If you don’t already work in a “smart building,” chances are that you will soon. By 2025, more than 75% of new construction will fit this category—and that’s not counting existing buildings. Connecting building systems like heating, ventilation, air conditioning, lighting, physical access controls, and fire detection to the IP network can increase energy efficiency, health, comfort, and safety.

But smart building networks need security protections. An attack on a building controller can shut down heating in the middle of a cold winter. Tampering with environmental sensors can trigger alarms or automated actions that put life or property at risk. And attackers can use connected building automation systems as a foothold from which to reach business applications and critical data on the IT network.

BACnet wasn’t designed with security in mind

With an estimated 60% market share, BACnet is the most widely used building automation protocol in smart buildings, supported by more than 100 building systems vendors. But like other building protocols (e.g., KNX, LonWorks), BACnet was not designed with security in mind: in the deployments that dominate today, BACnet/IP messages carry no authentication and no encryption, so any host that can reach the segment can read and write to devices. It is therefore susceptible to denial of service, message spoofing, network reconnaissance, and other attacks.

We in Cisco’s IoT Security Research Lab just published a white paper explaining how BACnet works and where its security weaknesses lie. In this blog we summarize three approaches to detecting attacks on BACnet, with their pros and cons.

1) Intrusion detection using network telemetry

One approach is to study the size and number of packets flowing across the BACnet, Ethernet, and IP layers. Statistically comparing current network activity against a baseline learned from known-clean traffic helps identify certain types of attacks—for example, denial-of-service attacks that flood building systems so they can’t respond to real messages. But statistical measures of packet volume or frequency miss targeted attacks that use only a few messages. An example is an attack that manipulates a physical variable, such as the temperature setpoint in a regulated environment, with a single well-formed write.
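The following is an added example, not code from the white paper or from Cyber Vision. It implements the volume baseline described above on constructed BACnet/IP packet records (timestamp, source, service) and shows the two cases the paragraph contrasts: a Who-Is flood that deviates from the baseline by hundreds of standard deviations, and a single extra WriteProperty that stays inside normal variance. The baseline counts, addresses and packet rates are assumptions chosen for the example.

```python
"""Added example: z-score packet-rate detector for BACnet/IP traffic.
All traffic below is constructed; nothing comes from a real capture."""
from collections import Counter
from statistics import mean, pstdev

# Constructed baseline: per-second BACnet/IP packet counts observed on a
# quiet BMS segment during a known-clean learning period.
BASELINE_PPS = [12, 14, 11, 13, 15, 12, 13, 14, 12, 11] * 6

BMS_ADDR = "10.0.0.10"      # assumed address of the building management server
ROGUE_ADDR = "10.0.0.99"    # assumed address of an attacker on the same segment


def per_second_counts(packets, seconds):
    """Bucket (timestamp, src, service) records into per-second packet counts."""
    buckets = Counter(int(t) for t, _src, _svc in packets)
    return [buckets.get(s, 0) for s in range(seconds)]


def zscore_alerts(counts, baseline, threshold=4.0):
    """Return (second, count, z) for windows whose packet count deviates from
    the baseline mean by more than `threshold` standard deviations."""
    mu = mean(baseline)
    sigma = pstdev(baseline) or 1.0   # guard against a perfectly flat baseline
    alerts = []
    for second, count in enumerate(counts):
        z = (count - mu) / sigma
        if abs(z) > threshold:
            alerts.append((second, count, round(z, 1)))
    return alerts


def detect(packets, seconds, baseline=BASELINE_PPS):
    """Full pipeline: bucket the records, then compare each second to the baseline."""
    return zscore_alerts(per_second_counts(packets, seconds), baseline)


def normal_traffic(seconds, pps=13):
    """Constructed background: the BMS polls devices with ReadProperty at ~13 pkt/s."""
    return [(s + i / pps, BMS_ADDR, "readProperty")
            for s in range(seconds) for i in range(pps)]


# Scenario 1: a Who-Is broadcast storm of 1000 pkt/s during seconds 2..4.
FLOOD = normal_traffic(6) + [(2.0 + i / 1000, ROGUE_ADDR, "whoIs")
                             for i in range(3000)]

# Scenario 2: one extra WriteProperty at t=2.4 that changes a setpoint.
TARGETED = normal_traffic(6) + [(2.4, ROGUE_ADDR, "writeProperty")]

if __name__ == "__main__":
    print("flood alerts   :", detect(FLOOD, 6))      # seconds 2, 3, 4 flagged
    print("targeted alerts:", detect(TARGETED, 6))   # nothing flagged
```

The flood pushes the counts in seconds 2 through 4 to roughly 1013 packets against a baseline mean of 12.7, so it is flagged immediately; the targeted write raises one second's count from 13 to 14, which is about one standard deviation and invisible to this detector. That gap is exactly why the next two approaches look inside the messages.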

2) Using a rule-based induction algorithm

Another approach is to classify network flows as legitimate or not, using a rule-induction algorithm such as RIPPER. Training involves presenting the algorithm with many labeled legitimate and illegitimate BACnet messages—say, from the fire detection system. Learning from those examples, it builds rules that single out illegitimate flows by their features, such as source, destination, service, and timing. RIPPER’s shortcoming is that it can only detect attacks that change the expected flow behavior. An attack that keeps the normal flow pattern but alters the value carried in a BACnet WriteProperty message, for example, might slip through.

3) Creating rules from BACnet files

Instead of learning rules with machine learning (as described above), you can derive them from the information in a building system’s BACnet network specification and configuration files. These files specify which objects exist, which properties of each object are writable, the allowed values or ranges for those properties, and the services each device supports. Messages that fall outside these constraints are flagged as suspicious. The drawback? The rules have no process context. In a targeted attack, the attacker may be able to alter the physical process while keeping every message within the configured constraints.
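The following is an added example that serves both the flow-rule approach (2) and the configuration-derived approach (3); it is not code from the white paper, from Cyber Vision, or from any BACnet stack. It decodes a BACnet/IP WriteProperty request (BVLC + NPDU + APDU, the encoding defined in ASHRAE 135) and checks it twice: first with a flow-level rule of the kind a RIPPER-style classifier induces, which sees only addresses and service choice, then against a constructed allowlist of objects, writable properties, and value ranges standing in for what a configuration export would give. The addresses, object instances, and the 18–24 °C setpoint range are assumptions for the example; the frame builder exists only to construct sample input.

```python
"""Added example: decode a BACnet/IP WriteProperty and apply flow and spec rules.
Frames are constructed here; constants follow ASHRAE 135 encodings."""
import struct

OBJECT_TYPES = {0: "analog-input", 1: "analog-output", 2: "analog-value",
                3: "binary-input", 4: "binary-output", 5: "binary-value"}
TYPE_NUMBERS = {name: num for num, name in OBJECT_TYPES.items()}
PRESENT_VALUE = 85        # BACnet property identifier
WRITE_PROPERTY = 0x0F     # confirmed service choice
BMS_ADDR = "10.0.0.10"    # assumed: the only host permitted to write


def write_property_frame(obj, instance, value, invoke_id=1):
    """Construct a BACnet/IP frame: BVLC + NPDU + WriteProperty Confirmed-Request.
    float -> Real (application tag 4); int -> Enumerated (application tag 9)."""
    oid = (TYPE_NUMBERS[obj] << 22) | instance           # 10-bit type, 22-bit instance
    if isinstance(value, float):
        val = bytes([0x44]) + struct.pack(">f", value)   # tag 4, length 4
    else:
        val = bytes([0x91, value])                        # tag 9, length 1
    apdu = (bytes([0x00, 0x05, invoke_id, WRITE_PROPERTY])  # PDU type 0, max APDU 1476
            + bytes([0x0C]) + struct.pack(">I", oid)        # context tag 0: object id
            + bytes([0x19, PRESENT_VALUE])                  # context tag 1: property
            + bytes([0x3E]) + val + bytes([0x3F]))          # tag 3 open, value, close
    body = bytes([0x01, 0x04]) + apdu                       # NPDU v1, expecting reply
    return bytes([0x81, 0x0A]) + struct.pack(">H", 4 + len(body)) + body


def decode_write_property(frame):
    """Parse the layout above. Returns {service, object, property, value};
    raises ValueError on anything this minimal decoder does not handle."""
    if frame[:2] != b"\x81\x0A" or struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("not a well-formed Original-Unicast-NPDU frame")
    if frame[4] != 0x01 or frame[5] & 0x28:      # version 1; DNET/SNET bits clear
        raise ValueError("routed or unknown NPDU not handled here")
    apdu = frame[6:]
    if apdu[0] >> 4 != 0:
        raise ValueError("not a Confirmed-Request")
    msg = {"service": apdu[3]}
    if apdu[3] != WRITE_PROPERTY:
        return msg
    body = apdu[4:]
    if body[0] != 0x0C or body[5] != 0x19 or body[7] != 0x3E:
        raise ValueError("unexpected tag layout")
    oid = struct.unpack(">I", body[1:5])[0]
    msg["object"] = f"{OBJECT_TYPES.get(oid >> 22, oid >> 22)}:{oid & 0x3FFFFF}"
    msg["property"] = body[6]
    app_tag, vlen = body[8] >> 4, body[8] & 0x07
    raw = body[9:9 + vlen]
    if app_tag == 4:
        msg["value"] = struct.unpack(">f", raw)[0]
    elif app_tag in (2, 9):                      # Unsigned / Enumerated
        msg["value"] = int.from_bytes(raw, "big")
    else:
        raise ValueError(f"unsupported application tag {app_tag}")
    if body[9 + vlen] != 0x3F:
        raise ValueError("missing closing tag 3")
    return msg


def flow_verdict(src, msg):
    """Flow-level rule (approach 2): sees who talks to whom with which service,
    never the value carried. Stand-in for a learned rule; not RIPPER output."""
    if msg["service"] == WRITE_PROPERTY and src != BMS_ADDR:
        return "illegitimate"
    return "legitimate"


# Constructed allowlist (approach 3): object -> property -> (type, min, max).
SPEC = {"analog-value:1": {PRESENT_VALUE: (float, 18.0, 24.0)},   # room setpoint, degC
        "binary-output:3": {PRESENT_VALUE: (int, 0, 1)}}            # fan on/off


def spec_violations(msg):
    """Flag writes whose object, property or value fall outside SPEC."""
    if msg["service"] != WRITE_PROPERTY:
        return []
    props = SPEC.get(msg["object"])
    if props is None:
        return [f"unknown object {msg['object']}"]
    if msg["property"] not in props:
        return [f"property {msg['property']} not writable on {msg['object']}"]
    typ, lo, hi = props[msg["property"]]
    if not isinstance(msg["value"], typ) or not lo <= msg["value"] <= hi:
        return [f"value {msg['value']!r} outside {lo}..{hi} for {msg['object']}"]
    return []


def inspect(src, frame):
    """Run both checks; returns (flow verdict, list of spec violations)."""
    msg = decode_write_property(frame)
    return flow_verdict(src, msg), spec_violations(msg)


# Constructed scenarios against the room setpoint analog-value:1.
NORMAL = inspect(BMS_ADDR, write_property_frame("analog-value", 1, 21.0))
ROGUE = inspect("10.0.0.99", write_property_frame("analog-value", 1, 21.0))
OUTRANGE = inspect(BMS_ADDR, write_property_frame("analog-value", 1, 60.0))
UNKNOWN = inspect(BMS_ADDR, write_property_frame("binary-output", 7, 1))
SUBTLE = inspect(BMS_ADDR, write_property_frame("analog-value", 1, 23.5))
```

Reading the four cases together: the rogue host writing from an unexpected address is caught by the flow rule but passes the spec check, because the value is valid; the 60 °C write and the write to an object absent from the configuration pass the flow rule but fail the spec check. The last case, a 23.5 °C setpoint sent from the BMS address (a compromised BMS, or a spoofed source, since BACnet/IP does not authenticate senders), passes both, even though it silently moves the room away from its intended 21 °C. That is the missing process context the paragraph above describes.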

A look forward

All three intrusion-detection approaches summarized here are good at catching “noisy” BACnet attacks such as denial of service. They are less effective against targeted attacks that alter a physical process with a handful of well-formed messages, because none of them reasons about what the process should be doing. The global cybersecurity community is working on solutions.

In the meantime, you can start strengthening security now by monitoring system activities with a solution like Cisco Cyber Vision. Seeing how building automation systems connect to your networks lets you isolate them from your IT domain. And by establishing a baseline for system behavior, Cyber Vision can detect anomalies and trigger alarms so that staff can take immediate action.

To learn more on BACnet security, have a look at our research white paper.

For more technical reports on IoT/OT Security, visit the IoT Security Research Lab web page and subscribe to the Cisco IoT Security Newsletter.