers

    22. BACnet in a Nutshell NPDU • Network Protocol Data Unit (NPDU) carries the communication between all devices at the network layer • Control flow and address resolution are managed with Network Protocol Control Information (NPCI) • Opportunity to prioritize messages • Payload carried in the Network Service Data Unit (NSDU) • network message, e.g. Who-Is • contents of application action (APDU)

    23. BACnet in a Nutshell APDU • Application Protocol Data Unit (APDU) carries the communication between all devices at the application layer • Datagram type (PDU Type) and segmentation information are managed via Application Protocol Control Information (APCI) • Payload carried in the Service Request field • Request for / response to an application action of a device • encoded in ASN.1

    24. Behind the scenes --- a contribution by S. Szlósarczyk EXPLOITING BUILDING AUTOMATION PROTOCOLS

    25. Practical security flaws in BACnet • Authentication and encryption mechanisms are specified by the standard, but they are rarely implemented • Interrogation / scanning made possible • Large attack surface (few were already known before) • Smurf-like attack • Router Adv. Flooding • Traffic Redirection • DoS Re-Routing • Malformed Messages • Inconsistent Retransmissions

    26. Behind the scenes: Exploiting BAS Attacking scenario • Attacker Eve: Sends malformed or spoofed messages remotely to one or more devices in the BAS subnet • BACnet Broadcast Management Device (BBMD) routes all the messages to the corresponding destination device • Exploitation of device by Eve

    27. Behind the scenes: Exploiting BAS Smurf Attack • Eve spoofs Who-is-Router-to-Network messages with victim’s source address • Victim receives all the outgoing/incoming traffic from all devices in the subnet • Exploit: DoS if the number of messages becomes too large

    28. Behind the scenes: Exploiting BAS Traffic Redirection • Eve fakes selected Router-Available-to-Network messages • BBMD simply forwards all incoming and outgoing messages • Exploit: Eve receives ALL routed messages as the devices register her as “HOP”

    29. Our solution to prevent attacks: TRAFFIC NORMALIZATION

    30. Traffic Normalization Methodology • Eliminates ambiguities and protects devices against the described attacks, e.g. several types of Denial of Service (DoS) on the network layer • Can ensure standard-conforming network traffic • Ability to secure legacy systems which are not patchable • independent of any platform • can be integrated into each network protocol [Figure: normalizer placed between intranet and Internet] Source: S. Szlósarczyk, S. Wendzel et al.: Towards Suppressing Attacks on and Improving Resilience of Building Automation Systems, in Proc. GI Sicherheit, Vienna, 2014.

    31. Traffic Normalizer Traffic Normalization for BACnet • Developed a Snort extension for BACnet • Developed a Scapy-based BACnet protocol fuzzer • Realizing traffic normalization for BACnet/IP's network and application layer • New research project started with industry partner (funded by German BMBF) • "Building Automation Reliable Network Infrastructure" (BARNI) Source: S. Szlósarczyk, S. Wendzel et al.: Towards Suppressing Attacks on and Improving Resilience of Building Automation Systems, in Proc. GI Sicherheit, Vienna, 2014.
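
The NPDU fields from slide 22 and the conformance idea from slides 30 and 31, as an added example that is not the authors' Snort extension or any code from the presentation: a check that decodes the BVLC and NPCI headers of a BACnet/IP datagram and drops frames that are ambiguous or non-conforming. The function name, the rule set and the sample frames are assumptions constructed for illustration.

```python
import struct

NET_MSG = {0x00: "Who-Is-Router-To-Network", 0x01: "I-Am-Router-To-Network",
           0x04: "Router-Busy-To-Network", 0x05: "Router-Available-To-Network"}
PRIORITY = ("normal", "urgent", "critical-equipment", "life-safety")
NPDU_OFFSET = {0x0A: 4, 0x0B: 4, 0x04: 10}  # BVLC functions that carry an NPDU

def check_frame(data: bytes):
    """Return (verdict, detail) for one BACnet/IP UDP payload."""
    if len(data) < 4 or data[0] != 0x81:
        return "drop", "not a BACnet/IP BVLC header"
    func, length = data[1], struct.unpack("!H", data[2:4])[0]
    if length != len(data):
        return "drop", "BVLC length disagrees with datagram size"
    if func not in NPDU_OFFSET:
        return "pass", "BVLC function without NPDU, not inspected"
    p = NPDU_OFFSET[func]
    try:
        version, ctrl = data[p], data[p + 1]
        p += 2
        if version != 1:
            return "drop", "unknown NPDU version"
        if ctrl & 0x50:                      # bits 6 and 4 are reserved
            return "drop", "reserved NPCI control bits set"
        if ctrl & 0x20:                      # DNET(2) DLEN(1) DADR(DLEN)
            p += 3 + data[p + 2]
        if ctrl & 0x08:                      # SNET(2) SLEN(1) SADR(SLEN)
            if data[p + 2] == 0:
                return "drop", "source specifier with SLEN 0"
            p += 3 + data[p + 2]
        if ctrl & 0x20:
            p += 1                           # hop count follows the addresses
        first = data[p]                      # message type or first APDU octet
    except IndexError:
        return "drop", "truncated NPDU"
    prio = PRIORITY[ctrl & 0x03]
    if ctrl & 0x80:                          # NSDU is a network-layer message
        return "pass", "%s, priority %s" % (NET_MSG.get(first, hex(first)), prio)
    return "pass", "APDU type %d, priority %s" % (first >> 4, prio)

# Constructed sample frames (hex), not captured traffic
SAMPLES = {
    "who_is_router": "810b0007018000",
    "who_is_apdu":   "810b000c0120ffff00ff1008",
    "reserved_bit":  "810b000701c000",
    "bad_length":    "810b0009018000",
    "slen_zero":     "810a000a018800050005",
}
RESULTS = {n: check_frame(bytes.fromhex(h)) for n, h in SAMPLES.items()}
```

A check of this kind only enforces header well-formedness; it says nothing about whether the sender is entitled to announce itself as a router.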

    32. Supporting the Research Community: DISTRIBUTED BACnet TESTBED

    33. Distributed BACnet Testbed • Large inter-connection of autonomous BACnet environments • Consisting of virtual and real BAS components Source: J. Kaur et al.: A Cost-efficient building automation security testbed for educational purposes, poster at Securware, Lisbon, 2014 (to appear).

    34. Distributed BACnet Testbed • Why? • 1. research (traffic recordings, traffic analysis, DLP etc.) • 2. education (BACnet attack training and monitoring for students) • you can join! Source: J. Kaur et al.: A Cost-efficient building automation security testbed for educational purposes, poster at Securware, Lisbon, 2014 (to appear).

    35. SUMMARY

    36. Traffic Normalizer Summary • Our means to increase security in BAS: • Multi-level security and data leakage protection for building automation networks • Traffic normalizer for BACnet • Virtual inter-connected testbed for the research community

    37. Thank you for your kind attention! Our Expertise: • Secure Building Automation • Data Leakage Protection • Network Steganography/Network Covert Channels Steffen Wendzel, Head of Secure Building Automation, Cyber Security Department, Fraunhofer FKIE, steffen.wendzel@fkie.fraunhofer.de Personal website: http://www.wendzel.de