105 research outputs found

    Anomaly Detection in BACnet/IP managed Building Automation Systems

    Get PDF
    Building Automation Systems (BAS) are a collection of devices and software which manage the operation of building services. The BAS market is expected to be a $19.25 billion USD industry by 2023, as a core feature of both the Internet of Things and Smart City technologies. However, securing these systems from cyber security threats is an emerging research area. Since initial deployment, BAS have evolved from isolated standalone networks to heterogeneous, interconnected networks allowing external connectivity through the Internet. The most prominent BAS protocol is BACnet/IP, which is estimated to hold 54.6% of world market share. BACnet/IP security features are often not implemented in BAS deployments, leaving systems unprotected against known network threats. This research investigated methods of detecting anomalous network traffic in BACnet/IP managed BAS in an effort to combat threats posed to these systems. This research explored the threats facing BACnet/IP devices, through analysis of Internet accessible BACnet devices, vendor-defined device specifications, investigation of the BACnet specification, and known network attacks identified in the surrounding literature. The collected data were used to construct a threat matrix, which was applied to models of BACnet devices to evaluate potential exposure. Further, two potential unknown vulnerabilities were identified and explored using state modelling and device simulation. A simulation environment and attack framework were constructed to generate both normal and malicious network traffic to explore the application of machine learning algorithms to identify both known and unknown network anomalies. To identify network patterns between the generated normal and malicious network traffic, unsupervised clustering, graph analysis with an unsupervised community detection algorithm, and time series analysis were used. The explored methods identified distinguishable network patterns for frequency-based known network attacks when compared to normal network traffic. However, as stand-alone methods for anomaly detection, these methods were found insufficient. Subsequently, Artificial Neural Networks and Hidden Markov Models were explored and found capable of detecting known network attacks. Further, Hidden Markov Models were also capable of detecting unknown network attacks in the generated datasets. The classification accuracy of the Hidden Markov Models was evaluated using the Matthews Correlation Coefficient which accounts for imbalanced class sizes and assess both positive and negative classification ability for deriving its metric. The Hidden Markov Models were found capable of repeatedly detecting both known and unknown BACnet/IP attacks with True Positive Rates greater than 0.99 and Matthews Correlation Coefficients greater than 0.8 for five of six evaluated hosts. This research identified and evaluated a range of methods capable of identifying anomalies in simulated BACnet/IP network traffic. Further, this research found that Hidden Markov Models were accurate at classifying both known and unknown attacks in the evaluated BACnet/IP managed BAS network

    A critical review of cyber-physical security for building automation systems

    Full text link
    Modern Building Automation Systems (BASs), as the brain that enables the smartness of a smart building, often require increased connectivity both among system components as well as with outside entities, such as optimized automation via outsourced cloud analytics and increased building-grid integrations. However, increased connectivity and accessibility come with increased cyber security threats. BASs were historically developed as closed environments with limited cyber-security considerations. As a result, BASs in many buildings are vulnerable to cyber-attacks that may cause adverse consequences, such as occupant discomfort, excessive energy usage, and unexpected equipment downtime. Therefore, there is a strong need to advance the state-of-the-art in cyber-physical security for BASs and provide practical solutions for attack mitigation in buildings. However, an inclusive and systematic review of BAS vulnerabilities, potential cyber-attacks with impact assessment, detection & defense approaches, and cyber-secure resilient control strategies is currently lacking in the literature. This review paper fills the gap by providing a comprehensive up-to-date review of cyber-physical security for BASs at three levels in commercial buildings: management level, automation level, and field level. The general BASs vulnerabilities and protocol-specific vulnerabilities for the four dominant BAS protocols are reviewed, followed by a discussion on four attack targets and seven potential attack scenarios. The impact of cyber-attacks on BASs is summarized as signal corruption, signal delaying, and signal blocking. The typical cyber-attack detection and defense approaches are identified at the three levels. Cyber-secure resilient control strategies for BASs under attack are categorized into passive and active resilient control schemes. Open challenges and future opportunities are finally discussed.Comment: 38 pages, 7 figures, 6 tables, submitted to Annual Reviews in Contro

    NETWORK TRAFFIC CHARACTERIZATION AND INTRUSION DETECTION IN BUILDING AUTOMATION SYSTEMS

    Get PDF
    The goal of this research was threefold: (1) to learn the operational trends and behaviors of a realworld building automation system (BAS) network for creating building device models to detect anomalous behaviors and attacks, (2) to design a framework for evaluating BA device security from both the device and network perspectives, and (3) to leverage new sources of building automation device documentation for developing robust network security rules for BAS intrusion detection systems (IDSs). These goals were achieved in three phases, first through the detailed longitudinal study and characterization of a real university campus building automation network (BAN) and with the application of machine learning techniques on field level traffic for anomaly detection. Next, through the systematization of literature in the BAS security domain to analyze cross protocol device vulnerabilities, attacks, and defenses for uncovering research gaps as the foundational basis of our proposed BA device security evaluation framework. Then, to evaluate our proposed framework the largest multiprotocol BAS testbed discussed in the literature was built and several side-channel vulnerabilities and software/firmware shortcomings were exposed. Finally, through the development of a semi-automated specification gathering, device documentation extracting, IDS rule generating framework that leveraged PICS files and BIM models.Ph.D

    Machine Learning Based Network Vulnerability Analysis of Industrial Internet of Things

    Full text link
    It is critical to secure the Industrial Internet of Things (IIoT) devices because of potentially devastating consequences in case of an attack. Machine learning and big data analytics are the two powerful leverages for analyzing and securing the Internet of Things (IoT) technology. By extension, these techniques can help improve the security of the IIoT systems as well. In this paper, we first present common IIoT protocols and their associated vulnerabilities. Then, we run a cyber-vulnerability assessment and discuss the utilization of machine learning in countering these susceptibilities. Following that, a literature review of the available intrusion detection solutions using machine learning models is presented. Finally, we discuss our case study, which includes details of a real-world testbed that we have built to conduct cyber-attacks and to design an intrusion detection system (IDS). We deploy backdoor, command injection, and Structured Query Language (SQL) injection attacks against the system and demonstrate how a machine learning based anomaly detection system can perform well in detecting these attacks. We have evaluated the performance through representative metrics to have a fair point of view on the effectiveness of the methods

    A spatio-temporal entropy-based approach for the analysis of cyber attacks (demo paper)

    Get PDF
    Computer networks are ubiquitous systems growing exponentially with a predicted 50 billion devices connected by 2050. This dramatically increases the potential attack surface of Internet networks. A key issue in cyber defense is to detect, categorize and identify these attacks, the way they are propagated and their potential impacts on the systems affected. The research presented in this paper models cyber attacks at large by considering the Internet as a complex system in which attacks are propagated over a network. We model an attack as a path from a source to a target, and where each attack is categorized according to its intention. We setup an experimental testbed with the concept of honeypot that evaluates the spatiotemporal distribution of these Internet attacks. The preliminary results show a series of patterns in space and time that illustrate the potential of the approach, and how cyber attacks can be categorized according to the concept and measure of entropy

    Cyber-physical Reconnaissance in Smart Buildings

    Get PDF

    DETECTION OF SYNTHETIC ANOMALIES ON AN EXPERIMENTALLY GENERATED 5G DATA SET USING CONVOLUTIONAL NEURAL NETWORKS

    Get PDF
    The research microgrid currently deployed at Marine Corps Air Station, Miramar, is leveraging Verizon’s Non-Standalone (NSA) 5G communications network to provide connectivity between dispersed energy assets and the energy and water operations center (EWOC). Due to its anchor to the Verizon 4G/LTE core, the NSA network does not provide technological avenues for cyber anomaly detection. In this research, we developed a traffic anomaly detection model using supervised machine learning for the energy communication infrastructure at Miramar. We developed a preliminary cyber anomaly detection platform using a convolutional neural network (CNN). We experimentally generated a benign 5G data set using the AT&T 5G cellular tower at the NPS SLAMR facility. We injected synthetic anomalies within the data set to test the CNN and its effectiveness at classifying packets as anomalous or benign. Data sets with varying amounts of anomalous data, ranging from 10% to 50%, were created. Accuracy, precision, and recall were used as performance metrics. Our experiments, conducted with Python and TensorFlow, showed that while the CNN did not perform its best on the data sets generated, it has the potential to work well with a more balanced data set that is large enough to host more anomalous traffic.ONRLieutenant, United States NavyApproved for public release. Distribution is unlimited

    Cybersecurity of Industrial Cyber-Physical Systems: A Review

    Get PDF
    Industrial cyber-physical systems (ICPSs) manage critical infrastructures by controlling the processes based on the "physics" data gathered by edge sensor networks. Recent innovations in ubiquitous computing and communication technologies have prompted the rapid integration of highly interconnected systems to ICPSs. Hence, the "security by obscurity" principle provided by air-gapping is no longer followed. As the interconnectivity in ICPSs increases, so does the attack surface. Industrial vulnerability assessment reports have shown that a variety of new vulnerabilities have occurred due to this transition while the most common ones are related to weak boundary protection. Although there are existing surveys in this context, very little is mentioned regarding these reports. This paper bridges this gap by defining and reviewing ICPSs from a cybersecurity perspective. In particular, multi-dimensional adaptive attack taxonomy is presented and utilized for evaluating real-life ICPS cyber incidents. We also identify the general shortcomings and highlight the points that cause a gap in existing literature while defining future research directions.Comment: 32 pages, 10 figure
    • …
    corecore