An Exploration of Some Security Issues Within the BACnet Protocol
Building automation systems control a range of building services, most commonly heating, ventilation and air-conditioning (HVAC). BACnet is a leading protocol for transmitting reporting and control data across building automation networks. Security is a weak point of BACnet because its original design brief appears to have been centred on a centralised, monolithic command-and-control architecture. With the advent of the Internet of Things, systems that were once isolated are now interconnected. This interconnectivity is problematic because, although security provisions are included in the BACnet standard, they are not implemented by vendors of building automation systems. The resulting lack of focus on security allows weaknesses in the protocol to be exploited, leaving the systems, and the buildings they control, open to attack. This paper describes two proof-of-concept protocol attacks on a BACnet system, demonstrating one attack through experimentation and the other through simulation. The paper contextualises a range of identified attacks using a threat model based on the STRIDE threat taxonomy.
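The abstract's point is that plain BACnet/IP carries state-changing requests with no authentication at all, and that a STRIDE model is a useful way to organise the resulting attacks. The following decoder is an added illustration, not the paper's code and not either of the attacks it reports: it walks the BVLC and NPDU headers of a BACnet/IP frame, recovers the APDU service choice, and flags control-plane services (WriteProperty, DeviceCommunicationControl, ReinitializeDevice and similar) that a device will act on from any sender. The sample frames are hand-built for this example, and the assignment of each service to a STRIDE category is this example's own illustrative mapping, not the paper's threat model.

```python
"""Minimal BACnet/IP (Annex J) frame decoder that flags unauthenticated
control-plane requests and tags them with a STRIDE category.

Added example; the frames and the STRIDE mapping are constructed here
and are not taken from the paper.
"""
from dataclasses import dataclass
from typing import List, Optional

BVLC_TYPE = 0x81              # BACnet/IP BVLC type octet
NPDU_VERSION = 0x01
PDU_CONFIRMED_REQUEST = 0
PDU_UNCONFIRMED_REQUEST = 1

# Service choice numbers from the standard's service encoding (subset).
CONFIRMED_SERVICES = {
    7: "atomicWriteFile", 10: "createObject", 11: "deleteObject",
    12: "readProperty", 14: "readPropertyMultiple", 15: "writeProperty",
    16: "writePropertyMultiple", 17: "deviceCommunicationControl",
    20: "reinitializeDevice",
}
UNCONFIRMED_SERVICES = {0: "i-Am", 6: "timeSynchronization", 8: "who-Is"}

# Illustrative STRIDE assignment (this example's own, not the paper's) for
# services that plain BACnet/IP accepts from any sender without authentication.
STRIDE_BY_SERVICE = {
    "writeProperty": "Tampering",
    "writePropertyMultiple": "Tampering",
    "atomicWriteFile": "Tampering",
    "createObject": "Tampering",
    "deleteObject": "Denial of service",
    "deviceCommunicationControl": "Denial of service",
    "reinitializeDevice": "Denial of service",
}


@dataclass
class Apdu:
    pdu_type: int
    service: str
    invoke_id: Optional[int]


def _apdu_offset(frame: bytes) -> Optional[int]:
    """Validate the BVLC header, walk the NPDU and return the APDU offset,
    or None when the NPDU carries a network-layer message and no APDU."""
    if len(frame) < 6 or frame[0] != BVLC_TYPE:
        raise ValueError("not a BACnet/IP frame")
    bvlc_len = int.from_bytes(frame[2:4], "big")
    if bvlc_len != len(frame):
        raise ValueError(f"BVLC length {bvlc_len} != frame length {len(frame)}")
    if frame[4] != NPDU_VERSION:
        raise ValueError("unsupported NPDU version")
    control = frame[5]
    off = 6
    if control & 0x80:          # network-layer message: no APDU follows
        return None
    if control & 0x20:          # DNET (2), DLEN (1), DADR (DLEN octets)
        off += 3 + frame[off + 2]
    if control & 0x08:          # SNET (2), SLEN (1), SADR (SLEN octets)
        off += 3 + frame[off + 2]
    if control & 0x20:          # hop count follows the address fields
        off += 1
    return off


def parse_frame(frame: bytes) -> Optional[Apdu]:
    """Decode the APDU type and service choice of one BACnet/IP frame."""
    off = _apdu_offset(frame)
    if off is None:
        return None
    apdu = frame[off:]
    pdu_type = apdu[0] >> 4
    if pdu_type == PDU_CONFIRMED_REQUEST:
        # octets: type/flags, max-segs/max-APDU, invoke-id, [seq, window], service
        svc_off = 5 if apdu[0] & 0x08 else 3
        choice = apdu[svc_off]
        return Apdu(pdu_type, CONFIRMED_SERVICES.get(choice, f"confirmed-{choice}"), apdu[2])
    if pdu_type == PDU_UNCONFIRMED_REQUEST:
        choice = apdu[1]
        return Apdu(pdu_type, UNCONFIRMED_SERVICES.get(choice, f"unconfirmed-{choice}"), None)
    return Apdu(pdu_type, "other", None)


def audit(frames: List[bytes]) -> List[dict]:
    """One finding per frame whose service changes device state and is
    accepted with no authentication; reads and discovery are left alone."""
    findings = []
    for idx, frame in enumerate(frames):
        apdu = parse_frame(frame)
        if apdu is None:
            continue
        category = STRIDE_BY_SERVICE.get(apdu.service)
        if category:
            findings.append({"frame": idx, "service": apdu.service,
                             "invoke_id": apdu.invoke_id, "stride": category})
    return findings


# Constructed sample traffic, hand-encoded per the standard's tagging rules.
SAMPLE_FRAMES = [
    bytes.fromhex("810b000c0120ffff00ff1008"),                        # Who-Is broadcast
    bytes.fromhex("810a00110104000501 0c 0c02000001 194d"),            # ReadProperty device,1 object-name
    bytes.fromhex("810a001a0104000502 0f 0c00800001 1955 3e4441a000003f 4908"),  # WriteProperty AV,1 PV=20.0 prio 8
    bytes.fromhex("810a000c0104000503 11 1901"),                       # DeviceCommunicationControl: disable
    bytes.fromhex("810a000c0104000504 14 0900"),                       # ReinitializeDevice: coldstart
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FRAMES):
        print(finding)
```

Run against real traffic, the same loop would read from a pcap or a UDP/47808 socket instead of `SAMPLE_FRAMES`; the decoder deliberately stops at the service choice, since the security-relevant fact is that the request reached the device at all, not which value it wrote.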
Keywords: Building automation; State modelling; Security; Heating, ventilation and air conditioning
The authors would like to thank Marcelo Macedo for his assistance in implementing the simulation environment.
This research was supported by an Australian Government Research Training Program Scholarship.