CYBER SECURITY. Novel Approaches for Security in Building Automation Systems. J. Kaur, C. Herdin, J. Tonejc, S. Wendzel, M. Meier, and S.

Novel Approaches for Security in Building Automation Systems J. Kaur, C. Herdin, J. Tonejc, S. Wendzel, M. Meier, and S. Szlósarczyk jaspreet.kaur@fkie.fraunhofer.de CYBER SECURITY

Outline n Building Automation Systems (BAS) n Security threats in BAS n Protocols used in BAS n Our Approach n Traffic normalization n Visualization techniques n Conclusions and Future Work

What are Building Automation Systems? n Centralized control, monitoring and management of services such as HVAC and lighting in buildings n Safety for inhabitants n Facility management n Energy management strategies to reduce operating and energy costs

HVAC Elevator Lighting Video surveillance Heating Fire alarm Temperature control Smoke detector Meter automation of Electricity, Gas & Water Intrusion detector

Are these automated (smart) buildings really secure?

Security Threats in BAS n Current security threats according to Kastner et al.: Network Attacks: q Attack on the network medium to access the exchanged data q Manipulation, fabrication or interruption of the transmitted data Device Attacks: q On Software Level: code injection, exploiting algorithms q On Physical Level: component replacement n Emerging security threats according to Wendzel et al.: Smart botnets and data leakage: q Hidden exfiltration of sensor data (e.g. monitoring of inhabitants or employees)

Protocols used in BAS n KNX, a protocol for Home and Building Controls n LonTalk, a protocol created by Echelon Corporation for networking devices n BACnet, a network communications protocol for building automation and control systems

Our approach towards BAS security n Focus on BACnet protocol n BACnet is used by more than 800 BAS device vendors worldwide n Vulnerable to attacks due to spotty implementation of security features n Our approach towards securing BACnet includes: q traffic normalization q visualization techniques for BACnet data

Traffic Normalization Internet Intranet Normalizer Figure. A general scheme of traffic normalization

Traffic Normalization for BACnet Our traffic normalizer is an extension for Snort (a network intrusion detection system), n integrated into routers that interconnect BACnet network segments in order to monitor the traffic exchanged between the devices n drops or modifies the packets containing malicious or non-compliant content n uses normalization rules as a basis, which enforces the known protocol specification Examples: Drop the packet when protocol version is not 0x01. Modify the packet by setting DLEN=0 and DADR=0 if the message is a remote broadcast.

Testbed to evaluate Traffic Normalizer Figure. Virtual testbed for BACnet traffic

Importance of Visualization Techniques for BAS data Problem: n BAS operators face the challenge of spotting significant events in a large ocean of simultaneously occurring events n Monitoring of such unusual events can become demanding for BAS operators Solution: n Tailored visualization techniques could be helpful while performing BAS anomaly detection or announcing alarms in such situations

Evaluation of Visualization techniques Usability experiment: n Conducted with five full-time building operators from University of Applied Sciences in Augsburg n Operators were asked to fill out a questionnaire regarding: q type of BAS they use q duration of their working experience with BAS Comparison of different methods: n Temporal mosaic chart: three out of five operators were able to correctly identify a particular sensor as the source of a problem n Entropy-enriched Gantt chart: five out of five operators were able to correctly identify a particular sensor as the source of a problem n Log file analysis: none of the five participants could determine the error correctly

Area of interest (AOI) timing details Gantt average Mosaic average time to first fixation 6.01 sec 12.06 sec first fixation duration 0.19 sec 0.13 sec total fixation duration 3.61 sec 10.16 sec visit count 7 11 Table. Overview of the AOI timing details

Results Figure. Comparison of absolute duration heat maps generated for one of the operators. (left: temporal mosaic chart, right: entropy-enriched Gantt chart).

Conclusions and Future Work n Traffic normalizers can be effective in handling different types of network attacks in BAS n Effective visualization of unusual events is necessary in BAS data n Gantt charts are a better choice for BAS event visualization compared to Temporal mosaic charts and Log files n Plan: n Visualize network data in addition to application data n Improve detection and visualization of traffic anomalies n Expand the results to other BAS protocols

Thank you for your attention! Our Expertise: n Secure Building Automation Systems n Data Leakage Protection n Network Steganography/ Network Covert Channels Jaspreet Kaur Researcher Cyber Security Fraunhofer FKIE, Bonn jaspreet.kaur@fkie.fraunhofer.de This work was partially supported by the German Federal Ministry of Education and Research (BMBF) through project BARNI, project number 16KIS0148.

References 1. Granzer, W., Praus, F., Kastner, W. : Security in building automation systems, in IEEE Transactions on Industrial Electronics, IEEE, 2010. 2. Wendzel, S., Zwanger, V., Meier, M., Szlósarczyk, S. : Envisioning Smart Building Botnets, in Proc. GI Sicherheit 2014, LNI 228, pp. 319-329, GI, Vienna, March 2014.