What do ICS asset owners need to know about the threat environment? Below is an Indications and Warnings report that went out recently as part of our ICS Cyber Situational Awareness and Threat Intelligence Service. If you are interested in subscribing contact us at [email protected] to obtain a quote.
|
| European researchers explore the possibility of BACnet botnets |
| Category: | Indications and Warnings |
| Date: | April 12, 2014 |
| Priority: | Medium |
| Sector(s): | Building Automation |
| Confidence: | Medium |
| A team of European researchers has published investigations into the security of BACnet devices and networks. The paper "Envisioning Smart Building Botnets" by Steffen Wendzel, Viviane Zwanger, Michael Meier, and Sebastian Szlo'sarczyk, describes [1]: |
Our botnet concept and scenario is novel in the sense that it takes advantage of the physical capabilities of a building and as it has to adapt to a specialized environment being highly deterministic, predictable, simplistic and conservative. These properties make anomalies easy to detect. Smart building botnets allow the monitoring and remote control of (critical) building automation infrastructure in public and private facilities, such as airports or hospitals. We discuss why building automation botnets could thus enable attackers to cause various critical damage on whole regions and economies. Hiding the command and control communication is a highly beneficial step to adapt botnets to the BAS environment. We show that this is not necessarily a big hurdle and can be solved using existing covert channel techniques. |
| The authors explain why building automation systems would be of interest to attackers: |
The benefits for malware developers are manifold. First, malware attackers could monitor events (e.g. movement patterns) in a large number of buildings and could thus create usage profiles of inhabitants, which could be sold later on a black market. Second, miscreants can aim at causing a denial-of-service in a building (e.g. forcing an evacuation by a false fire alarm). Third, in contrast to mobile devices and PC systems, BAS are permanently available, rarely modified, face nearly no security features, are designed for long-term deployment and are rarely patched. This makes them an excellent choice for placing bots. Fourth, buildings can be used to blackmail their inhabitants and owners (e.g. forcing the transfer of money to a bank account to end a disruption on a critical system such as an airport baggage transfer system or lifts in a hospital). |
| The authors theoretically describe how attackers would build such a botnet: by scanning the Internet, by relying on Shodan, or by conducting war-driving to identify wireless building automation systems. They do not, however, provide the technical details of the proposed covert channel. |
| The authors have written a second paper, "Towards Suppressing Attacks on and Improving Resilience of Building Automation Systems - an Approach Exemplified Using BACnet" [2], that advances "traffic normalizers" to reduce the likelihood of successful covert channel attacks. |
| The authors presented an extension of their work at the "Hack in the Box" Amsterdam conference in late May 2014 [3]: |
We present the first prototype of a BACnet traffic normalizer based on Snort which we currently develop. We design our normalization to be capable to significantly increase the robustness of BAS networks by protecting BACnet network stack implementations against malformed packets and packets linked to selected attacks as well as by ensuring the compliance of BACnet messages. Our normalization rules are additionally a means to counter fuzzing attacks and to provide protection for usually seldom updated BACnet devices as patching is a challenging task in BAS. |
| The research follows investigation into the security of BACnet protocol by Brad Bowers in 2013 [4] [5]. Digital Bond released a BACnet scanning tool for Nmap in March 2014 [6]; and Shodan added BACnet scanning results in April 2014 [7]. Given that BACnet devices and networks can easily be identified and are generally devoid of security, the possibility and likelihood of attack, and perhaps the creation of botnets as envisioned by Wendzel, et al, is high. |
| Firms relying on building control systems (even for buildings they do not own) may wish to: |
|
|
[1] http://www.wendzel.de/dr.org/files/Papers/EnvisioningSmartBuildings.pdf [2] sicherheit2014.sba-research.org/wp-content/uploads/2013/07/Proceedings-GI-SICHERHEIT-2014.pdf [3] http://haxpo.nl/hitb2014ams-wendzel-szlosarczyk/ [4] www[.]youtube[.]com/watch?v=c4LMrKEO_t0&list=PLOVuemKfINRk_gDUiLQLZ5Xxinbq-QopW&index=19 [5] http://www.digitalintercept.com/bacnet [6] http://www.digitalbond.com/blog/2014/03/26/redpoint-discover-enumerate-bacnet-devices/ [7] "Shodan adds BACnet port to query results"; Weekly 20140410 [8] http://www.bacnet.org/Addenda/Add-135-2008g.pdf [9] http://www.bacnet.org/Bibliography/BACnet-Today-06/28884-Holmberg.pdf [10] https://community.qualys.com/thread/12455 |
|
Click to view this email in a browser
If you no longer wish to receive these emails, please reply to this message with "Unsubscribe" in the subject line or simply click on the following link: Unsubscribe |
|
Critical Intelligence 1970 E. 17th St. Suite 104 Idaho Falls, Idaho 83404 US Read the VerticalResponse marketing policy. |
|