Embedded Security for Modern Building Automation Systems

Transcription

1 Embedded Security for Modern Building Automation Systems Daniel Höttges, ESCRYPT GmbH Embedded Security, Bochum, Germany Marko Wolf, ESCRYPT GmbH Embedded Security, München, Germany Digitalization and networking of building automation systems has become a major area of interest in recent years. Today, many manufacturers offer systems that allow for remote administration and monitoring via Internet. With the increased availability of these Internet-enabled systems also researchers and hackers started trying to find and exploit security weaknesses. This paper gives some examples of attacks that have been conducted successfully on building automation systems and explains common security threats for modern building automation systems. It further provides an overview of security measures that can be applied in modern building automation systems to increase their security and safety. Embedded Security for Modern Building Automation Systems Daniel Höttges & Marko Wolf Digitalization and networking of building automation systems has become a major area of interest in recent years. Today, many manufacturers offer systems that allow for remote administration and monitoring via Internet. With the increased availability of these Internet-enabled systems also researchers and hackers started trying to find and exploit security weaknesses. This paper gives some examples of attacks that have been conducted successfully on building automation systems and explains common security threats for modern building automation systems. It further provides an overview of security measures that can be applied in modern building automation systems to increase their security and safety.

2 1 Introduction & Motivation Building automation has been used in non-residential buildings for many years. Typical applications are the automated control of heating, ventilation and air conditioning (HVAC) or lighting and access systems. Building automation increases a buildings efficiency, safety and security and allows for an increased comfort while cutting operating costs. As shown in Figure 2, such building automation systems usually contain a central backbone network to which multiple field networks can be connected using interconnection devices. Each field network itself consists of several embedded sensors, actuators and controllers that provide automation functionality for individual rooms or floors. Maintenance and surveillance capabilities of such systems are realized by central management devices that are connected to the backbone. Additionally the backbone network can allow for an Internet connection to enable remote administration by maintenance personnel, system manufacturers or end users. In recent years, due to lowered costs and decreased system complexity, similar systems have become affordable also for the automation of residential buildings. This new and trending market of home automation systems benefits from the widespread availability of smartphones and tablets. These mobile devices offer the required connectivity (e.g., Bluetooth, WiFi or Internet) to administrate and control the home automation systems remotely. Furthermore they allow for implementing graphical user interfaces and control applications ( apps ) that are easy to use even for non-professional private users. More complex administrative functions like firmware updates or adjustment of critical system parameters can often be performed remotely by the manufacturer, thereby decreasing maintenance complexity for end users and reducing error sources. The current trend towards computerization and the so-called Internet of Things results in more and more building automation systems that provide various digital interfaces and (remote) network connectivity. These new connected devices thereby slowly blend with existing traditional IT systems like desktops or servers. At the same time these systems are now facing security threats that are already well-known in today s IT world but new to building automation systems. Digitalization and network connectivity does hence not only provide increased comfort and simplicity of usage, but can also result in new security risks. So far appropriate security measures are often only badly applied or completely missing. Compared to traditional IT systems, attacks on building automation systems can have worse consequences, since these systems are capable of interacting with the physical world and can thus cause physical damages when malfunctioning. A security exploit in such systems may not only lead to a severe loss of reputation, but can also inflict critical financial, operational, safety, or even health damage. Figure 1: Software-based, digitally connected home automation control unit that processes the input signals from several distributed sensors to control a (distributed) heating system again using different digital communication channels. Photo by Chixoy / CC-BY-SA 3.0

3 The followings sections provide an overview on security threats for today s building automation systems and measures that can be implemented to resist them. 2 Embedded Security Threats for Modern Building Automation Systems Whenever systems or devices are provided with digital network connectivity they are usually also facing an increased threat potential due to remote attacks originating from the connected networks. This new connectivity removes the requirement to have physical access to the attacked target from the adversary. Consequently, this loss of a very efficient attack barrier of accessibility significantly increases the number of potential attackers. However, the problem is not the remote connectivity itself, but the lack of correctly selected and implemented security measures to protect it. In fact, during most developments, security is often considered as a low-priority topic, which mainly increases complexity and costs while (at least on the first look) provides no obvious benefit. The reduced efforts and costs by omitting appropriate security protections, however, can quickly become negligible once the product is out in the field and subject to real-world attacks. In the following, we give a quick overview of some prominent examples of real-world building automation security incidents. Figure 2: Basic structure of a building automation system, which is formed by household appliances or multimedia systems that are used standalone, that means they do not interact with other local systems, but they provide remote connectivity either for remote maintenance or remote user control. Examples for such systems are smart TVs, Internet routers, video game consoles, or multimedia receivers. A first home automation security incident 1, which became publicly known in April 2013, revealed that insufficient data security protection can yield to critical real-world impacts and is no just academic theory. The affected target is a small-scale heat and power unit deployed in single-family houses. It can be connected to the Internet allowing home owners to remotely 1

4 control the whole heating system. The discovered security vulnerability made it possible for attackers to retrieve user passwords to access the remote control functionality in plain text. Even worse, it was also possible for attackers to access even system functions originally reserved for service technicians. These functions enabled the remote attackers to shut down the heating system and to adjust critical system parameters beyond safe values. Finally, all of the manufacturer s heating systems were connected to a dynamic online service, such that it was very easy for attackers to find and access these Internet-enabled heating systems. Due to the high risk for human safety, public authorities required an immediate protection solution, which forced the manufacturer to request all customers to temporarily disconnect their heating systems from the Internet and to wait for service technicians to install software security updates on site. Once updated, the customers were able to securely re-enable and use the connectivity based features of their heating systems. The damage caused by this incident is difficult to estimate but the following can be assumed: 1. Critical safety risk to customers with all corresponding legal consequences. 2. Massive financial damage as every system has to be updated on site by service technicians. 3. Massive reputational damage due to dissatisfied customers and prominent media coverage about this security incident. Another report 2 published in May 2013 revealed that in Germany hundreds of industry automation systems installed in thermal power plants, waterworks etc. were accessible via Internet without effective authentication mechanisms. Especially in such critical environments missing security measures are sensitive issues and may easily result in a severe risk for daily life. During Black Hat 2013 conference several briefings dealt with exploitation of such industrial and home automation systems, showing that researchers and attackers are focusing more and more on this area. Finally, Figure 3 shows a selection of concrete threats towards a generic building automation system installed in an arbitrary office building. The single field busses are represented by surveillance, HVAC, access control and passenger transport systems which are connected to a central routing network which is also used by workstations, servers and PCs to access the Internet. Here one can see that weaknesses within building automation systems may not only be a threat for automation equipment itself but may also be a threat towards other systems connected to the same network. It is important to note that exploitation of the router (e.g. the routing network) cannot be prevented by the connected building automation systems. However, if communication between building automation systems is secured, at least unauthorized access and manipulation of building automation devices and services can be prevented. In general, building automation systems might face the following security threats and should hence be provided with respective countermeasures. Misuse of implementation weakness Even functional correct implementations might contain security vulnerabilities that allow leakage or manipulation of critical information. Such vulnerabilities can either be caused by insecure implementations (e.g., buffer overflows) or by 2

5 insecure runtime environments that allow for side-channel attacks, enabling attackers to eavesdrop critical information. Wrong selection and use of security primitives Security algorithms or protocols might be employed to achieve security goals that they can either not provide or that they can only provide at an insufficient level (e.g., data encryption to enforce data authenticity). Also primitives might be setup with wrong or weak parameters (e.g., too short key lengths that allow brute-force attacks) or in an insecure protocol, such that the implementation might not reach the expected security goals. Figure 3: Selection of concrete threats towards building automation systems Algorithm- and protocol weakness A security algorithm or protocol might contain conceptual design errors or logical weakness that can be easily exploited by an attacker. Memory manipulation Program data or security data stored in volatile and non-volatile memory is replaced, modified, or deleted either offline using external programming tools or by replacing corresponding memory components, or online by malware, or dedicated hardware attacks (e.g., via JTAG) to achieve unauthorized system behavior. Counterfeits and product piracy Relevant system parts like controllers, memory chips, or even whole devices are physically exchanged with counterfeit parts or devices with different behavior. Despite from a loss of revenues this may also lead to further damage like loss of reputation, for example when the manufacturer of the original product is either blamed on purpose or for lack of better knowledge for consequential malfunctions and errors. Unauthorized software upgrades or downgrades Device software or firmware are replaced by an older, newer or customized version without authorization, for example, to exploit known security vulnerabilities or to circumvent license restrictions.

6 Infected user devices Building automation systems can often become connected to devices that are not under complete control of the building automation system (e.g., smartphones, desktops, USB sticks) that hence can already be infected malware, which in turn could infect the building automation system once they become connected. Eavesdropping Messages between two legitimate devices of the building automation system can be read by an attacker without authorization to gain insider knowledge, to steal know-how, or to do industry espionage. Tampering Messages between two legitimate devices of the building automation system can be manipulated by an attacker by adding, replacing, or removing data without being noticed. Replay attack Messages from legitimate devices of the building automation system are recorded and resent later by an attacker without being noticed. Man-in-the-middle attack An attacker hooks into the communication between two or more parties and intercepts, relays and replays messages, thereby pretending a direct communication towards the legitimate parties. Identity spoofing or theft An attacker spoofs or steals the identity of legitimate device of the building automation system to gain access to restricted data, functions or services. Denial-of-service Functions provided or communications between legitimate devices of the building automation system are deactivated or prevented, for instance, by overloading the communication channel with myriads of malicious requests. 3 Embedded Security Solutions for Modern Building Automation To counteract security threats like the ones described in the previous section a wide variety of protection measures can be applied. Fortunately, building automation systems do not necessarily have to implement all security measures but should employ a carefully selected subset of measures to meet the actual security requirements of manufacturers, operators, and customers. To find the necessary security measures, the chances and impacts of successful security exploitation in terms of reputational, financial, operational, safety, or health damage must be considered. The chances of such an event are evaluated in order to calculate the actual risk of such security threats. For example, a financial damage of with a chance of once in 10 years may be acceptable, while the same damage with a chance on almost every day is very likely to be inacceptable. This analysis allows for designing the smallest and most efficient (and hence cheapest) security concept possible while still maintaining an adequate security level (also known as economic security). In this context it has to be considered that attackers will usually search for the weakest link in a system. The application of strong encryption can for example become quickly useless if corresponding keys can easily be readout from software. This means that decisions require a holistic security analysis and design which covers all

7 parts of a system, for instance, hardware, software, protocols and all organizational policies and processes. The following list provides an overview about exemplary security protection measures that are applicable with today s building automation systems. Secure boot assures authenticity and integrity of the device software during bootstrap. This is achieved by having a cryptographic reference signature or hash of all relevant software, which is stored in a way that it is accessible only by the boot loader. During boot time, the boot loader then computes the cryptographic signature of the current system which is then verified against the stored reference signature. Only if this verification is successful the software is executed, otherwise the system will execute a predefined emergency function (e.g., error log or halt). However, it must be assured that boot loader and the reference signature are stored securely against unauthorized manipulations (tamper-resistant). Additionally, cryptographic keys must only be accessible by the boot loader itself. Hence, secure boot should be securely achieved by running at least the boot loader from secure hardware. Secure software downloads prevent attackers from installing non-authentic or even malicious software to a device. Comparable to the boot loader this can be achieved by providing software with a cryptographic signature that can only be computed by the original manufacturer. During installation the target system first verifies whether the signature matches the corresponding software or not. If this is the case, the software is installed, otherwise installation refused. As with secure boot, the installation routine and corresponding cryptographic material must be located in tamper-protected location to prevent circumvention of the signature verification function. In addition to software authenticity, secure software download can optionally ensure also software confidentiality by additional encryption of the original software to prevent, for instance, industry espionage or privacy attacks on the way from the developer site to the end device. Secure feature activation prevents attackers from unauthorized unlocking of pay-ondemand aftermarket device features. This can especially become a realistic security threat, if for instance; low-end and high-end systems are based on the same hardware platform where the actual range of functions solely relies on the individual software configuration. In case that the (aftermarket) feature configuration or activation is not sufficiently protected, users could buy cheap low-end devices and illegally convert them to high-end devices afterwards, causing a significant loss of earnings. Secure communication is applied to ensure multiple communication security goals at once. It provides entity authentication which ensures that a communication partner is indeed the one he pretends to be. Further, secure communication guarantees data authenticity that receivers are able to actually check if received data is the same data that was originally sent by the communication partner. Furthermore confidentiality of transmitted data can be preserved to prevent eavesdropping. Last but not least secure communication can provide countermeasures against a wide variety of attacks like replay or relay. Secure communication therefor can apply various cryptographic measures like authenticated data encryption, freshness counters and endpoint authentication protocols depending on the individual requirements.

8 Secure cryptography is the base for most other higher level security measures and requires special attention as a bad choice or bad application of cryptographic algorithms might quickly lead to severe security vulnerabilities. It is strongly advised to apply only well-established cryptographic algorithms and protocols that have been well-evaluated by the cryptographic community and which are recommended by well-known research institutions or public authorities. Despite from the cryptographic algorithms itself appropriate key lengths have to be chosen such that a compromise of the security concept within the systems lifetime is unlikely. In general, the system should be designed in a way that cryptographic algorithms and protocols can easily be exchanged in case severe cryptographic security vulnerabilities have been detected after the system has been deployed on the market. Additional care has to be taken what cryptographic principles are actually applied for which security goal. A common mistake is, for instance, encrypting data only while not securing its authenticity. Secure implementation assures that security issues are not caused by software security vulnerabilities like buffer overflows. Secure implementation are realized, for instance, by applying secure coding standards like code security reviews, code security testing, runtime security testing, and dedicated penetration testing. Additionally, security issues caused by implementations can be reduced by integrating only well-established security-test software libraries. This is especially recommended for cryptographic algorithms and protocols since in the past several vulnerabilities were often caused by badly implemented cryptography. Secure hardware like smartcards, security controllers, or secure memory assures authenticity and confidentially of stored data against software attacks and many physical attacks. Compared with regular hardware, secure hardware implements passive or active countermeasures that increase the effort for an attacker up to a level where it is economically unfeasibly to perform a certain attack. Additionally secure hardware might help to increase performance of computationally intensive cryptographic operations like data encryption algorithms 3. Organizational security assures all additional non-technical security measures to protect security-critical objects like root key by defining corresponding administrative security measures on an organizational level, for example by defining organizational security policies (e.g., access rights, password polices) and organizational security processes (e.g., how to securely create a root key). Compliance and correct application of these measures is assured by regular audits and regular employee / customer training. Usually organizational security has to be considered on the manufacturers and on the customer s side. The manufacturer has to assure, for instance, that central security relevant information (e.g., root keys) is not disclosed to unauthorized third parties while the customer has to assure that his system is properly configured (e.g., strong passwords) setting to prevent unauthorized access. Strong access control with fine-grained authorizations enforces the principle of least privilege and thereby assures that entities (i.e., users, devices, services, apps) may only access such information, processes, services or devices which they actually need to perform their tasks. Thereby, fault tolerance and resistance against intentional misbehavior or exploitation are highly increased. This is ideally supported by the need to know principle which additionally defines when access is permitted to an already authorized party. 3 cf. ESCRYPT Whitepaper Hardware Security Modules for Protecting Embedded Systems (2012)

9 Firewalls, intrusion detection, and security gateways are installed at network boundaries to separate networks with different access rights and different security levels. Thereby, they prevent, for instance, remote attackers located in external networks trying to access internal networks by analyzing in- and outgoing network traffic and dropping unauthorized or potentially malicious data immediately at network boundaries before the malicious inputs reach the internal network. In combination with a proper monitoring these firewalls can be extended to intrusion detection and response systems, which can early detect also more advanced attacks and enable activation of proper countermeasures. Security evaluation and certification assures that the applied security measures meet the required protection goals or corresponding security standards / protection profiles (if any). Hence, trustworthy, well-established external parties like officially certified security evaluation laboratories perform comprehensive theoretical and practical security analyses of the respective security solution in order indicated potential security gaps (if any) or, if everything is as required, issue corresponding security certificate. 4 Conclusion and Outlook Until now, building automation systems have not been widely exploited through critical security attacks. However, first reports on newly discovered security vulnerabilities show that connected digital building automation systems are no longer excluded from real-world security incidents. To prevent further reputational, financial, operational and or even health damage, it is hence strongly advised to implement effective security protections before critical security attacks become a mass phenomenon for building automation systems. Suitable countermeasures already exist and are already successfully applied in a wide variety of sensitive embedded systems, for instance, in the medical and automotive sector. Even though the initial costs for a security concept might seem to be uneconomic at first sight, but they can quickly pay off considering the potential cost and damage of a single security incident, since the cost of a resulting reputation loss and subsequent security updates (if possible at all) for millions of devices can easily outnumber the efforts required to implement a proper security solution. Contact & Further Information info@escrypt.com Web: ESCRYPT GmbH Embedded Security Lise-Meitner-Allee Bochum, Germany Phone: