Critical infrastructure

BACnet

February 28, 2020 by Nitesh Malviya

Introduction

BACnet stands for “Building Automation and Control Networks.” As the name suggests, BACnet is used for communication in building automation and control networks. BACnet has been accredited as an ISO (International Standard Organization) and ANSI (American National Standards Institute) global standard and a European pre-standard.


BACnet history

BACnet was developed in 1987 by ASHRAE (American Society of Heating, Refrigerating and Air-Conditioning Engineers). BACnet is an open-source protocol and ASHRAE looks after its development and maintenance. Due to wide support and adoption, BACnet is used in more than 30 countries.

Purpose of BACnet

BACnet acts as a standard communication protocol enabling interoperability between building devices and systems — controls and automation systems. BACnet presents standard methods for requesting, interpreting, transporting and presenting information between systems from various vendors such as lighting, HVAC, fire systems and security. 

In order to achieve interoperability across the wide range of equipment, BACnet specifies three major parts. They are as follows:

  1. The first part specifies different methods for representing building automation equipment in a standard way
  2. The second part specifies messages which can be sent across to control and monitor different equipment in the network
  3. The third part specifies a set of applicable LANs (Local Area Network) which can be used for conveying BACnet communications

BACnet overview

To understand BACnet, we need to understand a few terminologies used by the BACnet protocol. They are:

  1. Objects: BACnet is an object-oriented protocol. Objects are the standard way of representing functions of any device in the network. Objects are used to represent different aspects of the control system. They include:
    1. Device object/physical device
    2. Analog input like temperature
    3. Binary output
    4. Schedules
    5. Control loops and alarms 
  2. Services: Services are responsible for providing information exchanges between two or more objects. There are around 35 services defined by BACnet and they are divided into five classes. Services are used in performing I/O (input/output), read and write operations. Objects which provide service are called servers, and objects which request services are called clients. Thus, BACnet is a client-server system model. Depending on the system requirement, an object can be both a server and a client
  3. Properties: Properties contain information about the object. Objects usually contain a large collection of properties. Every object has at least the following three properties:
    1. object_identifier
    2. object_name
    3. object_type
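To make the object/property/service model above concrete, here is an added example (not code from the article or from ASHRAE): it packs and unpacks the standard 32-bit BACnet object identifier (10-bit object type, 22-bit instance number), builds objects that always carry the three required properties, and models the server side of the client-server exchange with ReadProperty and WriteProperty handlers. The object-type and property numbers are the standard enumerations; the object names and values are constructed sample data.

```python
# Added example (not from the article): BACnet object identifier encoding and a
# minimal object database answering ReadProperty/WriteProperty as a server would.
from dataclasses import dataclass, field

# Standard object-type enumeration values (subset).
OBJECT_TYPES = {0: "analog-input", 1: "analog-output", 3: "binary-input",
                4: "binary-output", 8: "device", 12: "loop", 17: "schedule"}
# Standard property identifiers (subset).
PROP_OBJECT_IDENTIFIER, PROP_OBJECT_NAME, PROP_OBJECT_TYPE, PROP_PRESENT_VALUE = 75, 77, 79, 85

MAX_INSTANCE = (1 << 22) - 1      # 4194303; also the "unknown instance" wildcard


def encode_object_id(obj_type: int, instance: int) -> int:
    """Pack object type (10 bits) and instance (22 bits) into one 32-bit identifier."""
    if not 0 <= obj_type < 1024:
        raise ValueError("object type out of range")
    if not 0 <= instance <= MAX_INSTANCE:
        raise ValueError("instance number out of range")
    return (obj_type << 22) | instance


def decode_object_id(value: int) -> tuple[int, int]:
    """Inverse of encode_object_id: returns (object type, instance)."""
    return value >> 22, value & MAX_INSTANCE


@dataclass
class BACnetObject:
    obj_type: int
    instance: int
    name: str                      # constructed sample value
    properties: dict = field(default_factory=dict)

    def __post_init__(self):
        ident = encode_object_id(self.obj_type, self.instance)
        # Every object carries at least these three properties.
        self.properties.update({PROP_OBJECT_IDENTIFIER: ident,
                                PROP_OBJECT_NAME: self.name,
                                PROP_OBJECT_TYPE: self.obj_type})


READ_ONLY = {PROP_OBJECT_IDENTIFIER, PROP_OBJECT_TYPE}   # identity properties never writable


class ObjectDatabase:
    """Server side of the client-server model: answers Read/WriteProperty requests."""

    def __init__(self):
        self._objects = {}

    def add(self, obj: BACnetObject):
        self._objects[(obj.obj_type, obj.instance)] = obj

    def read_property(self, obj_type, instance, prop):
        obj = self._objects.get((obj_type, instance))
        if obj is None:
            return ("error", "unknown-object")        # standard error codes
        if prop not in obj.properties:
            return ("error", "unknown-property")
        return ("ok", obj.properties[prop])

    def write_property(self, obj_type, instance, prop, value):
        obj = self._objects.get((obj_type, instance))
        if obj is None:
            return ("error", "unknown-object")
        if prop in READ_ONLY:
            return ("error", "write-access-denied")
        obj.properties[prop] = value
        return ("ok", value)


if __name__ == "__main__":
    db = ObjectDatabase()
    db.add(BACnetObject(0, 1, "Zone Temp", {PROP_PRESENT_VALUE: 21.5}))
    print(db.read_property(0, 1, PROP_OBJECT_NAME))
    print(db.write_property(0, 1, PROP_OBJECT_TYPE, 3))
```

Note that the only refusal the server makes is for identity properties; nothing in this model checks who the client is, which is exactly the gap the security section below describes.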

BACnet communication layer

BACnet performs different functions on different layers to provide smooth functioning of building automation applications. The various layers on which BACnet provides services are:

  1. Physical layer: At the physical layer, BACnet provides various functionalities such as addressing, electric signaling, error checking, flow control, network access, message format and presentation
  2. BACnet MS/TP layer: MS/TP stands for Master-Slave Token Passing. The device holding the token is the master and the other devices in the network are slaves. If a master has to send messages to any device, it holds the token until it is done sending the message. After the message has been sent, it passes the token to the next device. This is called “Token Passing,” and it thus forms a peer-to-peer network
  3. BACnet IP layer: At this layer, BACnet sends and receives messages over the standard UDP/IP stack. Packets found at the MS/TP layer are encapsulated in a UDP/IP packet and they are called BACnet IP. Devices at this layer use IP and an Ethernet MAC address to communicate. Devices transmit the packet, and Ethernet looks after the packet delivery and takes care of issues like packet collision and retries
  4. BACnet application layer: The application layer is the most important layer in the BACnet network. All message processing and device addressing happens at the application layer. The application layer receives the BACnet packet from the IP layer and processes the packet accordingly. The most common message types are “read present value property” and COV (Change of Value notification)

BACnet security issues

BACnet was not designed with security in mind. Thus, a number of issues exist in the BACnet protocol. The following are the noteworthy attacks widely found on BACnet networks:

  1. Lack of authentication and spoofing: BACnet is susceptible to spoofing attacks due to a lack of authentication and authorization. Because of this, a device can generate fake messages and cause other devices to act on or respond to them
  2. DoS attacks: This attack is performed by flooding the BACnet network. Here, the compromised device sends broadcast messages to various devices in the network. In turn, these devices reply to the network, creating unnecessary traffic in the network
  3. Disable network connections: This attack is performed by corrupting the routing table in the compromised device. This is done by sharing faulty routing information. Also, a device can be denied network connection by sending false messages to it
  4. Write access on devices: This attack changes the current values of a BACnet object's properties. Thus, it is possible to alter the values of an object, creating undesired changes in the network
  5. Lack of encryption: By default, BACnet traffic is not encrypted and the data is transferred in plain text
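The two sections above (the BACnet/IP communication layers and the security issues) can be illustrated together with one added example; it is not code from the article or from any BACnet vendor. The decoder walks the three headers a BACnet/IP datagram carries on UDP (BVLC, then NPDU, then APDU) and names the service it finds. Because the protocol itself offers no authentication, the only place a defender can act is on the network, so the `audit` function applies two passive checks over captured traffic: a WriteProperty sent by a host that is not on the approved-writer list, and a burst of Who-Is broadcasts from a single source (the flooding pattern in item 2). The frame bytes, IP addresses, allow-list and threshold are all constructed sample values; the BVLC/APDU/service code numbers are the standard ones.

```python
# Added example (not the article's code): minimal BACnet/IP decoder plus two
# passive, defender-side checks over constructed sample traffic.
import struct
from collections import Counter

BVLC_TYPE = 0x81
BVLC_FUNCTIONS = {0x04: "Forwarded-NPDU", 0x0A: "Original-Unicast-NPDU",
                  0x0B: "Original-Broadcast-NPDU"}
APDU_TYPES = {0: "Confirmed-Request", 1: "Unconfirmed-Request", 2: "Simple-ACK",
              3: "Complex-ACK", 5: "Error", 6: "Reject", 7: "Abort"}
CONFIRMED_SERVICES = {0x05: "SubscribeCOV", 0x0C: "ReadProperty",
                      0x0E: "ReadPropertyMultiple", 0x0F: "WriteProperty",
                      0x10: "WritePropertyMultiple"}
UNCONFIRMED_SERVICES = {0x00: "I-Am", 0x02: "UnconfirmedCOVNotification", 0x08: "Who-Is"}


def parse_bacnet_ip(frame: bytes) -> dict:
    """Decode BVLC -> NPDU -> APDU headers; raise ValueError on malformed input."""
    if len(frame) < 4 or frame[0] != BVLC_TYPE:
        raise ValueError("not a BACnet/IP frame")
    func, length = frame[1], struct.unpack("!H", frame[2:4])[0]
    if length != len(frame):
        raise ValueError("BVLC length does not match frame size")
    msg = {"bvlc": BVLC_FUNCTIONS.get(func, f"bvlc-0x{func:02x}")}
    if func not in (0x04, 0x0A, 0x0B):          # no NPDU carried (e.g. BVLC-Result)
        return msg
    npdu = frame[4:]
    if len(npdu) < 2 or npdu[0] != 0x01:
        raise ValueError("unsupported NPDU version")
    control, pos = npdu[1], 2
    if control & 0x20:                          # DNET (2) + DLEN (1) + DADR (DLEN)
        pos += 3 + npdu[pos + 2]
    if control & 0x08:                          # SNET (2) + SLEN (1) + SADR (SLEN)
        pos += 3 + npdu[pos + 2]
    if control & 0x20:
        pos += 1                                # hop count follows DNET fields
    msg["expects_reply"] = bool(control & 0x04)
    if control & 0x80:                          # network-layer message, no APDU
        msg["apdu"] = "network-layer-message"
        return msg
    apdu = npdu[pos:]
    if not apdu:
        raise ValueError("empty APDU")
    kind = apdu[0] >> 4
    msg["apdu"] = APDU_TYPES.get(kind, f"apdu-type-{kind}")
    body = b""
    if kind == 0 and len(apdu) >= 4:            # confirmed: type, max-APDU, invoke id, service
        msg["invoke_id"] = apdu[2]
        msg["service"] = CONFIRMED_SERVICES.get(apdu[3], f"confirmed-0x{apdu[3]:02x}")
        body = apdu[4:]
    elif kind == 1 and len(apdu) >= 2:          # unconfirmed: type, service
        msg["service"] = UNCONFIRMED_SERVICES.get(apdu[1], f"unconfirmed-0x{apdu[1]:02x}")
        body = apdu[2:]
    # Read/WriteProperty begin with context tag 0, length 4 (0x0C): the object identifier.
    if msg.get("service") in ("ReadProperty", "WriteProperty") and len(body) >= 5 and body[0] == 0x0C:
        ident = struct.unpack("!I", body[1:5])[0]
        msg["object"] = (ident >> 22, ident & 0x3FFFFF)   # (object type, instance)
    return msg


def audit(traffic, writers_allowed, whois_threshold=5):
    """Return alert strings for writes from non-approved hosts and Who-Is bursts."""
    alerts, whois = [], Counter()
    for src, frame in traffic:
        try:
            m = parse_bacnet_ip(frame)
        except ValueError as e:
            alerts.append(f"{src}: malformed frame ({e})")
            continue
        svc = m.get("service")
        if svc in ("WriteProperty", "WritePropertyMultiple") and src not in writers_allowed:
            alerts.append(f"{src}: {svc} to object {m.get('object')} from non-approved host")
        if svc == "Who-Is" and m["bvlc"] == "Original-Broadcast-NPDU":
            whois[src] += 1
    for src, n in whois.items():
        if n >= whois_threshold:
            alerts.append(f"{src}: {n} Who-Is broadcasts (possible flood)")
    return alerts


# Constructed sample frames: global Who-Is broadcast, ReadProperty of analog-input 1
# present-value, WriteProperty of analog-output 2 present-value (REAL 20.0, priority 16).
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")
READ_AI1_PV = bytes.fromhex("810a001101040005010c0c000000011955")
WRITE_AO2_PV = bytes.fromhex("810a001a01040005020f0c0040000219553e4441a000003f4910")
SAMPLE_TRAFFIC = [("10.0.0.10", WHO_IS), ("10.0.0.10", READ_AI1_PV),
                  ("10.0.0.99", WRITE_AO2_PV)] + [("10.0.0.77", WHO_IS)] * 6

if __name__ == "__main__":
    for line in audit(SAMPLE_TRAFFIC, writers_allowed={"10.0.0.10"}):
        print(line)
```

The allow-list is a stand-in for whatever the site considers its legitimate supervisory hosts; in practice the same checks would run on a mirrored copy of UDP/47808 traffic rather than inline, since the devices themselves cannot tell a forged write from a real one.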

Conclusion

BACnet is one of the best protocols on the market for building automation and for connecting various systems. Considering the boom in IoT technology, BACnet has a great future and will grow by leaps and bounds. From a scalability perspective, too, BACnet offers a great solution.

Considering the demand and the criticality of the application, security should be given high priority and development should be done with security in mind. Given the lack of security standards, proper standards should be defined for vendors to follow and implement.


Nitesh Malviya

Nitesh Malviya is a Security Consultant. He has prior experience in web appsec, mobile appsec and VAPT. At present he works on IoT, radio and cloud security and is open to exploring various domains of cybersecurity. He can be reached on his personal blog - https://nitmalviya03.wordpress.com/ and LinkedIn - https://www.linkedin.com/in/nitmalviya03/.