Building Automation (In)Security

visibility | detection | control

Building Automation

(In)Security

Dr. Elisa Costante – Head of Research

Dr. Mario Dagrada – Senior Security Researcher

Proprietary & Confidential – www.secmatters.com 2Proprietary & Confidential – www.secmatters.com 2

SecurityMatters

University Spin-off

Located in Eindhoven

Security for ICS

visibility and detection for OT

networks

INDUSTRIAL CYBER RESILIENCE


About Smart Buildings


Building Automation Systems (BAS)


A look ahead: Smart Cities

visibility | detection | control

but…


November 8, 2016 14:20


Why attacking Smart Buildings

CRITICAL BUILDINGS LEGACY SYSTEMS CONNECTIVITY

airports

data centers

hospitals & public spaces

60% of buildings have systems that are 20 years old

no encryption

no authentication

more connection = more vulnerabilities

default open ports

default passwords


Building Automation Networks (simplified)

SURVEILLANCEACCESS CONTROLHVAC

Workstation Engineering Workstation Building Management System

HMI HMI

Building Controller

BuildingController

Network Video Recorder

RoomControllers

RoomControllers

IP-Cameras

MAN

AG

EM

EN

TAU

TO

MATIO

NFIE

LD

IP-protocols:BACnet/IP, HTTP, FTP, RTP

Field Protocols (IP & non-IP): Modbus, LonTalk, BACnet MS/TP, KNX

Streaming Software

I/O connections


Examples of Attack & Defense scenarios


HVAC

Thermostats and IoT devices can be used as entry point for data exfiltration(1,2)

Increased temperature can damage data centers and labs

ATTACK

DEFENSE

1. http://www.businessinsider.de/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4?r=UK&IR=T2. https://www.darkreading.com/risk/security-guard-busted-for-hacking-hospitals-hvac-patient-information-computers/d/d-id/1131436

Detect changes critical variables

Identify IT/OT undesired communications

Identify IoT devices anomalous behavior

http://www.businessinsider.de/hackers-stole-a-casinos-database-through-a-thermometer-in-the-lobby-fish-tank-2018-4?r=UK&IR=T

https://www.darkreading.com/risk/security-guard-busted-for-hacking-hospitals-hvac-patient-information-computers/d/d-id/1131436


Surveillance System

Using IP-cameras as botnet(1)

Turning off cameras to cover malicious physical actions

Delete recordings that could serve as evidence

ATTACK

DEFENSE

Detect default credentials

Detect dangerous services (UPnP)

Detect dangerous operations (teardown)

1. https://safeandsavvy.f-secure.com/2018/04/25/researchers-find-way-to-generate-master-keys-to-hotels/


Hack like a movie-star: fact or fiction?


Surveillance system architecture

Network switch

Storage server Local monitoring

Network video recorder

Surveillance cameras

RTSP/RTP


Surveillance system protocols

RTSP

Real Time Streaming Protocol, usually over TCP

Designed to control stream parameters, not deliver the data

RTP

Real-time Transport Protocol, usually over UDP

Designed for real-time transfer of audio and video data

Secure version SRTP available, but rarely used



RTSP

Real Time Streaming Protocol, usually over TCP

Designed to control stream parameters, not deliver the data

RTP

Real-time Transport Protocol, usually over UDP

Designed for real-time transfer of audio and video data

Secure version SRTP available, but rarely used


RTSP: establishing connection

Camera uses the RTSP protocol to establish a TCP channel with the NVR


RTP: streaming

RTP protocol is used for the camera to stream audio and video to the NVR


RTSP: keep alive

The NVR continuously exchanges <get param> messages with the camera to keep the

connection alive


What happens on the network

Prerequisites:

• The attacker is inside the network

• Open source tools + simple scripting


Attack in action – man-in-the-middle & recording

videosnarf -i dahua-eavesdrop-traffic.pcapng && ffmpeg -i H264-media-1.264 footage.avi


Attack in action – break communication

if (ip.proto == TCP && tcp.dst == 554) {

if (search(DATA.data, "GET\_PARAMETER")) {

replace("GET_PARAMETER","TEARDOWN"); }

}


Attack in action– replay recorded footage

Replayed footage(viewed by the security officer)

Real footage (hidden to the security officer)


Building subsystems architecture

BACnet/IP

BACnet/MS/TP

BMS



BACnet

Nr. 1 protocol for building automation

Complex, object-oriented protocol

Used by several subsystems: HVAC, lightning…

Security rarely implemented


Spoofing attack

BACnet/IP

BACnet/MS/TP

BMS

Prerequisites:


• Knowledge of BACnet protocol (open spec) + simple scripting

router spoofing


Denial of Service attack

BACnet/IP

BACnet/MS/TP

BMS

Prerequisites:


• Knowledge of BACnet protocol (open spec) + simple scripting

whoisiam


DoS attack in practice

Prerequisites:


• Knowledge of BACnet + simple scripting

Router

BMS

Attacker

Switch


Attack Example

Prerequisites:


• Knowledge of BACnet + simple scripting


What we are busy with

ASSET

INVENTORY

NETWORK

MONITORING

gain visibility

know your devices

new hosts and links

indicators of compromise

ANOMALY

DETECTION

THREAT

HUNTING

raw network traffic actionable information


Key takeaways

Landscape Visibility Detection

• See what your network devices are doing

• Assess risks, threats and vulnerabilities

• Understand the current resilience state of your network

• Catch known and unknown threats

• Pinpoint weak spots and current inefficiencies

• Gather all evidence required for incident response

• Smart building rely on legacy systems with no security in mind

• Cyber risks for smart buildings are on the rise

• Building automation networks are vulnerable


?

Q&A

visibility | detection | control @sec_matterssecuritymatters_bv

www.secmatters.com

[email protected]

[email protected]

Building Automation (In)Security

Documents

Transcript of Building Automation (In)Security