Situational Awareness and Intrusion Detection for Building Automation Networks

Smart buildings integrate physical and digital infrastructures in a Building Automation System (BAS), allowing devices to communicate with each other using network protocols. Such systems may be connected to the Internet, allowing attackers to exploit vulnerabilities on protocols and devices that can lead to economic loss or harm people.   Cyber-security is critical for smart buildings, but few solutions exist to improve the security of building networks. In smart buildings, we need a dynamic and accurate inventory of network devices, their characteristics, and threats they are exposed to. To the best of our knowledge, there is currently no solution that automatically and continuously identifies and characterizes BAS devices by monitoring the network. Intrusion Detection Systems (IDS) are categorized into specification-based (when detection rules are specified) and learning-based (when normal behavior is learned). Specification-based approaches for BAS use vendor-provided documents, which may not be available. Learning-based approaches adopt black-box machine learning techniques that provide little semantic information about anomalies. A white-box approach, which improves the actionability of alerts, has never been proposed for BAS networks.   This project aims to increase BAS network security using situational awareness (to identify security risks, e.g., vulnerable devices) and white-box intrusion detection (to find anomalous communication that may indicate attacks). To validate our work, we will use datasets collected from production environments and simulated in a lab facility.