7 research outputs found

    A critical review of cyber-physical security for building automation systems

    Modern Building Automation Systems (BASs), as the brain that enables the smartness of a smart building, often require increased connectivity both among system components as well as with outside entities, such as optimized automation via outsourced cloud analytics and increased building-grid integrations. However, increased connectivity and accessibility come with increased cyber security threats. BASs were historically developed as closed environments with limited cyber-security considerations. As a result, BASs in many buildings are vulnerable to cyber-attacks that may cause adverse consequences, such as occupant discomfort, excessive energy usage, and unexpected equipment downtime. Therefore, there is a strong need to advance the state-of-the-art in cyber-physical security for BASs and provide practical solutions for attack mitigation in buildings. However, an inclusive and systematic review of BAS vulnerabilities, potential cyber-attacks with impact assessment, detection & defense approaches, and cyber-secure resilient control strategies is currently lacking in the literature. This review paper fills the gap by providing a comprehensive up-to-date review of cyber-physical security for BASs at three levels in commercial buildings: management level, automation level, and field level. The general BASs vulnerabilities and protocol-specific vulnerabilities for the four dominant BAS protocols are reviewed, followed by a discussion on four attack targets and seven potential attack scenarios. The impact of cyber-attacks on BASs is summarized as signal corruption, signal delaying, and signal blocking. The typical cyber-attack detection and defense approaches are identified at the three levels. Cyber-secure resilient control strategies for BASs under attack are categorized into passive and active resilient control schemes. Open challenges and future opportunities are finally discussed.
    Comment: 38 pages, 7 figures, 6 tables, submitted to Annual Reviews in Contro

    NETWORK TRAFFIC CHARACTERIZATION AND INTRUSION DETECTION IN BUILDING AUTOMATION SYSTEMS

    The goal of this research was threefold: (1) to learn the operational trends and behaviors of a real-world building automation system (BAS) network for creating building device models to detect anomalous behaviors and attacks, (2) to design a framework for evaluating BA device security from both the device and network perspectives, and (3) to leverage new sources of building automation device documentation for developing robust network security rules for BAS intrusion detection systems (IDSs). These goals were achieved in three phases: first, through the detailed longitudinal study and characterization of a real university campus building automation network (BAN) and the application of machine learning techniques on field-level traffic for anomaly detection; next, through the systematization of literature in the BAS security domain to analyze cross-protocol device vulnerabilities, attacks, and defenses, uncovering research gaps as the foundational basis of our proposed BA device security evaluation framework; then, to evaluate our proposed framework, the largest multiprotocol BAS testbed discussed in the literature was built and several side-channel vulnerabilities and software/firmware shortcomings were exposed; and finally, through the development of a semi-automated specification-gathering, device-documentation-extracting, IDS-rule-generating framework that leveraged PICS files and BIM models.
    Ph.D.

    Techniques for utilizing classification towards securing automotive controller area network and machine learning towards the reverse engineering of CAN messages

    The vehicle industry is quickly becoming more connected and growing. This growth is due to advancements in cyber-physical systems (CPSs) that enhance the safety and automation in vehicles. The modern automobile consists of more than 70 electronic control units (ECUs) that communicate and interact with each other over automotive bus systems. Passenger comforts, infotainment features, and connectivity continue to progress through the growth and integration of Internet-of-Things (IoT) technologies. Common networks include the Controller Area Network (CAN), Local Interconnect Network (LIN), and FlexRay. However, the benefits of increased connectivity and features come with the penalty of increased vulnerabilities. Security is lacking in preventing attacks on safety-critical control systems. I will explore the state-of-the-art methods and approaches researchers have taken to identify threats and how to address them with intrusion detection. I discuss the development of a hybrid-based intrusion detection approach that combines anomaly-based and signature-based detection methods. Machine learning is a hot topic in security as it is a method of learning and classifying system behavior and can detect intrusions that alter normal behavior. In this paper, we discuss utilizing machine learning algorithms to assist in classifying CAN messages. I present work that focuses on the reverse engineering and classification of CAN messages. The problem is that even though CAN is standardized, the implementation may vary for different manufacturers and vehicle models. These implementations are kept secret; therefore, CAN messages for every vehicle need to be analyzed and reverse engineered in order to get information. Due to the lack of publicly available CAN specifications, attackers and researchers need to reverse engineer messages to pinpoint which messages will have the desired impact. The reverse engineering process is needed by researchers and hackers for all manufacturers and their respective vehicles to understand what the vehicle is doing and what each CAN message means. The knowledge of the specifications of CAN messages can improve the effectiveness of security mechanisms applied to CAN.

    Automatic Deployment of Specification-based Intrusion Detection in the BACnet Protocol

    Specification-based intrusion detection (SB-ID) is a suitable approach to monitor Building Automation Systems (BASs) because the correct and non-compromised functioning of the system is well understood. Its main drawback is that the creation of specifications often requires human intervention. We present the first fully automated approach to deploy SB-ID at network level. We do so in the domain of BASs, specifically, the BACnet protocol (ISO 16484-5). In this protocol, properly certified devices are required to have technical documentation stating their capabilities. We leverage those documents to create specifications that represent the expected behavior of each device in the network. Automated specification extraction is crucial to effectively apply SB-ID in volatile environments such as BACnet networks, where new devices are often added, removed, or replaced. In our experiments, the proposed algorithm creates specifications with both precision and recall above 99.5%. Finally, we evaluate the capabilities of our detection approach using two months (80GB) of BACnet traffic from a real BAS. Additionally, we use synthetic traffic to demonstrate attack detection in a controlled environment. We show that our approach not only contributes to the practical feasibility of SB-ID in BASs, but also detects stealthy and dangerous attacks.

    Anomaly Detection in BACnet/IP managed Building Automation Systems

    Building Automation Systems (BAS) are a collection of devices and software which manage the operation of building services. The BAS market is expected to be a $19.25 billion USD industry by 2023, as a core feature of both the Internet of Things and Smart City technologies. However, securing these systems from cyber security threats is an emerging research area. Since initial deployment, BAS have evolved from isolated standalone networks to heterogeneous, interconnected networks allowing external connectivity through the Internet. The most prominent BAS protocol is BACnet/IP, which is estimated to hold 54.6% of world market share. BACnet/IP security features are often not implemented in BAS deployments, leaving systems unprotected against known network threats. This research investigated methods of detecting anomalous network traffic in BACnet/IP managed BAS in an effort to combat threats posed to these systems. This research explored the threats facing BACnet/IP devices, through analysis of Internet-accessible BACnet devices, vendor-defined device specifications, investigation of the BACnet specification, and known network attacks identified in the surrounding literature. The collected data were used to construct a threat matrix, which was applied to models of BACnet devices to evaluate potential exposure. Further, two potential unknown vulnerabilities were identified and explored using state modelling and device simulation. A simulation environment and attack framework were constructed to generate both normal and malicious network traffic to explore the application of machine learning algorithms to identify both known and unknown network anomalies. To identify network patterns between the generated normal and malicious network traffic, unsupervised clustering, graph analysis with an unsupervised community detection algorithm, and time series analysis were used. The explored methods identified distinguishable network patterns for frequency-based known network attacks when compared to normal network traffic. However, as stand-alone methods for anomaly detection, these methods were found insufficient. Subsequently, Artificial Neural Networks and Hidden Markov Models were explored and found capable of detecting known network attacks. Further, Hidden Markov Models were also capable of detecting unknown network attacks in the generated datasets. The classification accuracy of the Hidden Markov Models was evaluated using the Matthews Correlation Coefficient, which accounts for imbalanced class sizes and assesses both positive and negative classification ability for deriving its metric. The Hidden Markov Models were found capable of repeatedly detecting both known and unknown BACnet/IP attacks with True Positive Rates greater than 0.99 and Matthews Correlation Coefficients greater than 0.8 for five of six evaluated hosts. This research identified and evaluated a range of methods capable of identifying anomalies in simulated BACnet/IP network traffic. Further, this research found that Hidden Markov Models were accurate at classifying both known and unknown attacks in the evaluated BACnet/IP managed BAS network.

    Indoor georeferencing systems using Bluetooth technology: possible BMS- and BIM-based implementations.

    The constant increase in the use of technology in the century we live in has introduced new building management methods in the construction sector, aimed at optimizing costs and consumption. The pillar of smart buildings is the Internet of Things (IoT), which has made it possible to develop building automation systems by connecting home automation devices and systems to a centralized technological platform known as the BMS. Another consequence of the IoT in the construction sector is BIM, considered a successful strategy for organizing, storing and managing the static metadata relating to the design, construction and maintenance of buildings. BIM enables the creation of three-dimensional virtual models capable of simulating the building and serving as a database for information concerning the architectural and engineering representation, time and cost estimates, energy assessment, maintenance costs and considerations of economic and environmental sustainability. Among the interconnection experiences made possible by the IoT is the ability to locate a smartphone device indoors using various technologies. In this study, space is devoted to a review of the literature on indoor localization technologies and the related algorithms, with particular attention to Bluetooth Low Energy, considered the cheapest and most accurate technology. The objective of this thesis is to enrich BIM databases with more precise information concerning the BACnet ID of the individual home automation devices connected to the central BMS. To identify the BACnet ID of the home automation devices, a code reader included in a smartphone application developed within this study will be used. Once the BACnet identifier has been acquired, the application will be able to automatically populate the data collected in the field into the corresponding digital counterpart in Revit.

    The increasing use of technology that characterizes the century we live in has led to new methods of building management in the construction sector, aiming for cost optimization and efficiency. The cornerstone for smart buildings is the Internet of Things (IoT), which has enabled the development of building automation systems through the integration of home automation systems and devices into a centralized technological backbone, commonly known as the BMS (Building Management System). Another consequence of IoT in the construction industry is Building Information Modeling (BIM), considered a successful strategy for organizing, storing, and managing static metadata related to the design, construction, and maintenance of buildings. BIM allows for the creation of three-dimensional virtual models capable of simulating the building and serving as a database for architectural and engineering representation, time and cost estimation, energy evaluation, maintenance costs, and economic and environmental sustainability considerations. Among the interconnected experiences enabled by the growing IoT, there is also the ability of a smartphone device to be indoor geolocated through various technologies. This thesis project includes a literature analysis on indoor positioning technologies and their corresponding algorithms. One of the most cost-effective and accurate solutions in this regard is Bluetooth Low Energy. The objective of this thesis is to enrich BIM databases with more precise information regarding the BACnet ID of individual devices connected to the central BMS. To identify the BACnet ID of home automation devices, a code reader integrated into a smartphone application developed within this study will be used. Once the BACnet ID is acquired, the application will be able to automatically populate the data collected in the field into the corresponding digital representation in Revit.