Who is? Who Has? I am, I have!
In past articles we discussed the fact that most OT protocols run in the clear, so it's quite easy for an attacker to silently monitor the network with tcpdump and build a complete map of the devices.
One of the key features of most industrial protocols is a device's ability to autodiscover the network and quickly announce its presence in the OT infrastructure.
BACnet takes this ability further than any other protocol.
For those who don't know BACnet, it's a protocol developed starting in 1987 by ASHRAE (the American Society of Heating, Refrigerating and Air-Conditioning Engineers) and, as you can imagine, its main goal is to guarantee interoperability between Building Management Systems (BMS).
Like other industrial protocols, BACnet uses an object-oriented structure that models devices with classes, objects, properties, and services. To that end it defines around 60 standard objects and 35 message types divided into 5 classes.
This is not the place to dig deep into the protocol, but I would like to highlight two points that are among BACnet's strongest features yet can easily turn against it.
First point: the human language
While other protocols require some skill to "decode" the meaning of a message, in BACnet everything is quite clear.
If you want to know which BACnet devices are on the network, you just need to send a WHO-IS command as a broadcast, and all the other devices will reply with I-AM.
Now that you have the list of devices, you may be interested in one in particular, so you just ask WHO-HAS a particular object, and the devices concerned will be immediately pleased to answer I-HAVE this object.
Of course, you can go deeper with other commands like READ PROPERTY or ATOMIC READ FILE, but we don't want to dig too deep.
What does this mean? It means you don't even need to risk running one of the many BACnet explorer tools on the market to map the network: you just need to listen patiently with tcpdump, and you will be able to read the PCAP as easily as a Word document.
Second point: broadcast
Thankfully, firewalls and routers block all of this broadcast "human language" communication, but BACnet found a way around that too.
In a building you may have multiple networks, routers, and firewalls. You may also need a fire sensor on the top floor to be aware of a fire alarm at the bottom of the building, on a completely different network. To achieve this, BACnet defined a special router called the BACnet Broadcast Management Device (BBMD). A BACnet router should be present in every network; it builds a map of that network's nodes and shares it with all the other BACnet routers in the building. In this way, an I-AM message can also be propagated to the neighboring networks, making it possible to map the whole infrastructure with just a few commands.
Of course, the widespread use of broadcast messages makes the protocol susceptible to many attacks at this level, but that is another story.
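Both points above come down to a few bytes on the wire. What follows is an added example, not code from the article: a minimal decoder for BACnet/IP discovery PDUs (Who-Is, I-Am, Who-Has, I-Have), which also accepts frames relayed by a BBMD as Forwarded-NPDU, plus the inventory a passive listener assembles from them. The sample frames are hand-built from the standard encoding rules; the IP addresses, device instance, vendor id and object name are invented values.

```python
SERVICES = {0: "I-Am", 1: "I-Have", 7: "Who-Has", 8: "Who-Is"}       # unconfirmed service choices
OBJ_TYPES = {0: "analog-input", 5: "binary-value", 8: "device"}       # subset of the standard object types
def _tag(buf, pos):  # one BACnet tag header -> (tag number, is_context, value length, next offset)
    b = buf[pos]; num, ctx, ln, pos = b >> 4, bool(b & 0x08), b & 0x07, pos + 1
    if ln == 5: ln, pos = buf[pos], pos + 1       # extended length (values of 254+ bytes not handled here)
    return num, ctx, ln, pos
def _objid(v): n = int.from_bytes(v, "big"); return OBJ_TYPES.get(n >> 22, str(n >> 22)), n & 0x3FFFFF
def decode(payload):  # one BACnet/IP UDP payload (BVLC + NPDU + APDU) -> dict for discovery PDUs, else None
    if len(payload) < 8 or payload[0] != 0x81: return None
    func, pos = payload[1], 10 if payload[1] == 0x04 else 4   # Forwarded-NPDU (via a BBMD) adds a 6-byte origin
    ctrl, pos = payload[pos + 1], pos + 2
    if ctrl & 0x80: return None                   # network-layer message, no APDU inside
    if ctrl & 0x20: pos += 3 + payload[pos + 2]   # DNET, DLEN, DADR
    if ctrl & 0x08: pos += 3 + payload[pos + 2]   # SNET, SLEN, SADR (set when a BACnet router relayed it)
    if ctrl & 0x20: pos += 1                      # hop count, present whenever a destination is
    if payload[pos] >> 4 != 1 or payload[pos + 1] not in SERVICES: return None  # Unconfirmed-Request only
    svc, pos, fields = payload[pos + 1], pos + 2, []
    while pos < len(payload):                     # flat list of (tag, is_context, raw value)
        num, ctx, ln, pos = _tag(payload, pos)
        fields.append((num, ctx, payload[pos:pos + ln])); pos += ln
    msg = {"via": "broadcast" if func in (0x04, 0x0B) else "unicast", "service": SERVICES[svc]}
    if svc == 8:                                  # Who-Is: optional [low, high] device-instance range
        lim = [int.from_bytes(v, "big") for n, c, v in fields if c and n in (0, 1)]
        msg["range"] = tuple(lim) if len(lim) == 2 else None
    elif svc == 7:                                # Who-Has: last field is an object id (ctx 2) or a name (ctx 3)
        n, c, v = fields[-1]; msg["object"] = _objid(v) if n == 2 else ("name", v[1:].decode())
    else:                                         # I-Am: device, max APDU, segmentation, vendor id
        msg["device"] = _objid(fields[0][2])[1]   # I-Have: device, object id, object name
        if svc == 0: msg["vendor_id"] = int.from_bytes(fields[3][2], "big")
        else: msg["object"], msg["object_name"] = _objid(fields[1][2]), fields[2][2][1:].decode()
    return msg
def passive_inventory(frames):  # what a silent listener learns from [(src_ip, udp_payload)]
    devices, scans = {}, []
    for src, payload in frames:
        m = decode(payload)
        if m is None: continue
        if m["service"] in ("Who-Is", "Who-Has"):  # someone is enumerating the network
            scans.append((src, m["service"], m.get("range") or m.get("object")))
        else:                                      # I-Am / I-Have: the devices volunteer the map themselves
            d = devices.setdefault(m["device"], {"ip": src, "objects": set()})
            if "vendor_id" in m: d["vendor_id"] = m["vendor_id"]
            if "object" in m: d["objects"].add((m["object"], m["object_name"]))
    return devices, scans
SAMPLE_FRAMES = [                                  # constructed by hand from the encoding rules, not a real capture
    ("192.0.2.50", bytes.fromhex("810b000c0120ffff00ff1008")),                      # Who-Is, every device
    ("192.0.2.50", bytes.fromhex("810b00100120ffff00ff1008090019ff")),              # Who-Is, instances 0-255
    ("192.0.2.10", bytes.fromhex("810b001501001000c4020004d22205c49103220104")),    # I-Am, device 1234
    ("192.0.2.50", bytes.fromhex("810b00110120ffff00ff10072c01400007")),            # Who-Has binary-value,7
    ("192.0.2.10", bytes.fromhex("810b001e01001001c4020004d2c401400007750a0046697265416c61726d")),  # I-Have
]
```

Feeding the UDP/47808 payloads from a capture into `passive_inventory` yields the device list, the objects they advertised, and every Who-Is/Who-Has sweep seen, which is the same data an intrusion detection sensor can alert on.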
To conclude
Usually the main method of guaranteeing an adequate level of security in a network is segmentation, but how can you provide segmentation with a protocol like BACnet?
A possible solution, while waiting for a next-generation protocol like BACnet Secure Connect, is to use a transparent device to isolate BACnet routers and nodes. In this way we can monitor and block malicious activity without impacting the normal behavior of the protocol.
Many possibilities are on the table, and I'm really interested in hearing about your experience securing this protocol, so don't hesitate to contact me to continue the discussion.