Flow-Based Security Issue Detection in Building Automation and Control Networks

(1)

Flow-based Security Issue Detection in Building Automation and Control Networks

Pavel Čeleda, Radek Krejčí, Vojtěch Krmíček

{celeda|vojtec}@ics.muni.cz, [email protected]

18th EUNICE Conference on Information and Communications Technologies

29-31 August 2012, Budapest, Hungary

(2)

Part I

(3)

Building Automation and Control Systems (BACS) I

Masaryk University Campus

(4)

Building Automation and Control Systems (BACS) II

What are the advantages of flow-based monitoring in BACS networks, and how can it help to detect security issues in these networks?


(6)

BACnetFlow

BACnet Protocol
- Communication protocol for BACS networks.
- ASHRAE Standard 135; a U.S. standard, adopted by ISO (as ISO 16484-5) and in the EU.
- Contains key information about BACS network traffic.

BACnetFlow
- An IP flow record extended with BACnet-specific fields, for BACnet networks.

[Figure: protocol layers carried by each record type. NetFlow: ETH, IP, TCP/UDP. BACnetFlow: ETH, VLAN, IP, TCP/UDP, BACnet. Other traffic on the wire (ARP, ISMP, LLDP, Slow protocols, ...) is covered by neither.]

(7)

Monitored Network

Masaryk University Network, including the university campus BACS network.

[Figure: the BACS network (two BACnet networks plus the management servers) is observed through a 1Gb/s mirror port by BACnetFlow probes; the university network's Internet uplink is observed through a 10Gb/s TAP by FlowMon probes.]

(8)

Part II

(9)

Attack from Building Automation System

AIDRA Botnet in a Nutshell
- Linux malware: IRC bots with central C&C servers.
- Based on the source code of the Hydra botnet.
- Attacks poorly configured ARM, MIPS, MIPSEL, PPC and SH4 Linux embedded devices (default Telnet credentials).
- First attacks observed at Masaryk University on 2011-12-04.

[Screenshot: AIDRA in action (2011.1 private version)]

(10)

AIDRA Infected Device
- Modular automation station for intelligent buildings.
- Communication protocols: BACnet/IP and TCP/IP.
- Linux based (PPC), with integrated web and telnet server.
- The AIDRA botnet does not support any targeted attacks against intelligent buildings!

(11)

Telnet Attacks Against Masaryk University Network

[Figure: four time-series panels over one day (12:00 to 08:00 the next morning): Telnet traffic (kb/s, 0 to 80), Telnet packets/s (0 to 160), Telnet flows/s (0 to 160), and Telnet destination IP address entropy H(dstIP) (0 to 20 bits). Events (1), (2) and (3) are marked on every panel.]

(1) AIDRA massive horizontal scan, 60 to 130 thousand flows (15-minute window).
(2) AIDRA massive horizontal scan, 60 to 130 thousand flows (60-minute window).
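The destination-address entropy in the figure is a cheap scan indicator that needs nothing but flow records: one host sweeping many Telnet destinations raises both the flow rate and H(dstIP) at once, whereas a busy but legitimate session raises packets and bytes while the entropy stays flat. The Python below is an added example, not code from the slides. It buckets Telnet flows into fixed windows, computes the flow count and H(dstIP) per window, and alerts when both cross thresholds; the flow records, the 60-second window and the thresholds are constructed assumptions.

```python
"""Horizontal Telnet scan detection from flow records (added example).

Per window: Telnet flow count and Shannon entropy of the destination address,
the two indicators the figure plots. Thresholds and addresses are assumed.
"""
from collections import Counter, defaultdict
from math import log2

TELNET_PORT = 23


def dst_ip_entropy(flows):
    """Shannon entropy in bits of the destination-address distribution."""
    counts = Counter(f["dst"] for f in flows)
    total = sum(counts.values())
    return -sum(c / total * log2(c / total) for c in counts.values()) if total else 0.0


def window_stats(flows, window_s):
    """Bucket Telnet flows into fixed windows; return count, H(dstIP) and top source."""
    buckets = defaultdict(list)
    for f in flows:
        if f["dport"] == TELNET_PORT:
            buckets[f["ts"] // window_s * window_s].append(f)
    return {
        start: {
            "flows": len(fs),
            "entropy": dst_ip_entropy(fs),
            "top_src": Counter(f["src"] for f in fs).most_common(1)[0][0],
        }
        for start, fs in sorted(buckets.items())
    }


def detect_horizontal_scan(flows, window_s=60, min_flows=100, min_entropy=6.0):
    """Windows where the flow count and the entropy both exceed the (assumed) thresholds."""
    return [(start, s) for start, s in window_stats(flows, window_s).items()
            if s["flows"] >= min_flows and s["entropy"] >= min_entropy]


def sample_flows():
    """Constructed records: five quiet minutes from an admin host to two devices,
    one non-Telnet flow, then one minute in which a single host sweeps 200 addresses."""
    flows = []
    for minute in range(5):
        for i in range(10):
            flows.append({"ts": minute * 60 + i * 6, "src": "10.0.0.5",
                          "dst": f"10.0.1.{i % 2 + 1}", "dport": TELNET_PORT})
    flows.append({"ts": 7, "src": "10.0.0.5", "dst": "10.0.1.1", "dport": 80})  # ignored
    for i in range(200):
        flows.append({"ts": 300 + (i * 60) // 200, "src": "10.0.7.77",
                      "dst": f"192.0.2.{i}", "dport": TELNET_PORT})
    return flows


if __name__ == "__main__":
    for start, s in window_stats(sample_flows(), 60).items():
        print(f"t={start:4d}s flows={s['flows']:3d} H(dstIP)={s['entropy']:.2f}")
    for start, s in detect_horizontal_scan(sample_flows()):
        print(f"ALERT t={start}s horizontal Telnet scan from {s['top_src']}")
```

On the constructed input the five quiet windows sit at 10 flows and H(dstIP) = 1 bit (two destinations, evenly used), while the scan window reaches 200 flows and log2(200) ≈ 7.64 bits, so only that window alerts. The thresholds would be tuned to the site's baseline in practice; the point is that the pair of indicators separates a sweep from mere volume.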

(12)

Part III

(13)

Worldwide Connection Attempts to BACS Network

Attackers' primary interests were the following services: SSH, TELNET,

(14)

Week-long Access Control Validation Results

Incoming and Outgoing BACS Network Traffic

Direction  Protocol      Bytes  Packets  Flows
In         TCP         2217553    23122    323
In         UDP               0        0      0
In         ICMP           6812      100     96
Out        TCP        15248736    33267    287
Out        UDP         2068299    27396  13113
Out        ICMP           4202       65     65
Total                  19545602    83950  13884

Found Issues

1) Foreign or public DNS servers, e.g. Google Public DNS.
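Rebuilding the table above and checking for the found issue is a mechanical job over the same flow records. The Python below is an added example, not the authors' tooling. It classifies each flow as inbound or outbound relative to an assumed BACS prefix, rebuilds the Direction/Protocol/Bytes/Packets/Flows summary, and flags two policy violations the deck supports: outbound DNS to a resolver outside the site (the foreign/public DNS finding) and inbound SSH or Telnet from outside the site (the services Part III says attackers probed). The prefixes, the permitted resolver and the flow records are constructed.

```python
"""Access-control validation of BACS network edge traffic from flow records
(added example). Address ranges, resolver and records are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

BACS_NET = ip_network("10.20.0.0/16")          # assumed BACS address range
SITE_NET = ip_network("10.0.0.0/8")            # assumed whole-site range
ALLOWED_RESOLVERS = {ip_address("10.1.1.53")}  # assumed internal DNS server
PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}
ADMIN_PORTS = {22: "ssh", 23: "telnet"}


def direction(flow):
    """'In' or 'Out' relative to the BACS network; None when both ends are
    inside it or both outside (not part of the edge report)."""
    src_in = ip_address(flow["src"]) in BACS_NET
    dst_in = ip_address(flow["dst"]) in BACS_NET
    if src_in != dst_in:
        return "Out" if src_in else "In"
    return None


def summarize(flows):
    """{(direction, protocol): [bytes, packets, flows]} plus a 'Total' row."""
    table = defaultdict(lambda: [0, 0, 0])
    for f in flows:
        d = direction(f)
        if d is None:
            continue
        for row in (table[(d, PROTO.get(f["proto"], str(f["proto"])))], table["Total"]):
            row[0] += f["bytes"]
            row[1] += f["packets"]
            row[2] += 1
    return dict(table)


def find_issues(flows):
    """Policy violations as (rule, src, dst) tuples, in flow order."""
    issues = []
    for f in flows:
        d = direction(f)
        if d == "Out" and f["proto"] == 17 and f["dport"] == 53 \
                and ip_address(f["dst"]) not in ALLOWED_RESOLVERS:
            issues.append(("foreign-dns", f["src"], f["dst"]))
        if d == "In" and f["proto"] == 6 and f["dport"] in ADMIN_PORTS \
                and ip_address(f["src"]) not in SITE_NET:
            issues.append((f"external-{ADMIN_PORTS[f['dport']]}", f["src"], f["dst"]))
    return issues


def sample_flows():
    """Constructed extract: one internal BACnet/IP flow (ignored by the edge report),
    inbound SSH from the Internet, a web session from the site, DNS to the internal
    resolver and to Google Public DNS, and one ICMP flow in each direction."""
    def flow(src, dst, proto, dport, nbytes, pkts):
        return {"src": src, "dst": dst, "proto": proto, "dport": dport,
                "bytes": nbytes, "packets": pkts}
    return [
        flow("10.20.1.10", "10.20.1.11", 17, 47808, 400, 4),
        flow("198.51.100.7", "10.20.1.10", 6, 22, 1200, 10),
        flow("10.1.5.5", "10.20.1.10", 6, 80, 5000, 30),
        flow("10.20.1.10", "10.1.1.53", 17, 53, 300, 2),
        flow("10.20.1.12", "8.8.8.8", 17, 53, 250, 2),
        flow("10.1.5.5", "10.20.1.12", 1, 0, 98, 1),
        flow("10.20.1.12", "10.1.5.5", 1, 0, 98, 1),
    ]


if __name__ == "__main__":
    for key, (b, p, n) in summarize(sample_flows()).items():
        print(f"{str(key):18} bytes={b:6d} packets={p:4d} flows={n}")
    for issue in find_issues(sample_flows()):
        print("ISSUE", issue)
```

The report deliberately excludes BACS-internal traffic, as the slide's table does, so the Total row only counts flows that crossed the BACS boundary. A week of real records would be read from the collector rather than constructed inline; the classification and rules stay the same.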

(15)

Part IV

(16)

BACnet Router Spoofing Attack

[Figure: BACnet Router Messages, flows over one day (00:00 to 00:00), y-axis 0 to 20 flows.]

BACnet over IP routers broadcasting I-Am-Router-To-Network and

(17)

BACnet Device Discovery DoS Attack

[Figure, upper panel: flows/s (0 to 40) over one day, 04:00 to 20:00; series (1) Who-Is and (2) I-Am.]

[Figure, lower panel: flows/s (0 to 40) over one week, Tue 13/03 to Tue 20/03; series (1) Who-Is and (2) I-Am.]

(18)

BACnet Write-Property Attack

[Figure, upper panel: flows/s (0 to 4) over one week, Tue to Tue; series (1) Read-Property and (2) Write-Property.]

[Figure, lower panel: packets/s (0 to 80) over one week, Tue 13/03 to Tue 20/03; series (1) Read-Property and (2) Write-Property.]
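The three attacks in Part IV (router spoofing, the Who-Is discovery flood and unexpected Write-Property requests) and the BACnetFlow record introduced in slide 6 come down to one requirement: the flow key has to carry the BACnet service, which plain NetFlow never sees. The Python below is an added example, not the authors' BACnet toolset. It decodes the BVLC, NPDU and APDU headers of a BACnet/IP datagram just far enough to name the service, keys datagrams by (src, dst, service) per second the way a BACnetFlow record would, and applies one rule per attack. The router and management-server addresses, the Who-Is threshold and the hand-encoded datagrams are assumptions; the field layouts follow ASHRAE 135.

```python
"""BACnet/IP service classification and BACnetFlow-style detection (added example).

Addresses, thresholds and datagrams are constructed; encodings follow ASHRAE 135.
"""
import struct
from collections import Counter, defaultdict

NET_MSG = {0x00: "Who-Is-Router-To-Network", 0x01: "I-Am-Router-To-Network",
           0x02: "I-Could-Be-Router-To-Network"}
UNCONFIRMED = {0x00: "I-Am", 0x08: "Who-Is"}
CONFIRMED = {0x0C: "Read-Property", 0x0F: "Write-Property"}
KNOWN_ROUTERS = {"10.20.0.1"}    # assumed legitimate BACnet/IP routers
MGMT_SERVERS = {"10.20.0.10"}    # assumed hosts permitted to write properties
WHO_IS_LIMIT = 20                # assumed Who-Is per second from one host


def parse_bacnet_ip(data):
    """Return (layer, service) for one datagram; raise ValueError if malformed."""
    if len(data) < 6 or data[0] != 0x81:
        raise ValueError("not a BVLC frame")
    func, length = data[1], struct.unpack(">H", data[2:4])[0]
    if length != len(data):
        raise ValueError("BVLC length mismatch")
    if func not in (0x0A, 0x0B):          # only Original-Unicast/Broadcast-NPDU handled
        return "bvlc", f"function-0x{func:02x}"
    npdu = data[4:]
    if npdu[0] != 0x01:
        raise ValueError("unsupported NPDU version")
    ctrl, i = npdu[1], 2
    if ctrl & 0x20:                       # DNET(2) DLEN(1) DADR(DLEN)
        i += 3 + npdu[i + 2]
    if ctrl & 0x08:                       # SNET(2) SLEN(1) SADR(SLEN)
        i += 3 + npdu[i + 2]
    if ctrl & 0x20:                       # hop count follows the source fields
        i += 1
    if ctrl & 0x80:                       # network-layer message, no APDU
        return "network", NET_MSG.get(npdu[i], f"net-msg-0x{npdu[i]:02x}")
    apdu = npdu[i:]
    pdu_type = apdu[0] >> 4
    if pdu_type == 1:                     # Unconfirmed-Request: type, service choice
        return "apdu", UNCONFIRMED.get(apdu[1], f"unconfirmed-{apdu[1]}")
    if pdu_type == 0:                     # Confirmed-Request: type, max-resp, invoke id,
        svc = apdu[5] if apdu[0] & 0x08 else apdu[3]  # [seq, window if SEG], service
        return "apdu", CONFIRMED.get(svc, f"confirmed-{svc}")
    return "apdu", f"pdu-type-{pdu_type}"


def bacnet_flows(records):
    """{second: Counter{(src, dst, service): datagrams}} from (ts, src, dst, bytes)."""
    flows = defaultdict(Counter)
    for ts, src, dst, payload in records:
        flows[int(ts)][(src, dst, parse_bacnet_ip(payload)[1])] += 1
    return flows


def detect(records):
    """Alerts as (second, rule, src) derived from the per-second BACnet flow keys."""
    alerts = []
    for ts, counters in sorted(bacnet_flows(records).items()):
        for (src, dst, service), n in counters.items():
            if service == "I-Am-Router-To-Network" and src not in KNOWN_ROUTERS:
                alerts.append((ts, "router-spoofing", src))
            elif service == "Who-Is" and n > WHO_IS_LIMIT:
                alerts.append((ts, "discovery-flood", src))
            elif service == "Write-Property" and src not in MGMT_SERVERS:
                alerts.append((ts, "unauthorized-write", src))
    return alerts


# Constructed datagrams, BVLC | NPDU | APDU, hand-encoded per ASHRAE 135.
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")                         # global Who-Is
I_AM = bytes.fromhex("810b00180120ffff00ff1000c4020000012205c49100210f")   # device 1 I-Am
I_AM_ROUTER = bytes.fromhex("810b00090180010002")                           # router to net 2
READ_PROP = bytes.fromhex("810a001101040005010c0c000000011955")             # AI:1 present-value
WRITE_PROP = bytes.fromhex("810a001801040005020f0c0000000119553e4442c800003f")  # AI:1 PV := 100.0


def sample_records():
    """Constructed capture: legitimate discovery and router at t=0, a Who-Is flood
    at t=1, a rogue router announcement at t=2, a permitted and a rogue write at t=3."""
    bcast, ctrl, dev = "10.20.255.255", "10.20.0.10", "10.20.1.50"
    recs = [(0, ctrl, bcast, WHO_IS), (0, dev, ctrl, I_AM), (0, "10.20.0.1", bcast, I_AM_ROUTER)]
    recs += [(1, "10.20.5.5", bcast, WHO_IS)] * 50
    recs += [(2, "10.20.9.9", bcast, I_AM_ROUTER), (3, ctrl, dev, READ_PROP),
             (3, ctrl, dev, WRITE_PROP), (3, "10.20.9.9", dev, WRITE_PROP)]
    return recs


if __name__ == "__main__":
    for alert in detect(sample_records()):
        print("ALERT", alert)
```

The parser stops at the service choice on purpose: a flow probe does not need the property values, only enough of the header to key the record, which keeps per-packet cost low. Note that I-Am-Router-To-Network is a network-layer NPDU message (control bit 7 set), not an APDU, so a detector that only classifies APDUs would miss the router-spoofing case entirely.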

(19)

Part V

(20)

Conclusion

Summary
- Any embedded device can threaten others.
- Flow-based monitoring in BACS networks is a valuable source of information.
- Even application-protocol-specific attacks can be detected using the flow approach.

Future Work

(21)

Thank You For Your Attention!

Pavel Čeleda et al.

[email protected]

BACnet Toolset

http://dior.ics.muni.cz/~celeda/bacnet

[Figure: Flow-based Security Issue Detection in BACnet, a BACnet over IP scenario showing an operator, a compromised line and an attacker.]
