Skip to main content

A Security Policy Engine for Building Energy Management Systems

  • Conference paper
  • First Online:
Applied Cryptography and Network Security Workshops (ACNS 2023)

Part of the book series: Lecture Notes in Computer Science ((LNCS,volume 13907))

Included in the following conference series:

  • 464 Accesses


This paper presents a Policy Engine for securing building energy management systems (BEMSs), a class of industrial control systems (ICSs) requiring additional protection due to their complex and interconnected nature. The Policy Engine supports multiple deployment modes for legacy compliance and features seamless integration of new security policies. We have implemented a provenance verification solution and integrated it into the Policy Engine. To evaluate the effectiveness of the proposed solution, we have established a testbed that utilizes real BEMS equipment. We compared the security features and performance of the Policy Engine with a state-of-the-art security solution in BEMS, i.e., MQTT using TLS. Results indicate that the Policy Engine with provenance verification policy can secure BEMSs against signal injection, duplication, and remote attacks, with minimal operational impact.

This is a preview of subscription content, log in via an institution to check access.

Access this chapter

Subscribe and save

Springer+ Basic
EUR 32.99 /Month
  • Get 10 units per month
  • Download Article/Chapter or eBook
  • 1 Unit = 1 Article or 1 Chapter
  • Cancel anytime
Subscribe now

Buy Now

USD 29.95
Price excludes VAT (USA)
  • Available as PDF
  • Read on any device
  • Instant download
  • Own it forever
USD 79.99
Price excludes VAT (USA)
  • Available as EPUB and PDF
  • Read on any device
  • Instant download
  • Own it forever
Softcover Book
USD 99.99
Price excludes VAT (USA)
  • Compact, lightweight edition
  • Dispatched in 3 to 5 business days
  • Free shipping worldwide - see info

Tax calculation will be finalised at checkout

Purchases are for personal use only

Institutional subscriptions

Similar content being viewed by others


  1. IEEE standard communication delivery time performance requirements for electric power substation automation. IEEE Std 1646–2004, pp. 1–36 (2005).

  2. Alexander, O., Belisle, M., Steele, J.: Mitre att &ck for industrial control systems: design and philosophy. The MITRE Corporation: Bedford, MA, USA, p. 29 (2020)

    Google Scholar 

  3. Cassottana, B., Roomi, M.M., Mashima, D., Sansavini, G.: Resilience analysis of cyber-physical systems: a review of models and methods. Risk Anal. (2023)

    Google Scholar 

  4. Cybersecurity and Infrastructure Security Agency: Crashoverride malware (2017). Accessed 17 Mar 2023

  5. Case, D.U.: Analysis of the cyber attack on the Ukrainian power grid. Electr. Inf. Sharing Anal. Center (E-ISAC) 388, 1–29 (2016)

    Google Scholar 

  6. Esiner, E., Mashima, D., Chen, B., Kalbarczyk, Z., Nicol, D.: F-pro: a fast and flexible provenance-aware message authentication scheme for smart grid. In: 2019 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), pp. 1–7. IEEE (2019)

    Google Scholar 

  7. Esiner, E., et al.: LoMoS: less-online/more-offline signatures for extremely time-critical systems. IEEE Trans. Smart Grid 13(4), 3214–3226 (2022)

    Article  Google Scholar 

  8. Fauri, D., de Wijs, B., den Hartog, J., Costante, E., Zambon, E., Etalle, S.: Encryption in ICS networks: a blessing or a curse? In: 2017 IEEE International Conference on Smart Grid Communications (SmartGridComm) (2017)

    Google Scholar 

  9. Hayes, G., El-Khatib, K.: Securing modbus transactions using hash-based message authentication codes and stream transmission control protocol. In: 2013 Third International Conference on Communications and Information Technology (ICCIT), pp. 179–184. IEEE (2013)

    Google Scholar 

  10. Hussain, S.S., Farooq, S.M., Ustun, T.S.: Analysis and implementation of message authentication code (MAC) algorithms for goose message security. IEEE Access 7, 80980–80984 (2019)

    Article  Google Scholar 

  11. IEC 62351–6:2020: Power systems management and associated information exchange-data and communications security-part 6: Security for IEC 61850 (2020)

    Google Scholar 

  12. Johnson, D., Menezes, A., Vanstone, S.: The elliptic curve digital signature algorithm (ECDSA). Int. J. Inf. Secur. 1(1), 36–63 (2001)

    Article  Google Scholar 

  13. Li, J., Chen, R., Su, J., Huang, X., Wang, X.: ME-TLS: middlebox-enhanced TLS for internet-of-things devices. IEEE Internet Things J. 7(2), 1216–1229 (2020)

    Article  Google Scholar 

  14. Rivest, R.L., Shamir, A., Adleman, L.: A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 21(2), 120–126 (1978).

    Article  MathSciNet  MATH  Google Scholar 

  15. Securosys SA: Centurion network encryptor securosys (2020).

  16. Symantec Security Response: Shellshock: All you need to know about the bash bug vulnerability (2014). Accessed 17 Mar 2023

  17. Tefek, U., Esiner, E., Mashima, D., Chen, B., Hu, Y.C.: Caching-based multicast message authentication in time-critical industrial control systems. In: IEEE INFOCOM 2022-IEEE Conference on Computer Communications, pp. 1039–1048. IEEE (2022)

    Google Scholar 

  18. Tefek, U., Esiner, E., Mashima, D., Hu, Y.C.: Analysis of message authentication solutions for IEC 61850 in substation automation systems. In: 2022 IEEE International Conference on Communications, Control, and Computing Technologies for Smart Grids (SmartGridComm), pp. 224–230. IEEE (2022)

    Google Scholar 

  19. Thales: High speed encryption network encryptor thales (2020).

Download references


This research is supported in part by the National Research Foundation, Prime Minister’s Office, Singapore under its Campus for Research Excellence and Technological Enterprise (CREATE) programme, and in part by National Research Foundation, Singapore, Singapore University of Technology and Design under its National Satellite of Excellence in Design Science and Technology for Secure Critical Infrastructure Grant (NSoE_DeST-SCI2021TG-0002).

Author information

Authors and Affiliations


Corresponding author

Correspondence to Ertem Esiner .

Editor information

Editors and Affiliations

Rights and permissions

Reprints and permissions

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

About this paper

Check for updates. Verify currency and authenticity via CrossMark

Cite this paper

Lim, J., Ong, W., Tefek, U., Esiner, E. (2023). A Security Policy Engine for Building Energy Management Systems. In: Zhou, J., et al. Applied Cryptography and Network Security Workshops. ACNS 2023. Lecture Notes in Computer Science, vol 13907. Springer, Cham.

Download citation

  • DOI:

  • Published:

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-41180-9

  • Online ISBN: 978-3-031-41181-6

  • eBook Packages: Computer ScienceComputer Science (R0)

Publish with us

Policies and ethics