Securing Building Automation System


Our Building Automation System is secure!

You wish! Unfortunately, it is often not true.

Forescout researchers found many devices with known vulnerabilities (CVEs) and publicly reachable interfaces. More troubling, many of these devices with exposed public interfaces were found at hospitals and schools. A separate study by CyberX notes that about 84% of the sites have at least one remotely accessible device.

Building Automation Systems running on BACnet have vulnerabilities that fall into two broad categories: those inherent to the protocol and operational ones.

Protocol-specific vulnerabilities are:

1. Missing authentication at the protocol level

2. Lack of encryption, which makes it easy to spoof or replay traffic

3. The BACnet/IP broadcast management device (BBMD) function can be misused.

Operational challenges are:

1. Outdated and legacy software with inherent vulnerabilities

2. Remote access for maintenance and troubleshooting.

The following picture shows the number of BACnet devices with the BBMD function enabled that are exposed to the internet.


The devices shown above expose the default BACnet port 47808 with the BBMD function enabled, and can therefore allow any device on the internet to register as a foreign device through the BBMD function. This permits the externally registered device to talk to any building automation endpoint as if it were operating on the local LAN.
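As an added example (not from the original article or from Hmatix), the following Python code shows how a monitoring point could flag the BBMD-related BVLC messages described above when they arrive from outside a trusted subnet. The trusted subnet, the sample datagrams and all function names are assumptions made for illustration; the BVLC function codes are those defined in ASHRAE 135 Annex J.

```python
import ipaddress
import struct

BACNET_PORT = 47808  # default BACnet/IP UDP port
# BVLC function codes (ASHRAE 135 Annex J) that use or change BBMD state.
BBMD_FUNCTIONS = {
    0x01: "Write-Broadcast-Distribution-Table",
    0x05: "Register-Foreign-Device",
    0x08: "Delete-Foreign-Device-Table-Entry",
    0x09: "Distribute-Broadcast-To-Network",
}
# Assumption: the only subnet allowed to use BBMD services at this site.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]

def parse_bvlc(payload):
    """Return (function, body) for a well-formed BVLC frame, else None."""
    if len(payload) < 4:
        return None
    bvlc_type, function, length = struct.unpack("!BBH", payload[:4])
    if bvlc_type != 0x81 or length != len(payload):
        return None  # not BACnet/IP, or length field disagrees with datagram
    return function, payload[4:]

def check_datagram(src_ip, dst_port, payload):
    """Return an alert string for BBMD traffic from an untrusted source."""
    parsed = parse_bvlc(payload) if dst_port == BACNET_PORT else None
    if parsed is None:
        return None
    function, body = parsed
    name = BBMD_FUNCTIONS.get(function)
    trusted = any(ipaddress.ip_address(src_ip) in n for n in TRUSTED_NETS)
    if name is None or trusted:
        return None
    # Register-Foreign-Device carries a 2-byte time-to-live in seconds.
    ttl = " ttl=%ds" % struct.unpack("!H", body) if function == 0x05 and len(body) == 2 else ""
    return "ALERT %s from untrusted source %s%s" % (name, src_ip, ttl)

# Constructed sample datagrams: (source IP, destination UDP port, payload).
SAMPLES = [
    ("203.0.113.7", 47808, bytes.fromhex("810500060e10")),  # register, TTL 3600
    ("10.20.4.15", 47808, bytes.fromhex("810500060e10")),   # same, trusted source
    ("203.0.113.7", 47808, bytes.fromhex("810a000801001008")),  # ordinary unicast NPDU
    ("203.0.113.7", 47808, bytes.fromhex("8105")),          # truncated frame
]

def scan(samples):
    return [alert for alert in (check_datagram(*s) for s in samples) if alert]

if __name__ == "__main__":
    print("\n".join(scan(SAMPLES)))
```

Only the first constructed datagram raises an alert; the trusted-source registration, the ordinary unicast frame and the truncated frame are ignored.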

For example, the HVAC network layout shown below can be extremely vulnerable if the BACnet service port is accessible from the internet with the BBMD function enabled.

Figure 1: Typical BACnet based Building Automation System


The above network layout can also allow local malicious actors to try to connect to the HVAC supervisory node or controller using BACnet fuzzer code. At a recent Black Hat conference, it was demonstrated how easy it is to cause a segmentation fault on a BACnet server.

Securing Building Automation System using Hmatix Solution

Hmatix recommends the following security measures to protect Smart Building Automation Systems. This is in line with the NIST SP 800-82 recommendations.

Figure 2: Securing BACnet based HVAC system with Hmatix


