What do ICS asset owners need to know about the threat environment? Below is an Indications and Warnings report that went out recently as part of our ICS Cyber Situational Awareness and Threat Intelligence Service. If you are interested in subscribing, contact us at info@critical-intelligence.com to obtain a quote.

European researchers explore the possibility of BACnet botnets

Category: Indications and Warnings
Date: April 12, 2014
Priority: Medium
Sector(s): Building Automation
Confidence: Medium

A team of European researchers has published investigations into the security of BACnet devices and networks. The paper "Envisioning Smart Building Botnets" by Steffen Wendzel, Viviane Zwanger, Michael Meier, and Sebastian Szlósarczyk describes [1]:

Our botnet concept and scenario is novel in the sense that it takes advantage of the physical capabilities of a building and as it has to adapt to a specialized environment being highly deterministic, predictable, simplistic and conservative. These properties make anomalies easy to detect. Smart building botnets allow the monitoring and remote control of (critical) building automation infrastructure in public and private facilities, such as airports or hospitals. We discuss why building automation botnets could thus enable attackers to cause various critical damage on whole regions and economies. Hiding the command and control communication is a highly beneficial step to adapt botnets to the BAS environment. We show that this is not necessarily a big hurdle and can be solved using existing covert channel techniques.

The authors explain why building automation systems would be of interest to attackers:

The benefits for malware developers are manifold. First, malware attackers could monitor events (e.g. movement patterns) in a large number of buildings and could thus create usage profiles of inhabitants, which could be sold later on a black market. Second, miscreants can aim at causing a denial-of-service in a building (e.g. forcing an evacuation by a false fire alarm). Third, in contrast to mobile devices and PC systems, BAS are permanently available, rarely modified, face nearly no security features, are designed for long-term deployment and are rarely patched. This makes them an excellent choice for placing bots. Fourth, buildings can be used to blackmail their inhabitants and owners (e.g. forcing the transfer of money to a bank account to end a disruption on a critical system such as an airport baggage transfer system or lifts in a hospital).

The authors theoretically describe how attackers would build such a botnet: by scanning the Internet, by relying on Shodan, or by conducting war-driving to identify wireless building automation systems. They do not, however, provide the technical details of the proposed covert channel.

The authors have written a second paper, "Towards Suppressing Attacks on and Improving Resilience of Building Automation Systems - an Approach Exemplified Using BACnet" [2], that advances "traffic normalizers" to reduce the likelihood of successful covert channel attacks.

The authors presented an extension of their work at the "Hack in the Box" Amsterdam conference in late May 2014 [3]:

We present the first prototype of a BACnet traffic normalizer based on Snort which we currently develop. We design our normalization to be capable to significantly increase the robustness of BAS networks by protecting BACnet network stack implementations against malformed packets and packets linked to selected attacks as well as by ensuring the compliance of BACnet messages. Our normalization rules are additionally a means to counter fuzzing attacks and to provide protection for usually seldom updated BACnet devices as patching is a challenging task in BAS.

The research follows an investigation into the security of the BACnet protocol by Brad Bowers in 2013 [4] [5]. Digital Bond released a BACnet scanning tool for Nmap in March 2014 [6], and Shodan added BACnet scanning results in April 2014 [7]. Given that BACnet devices and networks can easily be identified and are generally devoid of security, the possibility and likelihood of attack, and perhaps the creation of botnets as envisioned by Wendzel et al., is high.

Firms relying on building control systems (even for buildings they do not own) may wish to:

  • Identify all building automation systems upon which a facility, company, and enterprise relies
  • Assess the consequences to operations posed by an attack on these systems
  • Document (require documentation of) all access points to these systems (this may require engaging contractors who manage the systems)
  • Document all users who have access to these systems
  • Determine whether these systems use BACnet
  • If possible, determine whether these systems have been penetrated
  • Ensure that these systems are subject to the same security governance concepts as regular IT or OT networks
  • Consider the usefulness of requiring/enabling BACnet security [8]
  • Consider the usefulness of the open source "BACnet firewall router" [9]
  • Consider the usefulness of BACnet "traffic normalization" as described by Wendzel et al.
  • Consider the usefulness of scan/IDS signatures for HVAC networks, such as those provided by Qualys [10]
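
To make the "traffic normalization" recommendation concrete, the following added example (not from this report, and not the Snort-based prototype by Wendzel et al.) checks a BACnet/IP UDP payload for structural compliance and drops or repairs it. The specific checks (BVLC type and length, NPDU version, reserved NPCI control bits) and the function names are assumptions chosen for illustration from the BACnet/IP framing in ASHRAE 135 Annex J.

```python
import struct
from typing import List, Optional

# BVLC functions that carry an NPDU, mapped to the NPDU's offset in the datagram.
NPDU_OFFSET = {0x04: 10, 0x09: 4, 0x0A: 4, 0x0B: 4}
KNOWN_FUNCTIONS = set(range(0x00, 0x0D))   # BVLC-Result .. Secure-BVLL
RESERVED_NPCI_BITS = 0x50                  # control octet bits 6 and 4: must be 0

def check_bacnet_ip(payload: bytes) -> List[str]:
    """Return compliance findings for one UDP payload (empty list = compliant)."""
    if len(payload) < 4:
        return ["truncated BVLC header"]
    bvll_type, function, length = struct.unpack("!BBH", payload[:4])
    if bvll_type != 0x81:
        return ["not BACnet/IP (BVLL type != 0x81)"]
    findings = []
    if function not in KNOWN_FUNCTIONS:
        findings.append(f"unknown BVLC function 0x{function:02x}")
    if length != len(payload):
        findings.append(f"BVLC length {length} != datagram size {len(payload)}")
    offset = NPDU_OFFSET.get(function)
    if offset is not None:
        if len(payload) < offset + 2:
            findings.append("truncated NPDU")
        else:
            version, control = payload[offset], payload[offset + 1]
            if version != 0x01:
                findings.append(f"NPDU version {version} != 1")
            if control & RESERVED_NPCI_BITS:
                findings.append("reserved NPCI control bits set")
    return findings

def normalize(payload: bytes) -> Optional[bytes]:
    """Pass compliant datagrams, clear reserved bits, drop everything else."""
    findings = check_bacnet_ip(payload)
    if not findings:
        return payload
    if findings == ["reserved NPCI control bits set"]:
        fixed = bytearray(payload)
        fixed[NPDU_OFFSET[payload[1]] + 1] &= ~RESERVED_NPCI_BITS & 0xFF
        return bytes(fixed)
    return None  # structurally invalid: drop rather than guess at a repair

# Constructed samples: a Who-Is broadcast, the same frame with a reserved
# control bit set, and one whose declared length does not match its size.
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")
RESERVED = bytes.fromhex("810b000c0160ffff00ff1008")
BAD_LEN = bytes.fromhex("810b00200120ffff00ff1008")
```

Running check_bacnet_ip over captured UDP/47808 payloads in report-only mode before enforcing normalize shows how much existing traffic on a given network would be altered or dropped.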

[1] http://www.wendzel.de/dr.org/files/Papers/EnvisioningSmartBuildings.pdf
[2] sicherheit2014.sba-research.org/wp-content/uploads/2013/07/Proceedings-GI-SICHERHEIT-2014.pdf
[3] http://haxpo.nl/hitb2014ams-wendzel-szlosarczyk/
[4] www[.]youtube[.]com/watch?v=c4LMrKEO_t0&list=PLOVuemKfINRk_gDUiLQLZ5Xxinbq-QopW&index=19
[5] http://www.digitalintercept.com/bacnet
[6] http://www.digitalbond.com/blog/2014/03/26/redpoint-discover-enumerate-bacnet-devices/
[7] "Shodan adds BACnet port to query results"; Weekly 20140410
[8] http://www.bacnet.org/Addenda/Add-135-2008g.pdf
[9] http://www.bacnet.org/Bibliography/BACnet-Today-06/28884-Holmberg.pdf
[10] https://community.qualys.com/thread/12455
