1 Introduction

Building Automation Systems (BAS) have been in use for several decades in commercial premises such as hotels and shopping centres to monitor and control various aspects of the building. The functionality provided includes environmental controls (air conditioning, lighting), security systems (alarms, security shutters and fire control systems) and transport systems (lifts, escalators and walkways) [1]. One advantage of building automation is that it enables the most efficient use of a building's environmental controls, reducing costs for owners. As well as being commonly used in office and retail structures, these automation systems are also used in specialist settings such as law enforcement and prison access systems, and they are now being gradually adopted in domestic environments [2]. However, the increasing use of BAS makes them an attractive target for cyber attacks, and the disruption or destruction of such systems through malicious action can have a significant impact. Although there has been some research [3, 4] on the security analysis and protection of such systems, there is still much to be done, especially in the field of post-incident analysis, where information from past incidents can help strengthen the system against future events.

This paper presents a first step towards a digital forensics investigation process for BAS, exploring the application of commonly accepted digital forensics investigation guidelines [5] to such systems. We present the current threat landscape and security risks in this area and identify the challenges that arise when traditional digital forensics is applied.

The rest of the paper is structured as follows: Sect. 2 presents the key concepts of building automation systems along with the technology used. In Sect. 3 we present the current threat landscape and security risks. Section 4 investigates the application of the ACPO guidelines to a BAS, presenting the challenges that arise in each step. Finally, Sect. 5 presents the conclusions of our work.

2 Building Automation Systems

In addition to reduced costs, building automation provides additional smart functionality; emergency systems are being developed for commercial premises that, for instance, highlight exit signs based on the location of a fire to provide a safe evacuation route [6, 7]. The growth of the 'Internet of Things' is heading toward accelerated adoption of building automation systems in domestic environments. Current home automation systems can be divided into two types. The first is simple systems that allow users to monitor and control devices via a web interface or through their smartphones; these are now available on the consumer market and at present relate to controlling entertainment systems, lighting or domestic energy consumption, for example the Nest thermostat [8]. The second is a fully automated system for domestic use from a supplier specialising in domestic systems [9–14]. It is estimated that the US market alone will grow by 40% between 2014 and 2019, with 6% of homes in the USA already having some degree of automation [2].

The increasing uptake of building automation and its expanding capabilities raise the probability that these systems will appear in an investigation. The question must therefore be asked as to how these systems would be analysed if deemed necessary in a digital investigation.

2.1 BAS Technology and Implementations

A variety of organisations in the market are looking at standards and industry practices concerning commercial building control systems [15–17]. The most commonly used commercial communication protocols are BACnet, LonTalk and Modbus (Modbus being both popular and royalty-free). "Two-wire" RS485 networks are commonly used for the field bus because of their long reach (about 1000 m). Shorter connections from a controller to a computer (usually a standard desktop PC) use RS232, which is limited to a range of about 15 m.

More recently, the IP network of the building has been utilised, allowing greater flexibility in installation and reducing cabling costs by using one common network that carries multiple protocols at the same time. Although [18] recommends that commercial building control systems use a separate network infrastructure to ensure the security of the system, the end customer may not necessarily mandate this requirement. It remains to be seen whether this practice is adopted in domestic systems.

IP connectivity also has the advantage that buildings in different cities or countries can communicate with each other over the Internet [19].

Within a building, different devices have varying amounts of storage capacity. For example, a smaller device such as a ceiling air conditioning unit may be limited to holding only its current settings and active alarm data. Multiple units may then be managed by a larger master unit, which collects information over a field bus and holds a limited 'event log'; for example, one programmable controller used to integrate devices, the North Commander, holds 500 alarms and 2000 log entries [20].

Using the protocols above, or manufacturers' proprietary protocols, an additional piece of hardware can be used to interface different systems within a building, allowing products on different networks to share information. This interface hardware scans the devices on the network at a rate configured at the time of installation: the installing engineer elects how often each system is queried for available data. Systems might be queried for alarms, which are then stored, expanding the event logs (into the thousands) and so providing a more detailed history of system activity.

In larger building networks, a PC is used to collect information from the interface hardware or directly from the systems. The storage capacity of the PC then becomes the only limitation on the size of the event log. A desktop PC also tends to be used as a GUI so that the user can adjust system settings rather than being limited to the settings pre-specified by the installation engineer. The PC or interface hardware can transmit critical information to users via SMS or email, notifying them of events within the building according to tailored user requirements.

The focus of building automation systems is communication and control. The protocols currently used are inherently insecure [21], since security was not a major concern when they were conceived and they were designed without authentication of the sending party. Consequently, most systems do not use encryption and most end devices do not support it. Commercial building automation systems typically communicate in ASCII, and the controlling computer may store alert logs, configurations and settings also in ASCII, in comma-separated (CSV) files held unencrypted on the controlling PC. Some parts of security systems may, however, use encryption: door access controls are encrypted inside the door or access system, but the messages from the door systems to the BAS are not encrypted. Access to the controlling computer, or to the building network it sits on, could therefore potentially give access to the door and alarm systems.
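The consequence of an unauthenticated control protocol is easiest to see on the wire. The following decoder, added here as an example and not code from the paper, parses Modbus/TCP frames (a 7-byte MBAP header followed by the PDU, as in the public Modbus specification) from a constructed capture. The hosts, register numbers and frames are hypothetical. A Write Single Register request carries only a transaction id, unit id, function code, address and value: there is no field that identifies or authenticates the sender, so the controller accepts the write from 10.0.5.23 exactly as it would from the BAS PC, and the only way to tell the two apart after the fact is the source address in a network capture.

```python
import struct

# Function codes relevant to BAS point reads/writes (Modbus application protocol spec)
FUNCTION_NAMES = {
    1: "Read Coils",
    3: "Read Holding Registers",
    4: "Read Input Registers",
    5: "Write Single Coil",
    6: "Write Single Register",
    16: "Write Multiple Registers",
}
EXCEPTION_NAMES = {1: "Illegal Function", 2: "Illegal Data Address", 3: "Illegal Data Value"}
WRITE_FUNCTIONS = {5, 6, 15, 16}

# Hypothetical hosts: the controller is the Modbus/TCP server, the BAS PC the only
# host that should be writing points. Both addresses are assumptions for this example.
CONTROLLER = "10.0.5.2"
BAS_PC = "10.0.5.10"

# Constructed capture: (src, dst, frame bytes). Not from a real installation.
CAPTURE = [
    (BAS_PC, CONTROLLER, bytes.fromhex("000100000006010300000002")),     # read 2 regs at 0
    (CONTROLLER, BAS_PC, bytes.fromhex("00010000000701030400dc0001")),   # 220 (22.0 C), fan=1
    ("10.0.5.23", CONTROLLER, bytes.fromhex("000200000006010600010000")),  # write reg 1 := 0
    (CONTROLLER, "10.0.5.23", bytes.fromhex("000200000006010600010000")),  # echoed: accepted
    ("10.0.5.23", CONTROLLER, bytes.fromhex("000300000006010600630001")),  # write reg 99 := 1
    (CONTROLLER, "10.0.5.23", bytes.fromhex("000300000003018602")),        # exception 0x02
]


def decode_frame(frame: bytes, from_client: bool) -> dict:
    """Decode one Modbus/TCP frame. from_client distinguishes a request from a
    response, because both carry the same function code."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:          # length field counts unit id + PDU
        raise ValueError("MBAP length %d does not match frame size" % length)
    fc, pdu = frame[7], frame[8:]
    rec = {"tid": tid, "unit": unit, "fc": fc & 0x7F, "request": from_client,
           "name": FUNCTION_NAMES.get(fc & 0x7F, "function %d" % (fc & 0x7F))}
    if fc & 0x80:                          # exception response: high bit set, one code byte
        rec["exception"] = EXCEPTION_NAMES.get(pdu[0], "code %d" % pdu[0])
    elif rec["fc"] in (3, 4) and from_client:
        rec["address"], rec["quantity"] = struct.unpack(">HH", pdu[:4])
    elif rec["fc"] in (3, 4):             # response: byte count, then 16-bit registers
        n = pdu[0]
        rec["registers"] = list(struct.unpack(">%dH" % (n // 2), pdu[1:1 + n]))
    elif rec["fc"] in (5, 6):             # request and its echo carry the same 4 bytes
        rec["address"], rec["value"] = struct.unpack(">HH", pdu[:4])
    return rec


def decode_capture(capture=CAPTURE, controller=CONTROLLER, authorised=frozenset({BAS_PC})):
    """Decode every frame and flag write requests from hosts other than the BAS PC.
    The protocol itself offers nothing to distinguish them; only the IP layer does."""
    records = []
    for src, dst, frame in capture:
        rec = decode_frame(frame, from_client=(dst == controller))
        rec["src"] = src
        rec["unauthorised_write"] = bool(rec["request"] and rec["fc"] in WRITE_FUNCTIONS
                                         and src not in authorised)
        records.append(rec)
    return records


if __name__ == "__main__":
    for r in decode_capture():
        flag = "  <-- write from unauthorised host" if r["unauthorised_write"] else ""
        print("tid=%d unit=%d %s %s%s" % (r["tid"], r["unit"], r["name"],
              {k: v for k, v in r.items() if k in ("address", "quantity", "value",
                                                   "registers", "exception")}, flag))
```

Note that the second write is rejected only because register 99 does not exist on this controller (exception code 2, Illegal Data Address), not because of who sent it; the first write, which clears register 1, is acknowledged without any check on the sender.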

Current home automation systems use a number of proprietary protocols, depending on the supplier [9, 10, 12, 14], although standards such as Zigbee and KNX exist. Zigbee [22] is wireless and based on IEEE 802.15.4. KNX [23], which uses a number of different physical media, has been recognised as an open standard and formalised as an international standard, ISO/IEC 14543-3-10:2012. The divide between commercial and home automation standards is somewhat artificial, as combinations of the systems can be found running in both domestic and commercial settings. Manufacturers of certain home entertainment automation systems are unable to interface with other commercial devices, e.g. air conditioning units, and therefore may use the services of an integration company to connect these systems. Zigbee [21] promotes the use of the Zigbee standard in commercial premises when refurbishing commercial property, as it avoids the expense of rewiring.

3 Threats - Security Risks/Misuse

Concerns about the possible use of botnets inside building control systems have already been raised. Wendzel [4] highlighted the possibility of these systems being breached and the theoretical risk of the building control system being incorporated into a botnet. Fisk [3] recommended the hard wiring of some systems to enable them to continue to function without intelligent control in the event of an attack. Rios [24] highlighted the ease with which some building systems can be compromised. The Shodan search engine [25] illustrates the risk of these systems being online, since it provides a facility for searching for Internet-connected systems and thus potentially a catalogue of systems vulnerable to attack. The increased use of home systems broadens the target landscape for attackers and increases the potential impact of a successful attack.

A few examples of successful attacks have already been reported. In 2013, researchers [26] uncovered a vulnerability that would have allowed them to control the Heating, Ventilation and Air Conditioning (HVAC) systems within Google's Wharf 7 building in Sydney, Australia. There are therefore concerns regarding the security stance of these systems, for example the Tridium Niagara system in use at Google. In a Washington Post interview in 2012 [27], Tridium executives were quoted as saying:

“…attacks seemed unlikely, because hackers had not traditionally targeted such systems. In interviews, the executives said they and their customers generally assumed that control systems were buffered somewhat by their obscurity…”

A potential problem with BAS is that devices may not have been designed to be individually secure, although newer standards such as Zigbee include security, albeit limited, within the system. Additionally, integrators may install systems in an insecure manner, as system behaviour is determined by the customer's specification, which can leave the system vulnerable to compromise [27]. Issues may also arise from the information provided to the company installing the devices. For example, a company was asked to automate a swimming pool system and implemented it according to the specification provided. During testing, however, it was noted that although the implementation matched the specification, the specified limits equated to the maximum values supported by the plant equipment rather than the maximum desirable settings, i.e. the system would allow the entire chlorine reservoir to be delivered into the pool in one dose. A similar oversight when specifying a security system may leave a building vulnerable or even hazardous.

Information on specific BAS installations may also be easy to obtain. For instance, it may be released as part of the tender or contractual process, and organisations might specify features of an existing system for integration purposes, as was the case with the Los Angeles Airport terminal building [28]. If the manufacturer and model of the devices used in a BAS are known, then publicly available engineering documents can provide details on how to control the devices and, in some cases, default passwords. Connecting these systems to smartphones and enabling Internet connectivity for control and maintenance exposes them to further security risks.

4 Forensic Practices

The expanding number of BAS in use, coupled with the threat of cyber attack or misuse, suggests that at some point there will be a need to investigate these types of systems. Their interconnectivity and complexity, along with their domestic use, render them an attractive target, particularly when domestic systems may also include other smart systems such as entertainment devices or fitness and health monitoring systems that collect personal data [29]. The ability to respond to critical cyber-security incidents is crucial, but the question remains as to how these systems are to be analysed. The application of traditional digital forensics practice, as presented in good practice guidance, therefore appears to be the first logical step in proposing a method of analysis. The ACPO guidelines [5] are issued by the Association of Chief Police Officers of England, Wales and Northern Ireland and put forward four principles to ensure the accuracy and admissibility of evidence:

  1. No action should be taken that could change data that will later be relied upon in court.

  2. Where live evidence must be accessed, it should be done so only by experienced, competent personnel.

  3. An audit trail must be kept of all processes applied to evidence, such that an independent party can follow them and achieve the same results.

  4. The case officer ensures that the law and these principles are adhered to.

Principles 3 and 4 mainly relate to the way in which a case is processed. Principles 1 and 2 require a detailed understanding of the system's functionality, and this may pose a number of challenges during an investigation. These challenges are described below according to the stages that ACPO [5] recommends for the acquisition and processing of digital evidence: Plan, Capture, Analyse, Present.

4.1 Plan

Planning requires investigators to "develop appropriate strategies to identify the existence of digital evidence and to secure and interpret that evidence throughout the investigation" [5]. Investigators are expected to understand the systems they are called upon to analyse and to apply resources to the most appropriate areas. There are some potential difficulties in the planning stage:

Challenge 1: Most digital forensics investigators have little experience with BAS devices or with the range of protocols present in a BAS.

Challenge 2: It is difficult to preserve the integrity and authenticity of evidence while conducting a digital forensics analysis of such systems. Because of their complexity and interconnectivity, a single investigative action (for example polling a controller or reading a point) may inadvertently alter evidence elsewhere in the BAS. Live analysis under such circumstances therefore presents significant challenges.

4.2 Capture

In the planning stage, the investigator determines the specific types of hardware and software they are likely to face and selects the tools to be used in the investigation. In a BAS, relevant data may reside in:

  • The end device: the 'slave' in the Modbus protocol, or a node of the mesh network in a Zigbee based system.

  • Intermediate systems, if information is buffered within the system.

  • Wired and wireless network communication devices that may have buffering or logging capabilities.

  • The controlling computer system, if present, in its logs and configuration files, and other security devices such as Intrusion Detection Systems (IDS) or Intrusion Prevention Systems (IPS).

Challenge 3: A challenge that arises when capturing data is the wide variety of protocols and standards potentially used within a single building installation. This, together with the manufacturer-specific commands used by end systems, can make the collection stage time consuming.

The capture phase is the collection of evidence from data sources using the appropriate tools. It may cover both 'live' and 'static' forensics, depending on the nature of the data to be captured. Live forensics is the process of capturing data from volatile storage on end devices; the investigator has to be both careful and fast in order to capture data related to the incident without compromising its integrity and authenticity.

Challenge 4: In a BAS, live forensics can involve highly volatile data constantly produced by the end devices, which continue to operate throughout the investigation. This may result in the loss of evidence, especially when the system is not forensically ready (for example, a controller whose fixed-size event log overwrites its oldest entries). Network systems, where evidence may exist only for short periods in buffers or in "live" data flows, are a further consideration.

Challenge 5: The physical end devices may be neither readily accessible nor easily located by the investigator. Acquiring data from systems mounted in hard-to-reach areas will be a challenge, potentially making some sources unobtainable. This also assumes that an accurate and complete record of all devices within the BAS is available, which may not be the case for systems that have evolved and grown in complexity over time.

4.3 Analyse

This stage includes identifying data of potential evidential value, including evidence of exploits or of actions by specific users. Eventually, a timeline of activities is constructed that represents all actions relevant to the incident, giving the investigator the ability to correlate events that took place within the system. In this way the investigator gains additional knowledge regarding the vulnerabilities of the system and the identity of the perpetrator.

Challenge 6: Analysing evidence from various data sources can be time consuming. In an environment of disparate embedded systems and IoT devices, the sheer volume of data created can be difficult to analyse, and correlating evidence across multiple data sources further complicates the situation.

Challenge 7: Correlating data from a large network of devices requires accurate time synchronisation among the end devices. A lack of synchronisation may result in erroneous evidence and a misleading timeline of events; at a minimum, the offset of each device's clock from a reference clock should be recorded at acquisition time so that timestamps can be corrected during analysis.
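Challenges 6 and 7 can be illustrated with a small timeline-correlation example, added here and not taken from the paper. Three constructed log sources are merged: a controller alarm log in CSV, the BAS PC's Modbus event log and a door access log. The device names, addresses, timestamps and the per-device clock offsets (taken to be the investigator's clock check at acquisition, device clock minus reference clock) are all hypothetical. Ordered by the devices' raw clocks, the badge entry to the plant room appears after the fan-stop alarm; once each source is corrected to the reference clock, the entry precedes the write that stopped the fan, which is the order an investigator needs to see.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample logs for illustration only; devices, addresses and
# timestamps are hypothetical and do not come from a real investigation.
CONTROLLER_CSV = """timestamp,severity,point,message
2016-03-02 14:02:40,ALARM,AHU-1,SUPPLY_FAN_STOPPED
2016-03-02 14:03:55,ALARM,AHU-1,HIGH_TEMP
"""
BAS_PC_LOG = """2016-03-02 14:00:30 bas-pc modbus: write unit=1 fc=6 reg=1 val=0 src=10.0.5.23
2016-03-02 14:00:31 bas-pc modbus: response unit=1 fc=6 reg=1 val=0
"""
DOOR_LOG = """2016-03-02 14:02:50 DOOR-7 GRANTED badge=4471
"""

# Clock check recorded by the investigator at acquisition (assumed): each device's
# clock minus the reference clock (the NTP-synchronised BAS PC), in seconds.
CLOCK_OFFSETS = {"controller": +95, "bas-pc": 0, "door": +180}

FMT = "%Y-%m-%d %H:%M:%S"


@dataclass
class Event:
    source: str
    raw: datetime        # timestamp as written by the device
    corrected: datetime  # timestamp on the reference clock
    text: str


def parse_controller(csv_text):
    """Controller alarm log: CSV with a header row."""
    for line in csv_text.strip().splitlines()[1:]:
        ts, severity, point, msg = line.split(",")
        yield "controller", datetime.strptime(ts, FMT), f"{severity} {point} {msg}"


def parse_syslog_like(text, source):
    """Lines that start with a 19-character timestamp followed by free text."""
    for line in text.strip().splitlines():
        yield source, datetime.strptime(line[:19], FMT), line[20:]


def build_timeline(offsets):
    """Merge all sources, ordered by corrected (reference) time.
    An empty offsets dict gives the naive ordering on the devices' raw clocks."""
    raw_events = [*parse_controller(CONTROLLER_CSV),
                  *parse_syslog_like(BAS_PC_LOG, "bas-pc"),
                  *parse_syslog_like(DOOR_LOG, "door")]
    events = []
    for source, raw, text in raw_events:
        corrected = raw - timedelta(seconds=offsets.get(source, 0))
        events.append(Event(source, raw, corrected, text))
    return sorted(events, key=lambda e: (e.corrected, e.source))


def naive_timeline():
    return build_timeline({})


if __name__ == "__main__":
    print("Ordered by raw device clocks:")
    for e in naive_timeline():
        print(f"  {e.raw:%H:%M:%S}  {e.source:<10} {e.text}")
    print("Corrected to the reference clock:")
    for e in build_timeline(CLOCK_OFFSETS):
        print(f"  {e.corrected:%H:%M:%S}  {e.source:<10} {e.text}")
```

The correction is deliberately a constant offset per source; if a device's clock also drifts over the period of interest, a second clock check at the end of acquisition gives the drift rate, and the same function can apply a time-dependent offset.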

4.4 Present

It is imperative that the investigator keeps track of the whole process and documents every step taken, as the investigator may be required to present the final results of the investigation in court as an expert witness. Because of the specialised nature of the system, explaining the evidence uncovered from it to a jury may also pose a number of challenges.

5 Conclusions

Building automation systems enable a wide variety of devices to be connected to facilitate the management of different environmental conditions. A broad range of technologies and protocols can be used to implement building control systems, and this complexity and lack of familiarity can pose a problem when analysing a BAS as part of an investigation. The use of good practice guidelines (ACPO) can help to clarify the challenges and improve analysis. Such analysis may also disclose the system's vulnerable points so that future events can be avoided. Furthermore, the adoption of automated mechanisms and techniques for evidence collection and analysis will eventually lead to improved incident response times. Collecting and analysing evidence will not only reveal information about the system's vulnerabilities but may also provide useful information about the culprit's identity. The whole process of evidence collection, analysis and presentation is realised in traditional systems through the digital forensics investigation process, and the same processes and methods can be applied to BAS.