4 research outputs found

    NETWORK TRAFFIC CHARACTERIZATION AND INTRUSION DETECTION IN BUILDING AUTOMATION SYSTEMS

    The goal of this research was threefold: (1) to learn the operational trends and behaviors of a real-world building automation system (BAS) network for creating building device models to detect anomalous behaviors and attacks, (2) to design a framework for evaluating BA device security from both the device and network perspectives, and (3) to leverage new sources of building automation device documentation for developing robust network security rules for BAS intrusion detection systems (IDSs). These goals were achieved in three phases, first through the detailed longitudinal study and characterization of a real university campus building automation network (BAN) and with the application of machine learning techniques on field-level traffic for anomaly detection. Next, through the systematization of literature in the BAS security domain to analyze cross-protocol device vulnerabilities, attacks, and defenses for uncovering research gaps as the foundational basis of our proposed BA device security evaluation framework. Then, to evaluate our proposed framework, the largest multiprotocol BAS testbed discussed in the literature was built and several side-channel vulnerabilities and software/firmware shortcomings were exposed. Finally, through the development of a semi-automated specification-gathering, device-documentation-extracting, IDS-rule-generating framework that leveraged PICS files and BIM models.
    Ph.D.

    Anomaly Detection in BACnet/IP managed Building Automation Systems

    Building Automation Systems (BAS) are a collection of devices and software which manage the operation of building services. The BAS market is expected to be a $19.25 billion USD industry by 2023, as a core feature of both the Internet of Things and Smart City technologies. However, securing these systems from cyber security threats is an emerging research area. Since initial deployment, BAS have evolved from isolated standalone networks to heterogeneous, interconnected networks allowing external connectivity through the Internet. The most prominent BAS protocol is BACnet/IP, which is estimated to hold 54.6% of world market share. BACnet/IP security features are often not implemented in BAS deployments, leaving systems unprotected against known network threats. This research investigated methods of detecting anomalous network traffic in BACnet/IP managed BAS in an effort to combat threats posed to these systems. This research explored the threats facing BACnet/IP devices, through analysis of Internet accessible BACnet devices, vendor-defined device specifications, investigation of the BACnet specification, and known network attacks identified in the surrounding literature. The collected data were used to construct a threat matrix, which was applied to models of BACnet devices to evaluate potential exposure. Further, two potential unknown vulnerabilities were identified and explored using state modelling and device simulation. A simulation environment and attack framework were constructed to generate both normal and malicious network traffic to explore the application of machine learning algorithms to identify both known and unknown network anomalies. To identify network patterns between the generated normal and malicious network traffic, unsupervised clustering, graph analysis with an unsupervised community detection algorithm, and time series analysis were used. 
The explored methods identified distinguishable network patterns for frequency-based known network attacks when compared to normal network traffic. However, as stand-alone methods for anomaly detection, these methods were found insufficient. Subsequently, Artificial Neural Networks and Hidden Markov Models were explored and found capable of detecting known network attacks. Further, Hidden Markov Models were also capable of detecting unknown network attacks in the generated datasets. The classification accuracy of the Hidden Markov Models was evaluated using the Matthews Correlation Coefficient, which accounts for imbalanced class sizes and assesses both positive and negative classification ability for deriving its metric. The Hidden Markov Models were found capable of repeatedly detecting both known and unknown BACnet/IP attacks with True Positive Rates greater than 0.99 and Matthews Correlation Coefficients greater than 0.8 for five of six evaluated hosts. This research identified and evaluated a range of methods capable of identifying anomalies in simulated BACnet/IP network traffic. Further, this research found that Hidden Markov Models were accurate at classifying both known and unknown attacks in the evaluated BACnet/IP managed BAS network.

    Secure Control Applications in Smart Homes and Buildings

    With today’s ongoing integration of heterogeneous building automation systems, increased comfort, energy efficiency, improved building management, sustainability as well as advanced applications such as active & assisted living scenarios become possible. These smart homes and buildings are implemented as decentralized systems, where embedded devices are connected via networks to exchange their data. Obviously, the demands – especially regarding security – increase: secure communication becomes as important as secure software being executed on the embedded devices. While the former has been addressed by standardization committees, manufacturers and researchers, until now the problem of secure control applications in this domain has not been addressed extensively. This leads to insecure and unprotected software being executed on the embedded devices. Thus, adversaries are capable of attacking building automation systems. This paper introduces an architecture for distributed control applications in smart homes and buildings, which tackles the problem of how to secure software running on different device classes. The following novelties are contributed: an application model capable of depicting control applications in a formal way, the concept of security attributes, being able to formally specify a security policy, and a framework, which allows the secure development and execution of control applications, and an enforcement of the defined security policies.
    Intelligent Electrical Power Grid

    Secure control applications in smart homes and buildings

    Abstract in German: The increasing integration of heterogeneous building automation systems enables increased comfort, energy efficiency, improved building management, sustainability, and extended areas of application such as "Active Assisted Living" scenarios. Today, these smart homes and buildings are implemented as decentralized systems in which embedded devices exchange process data over a network. Obviously, the requirements for such systems change as a result, above all with regard to information and data security. Secure communication is of similar importance to software security. While the former topic has already been taken up by standardization committees and manufacturers, there has so far been no scientific treatment of how the problem of software security can be realized system-wide in this domain. No generic attack model is known, and security recommendations are lacking. Existing protection mechanisms are either too time- and cost-intensive, cannot easily be transferred to existing technologies, or do not take the particular requirements into account. The design and implementation of security measures is therefore left to developers, who are often overwhelmed by the diversity of the problem and of the security requirements. As a result, control applications are implemented insecurely, and adversaries are able to attack building automation systems. This dissertation presents an architecture for secure and distributed control applications in smart homes and buildings. It is intended to solve the problem of how this software can be executed securely on the different, often embedded, systems. The following topics, which have not yet been treated scientifically, are discussed: a comprehensive identification of the security requirements, an application model that allows control applications to be specified formally, the concept of security attributes that allow a security policy to be formulated, and, last but not least, an architecture that guarantees the secure development and execution of control applications as well as compliance with security policies.
    With today's ongoing integration of heterogeneous building automation systems, increased comfort, energy efficiency, improved building management, sustainability as well as advanced applications such as active assisted living scenarios become possible. These smart homes and buildings are implemented as decentralized systems, where embedded devices are connected via networks to exchange their data. Obviously, the demands - especially regarding security - increase: secure communication becomes as important as secure software being executed on the embedded devices. While the former has (recently) been addressed by standardization committees and manufacturers, until now no scientific research is available that targets the problem of secure control applications in this domain. No attack model has been defined, no security measures have been recommended, and existing measures from other domains are either too cost- or time-intensive to deploy, cannot be trivially applied to, or do not cover specific demands and constraints of the building automation domain. Thus, deploying adequate control application security measures is left open to developers, who are overburdened with the manifold and often unknown security requirements. This leads to insecure control applications, which enable adversaries to attack building automation systems.
This dissertation introduces an architecture for distributed control applications in smart homes and buildings, which tackles the problem of how to secure software running on different device classes. The following novelties are contributed, which - to the best knowledge of the author - have not been addressed in research yet: a comprehensive identification of security requirements for control applications in smart homes and buildings, an application model capable of depicting control applications in a formal way, the concept of security attributes, being able to formally specify a security policy, and a framework, which allows the secure development and execution of control applications, and an enforcement of the defined security policies.