1 / 38

BACnet Security & Smart Building Botnets

BACnet Security & Smart Building Botnets. Steffen Wendzel Head of Secure Building Automation. steffen.wendzel@fkie.fraunhofer.de. Cyber Defense. Smart Buildings?. Integrate a Building Automation System (BAS) for control, monitoring, management Early systems:

cruz-young
Download Presentation

BACnet Security & Smart Building Botnets

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. BACnet Security &Smart Building Botnets Steffen Wendzel Head of Secure Building Automation steffen.wendzel@fkie.fraunhofer.de Cyber Defense

  2. Smart Buildings? • Integrate a Building Automation System (BAS) for control, monitoring, management • Early systems: • pneumatic components (1950’s) • heating, ventilation, air-conditioning (HVAC) • Later: • first electronic components (60’s) • … and IT network components

  3. Smart Buildings? • Today: • Huge functionality spectrum • Integrated into “Internet of Things” • “Smart” • Respond to internal and external changes

  4. Smart Buildings: Goals • Energy saving • Reducing operating costs • Reducing the cost of churn • Enhanced life safety and security • Fast and effective service • Environmental friendly

  5. Building Automation Systems: Security

  6. The Media

  7. … and the Reality?

  8. Smart Building A != Smart Building B

  9. How many are online accessible? • Nobody knows exactly! • Estimations exist • Malchow and Klick (2014) counted building automation environments • most were found in the US (circa 15.000) • of the found BAS, 9% were linked to known vulnerabilities • Alternative: local/regional BAS wardriving

  10. Security Aspects • First issues arose in the 1990‘s • Internet of Things increases security concerns • Easy to apply attacks known from TCP/IP (e.g. spoofing) • Focus of vendors: security << functionality • Lack of security awareness • Legacy hard- and software (security means are not always implementable) • Patchability problem • Insecure web-interfaces / remote access

  11. NovelAttacks

  12. Data Leakage via BAS • (Un)intentional data leakage using remote connection of a BAS • via network covert channel • Connection used for legitimate purpose (administration of remote buildings) BAS Network BAS Protocol External (BAS) Network or Internet IP Gateway Sensor Passive Observer Source: Wendzel, S., Kahler, B., Rist, T.: Covert Channels And Their Prevention In Building Automation Protocols: A Prototype Exemplified Using BACnet, Proc. CPSCom, IEEE, 2012.

  13. Data Leakage via BAS • Our Solution: Multi-level security BAS network architecture • Prototype already realized BAS Network IP Gateway MLS Filter BAS Protocol External (BAS) Network or Internet MLS-based Routing Sensor (CONFIDENTIAL) Passive Observer Source: Wendzel, S., Kahler, B., Rist, T.: Covert Channels And Their Prevention In Building Automation Protocols: A Prototype Exemplified Using BACnet, Proc. CPSCom, IEEE, 2012.

  14. Smart Building Botnets (SBB) Short Definition: • A botnet consisting of BAS • bots placed either on control units • … or remote-control is directly performed (no bot necessary) • Utilize physical capabilities of BAS to perform malicious actions • no spam, no DoS, … • novel scenarios instead! Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.

  15. Smart Building Botnets (SBB) How to build it? • Search Shodan • Perform BAS Wardriving • GPS-enabled smartphones with malware Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.

  16. Example 1: Mass Surveillance Remote access to sensor data • Monitoring of sensor values and actuator states (temperature, presence, heating levels, …) • Who in a smart city goes so often to the bathroom each night and is probably ill? • When can a break-in attempt to a region be performed at the optimal moment? Where exactly? Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.

  17. Scenario 2: Oil / Gas Producer Thinkable regional attack • Slightly increase heating levels in smart buildings over night • … to sell more oil or gas • Not easy to keep a low profile! • e.g. determining vacant rooms using observation Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.

  18. Network Communication in BAS: Network Protocols

  19. Various Protocols Exist • Closed Protocols / Open Protocols • EIB/KNX, LONtalk, BACnet are most widely used • We focus on BACnet …

  20. BACnet in a Nutshell Overview • Building Automation Control and Network (BACnet) • A leading protocol in BAS • (remote) control and management of smart buildings • monitoring of buildings and according devices • Data and communication of all devices specified in ISO-Standard 16-484-5 • Worldwide >>700 vendors

  21. BACnet in a Nutshell Comparison to OSI Layer Model • Defines four layers

  22. BACnet in a Nutshell NPDU • Network Protocol Data Unit (NPDU) serves for communication of all the devices on network layer • Control flow and address resolution are managed with Network Protocol Control Information (NPCI) • Opportunity to prioritize messages • Payload depicted in Network Service Data Unit (NSDU) • network message, e.g. Who-Is • contents of application action (APDU)

  23. BACnet in a Nutshell APDU • Application Protocol Data Unit (APDU) serves for communication of all the devices on application layer • Datagram type (PDU Type) and segmentation information are managed via Application Protocol Control Information (APCI) • Payload depicted in Service Request field • Request /response for / of application action of a device • encoded in ASN.1

  24. Behind the scenes --- a contribution by S. Szlósarczyk EXPLOITING BUILDING AUTOMATION PROTOCOLS

  25. Practical security flaws in BACnet • Authentication and encryption means are specified by the standard, nevertheless they are rarely implemented • Interrogation / scanning made possible • Large attack surface (few were already known before) • Smurf-like attack • Router Adv. Flooding • Traffic Redirection • DoS Re-Routing • Malformed Messages • Inconsistent Retransmissions

  26. Behind the scenes: Exploiting BAS Attacking scenario • Attacker Eve: Sends malformed or spoofed messages remotely to one or more devices in the BAS subnet • BACnet Broadcast Management Device (BBMD) routes all the messages to the corresponding destination device • Exploitation of device by Eve

  27. Behind the scenes: Exploiting BAS Smurf Attack • Eve spoofs Who-is-Router-to-Network messages with victim’s source address • Victim receives all the outgoing/incoming traffic from all devices in the subnet • Exploit: DoS in the case of a too large amount of messages

  28. Behind the scenes: Exploiting BAS Traffic Redirection • Eve fakes selected Router-Available-to-Network messages • BBMD simply forwards all incoming and outgoing messages • Exploit: Eve receives ALL routed messages as the devices register her as “HOP”

  29. Our solution to prevent attacks: TRAFFIC NORMALIZATION

  30. Intranet Internet Traffic Normalization Methodology • Eliminates ambiguities and prevents devices of proposed attacks, e.g. several types of Denial of Service (DoS) on network layer • Can ensure standard conforming network traffic • Ability to secure legacy systems which are not patchable • independent of any platform • can be integrated into each network protocol Normalizer Source: S. Szlósarczyk, S. Wendzel et al.: Towards Suppressing Attacks on and Improving Resilience of Building Automation Systems, in Proc. GI Sicherheit, Vienna, 2014.

  31. Traffic Normalizer Traffic Normalization for BACnet • Developed a Snort extension for BACnet • Developed a Scapy-based BACnet protocol fuzzer • Realizing traffic normalization for BACnet/IP‘s network and application layer • New research project started with industry partner (funded by German BMBF) • „Building Automation Reliable Network Infrastructure“ (BARNI) Source: S. Szlósarczyk, S. Wendzel et al.: Towards Suppressing Attacks on and Improving Resilience of Building Automation Systems, in Proc. GI Sicherheit, Vienna, 2014.

  32. Supporting the Research Community: DISTRIBUTED BACnet TESTBED

  33. Distributed BACnet Testbed • Large inter-connection of autonomous BACnet environments • Consisting of virtual and real BAS components Source: J. Kaur et al.: A Cost-efficient building automation security testbed for educational purposes, poster at Securware, Lisbon, 2014 (to appear).

  34. Distributed BACnet Testbed • Why? • 1. research (traffic recordings, traffic analysis, DLP etc.) • 2. education (BACnet attack training and monitoring for students) • you can join! Source: J. Kaur et al.: A Cost-efficient building automation security testbed for educational purposes, poster at Securware, Lisbon, 2014 (to appear).

  35. SUMMARY

  36. Traffic Normalizer Summary • Our means to increase security in BAS: • Multi-level security and data leakage protectionfor building automation networks • Traffic normalizer for BACnet • Virtual Inter-connected testbed forthe research community

  37. Thank you for your kind attention! Our Expertise: • Secure Building Automation • Data LeakageProtection • Network Steganography/Network Covert Channels Steffen WendzelHead of Secure Building AutomationCyber Security Department Fraunhofer FKIEsteffen.wendzel@fkie.fraunhofer.de Personal website: http://www.wendzel.de

More Related