Herson Esquivel-Vargas scite author profile

Andreas

2017

Specification-based intrusion detection (SB-ID) is a suitable approach to monitor Building Automation Systems (BASs) because the correct and non-compromised functioning of the system is well understood. Its main drawback is that the creation of specifications often require human intervention. We present the first fully automated approach to deploy SB-ID at network level. We do so in the domain of BASs, specifically, the BACnet protocol (ISO 16484-5). In this protocol, properly certified devices are demanded to have technical documentation stating their capabilities. We leverage on those documents to create specifications that represent the expected behavior of each device in the network. Automated specification extraction is crucial to effectively apply SB-ID in volatile environments such as BACnet networks, where new devices are often added, removed, or replaced. In our experiments, the proposed algorithm creates specifications with both precision and recall above 99.5%. Finally, we evaluate the capabilities of our detection approach using two months (80GB) of BACnet traffic from a real BAS. Additionally, we use synthetic traffic to demonstrate attack detection in a controlled environment. We show that our approach not only contributes to the practical feasibility of SB-ID in BASs, but also detects stealthy and dangerous attacks.

BACGraph: Automatic Extraction of Object Relationships in the BACnet Protocol

Andreas

2021

This work presents BACGRAPH, a tool that extracts relationships among configuration parameters of Building Automation and Control Systems (BACSs) implemented using the BACnet protocol (ISO 16484-5). BACnet models these configuration parameters as object data structures comprised of multiple properties, some of which contain references to other objects. Given the regular exchange of objects among devices, we leverage these explicit references to build a graph of BACnet objects exclusively from network traffic. We tested BACGRAPH using traffic collected from a real building located at the University of Twente. After analyzing 66.8 hours of traffic, the resulting graph is comprised of 13,733 nodes and 3,169 edges. Such a graph improves the system visibility that BACS administrators have over their infrastructure, which is crucial for troubleshooting and security.

Putting Attacks in Context: A Building Automation Testbed for Impact Assessment from the Victim’s Perspective

Laanstra

et al. 2020

Identifying Near-Optimal Single-Shot Attacks on ICSs with Limited Process Knowledge

Castellanos

et al. 2022

Industrial Control Systems (ICSs) rely on insecure protocols and devices to monitor and operate critical infrastructure. Prior work has demonstrated that powerful attackers with detailed system knowledge can manipulate exchanged sensor data to deteriorate performance of the process, even leading to full shutdowns of plants. Identifying those attacks requires iterating over all possible sensor values, and running detailed system simulation or analysis to identify optimal attacks. That setup allows adversaries to identify attacks that are most impactful when applied on the system for the first time, before the system operators become aware of the manipulations. In this work, we investigate if constrained attackers without detailed system knowledge and simulators can identify comparable attacks. In particular, the attacker only requires abstract knowledge on general information flow in the plant, instead of precise algorithms, operating parameters, process models, or simulators. We propose an approach that allows single-shot attacks, i.e., near-optimal attacks that are reliably shutting down a system on the first try. The approach is applied and validated on two use cases, and demonstrated to achieve comparable results to prior work, which relied on detailed system information and simulations.

Identifying Near-Optimal Single-Shot Attacks on ICSs with Limited Process Knowledge

Esquivel-Vargas¹,

Castellanos²,

Caselli³

et al. 2022

Preprint