Security in Building Automation Systems (seBAS)
Disciplines
Electrical Engineering, Electronics, Information Engineering (30%); Computer Sciences (70%)
Keywords
Building Automation, Security, Embedded Systems, Control Networks, Denial of Service, Sandbox
Building Automation Systems are traditionally concerned with the control of heating, ventilation, air conditioning, lighting and shading systems. They provide enhanced user comfort while reducing operational cost. Typically, they follow a distributed approach and are based on a two-tier architecture: sensors, actuators and controllers are coupled by robust, low-bandwidth and cost-efficient control networks, and the control networks are interconnected by a high-performance backbone that provides the infrastructure for management tasks. While the particular demands of the control networks are met by specialized field bus systems, IP-based solutions have become common for the backbone network.

For a long time, security in building automation networks has been a side issue at best. It was assumed that attacks would necessarily require physical access at the field level. This widely held belief no longer holds, given the integration with IP networks and the increasing importance of open media in control networks. Moreover, an important trend for building automation systems over the next years will be the integration of formerly dedicated stand-alone subsystems (e.g., access control and alarm systems) alongside the traditional areas of application. Fulfilling the demands on communication security for the resulting systems will clearly be a challenging task: the underlying control systems have to be reliable and robust against malicious manipulation.

The proposal describes a project devoted to the design of a framework for secure building automation systems. Three crucial points have been identified. First, secure data communication must be guaranteed. The security features of popular system technologies (BACnet, LonWorks, KNX) are insufficient with regard to data confidentiality, data integrity, data freshness and authentication. Cryptographic algorithms and key management mechanisms must be analyzed with respect to their suitability for field devices with limited resources, and a secure protocol designed on that basis. Second, attacks must be detected and prevented while they happen. This requires an analysis of the building automation process: patterns of regular traffic within a building automation network have to be derived so that rules for uncovering intrusions (and, subsequently, triggering countermeasures) can be specified. Finally, the security policy must not be undermined by applications running on nodes (which could, for instance, leak secret keys). This requires a profile of the behavior of node applications in building automation to be developed. Embedded applications shall be executed in a secure run-time environment that satisfies the demands of this profile and refuses unauthorized access to physical resources where necessary. As a complementary approach, illegal actions shall be determined by a priori program analysis. The results of this project can be expected to provide stimuli for the design of secure, large-scale distributed automation systems in general.
- Technische Universität Wien - 100%
Research Output
- 207 Citations
- 11 Publications
- 2011: Kastner W. Accessing KNX networks via BACnet/WS. Conference Proceeding, pp. 1315-1320. DOI 10.1109/isie.2011.5984349
- 2009: Granzer W. Security in Building Automation Systems. IEEE Transactions on Industrial Electronics (Journal Article), pp. 3622-3630. DOI 10.1109/tie.2009.2036033
- 2009: Granzer W. Securing IP Backbones in Building Automation Networks. Conference Proceeding, pp. 410-415. DOI 10.1109/indin.2009.5195839
- 2009: Praus F. Enhanced Control Application Development in Building Automation. Conference Proceeding, pp. 390-395. DOI 10.1109/indin.2009.5195836
- 2008: Reinisch C. Secure Vertical Integration for Building Automation Networks. Conference Proceeding, pp. 239-242. DOI 10.1109/wfcs.2008.4638743
- 2008: Reinisch C. Integration of Heterogeneous Building Automation Systems using Ontologies. Conference Proceeding, pp. 2736-2741. DOI 10.1109/iecon.2008.4758391
- 2008: Granzer W. Gateway-free Integration of BACnet and KNX using Multi-Protocol Devices. Conference Proceeding, pp. 973-978. DOI 10.1109/indin.2008.4618243
- 2008: Granzer W. Denial-of-Service in Automation Systems. Conference Proceeding, pp. 468-471. DOI 10.1109/etfa.2008.4638438
- 2008: Granzer W. Key Set Management in Networked Building Automation Systems using Multiple Key Servers. Conference Proceeding, pp. 205-214. DOI 10.1109/wfcs.2008.4638716
- 2010: Praus F. Secure Control Applications in Building Automation using Domain Knowledge. Conference Proceeding, pp. 52-57. DOI 10.1109/indin.2010.5549466
- 2010: Granzer W. Communication Services for Secure Building Automation Networks. Conference Proceeding, pp. 3380-3385. DOI 10.1109/isie.2010.5637999