Upload
duongcong
View
220
Download
0
Embed Size (px)
Citation preview
© Cyber Defense Research Group, Fraunhofer FKIE
Steffen Wendzel
Head of Secure Building Automation | with contributions by S. Szlósarczyk and J.Kaur
BACnet Security &
Smart Building Botnets
Cyber Defense
© Cyber Defense Research Group, Fraunhofer FKIE
Smart Buildings?
Integrate a Building Automation System (BAS) for control, monitoring,
management
Early systems:
pneumatic components (1950’s)
heating, ventilation, air-
conditioning (HVAC)
Later:
first electronic components (60’s)
… and IT network components
© Cyber Defense Research Group, Fraunhofer FKIE
Smart Buildings?
Today:
Huge functionality spectrum
Integrated into “Internet of
Things”
“Smart”
Respond to internal and external
changes
© Cyber Defense Research Group, Fraunhofer FKIE
Smart Buildings: Goals
Energy saving
Reducing operating costs
Reducing the cost of churn
Enhanced life safety and security
Fast and effective service
Environmental friendly
© Cyber Defense Research Group, Fraunhofer FKIE
Smart Building A != Smart Building B
professional operators
constant monitoring
of BAS functionality
immediate response to
problems
professional operators
constant monitoring
of BAS functionality
immediate response to
problems
Large Scale/ Complex
Large Scale/ Complex
janitors with limited skills
professional operation
via 3rd party
janitors with limited skills
professional operation
via 3rd party
Commercial Building
Commercial Building
private owners
most know-how lost after construction
finished
private owners
most know-how lost after construction
finished
Smart Home Smart Home
© Cyber Defense Research Group, Fraunhofer FKIE
How many are online accessible?
Nobody knows exactly!
Estimations exist
Malchow and Klick (2014) counted building automation environments
most were found in the US (circa 15.000)
of the found BAS, 9% were linked to known vulnerabilities
Alternative: local/regional BAS wardriving
© Cyber Defense Research Group, Fraunhofer FKIE
Security Aspects
First issues arose in the 1990‘s
Internet of Things increases security concerns
Easy to apply attacks known from TCP/IP (e.g. spoofing)
Focus of vendors: security << functionality
Lack of security awareness
Legacy hard- and software (security means are not always implementable)
Patchability problem
Insecure web-interfaces / remote access
© Cyber Defense Research Group, Fraunhofer FKIE
Data Leakage via BAS
(Un)intentional data leakage using remote connection of a BAS
via network covert channel
Connection used for legitimate purpose (administration of remote buildings)
BAS Network
IP G
ate
way
Sensor
External (BAS)
Network or Internet
Passive Observer
BAS Protocol
Source: Wendzel, S., Kahler, B., Rist, T.: Covert Channels And Their Prevention In Building Automation Protocols: A Prototype Exemplified Using BACnet, Proc. CPSCom, IEEE, 2012.
© Cyber Defense Research Group, Fraunhofer FKIE
Data Leakage via BAS
Our Solution: Multi-level security BAS network architecture
Prototype already realized
BAS Network
Sensor
(CONFIDENTIAL)
External (BAS)
Network or Internet
Passive Observer
BAS Protocol
Source: Wendzel, S., Kahler, B., Rist, T.: Covert Channels And Their Prevention In Building Automation Protocols: A Prototype Exemplified Using BACnet, Proc. CPSCom, IEEE, 2012.
IP G
ate
way
ML
S F
ilter
MLS-based Routing
© Cyber Defense Research Group, Fraunhofer FKIE
Smart Building Botnets (SBB)
Short Definition:
A botnet consisting of BAS
bots placed either on control units
… or remote-control is directly
performed (no bot necessary)
Utilize physical capabilities of BAS
to perform malicious actions
no spam, no DoS, …
novel scenarios instead!
Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.
© Cyber Defense Research Group, Fraunhofer FKIE
Smart Building Botnets (SBB)
How to build it?
Search Shodan
Perform BAS Wardriving
GPS-enabled smartphones with
malware
Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.
© Cyber Defense Research Group, Fraunhofer FKIE
Example 1: Mass Surveillance
Remote access to sensor data
Monitoring of sensor values and
actuator states (temperature,
presence, heating levels, …)
Who in a smart city goes so often to
the bathroom each night and is
probably ill?
When can a break-in attempt to a
region be performed at the optimal
moment? Where exactly?
Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.
© Cyber Defense Research Group, Fraunhofer FKIE
Scenario 2: Oil / Gas Producer
Thinkable regional attack
Slightly increase heating levels in
smart buildings over night
… to sell more oil or gas
Not easy to keep a low profile!
e.g. determining vacant rooms
using observation
Source: Wendzel, S., Zwanger, V., Meier, M., Szlosarczyk, S.: Envisioning Smart Building Botnets, in Proc. Sicherheit, GI, Vienna, 2014.
© Cyber Defense Research Group, Fraunhofer FKIE
Various Protocols Exist
Closed Protocols / Open Protocols
EIB/KNX, LONtalk, BACnet are most widely used
We focus on BACnet …
© Cyber Defense Research Group, Fraunhofer FKIE
BACnet in a Nutshell Overview
Building Automation Control and Network (BACnet)
A leading protocol in BAS
(remote) control and management of smart buildings
monitoring of buildings and according devices
Data and communication of all devices specified in ISO-Standard 16-484-5
Worldwide >>700 vendors
© Cyber Defense Research Group, Fraunhofer FKIE
BACnet in a Nutshell Comparison to OSI Layer Model
Defines four layers
© Cyber Defense Research Group, Fraunhofer FKIE
BACnet in a Nutshell NPDU
Network Protocol Data Unit (NPDU)
serves for communication of all the
devices on network layer
Control flow and address resolution
are managed with Network Protocol
Control Information (NPCI)
Opportunity to prioritize messages
Payload depicted in Network
Service Data Unit (NSDU)
network message, e.g. Who-Is
contents of application action
(APDU)
© Cyber Defense Research Group, Fraunhofer FKIE
BACnet in a Nutshell APDU
Application Protocol Data Unit
(APDU) serves for communication
of all the devices on application
layer
Datagram type (PDU Type) and
segmentation information are
managed via Application Protocol
Control Information (APCI)
Payload depicted in Service
Request field
Request /response for / of
application action of a device
encoded in ASN.1
© Cyber Defense Research Group, Fraunhofer FKIE
EXPLOITING BUILDING
AUTOMATION PROTOCOLS
Behind the scenes --- a contribution by S. Szlósarczyk
© Cyber Defense Research Group, Fraunhofer FKIE
Practical security flaws in BACnet
Authentication and encryption means are specified by the standard,
nevertheless they are rarely implemented
Interrogation / scanning made possible
Large attack surface (few were already known before)
Smurf-like attack
Router Adv. Flooding
Traffic Redirection
DoS Re-Routing
Malformed Messages
Inconsistent Retransmissions
© Cyber Defense Research Group, Fraunhofer FKIE
Behind the scenes: Exploiting BAS Attacking scenario
Attacker Eve: Sends
malformed or spoofed
messages remotely to one
or more devices in the BAS
subnet
BACnet Broadcast
Management Device
(BBMD) routes all the
messages to the
corresponding destination
device
Exploitation of device by
Eve
© Cyber Defense Research Group, Fraunhofer FKIE
Behind the scenes: Exploiting BAS Smurf Attack
Eve spoofs Who-is-Router-
to-Network messages with
victim’s source address
Victim receives all the
outgoing/incoming traffic
from all devices in the
subnet
Exploit: DoS in the case of
a too large amount of
messages
© Cyber Defense Research Group, Fraunhofer FKIE
Behind the scenes: Exploiting BAS Traffic Redirection
Eve fakes selected Router-
Available-to-Network
messages
BBMD simply forwards all
incoming and outgoing
messages
Exploit: Eve receives ALL
routed messages as the
devices register her as
“HOP”
© Cyber Defense Research Group, Fraunhofer FKIE
TRAFFIC NORMALIZATION
Our solution to prevent attacks:
© Cyber Defense Research Group, Fraunhofer FKIE
Traffic Normalization Methodology
Eliminates ambiguities and prevents devices of proposed attacks, e.g. several
types of Denial of Service (DoS) on network layer
Can ensure standard conforming network traffic
Ability to secure legacy systems which are not patchable
independent of any platform
can be integrated into each network protocol
Internet Intranet
Normalizer
Source: S. Szlósarczyk, S. Wendzel et al.: Towards Suppressing Attacks on and Improving Resilience of Building Automation Systems, in Proc. GI Sicherheit, Vienna, 2014.
© Cyber Defense Research Group, Fraunhofer FKIE
Traffic Normalization for BACnet
Developed a Snort extension for
BACnet
Developed a Scapy-based BACnet
protocol fuzzer
Realizing traffic normalization for
BACnet/IP‘s network and application
layer
New research project started with
industry partner (funded by German
BMBF)
„Building Automation Reliable
Network Infrastructure“ (BARNI)
Traffic
Normalizer
Source: S. Szlósarczyk, S. Wendzel et al.: Towards Suppressing Attacks on and Improving Resilience of Building Automation Systems, in Proc. GI Sicherheit, Vienna, 2014.
© Cyber Defense Research Group, Fraunhofer FKIE
DISTRIBUTED BACnet
TESTBED
Supporting the Research Community:
© Cyber Defense Research Group, Fraunhofer FKIE
Distributed BACnet Testbed
Large inter-connection of autonomous BACnet environments
Consisting of virtual and real BAS components
Source: J. Kaur et al.: A Cost-efficient building automation security testbed for educational purposes, poster at Securware, Lisbon, 2014 (to appear).
© Cyber Defense Research Group, Fraunhofer FKIE
Distributed BACnet Testbed
Why?
1. research (traffic recordings, traffic analysis, DLP etc.)
2. education (BACnet attack training and monitoring for students)
you can join!
Source: J. Kaur et al.: A Cost-efficient building automation security testbed for educational purposes, poster at Securware, Lisbon, 2014 (to appear).
© Cyber Defense Research Group, Fraunhofer FKIE
Summary
Traffic
Normalizer
Our means to increase security in BAS:
Multi-level security and data leakage protection
for building automation networks
Traffic normalizer for BACnet
Virtual Inter-connected testbed for
the research community
© Cyber Defense Research Group, Fraunhofer FKIE
Thank you for your kind attention!
Our Expertise:
Secure Building Automation
Data Leakage Protection
Network Steganography/
Network Covert Channels
Steffen Wendzel
Head of Secure Building Automation
Cyber Security Department
Fraunhofer FKIE
Personal website:
http://www.wendzel.de
Links to the publications mentioned in this talk:
http://ieeexplore.ieee.org/xpls/abs_all.jsp?arnumber=6468400&tag=1
http://www.wendzel.de/dr.org/files/Papers/EnvisioningSmartBuildings.pdf
http://www.wendzel.de/dr.org/files/Papers/BACnet_TN_Paper_GISich.pdf
If you want to know more about capabilities of network covert channels:
http://www.wendzel.de/dr.org/files/Papers/mp_survey.pdf