									                       FINAL REPORT

            NIST Research Project SB 1341-01-Q-0913

     Investigation Into Computer Network Security
For Integrated Building Automation and Control Systems
     Security of Building Control System Interconnections using
        BACnet/IP or BACnet Annex H Tunneling Routers

                      Principal Investigators

                  Dr. Bruce Eisenstein, ECE Dept.
                  Dr. T. Agami Reddy, CAE Dept.

                       Research Associates

                   Asgodom Woldu, ECE Dept.
                    Rohan Wagle, ECE Dept.

                      College of Engineering
              Drexel University, 3141 Chestnut Street
                     Philadelphia, PA 19104

                            Submitted to:
             Mechanical Systems and Controls Group
               Building and Fire Research Laboratory
           National Institute of Standards and Technology
                    100 Bureau Drive, Stop 3571
                     Building 301, Room B 129
                   Gaithersburg, MD 20899-3571

                        November 15, 2002
                                       Executive Summary

The BACnet protocol in its current form provides limited optional network security by design. When
the standard was first developed, it was felt that such security measures were adequate for
first-generation BACnet devices and networks. However, as the number, sophistication and size of such
networks (both intranet and Internet based) have been growing rapidly, the ASHRAE BACnet Standards
Committee is reconsidering this issue. For this purpose, a working group called the Network Security
Working Group (NSWG) was formed to provide recommendations on improving security of BACnet
networks. This document will be directly beneficial to their deliberations.

From a comprehensive list of computer network threats and vulnerabilities, we first identify those that
are likely to affect Annexes H and J BACnet networks. We then identify tools to eliminate or mitigate
these threats and vulnerabilities. A two-tiered approach is taken for securing
BACnet networks. The first approach is to use well-known TCP/IP security protocols, such as IPsec
and Kerberos, for both authentication and data confidentiality. The second approach
secures BACnet networks by selecting firewall devices developed in accordance
with the application-level and traffic filter firewall protection profiles (PPs). These firewalls could be
standalone, commercially available firewall devices, or B/IP PADs or B/IP Router/PADs with firewall
capabilities that adhere to the firewall PPs. In addition, we propose that host-based and network-based
intrusion detection systems (IDS) be adopted as an integral part of BACnet network security tools.

A detailed analysis of the BACnet network security clause (clause 24) is provided, followed by four
specific recommendations to strengthen it:

    •    enhance security during the private key (PK) distribution mechanism;
    •    replace DES with AES;
    •    follow the guidelines given in FIPS PUB 140-2 both for key distribution and for physically
         securing the devices; and
    •    adopt the Kerberos and IPsec protocols to improve authentication of users and devices, and to
         improve the data integrity and confidentiality services provided by the BACnet protocol.

We also make specific recommendations regarding Annexes H and J BACnet networks. These
recommendations include:

     •   using firewalls that comply with the two firewall protection profiles, namely the traffic filter
         and the application-level firewall protection profiles;
     •   using strategically placed network-based intrusion detection systems, and adopting the
         proposed host-based BACnet intrusion detection object; and
     •   issuing access cards to selected individuals, which enhances the authentication process.

The various ameliorations to the BACnet network threats proposed by Drexel University are
summarized in a succinct and clear table for each of the different types of BACnet-related threat
categories identified as part of this study.
