Skip to main content

Guarding the Modern Castle: Providing Visibility into the BACnet Protocol

Building automation devices are used to monitor and control HVAC, security, fire, lighting, and other similar functions in a building or across a campus. Over 60% of the global market for building automation relies on the BACnet protocol to enable communication between field devices (BSRIA, 2018). There are few open-source network intrusion detection or prevention systems (NIDS/NIPS) capable of interpreting and monitoring the BACnet protocol (Hurd & McCarty, 2017). This blind spot presents a significant security risk. The maloperation of building automation systems can cause physical damage and financial losses, and can allow an attacker to pivot from a building automation network into other networks (Balent & Gordy, 2013). A BACnet/IP protocol analyzer was created for an open-source NIDS/NIPS called Zeek to help minimize this network security blind spot. The analyzer was tested with publicly available BACnet capture files, including some with protocol anomalies. The new analyzer and test cases provide network defenders with a tool to implement a BACnet/IP capable NIDS/NIPS as well as insight into how to defend the modern-day castles that rely on the Building Automation and Control network protocol.

Download file

39240 (PDF, 2.35MB)

30 Oct 2019
ByAaron Heller
Share
All papers are copyrighted

No re-posting of papers is permitted

Related Content

Code Modularity as a Heuristic for Malware Design

Research Paper

Malware targeting industrial control systems (ICS) and critical infrastructure often exhibits a modular architecture, using a central loader to execute interchangeable payload modules.

  • 7 Nov 2025

Webs of Deception: Using the SANS ICS Kill Chain to Flip the Advantage to the Defender

Research Paper

Defending a small Industrial Control System (ICS) against sophisticated threats can seem futile. The...

  • 14 Apr 2025

Industrial Control System Internal Network Security Monitoring with Open-Source Tools

Research Paper

Security vendors have made many advances in internal network security monitoring (INSM) in recent...

  • 5 Dec 2024

False Data Injection Attacks Against Distribution Automation Systems

Research Paper

Utility companies increasingly rely on automated switching to provide their customers with a...

  • 5 Dec 2024

Shedding Light on OT Anomalies: Parsing Proprietary OT Protocols with Zeek

Research Paper

Many traditional intrusion detection systems (IDS) may struggle with the unique devices and...

  • 9 Oct 2024

SANS 2024 State of ICS/OT Cybersecurity

Research Paper

This white paper, SANS Certified Instructor Jason Christopher explores the growing trends in cyber...

  • 9 Oct 2024
  • SANS Institute

Mode Matters: Monitoring PLCs for Detecting Potential ICS/OT Incidents

Research Paper

There is a blind spot regarding cyber security in many Industrial Control Systems (ICS)and...

  • 28 Feb 2024

Can Open-Source Tools Be Used to Safely Scan a Modern ICS Environment?

Research Paper

This research delves into the long-standing belief within the Operational Technology (OT) security...

  • 27 Nov 2023

Private 5G, "Not as Private as You May Think"

Research Paper

Private 5G networks and the transition to Industry 4.0 are gaining traction as demand increases for...

  • 10 Oct 2023

Implementing Scalable Security for Devices Without 802.1x Support

Research Paper

Enterprises often implement 802.1x to control access to wired and wireless networks by...

  • 21 Dec 2022

Transparently Insecure Operational Technology: A Contextual Analysis

Research Paper

In cybersecurity, countering threats depends on an ability to see and respond to attacks. However,...

  • 6 Jan 2022

You Cannot Defend What You Cannot See: Gaining Insight into Proprietary Protocols through Custom Parsers with Zeek

Research Paper

A vital component of any information security architecture is a network intrusion detection...

  • 6 Jan 2022

Collection and Analysis of Serial-Based Traffic in Critical Infrastructure Control Systems

Research Paper

There is a blind spot the size of a 27-ton, 2.25-megawatt maritime diesel generator in the world's...

  • 11 Feb 2021

Industrial Traffic Collection: Understanding the implications of Deploying visibility without impacting production

Research Paper

Due to the critical nature of industrial environments and the lifetime of deployed assets, many...

  • 21 Sep 2020

Fashion Industry (Securely) 4.0ward

Research Paper

The fashion market segment is going through a significant technological upgrade. The need to meet...

  • 9 Sep 2020

60870-5-104 protocol snort rule customization

Research Paper

OT Security emerges as a necessity due to its flat network implementation and criticality of systems...

  • 10 Aug 2020

Vulnerabilities on the Wire: Mitigations for Insecure ICS Device Communication

Research Paper

Modbus TCP and other legacy ICS protocols ported over from serial communications are still widely...

  • 12 Feb 2020
  • Michael Hoffman

Gaining Endpoint Log Visibility in ICS Environments

Research Paper

This paper examines WEF in the context of Windows ICS environments to determine if WEF is better suited for ICS environments than WMI pulling regarding bandwidth, security, and deployment considerations

  • 11 Mar 2019
  • Michael Hoffman

Who's in the Zone? A Qualitative Proof-of-Concept for Improving Remote Access Least-Privilege in ICS-SCADA Environments

Research Paper

Remote access control in many ICS-SCADA environments is of limited effectiveness leading to...

  • 4 Dec 2017

Man-In-The-Middle Attack Against Modbus TCP Illustrated with Wireshark

Research Paper

Though attacks on the industrial control system (ICS) and their protocols are not a new occurrence,...

  • 20 Oct 2017