BACnet Security & Smart Building Botnets
![Page 1: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/1.jpg)
© Cyber Defense Research Group, Fraunhofer FKIE
Steffen Wendzel
Head of Secure Building Automation
BACnet Security & Smart Building Botnets
Cyber Defense
![Page 2: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/2.jpg)
Smart Buildings?
Integrate a Building Automation System (BAS) for control, monitoring, management
Early systems:
pneumatic components (1950’s)
heating, ventilation, air-conditioning (HVAC)
Later:
first electronic components (60’s)
… and IT network components
![Page 3: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/3.jpg)
Smart Buildings?
Today:
Huge functionality spectrum
Integrated into “Internet of Things”
“Smart”
Respond to internal and external changes
![Page 4: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/4.jpg)
Smart Buildings: Goals
Energy saving
Reducing operating costs
Reducing the cost of churn
Enhanced life safety and security
Fast and effective service
Environmentally friendly
![Page 5: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/5.jpg)
Building Automation Systems: Security
![Page 6: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/6.jpg)
© Cyber Defense Research Group, Fraunhofer FKIE
The Media
![Page 7: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/7.jpg)
… and the Reality?
![Page 8: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/8.jpg)
Smart Building A != Smart Building B
![Page 9: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/9.jpg)
How many are accessible online?
Nobody knows exactly!
Estimations exist
Malchow and Klick (2014) counted building automation environments
most were found in the US (circa 15,000)
of the BAS found, 9% were linked to known vulnerabilities
Alternative: local/regional BAS wardriving
![Page 10: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/10.jpg)
Security Aspects
First issues arose in the 1990s
Internet of Things increases security concerns
Easy to apply attacks known from TCP/IP (e.g. spoofing)
Focus of vendors: security << functionality
Lack of security awareness
Legacy hardware and software (security measures cannot always be implemented)
Patchability problem
Insecure web-interfaces / remote access
![Page 11: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/11.jpg)
Novel Attacks
![Page 12: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/12.jpg)
Data Leakage via BAS
(Un)intentional data leakage over the remote connection of a BAS
via a network covert channel
Connection used for legitimate purpose (administration of remote buildings)
[Figure labels: BAS Network, Sensor, IP Gateway, BAS Protocol, External (BAS) Network or Internet, Passive Observer]
Source: Wendzel, S., Kahler, B., Rist, T.: Covert Channels And Their Prevention In Building Automation Protocols: A Prototype Exemplified Using BACnet, Proc. CPSCom, IEEE, 2012.
![Page 13: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/13.jpg)
Data Leakage via BAS
Our Solution: Multi-level security BAS network architecture
Prototype already realized
[Figure labels: BAS Network, Sensor (CONFIDENTIAL), IP Gateway, MLS Filter, MLS-based Routing, BAS Protocol, External (BAS) Network or Internet, Passive Observer]
Source: Wendzel, S., Kahler, B., Rist, T.: Covert Channels And Their Prevention In Building Automation Protocols: A Prototype Exemplified Using BACnet, Proc. CPSCom, IEEE, 2012.
![Page 14: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/14.jpg)
Smart Building Botnets (SBB)
Short Definition:
A botnet consisting of BAS
bots placed either on control units
… or remote-control is directly performed (no bot necessary)
Utilize physical capabilities of BAS to perform malicious actions
no spam, no DoS, …
novel scenarios instead!
Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.
![Page 15: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/15.jpg)
Smart Building Botnets (SBB)
How to build it?
Search Shodan
Perform BAS Wardriving
GPS-enabled smartphones with malware
Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.
![Page 16: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/16.jpg)
Example 1: Mass Surveillance
Remote access to sensor data
Monitoring of sensor values and actuator states (temperature, presence, heating levels, …)
Who in a smart city goes to the bathroom so often each night that they are probably ill?
When is the optimal moment for a break-in attempt in a region? Where exactly?
Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.
![Page 17: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/17.jpg)
Scenario 2: Oil / Gas Producer
Conceivable regional attack
Slightly increase heating levels in smart buildings overnight
… to sell more oil or gas
Not easy to keep a low profile!
e.g. determining vacant rooms using observation
Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.
![Page 18: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/18.jpg)
![Page 19: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/19.jpg)
Network Communication in BAS: Network Protocols
![Page 20: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/20.jpg)
Various Protocols Exist
Closed Protocols / Open Protocols
EIB/KNX, LONtalk, BACnet are most widely used
We focus on BACnet …
![Page 21: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/21.jpg)
BACnet in a Nutshell: Overview
Building Automation Control and Network (BACnet)
A leading protocol in BAS
(remote) control and management of smart buildings
monitoring of buildings and their devices
Data and communication of all devices specified in ISO-Standard 16-484-5
Worldwide >>700 vendors
![Page 22: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/22.jpg)
BACnet in a Nutshell: Comparison to OSI Layer Model
Defines four layers
![Page 23: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/23.jpg)
BACnet in a Nutshell: NPDU
The Network Protocol Data Unit (NPDU) carries the communication of all devices on the network layer
Control flow and address resolution are managed with Network Protocol Control Information (NPCI)
Opportunity to prioritize messages
Payload is carried in the Network Service Data Unit (NSDU)
network message, e.g. Who-Is
contents of application action (APDU)
![Page 24: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/24.jpg)
BACnet in a Nutshell: APDU
The Application Protocol Data Unit (APDU) carries the communication of all devices on the application layer
Datagram type (PDU Type) and segmentation information are managed via Application Protocol Control Information (APCI)
Payload is carried in the Service Request field
Request for / response of an application action of a device
encoded in ASN.1
![Page 25: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/25.jpg)
EXPLOITING BUILDING AUTOMATION PROTOCOLS
Behind the scenes --- a contribution by S. Szlósarczyk
![Page 26: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/26.jpg)
Practical security flaws in BACnet
Authentication and encryption means are specified by the standard, nevertheless they are rarely implemented
Interrogation / scanning made possible
Large attack surface (few were already known before)
Smurf-like attack
Router Adv. Flooding
Traffic Redirection
DoS Re-Routing
Malformed Messages
Inconsistent Retransmissions
![Page 27: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/27.jpg)
Behind the scenes: Exploiting BAS (Attack scenario)
Attacker Eve: Sends malformed or spoofed messages remotely to one or more devices in the BAS subnet
BACnet Broadcast Management Device (BBMD) routes all the messages to the corresponding destination device
Exploitation of device by Eve
![Page 28: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/28.jpg)
Behind the scenes: Exploiting BAS (Smurf Attack)
Eve spoofs Who-is-Router-to-Network messages with victim’s source address
Victim receives all the outgoing/incoming traffic from all devices in the subnet
Exploit: DoS if the amount of messages is too large
![Page 29: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/29.jpg)
Behind the scenes: Exploiting BAS (Traffic Redirection)
Eve fakes selected Router-Available-to-Network messages
BBMD simply forwards all incoming and outgoing messages
Exploit: Eve receives ALL routed messages as the devices register her as “HOP”
![Page 30: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/30.jpg)
Our solution to prevent attacks: TRAFFIC NORMALIZATION
![Page 31: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/31.jpg)
Traffic Normalization: Methodology
Eliminates ambiguities and protects devices from the presented attacks, e.g. several types of Denial of Service (DoS) on the network layer
Can ensure standard conforming network traffic
Ability to secure legacy systems which are not patchable
independent of any platform
can be integrated into each network protocol
[Figure labels: Internet, Normalizer, Intranet]
Source: S. Szlósarczyk, S. Wendzel et al.: Towards Suppressing Attacks on and Improving Resilience of Building Automation Systems, in Proc. GI Sicherheit, Vienna, 2014.
![Page 32: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/32.jpg)
Traffic Normalization for BACnet
Developed a Snort extension for BACnet
Developed a Scapy-based BACnet protocol fuzzer
Realizing traffic normalization for the network and application layer of BACnet/IP
New research project started with industry partner (funded by German BMBF)
"Building Automation Reliable Network Infrastructure" (BARNI)
[Figure label: Traffic Normalizer]
Source: S. Szlósarczyk, S. Wendzel et al.: Towards Suppressing Attacks on and Improving Resilience of Building Automation Systems, in Proc. GI Sicherheit, Vienna, 2014.
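
The NPDU parsing and network-layer normalization described on the slides, as an added Python example (not code from the talk or from the authors' Snort extension): it checks the BVLC header and NPCI for standard conformance and drops malformed frames, Router-Available-to-Network messages from hosts outside a router allowlist, and excess Who-Is-Router-to-Network requests. The allowlist, the rate limit, the function names and the sample datagrams are assumptions made for this example.

```python
import struct

# Network-layer message types named on the slides (values as assigned in the BACnet standard)
WHO_IS_ROUTER, ROUTER_AVAILABLE = 0x00, 0x05
BVLC_NPDU_FUNCS = {0x0A, 0x0B}  # Original-Unicast-NPDU, Original-Broadcast-NPDU

def parse_npdu(frame: bytes) -> dict:
    """Parse BVLC header and NPCI of one BACnet/IP datagram; ValueError if malformed."""
    if len(frame) < 6:
        raise ValueError("truncated frame")
    bvlc_type, func, length = struct.unpack("!BBH", frame[:4])
    if bvlc_type != 0x81 or func not in BVLC_NPDU_FUNCS:
        raise ValueError("unsupported BVLC type/function")
    if length != len(frame):
        raise ValueError("BVLC length does not match datagram size")
    version, control = frame[4], frame[5]
    if version != 0x01 or control & 0x50:  # control bits 6 and 4 are reserved
        raise ValueError("bad NPDU version or reserved control bits")
    pos = 6
    for present in (control & 0x20, control & 0x08):  # destination, then source
        if present:
            if pos + 3 > len(frame):
                raise ValueError("truncated network address")
            pos += 3 + frame[pos + 2]  # 2-byte network, 1-byte length, address
    pos += 1 if control & 0x20 else 0  # hop count follows a destination
    msg_type = None
    if control & 0x80:  # NSDU is a network-layer message, not an APDU
        if pos >= len(frame):
            raise ValueError("missing network message type")
        msg_type, pos = frame[pos], pos + 1
    if pos > len(frame):
        raise ValueError("NPCI runs past end of frame")
    return {"priority": control & 0x03, "net_msg": msg_type, "nsdu": frame[pos:]}

def normalize(frame, src_ip, routers, state, now, limit=5, window=1.0):
    """Decide 'forward' or 'drop:<reason>' for one datagram (policy is an assumption)."""
    try:
        npdu = parse_npdu(frame)
    except ValueError as exc:
        return f"drop:malformed ({exc})"
    if npdu["net_msg"] == ROUTER_AVAILABLE and src_ip not in routers:
        return "drop:router message from non-router"
    if npdu["net_msg"] == WHO_IS_ROUTER:  # bound replies aimed at the claimed source
        recent = [t for t in state.get(src_ip, []) if now - t < window]
        state[src_ip] = recent + [now]
        if len(recent) >= limit:
            return "drop:who-is-router rate limit"
    return "forward"

# Constructed sample datagrams (not captured traffic)
WHO_IS_ROUTER_FRAME = bytes.fromhex("810b0007018000")
ROUTER_AVAILABLE_FRAME = bytes.fromhex("810b0007018005")
BAD_LENGTH_FRAME = bytes.fromhex("810b0009018000")
WHO_IS_APDU_FRAME = bytes.fromhex("810b000801001008")
```

The rate limit is keyed on the claimed source address because, in the Smurf-like case, that address is the victim that would receive the replies.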
![Page 33: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/33.jpg)
DISTRIBUTED BACnet TESTBED
Supporting the Research Community:
![Page 34: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/34.jpg)
Distributed BACnet Testbed
Large inter-connection of autonomous BACnet environments
Consisting of virtual and real BAS components
Source: J. Kaur et al.: A Cost-efficient building automation security testbed for educational purposes, poster at Securware, Lisbon, 2014 (to appear).
![Page 35: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/35.jpg)
Distributed BACnet Testbed
Why?
1. research (traffic recordings, traffic analysis, DLP etc.)
2. education (BACnet attack training and monitoring for students)
you can join!
Source: J. Kaur et al.: A Cost-efficient building automation security testbed for educational purposes, poster at Securware, Lisbon, 2014 (to appear).
![Page 36: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/36.jpg)
SUMMARY
![Page 37: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/37.jpg)
Summary
Our means to increase security in BAS:
Multi-level security and data leakage protection for building automation networks
Traffic normalizer for BACnet
Virtual inter-connected testbed for the research community
[Figure label: Traffic Normalizer]
![Page 38: BACnet Security & Smart Building Botnets](https://reader036.fdocuments.us/reader036/viewer/2022062321/5681377c550346895d9f16e3/html5/thumbnails/38.jpg)
Thank you for your kind attention!
Our Expertise:
Secure Building Automation
Data Leakage Protection
Network Steganography/Network Covert Channels
Steffen Wendzel Head of Secure Building Automation Cyber Security Department Fraunhofer FKIE [email protected]
Personal website:
http://www.wendzel.de