FINAL REPORT
NIST Research Project SB 1341-01-Q-0913
============================================

Investigation Into Computer Network Security For Integrated Building Automation and Control Systems

Security of Building Control System Interconnections using BACnet/IP or BACnet Annex H Tunneling Routers

Principal Investigators
Dr. Bruce Eisenstein, ECE Dept.
Dr. T. Agami Reddy, CAE Dept.

Research Associates
Asgodom Woldu, ECE Dept.
Rohan Wagle, ECE Dept.

College of Engineering
Drexel University, 3141 Chestnut Street
Philadelphia, PA 19104

Submitted to:
Mechanical Systems and Controls Group
Building and Fire Research Laboratory
National Institute of Standards and Technology
100 Bureau Drive, Stop 3571
Building 301, Room B 129
Gaithersburg, MD 20899-3571

November 15, 2002

Executive Summary

The BACnet protocol in its current form provides only limited, optional network security by design. When the standard was first developed, such security measures were felt to be adequate for the first generation of BACnet devices and networks. However, as the number, sophistication and size of such networks (both intranet and Internet based) have been growing rapidly, the ASHRAE BACnet Standards Committee is reconsidering this issue. For this purpose a working group, the Network Security Working Group (NSWG), was formed to provide recommendations on improving the security of BACnet networks. This document is intended to contribute directly to their deliberations.

From a comprehensive list of computer network threats and vulnerabilities, we first identify those that are likely to affect BACnet networks based on Annexes H and J. We then identify tools to eliminate or mitigate those threats and vulnerabilities. A two-tiered approach is taken to securing BACnet networks. The first approach is to use well-known TCP/IP security protocols, such as IPsec and Kerberos, for both authentication and data confidentiality.

The second approach deals with methods for securing BACnet networks by selecting firewall devices developed in accordance with the application-level and traffic-filter firewall protection profiles (PPs). These firewalls could be standalone, commercially available firewall devices, or B/IP PADs or B/IP Router/PADs with firewall capabilities that adhere to the firewall PPs. In addition, we propose that host-based and network-based intrusion detection systems (IDS) be adopted as an integral part of the BACnet network security toolset.

A detailed analysis of the BACnet network security clause (clause 24) is provided, followed by four specific recommendations to strengthen it:

• enhance security during the private key (PK) distribution mechanism;
• replace DES with AES;
• follow the guidelines given in FIPS PUB 140-2 both for key distribution and for physically securing the devices; and
• adopt the Kerberos and IPsec protocols to improve authentication of users and devices, and to improve the data integrity and confidentiality services provided by the BACnet protocol.

We also make specific recommendations regarding BACnet networks based on Annexes H and J. These recommendations include:

• using firewalls that comply with the two firewall protection profiles, namely the traffic-filter and the application-level firewall protection profiles;
• using strategically placed network-based intrusion detection systems, and adopting the proposed host-based BACnet intrusion detection object; and
• issuing access cards to selected individuals, which strengthens the authentication process.

The various ameliorations to the BACnet network threats proposed by Drexel University are summarized in a succinct and clear table for each of the BACnet-related threat categories identified as part of this study.
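As an added illustration of what the "replace DES with AES" and "data integrity and confidentiality" recommendations above buy in practice, the Go program below (not part of the Drexel report, and not BACnet's own clause 24 mechanism) seals a constructed BACnet-style payload with AES-128-GCM, binds a clear-text header to it as associated data, and shows that any modification to the header, the ciphertext or the key is rejected before any plaintext is released. The header bytes, payload and key are constructed for the demonstration and do not reproduce the real BACnet/IP BVLC/NPDU/APDU encoding.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample data (assumptions for the demo, not real BACnet frames):
// a stand-in header that travels in the clear but is bound to the message as
// associated data, and a stand-in application payload that is encrypted.
var (
	SampleHeader  = []byte{0x81, 0x0a, 0x00, 0x2c}
	SamplePayload = []byte("ReadProperty analog-input,1 present-value")
)

// SealWithAESGCM encrypts and authenticates payload with AES-128-GCM and binds
// the clear-text header through the authentication tag.
// Output layout: nonce || ciphertext || tag.
func SealWithAESGCM(key, header, payload []byte) ([]byte, error) {
	block, err := aes.NewCipher(key) // a 16-byte key selects AES-128
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A GCM nonce must never repeat under the same key: draw it fresh per message.
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	out := make([]byte, 0, len(nonce)+len(payload)+aead.Overhead())
	out = append(out, nonce...)
	return aead.Seal(out, nonce, payload, header), nil
}

// OpenWithAESGCM verifies the tag over header and ciphertext, then decrypts.
// Any change to header, ciphertext, tag or key produces an error, never plaintext.
func OpenWithAESGCM(key, header, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("sealed message too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, header)
}

// TamperIsDetected seals the sample message, flips one bit in the middle of the
// ciphertext, and reports whether Open rejects the result (true = integrity enforced).
func TamperIsDetected(key []byte) (bool, error) {
	sealed, err := SealWithAESGCM(key, SampleHeader, SamplePayload)
	if err != nil {
		return false, err
	}
	tampered := append([]byte(nil), sealed...)
	tampered[len(tampered)/2] ^= 0x01 // lands inside the ciphertext region
	_, err = OpenWithAESGCM(key, SampleHeader, tampered)
	return err != nil, nil
}

func main() {
	// Constructed demo key; in deployment the key comes from the key-distribution mechanism.
	key := []byte("0123456789abcdef")
	sealed, err := SealWithAESGCM(key, SampleHeader, SamplePayload)
	if err != nil {
		panic(err)
	}
	plain, err := OpenWithAESGCM(key, SampleHeader, sealed)
	fmt.Printf("round trip ok: %v (%q)\n", err == nil, plain)
	detected, _ := TamperIsDetected(key)
	fmt.Printf("tampered ciphertext rejected: %v\n", detected)
}
```

Two points the example makes concrete: a single-DES key has an effective 56 bits against AES's minimum of 128, and DES as used for confidentiality alone carries no integrity check, so a flipped ciphertext bit silently corrupts the decrypted command, whereas an authenticated mode such as AES-GCM rejects the whole message and also covers the unencrypted header it was bound to.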