(in)Security in Building Automation: How to Create Dark Buildings with Light Speed

Black Hat USA 2017

Presented by: Thomas Brandstetter
Date: Wednesday July 26, 2017
Time: 17:05 - 17:30
Location: Mandalay Bay CD

A number of talks in the last few years have addressed various topics in the generic area of industrial control system insecurity but only few have tapped into security of building automation systems, albeit its prevalence.

The usage of building automation, regardless if in private homes or corporate buildings, aims to optimize comfort, energy efficiency and physical access for its users. Is cyber security part of the equation? Unfortunately, not to the extent one might expect, cyber security is quite often found to be sacrificed either for comfort or efficiency.

The higher number of small and large-scale installations combination with easily exploitable vulnerabilities leads to a stronger exposure of building automation systems, which are often overlooked. Even worse, an adversary understanding the usage of regular building automation protocol functions for malicious purposes may not only create chaos within the breached building but can potentially even peak into internal networks over building protocols which are otherwise not reachable.

This talk describes prototypic attack scenarios through building automation systems one should consider, and how even without exploits, a number of protocol functions in common building automation protocols like BACnet/IP and KNXnet/IP can support a malicious adversary going for those scenarious.

For penetration testers who would like to explore this interesting field of industrial security research, we include a section on tooling. We will discuss noteworthy tools both from the security toolbox but also from the building automation toolbox for carrying out a number of attacks or their preparatory steps.

We will close out talk by discussing existing security measures proposed by the building automation industry as well as their adoption problems found in this field.

Thomas Brandstetter

Thomas Brandstetter is co-founder and GM of Limes Security, a boutique security consulting company specializing in industrial security and secure software development, based out of the Softwarepark Hagenberg, Austria. Besides his consulting work, he is FH Professor at the University of Applied Sciences St. Poelten, Austria, where he loves to teach his students classes like industrial security, incident response, botnets and honeypots and penetration testing. He also is Honorary Professor of Cyber Security at DeMontfort University, Leicester and community instructor for the renown SANS institute. He gathered a decade of experience in industrial security when he joined Siemens in order to build up the topic of IT security in products in 2005. After spending years in pen-testing significant parts of the Siemens product portfolio, he became Program Manager of the "Hack-Proof-Products Program" that he had co-founded. He held this position until in 2010 the Stuxnet malware hit. He was assigned the official incident manager role for this unique threat, and still loves to look back on what he learnt back then technically, about large organizations, but also in dealing with international defence agencies. Out of the remnants of the Stuxnet-activities, Thomas founded the Siemens ProductCERT, which is still one of the most effective industrial incident and vulnerability response teams worldwide today. He was heading the Siemens ProductCERT for another two years before he left for his own company and academia. Thomas was on stage at security conferences like Black Hat and SANS SCADA, Meridian, but also research and industrial conferences like IFIP WG11.10 CIIP, ICS-CSR and CIRED. He holds the GICSP, GSEC and CISSP certifications, has a diploma degree in IT security from the University of Applied Sciences Hagenberg, Austria and a masters degree in business administration from the Universities of Augsburg and Pittsburgh.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats