How to create dark buildings with light speed.

A number of talks in the last few years have addressed various topics in the generic area of industrial control system insecurity but only few have tapped into security of building automation systems, albeit its prevalence.

The usage of building automation, regardless if in private homes or corporate buildings, aims to optimize comfort, energy efficiency and physical access for its users. Is cyber security part of the equation? Unfortunately, not to the extent one might expect, cyber security is quite often found to be sacrificed either for comfort or efficiency.

The higher number of small and large-scale installations combination with easily exploitable vulnerabilities leads to a stronger exposure of building automation systems, which are often overlooked. Even worse, an adversary understanding the usage of regular building automation protocol functions for malicious purposes may not only create chaos within the breached building but can potentially even peak into internal networks over building protocols which are otherwise not reachable.

This talk describes prototypic attack scenarios through building automation systems one should consider, and how even without exploits, a number of protocol functions in common building automation protocols like BACnet/IP and KNXnet/IP can support a malicious adversary going for those scenarious.

For penetration testers who would like to explore this interesting field of industrial security research, we include a section on tooling. We will discuss noteworthy tools both from the security toolbox but also from the building automation toolbox for carrying out a number of attacks or their preparatory steps.

We will close out talk by discussing existing security measures proposed by the building automation industry as well as their adoption problems found in this field.