An Exploration of Some Security Issues Within the BACnet Protocol

  • Matthew Peacock
  • Michael N. Johnstone
  • Craig Valli
Conference paper
Part of the Communications in Computer and Information Science book series (CCIS, volume 867)


Building automation systems control a range of services, commonly heating, ventilation and air-conditioning. BACnet is a leading protocol used to transmit data across building automation system networks for the purposes of reporting and control. Security is an issue in BACnet because its initial design brief appears to have been centred on a centralised, monolithic command-and-control architecture. With the advent of the Internet of Things, systems that were once isolated are now interconnected. This interconnectivity is problematic because, whilst security is included in the BACnet standard, it is not implemented by vendors of building automation systems. The lack of focus on security can lead to vulnerabilities in the protocol being exploited, with the result that the systems and the buildings they control are open to attack. This paper describes two proof-of-concept protocol attacks on a BACnet system, demonstrating one attack through experimentation and the other through simulation. The paper contextualises a range of identified attacks using a threat model based on the STRIDE threat taxonomy.


Keywords: Building automation; State modelling; Security; Heating, ventilation and air conditioning



The authors would like to thank Marcelo Macedo for his assistance in implementing the simulation environment.

This research was supported by an Australian Government Research Training Program Scholarship.



Copyright information

© Springer International Publishing AG, part of Springer Nature 2018

Authors and Affiliations

  • Matthew Peacock, Security Research Institute, Edith Cowan University, Perth, Australia
  • Michael N. Johnstone, Security Research Institute, Edith Cowan University, Perth, Australia
  • Craig Valli, Security Research Institute, Edith Cowan University, Perth, Australia
