SlideShare una empresa de Scribd logo

Bacnet on the internet - BACnet User Group New England

Cimetrics Inc
Cimetrics Inc

"A look at BACnet on the public internet." - Alex Schoonveld - Senior Engineer at FMC Technologies Inc., Owner Building Systems LLC. had an ongoing project tracking the BACnet systems on the public internet since July 2018. This presentation is about why this is a bad idea, who is currently scanning for these systems, how many are exposed and what he has seen on his own honeypot.

Ingeniería
1 de 18
Descargar para leer sin conexión
BACnet on the Internet
Project Background • Started in July 2018 • Goals • Track total number of devices and trends • Identify most common manufactures and devices • Look for patterns • Find and remove any sites we have involvement with • Notify vendors we have relationships with
Problems exposing BACnet on the internet • Limited market support for BACnet security today • White listing • Read only / limit writable objects • MS/TP Router with Encryption • BFR Project – Joel Bender • Multiple crawlers searching for BACnet • Possible equipment downtime and damage • Firmware tampering / bricking • Ukrainian Power Grid Attack – 2015 • TRITON Attack Framework - 2017
Problems exposing BACnet on the internet • BACnet WAN Security Threat Assessment • (NIST 2003) • Amplification Threat Posed By Public BACnet • (Tech University of Munich 2017)
Scanning for BACnet • Shodan.io • Crawls the entire IPv4 space monthly • Scans for well known protocols HTTP, SSH, FTP, etc • When they find an open port, any response becomes the “banner” HTTP/1.0 200 OK Date: Tue, 16 Feb 2010 10:03:04 GMT Server: Apache/1.3.26 (Unix) AuthMySQL/2.20 PHP/4.1.2 mod_gzip/1.3.19.1a mod_ssl/2.8.9 OpenSSL/0.9.6g Content-Length: 97 Content-Type: text/html
Scanning for BACnet • Shodan data • Host IP • Timestamp of last scan • Banner • Hostname lookup / reverse DNS • Organization assigned to IP space • Country / City (IP Geo-location) • And more…
Scanning for BACnet • Well known protocols get special attention • SSL • Public cert, versions supported • SMTP • Supported SSL versions, server hello • Niagara • Versions, station name • BACnet • Full device object & BDT table
Scanning for BACnet Instance ID: 109100 Object Name: XXX-398 Vine St Location: Ground Floor Boiler Room Vendor Name: XXXXXXXXXXXXXXXXXXXXXXXXXXX Application Software: 8.20|01,10|01,10|--,--|--,--|--,--|--,--|--,--|--,--| Firmware: 8.20|01,10|01,10|--,--|--,--|--,--|--,--|--,--|--,--| Model Name: XXXXXXXXXX BACnet Broadcast Management Device (BBMD): 192.186.XXX.XXX:47808 64.250.XXX.XXX:47808 Foreign Device Table (FDT): 64.250.XXX.XXX:62738:ttl=60:timeout=88
Scanning for BACnet • Low cost to entry • First two pages of results (~20) available with free account • $10 per 10k results • General reports, no cost • Not the only source…
Using Shodan results • Working with .csv results, XML/JSON formats are also available • With VBA in Excel the banners are parsed • Identify BACnet hosts • Not all hosts with 47808 open are BACnet • Sort out manufactures with identity crisis • XYZ Inc., XYZ Inc, XYZ Building Technologies, XYZ Industrial • Generate totals, basic statistics and charts
Results
Hosts by Month
Patterns to date • Most common BACnet vendor != most common in the market • Most common vendors likely use BACnet for all aspects • Programming, firmware updates, etc • Least common vendor / device can be the most interesting • High number of identifiable sites • BACnet honeypots in the wild Metric July 2018 April 2019 Total Hosts 11,304 13,280 Vendors 112 119 Unique Models 457 516
Honeypots
Honeypot Setup • Real BMS hardware and software to simulate a real install • Isolated playground with 47808 UDP/TCP exposed • Raspi & passive network tap • Full setup details • Long term capture and collection • Wireshark export to Excel and classify
Honeypot Results • Identified entities scanning for BACnet devices • University of Michigan • Alpha Strike • Kudelski Group • Net Systems Research • Censys • Rapid7 • And more…
Honeypot Results • Scanning traffic is minimal currently – 1 scan / day • Scanning outside known actors rare • Running realistic HP is difficult • Firmware versions, model, vendor names, typical device instances, etc • Geo-location IP matches any site specific naming • Realistic sensor readings • Do sensors react correctly to output overrides • Many required for a solid understanding
Questions?

Recomendados

BrodcastMinimizingTrafficBACnet.pptx
BrodcastMinimizingTrafficBACnet.pptxBrodcastMinimizingTrafficBACnet.pptx
BrodcastMinimizingTrafficBACnet.pptxCimetrics Inc
 
Cybersecurity Summit AHR20 Protect Cimetrics
Cybersecurity Summit AHR20 Protect CimetricsCybersecurity Summit AHR20 Protect Cimetrics
Cybersecurity Summit AHR20 Protect CimetricsCimetrics Inc
 
Cybersecurity Summit AHR20 Take Action BACnet International
Cybersecurity Summit AHR20 Take Action BACnet InternationalCybersecurity Summit AHR20 Take Action BACnet International
Cybersecurity Summit AHR20 Take Action BACnet InternationalCimetrics Inc
 
Cybersecurity Summit AHR20 Recover Tridium
Cybersecurity Summit AHR20 Recover TridiumCybersecurity Summit AHR20 Recover Tridium
Cybersecurity Summit AHR20 Recover TridiumCimetrics Inc
 
Cybersecurity Summit AHR20 Detect KMC
Cybersecurity Summit AHR20 Detect KMCCybersecurity Summit AHR20 Detect KMC
Cybersecurity Summit AHR20 Detect KMCCimetrics Inc
 
Cybersecurity Summit AHR20 Identify Totem
Cybersecurity Summit AHR20 Identify TotemCybersecurity Summit AHR20 Identify Totem
Cybersecurity Summit AHR20 Identify TotemCimetrics Inc
 
Cybersecurity Summit AHR20 NIST framework Cimetrics
Cybersecurity Summit AHR20 NIST framework CimetricsCybersecurity Summit AHR20 NIST framework Cimetrics
Cybersecurity Summit AHR20 NIST framework CimetricsCimetrics Inc
 
Cybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCimetrics Inc
 

Recomendados

BrodcastMinimizingTrafficBACnet.pptx
BrodcastMinimizingTrafficBACnet.pptxBrodcastMinimizingTrafficBACnet.pptx
BrodcastMinimizingTrafficBACnet.pptxCimetrics Inc
 
Cybersecurity Summit AHR20 Protect Cimetrics
Cybersecurity Summit AHR20 Protect CimetricsCybersecurity Summit AHR20 Protect Cimetrics
Cybersecurity Summit AHR20 Protect CimetricsCimetrics Inc
 
Cybersecurity Summit AHR20 Take Action BACnet International
Cybersecurity Summit AHR20 Take Action BACnet InternationalCybersecurity Summit AHR20 Take Action BACnet International
Cybersecurity Summit AHR20 Take Action BACnet InternationalCimetrics Inc
 
Cybersecurity Summit AHR20 Recover Tridium
Cybersecurity Summit AHR20 Recover TridiumCybersecurity Summit AHR20 Recover Tridium
Cybersecurity Summit AHR20 Recover TridiumCimetrics Inc
 
Cybersecurity Summit AHR20 Detect KMC
Cybersecurity Summit AHR20 Detect KMCCybersecurity Summit AHR20 Detect KMC
Cybersecurity Summit AHR20 Detect KMCCimetrics Inc
 
Cybersecurity Summit AHR20 Identify Totem
Cybersecurity Summit AHR20 Identify TotemCybersecurity Summit AHR20 Identify Totem
Cybersecurity Summit AHR20 Identify TotemCimetrics Inc
 
Cybersecurity Summit AHR20 NIST framework Cimetrics
Cybersecurity Summit AHR20 NIST framework CimetricsCybersecurity Summit AHR20 NIST framework Cimetrics
Cybersecurity Summit AHR20 NIST framework CimetricsCimetrics Inc
 
Cybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCybersecurity Summit 2020 Slide Deck
Cybersecurity Summit 2020 Slide DeckCimetrics Inc
 
What BACnet/SC can do to improve BAS cybersecurity, and what it won’t do
What BACnet/SC can do to improve BAS cybersecurity, and what it won’t doWhat BACnet/SC can do to improve BAS cybersecurity, and what it won’t do
What BACnet/SC can do to improve BAS cybersecurity, and what it won’t doCimetrics Inc
 
BACnet and Metering
BACnet and MeteringBACnet and Metering
BACnet and MeteringCimetrics Inc
 
Analytika educational and research facility case study
Analytika educational and research facility case study Analytika educational and research facility case study
Analytika educational and research facility case study Cimetrics Inc
 
Jefferson University Currents
Jefferson University CurrentsJefferson University Currents
Jefferson University CurrentsCimetrics Inc
 
BACnet/SC: A Secure Alternative to BACnet/IP
BACnet/SC: A Secure Alternative to BACnet/IP BACnet/SC: A Secure Alternative to BACnet/IP
BACnet/SC: A Secure Alternative to BACnet/IP Cimetrics Inc
 
BE A BTU HUNTER: How Big Data Analytics Can Achieve Energy and OM Savings Whi...
BE A BTU HUNTER: How Big Data Analytics Can Achieve Energy and OM Savings Whi...BE A BTU HUNTER: How Big Data Analytics Can Achieve Energy and OM Savings Whi...
BE A BTU HUNTER: How Big Data Analytics Can Achieve Energy and OM Savings Whi...Cimetrics Inc
 
Bringing transparency to buildings.
Bringing transparency to buildings.Bringing transparency to buildings.
Bringing transparency to buildings.Cimetrics Inc
 
IoT Affects BACnet How?
IoT Affects BACnet How?IoT Affects BACnet How?
IoT Affects BACnet How?Cimetrics Inc
 
5 Benefits of BACnet Data In the Cloud
5 Benefits of BACnet Data In the Cloud5 Benefits of BACnet Data In the Cloud
5 Benefits of BACnet Data In the CloudCimetrics Inc
 
BACnet/IP good field implementation practices
BACnet/IP good field implementation practicesBACnet/IP good field implementation practices
BACnet/IP good field implementation practicesCimetrics Inc
 
BACnet at Cornell: 20+ Years of Lessons Learned
BACnet at Cornell: 20+ Years of Lessons LearnedBACnet at Cornell: 20+ Years of Lessons Learned
BACnet at Cornell: 20+ Years of Lessons LearnedCimetrics Inc
 
New England BACnet Users Meeting
New England BACnet Users MeetingNew England BACnet Users Meeting
New England BACnet Users MeetingCimetrics Inc
 
Building a BACnet Product
Building a BACnet ProductBuilding a BACnet Product
Building a BACnet ProductCimetrics Inc
 
Analytika - Research University case study
Analytika - Research University case studyAnalytika - Research University case study
Analytika - Research University case studyCimetrics Inc
 
result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college projectTonystark477637
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesM Maged Hegazy, LLM, MBA, CCP, P3O
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 

Más contenido relacionado

Más de Cimetrics Inc

What BACnet/SC can do to improve BAS cybersecurity, and what it won’t do
What BACnet/SC can do to improve BAS cybersecurity, and what it won’t doWhat BACnet/SC can do to improve BAS cybersecurity, and what it won’t do
What BACnet/SC can do to improve BAS cybersecurity, and what it won’t doCimetrics Inc
 
Analytika educational and research facility case study
Analytika educational and research facility case study Analytika educational and research facility case study
Analytika educational and research facility case study Cimetrics Inc
 
Jefferson University Currents
Jefferson University CurrentsJefferson University Currents
Jefferson University CurrentsCimetrics Inc
 
BACnet/SC: A Secure Alternative to BACnet/IP
BACnet/SC: A Secure Alternative to BACnet/IP BACnet/SC: A Secure Alternative to BACnet/IP
BACnet/SC: A Secure Alternative to BACnet/IP Cimetrics Inc
 
BE A BTU HUNTER: How Big Data Analytics Can Achieve Energy and OM Savings Whi...
BE A BTU HUNTER: How Big Data Analytics Can Achieve Energy and OM Savings Whi...BE A BTU HUNTER: How Big Data Analytics Can Achieve Energy and OM Savings Whi...
BE A BTU HUNTER: How Big Data Analytics Can Achieve Energy and OM Savings Whi...Cimetrics Inc
 
Bringing transparency to buildings.
Bringing transparency to buildings.Bringing transparency to buildings.
Bringing transparency to buildings.Cimetrics Inc
 
IoT Affects BACnet How?
IoT Affects BACnet How?IoT Affects BACnet How?
IoT Affects BACnet How?Cimetrics Inc
 
5 Benefits of BACnet Data In the Cloud
5 Benefits of BACnet Data In the Cloud5 Benefits of BACnet Data In the Cloud
5 Benefits of BACnet Data In the CloudCimetrics Inc
 
BACnet/IP good field implementation practices
BACnet/IP good field implementation practicesBACnet/IP good field implementation practices
BACnet/IP good field implementation practicesCimetrics Inc
 
BACnet at Cornell: 20+ Years of Lessons Learned
BACnet at Cornell: 20+ Years of Lessons LearnedBACnet at Cornell: 20+ Years of Lessons Learned
BACnet at Cornell: 20+ Years of Lessons LearnedCimetrics Inc
 
New England BACnet Users Meeting
New England BACnet Users MeetingNew England BACnet Users Meeting
New England BACnet Users MeetingCimetrics Inc
 
Building a BACnet Product
Building a BACnet ProductBuilding a BACnet Product
Building a BACnet ProductCimetrics Inc
 
Analytika - Research University case study
Analytika - Research University case studyAnalytika - Research University case study
Analytika - Research University case studyCimetrics Inc
 

Más de Cimetrics Inc (14)

What BACnet/SC can do to improve BAS cybersecurity, and what it won’t do
What BACnet/SC can do to improve BAS cybersecurity, and what it won’t doWhat BACnet/SC can do to improve BAS cybersecurity, and what it won’t do
What BACnet/SC can do to improve BAS cybersecurity, and what it won’t do
 
BACnet and Metering
BACnet and MeteringBACnet and Metering
BACnet and Metering
 
Analytika educational and research facility case study
Analytika educational and research facility case study Analytika educational and research facility case study
Analytika educational and research facility case study
 
Jefferson University Currents
Jefferson University CurrentsJefferson University Currents
Jefferson University Currents
 
BACnet/SC: A Secure Alternative to BACnet/IP
BACnet/SC: A Secure Alternative to BACnet/IP BACnet/SC: A Secure Alternative to BACnet/IP
BACnet/SC: A Secure Alternative to BACnet/IP
 
BE A BTU HUNTER: How Big Data Analytics Can Achieve Energy and OM Savings Whi...
BE A BTU HUNTER: How Big Data Analytics Can Achieve Energy and OM Savings Whi...BE A BTU HUNTER: How Big Data Analytics Can Achieve Energy and OM Savings Whi...
BE A BTU HUNTER: How Big Data Analytics Can Achieve Energy and OM Savings Whi...
 
Bringing transparency to buildings.
Bringing transparency to buildings.Bringing transparency to buildings.
Bringing transparency to buildings.
 
IoT Affects BACnet How?
IoT Affects BACnet How?IoT Affects BACnet How?
IoT Affects BACnet How?
 
5 Benefits of BACnet Data In the Cloud
5 Benefits of BACnet Data In the Cloud5 Benefits of BACnet Data In the Cloud
5 Benefits of BACnet Data In the Cloud
 
BACnet/IP good field implementation practices
BACnet/IP good field implementation practicesBACnet/IP good field implementation practices
BACnet/IP good field implementation practices
 
BACnet at Cornell: 20+ Years of Lessons Learned
BACnet at Cornell: 20+ Years of Lessons LearnedBACnet at Cornell: 20+ Years of Lessons Learned
BACnet at Cornell: 20+ Years of Lessons Learned
 
New England BACnet Users Meeting
New England BACnet Users MeetingNew England BACnet Users Meeting
New England BACnet Users Meeting
 
Building a BACnet Product
Building a BACnet ProductBuilding a BACnet Product
Building a BACnet Product
 
Analytika - Research University case study
Analytika - Research University case studyAnalytika - Research University case study
Analytika - Research University case study
 

Último

result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college projectTonystark477637
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Christo Ananth
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxupamatechverse
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...ranjana rawat
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINESIVASHANKAR N
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdfKamal Acharya
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur High Profile
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...ranjana rawat
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordAsst.prof M.Gokilavani
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Call Girls in Nagpur High Profile
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfKamal Acharya
 
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGMANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGSIVASHANKAR N
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCall Girls in Nagpur High Profile
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdfKamal Acharya
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...ranjana rawat
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingrakeshbaidya232001
 

Último (20)

result management system report for college project
result management system report for college projectresult management system report for college project
result management system report for college project
 
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(ANVI) Koregaon Park Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
Call for Papers - Educational Administration: Theory and Practice, E-ISSN: 21...
 
Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024Water Industry Process Automation & Control Monthly - April 2024
Water Industry Process Automation & Control Monthly - April 2024
 
Introduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptxIntroduction to Multiple Access Protocol.pptx
Introduction to Multiple Access Protocol.pptx
 
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur EscortsRussian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
Russian Call Girls in Nagpur Grishma Call 7001035870 Meet With Nagpur Escorts
 
Roadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and RoutesRoadmap to Membership of RICS - Pathways and Routes
Roadmap to Membership of RICS - Pathways and Routes
 
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
(SHREYA) Chakan Call Girls Just Call 7001035870 [ Cash on Delivery ] Pune Esc...
 
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINEMANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
MANUFACTURING PROCESS-II UNIT-2 LATHE MACHINE
 
Online banking management system project.pdf
Online banking management system project.pdfOnline banking management system project.pdf
Online banking management system project.pdf
 
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur EscortsCall Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
Call Girls in Nagpur Suman Call 7001035870 Meet With Nagpur Escorts
 
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
The Most Attractive Pune Call Girls Budhwar Peth 8250192130 Will You Miss Thi...
 
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete RecordCCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
CCS335 _ Neural Networks and Deep Learning Laboratory_Lab Complete Record
 
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
Top Rated Pune Call Girls Budhwar Peth ⟟ 6297143586 ⟟ Call Me For Genuine Se...
 
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdfONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
ONLINE FOOD ORDER SYSTEM PROJECT REPORT.pdf
 
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTINGMANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
MANUFACTURING PROCESS-II UNIT-1 THEORY OF METAL CUTTING
 
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service NashikCollege Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
College Call Girls Nashik Nehal 7001305949 Independent Escort Service Nashik
 
University management System project report..pdf
University management System project report..pdfUniversity management System project report..pdf
University management System project report..pdf
 
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
(PRIYA) Rajgurunagar Call Girls Just Call 7001035870 [ Cash on Delivery ] Pun...
 
Porous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writingPorous Ceramics seminar and technical writing
Porous Ceramics seminar and technical writing
 

Bacnet on the internet - BACnet User Group New England

  • 1. BACnet on the Internet
  • 2. Project Background • Started in July 2018 • Goals • Track total number of devices and trends • Identify most common manufactures and devices • Look for patterns • Find and remove any sites we have involvement with • Notify vendors we have relationships with
  • 3. Problems exposing BACnet on the internet • Limited market support for BACnet security today • White listing • Read only / limit writable objects • MS/TP Router with Encryption • BFR Project – Joel Bender • Multiple crawlers searching for BACnet • Possible equipment downtime and damage • Firmware tampering / bricking • Ukrainian Power Grid Attack – 2015 • TRITON Attack Framework - 2017
  • 4. Problems exposing BACnet on the internet • BACnet WAN Security Threat Assessment • (NIST 2003) • Amplification Threat Posed By Public BACnet • (Tech University of Munich 2017)
  • 5. Scanning for BACnet • Shodan.io • Crawls the entire IPv4 space monthly • Scans for well known protocols HTTP, SSH, FTP, etc • When they find an open port, any response becomes the “banner” HTTP/1.0 200 OK Date: Tue, 16 Feb 2010 10:03:04 GMT Server: Apache/1.3.26 (Unix) AuthMySQL/2.20 PHP/4.1.2 mod_gzip/1.3.19.1a mod_ssl/2.8.9 OpenSSL/0.9.6g Content-Length: 97 Content-Type: text/html
  • 6. Scanning for BACnet • Shodan data • Host IP • Timestamp of last scan • Banner • Hostname lookup / reverse DNS • Organization assigned to IP space • Country / City (IP Geo-location) • And more…
  • 7. Scanning for BACnet • Well known protocols get special attention • SSL • Public cert, versions supported • SMTP • Supported SSL versions, server hello • Niagara • Versions, station name • BACnet • Full device object & BDT table
  • 8. Scanning for BACnet Instance ID: 109100 Object Name: XXX-398 Vine St Location: Ground Floor Boiler Room Vendor Name: XXXXXXXXXXXXXXXXXXXXXXXXXXX Application Software: 8.20|01,10|01,10|--,--|--,--|--,--|--,--|--,--|--,--| Firmware: 8.20|01,10|01,10|--,--|--,--|--,--|--,--|--,--|--,--| Model Name: XXXXXXXXXX BACnet Broadcast Management Device (BBMD): 192.186.XXX.XXX:47808 64.250.XXX.XXX:47808 Foreign Device Table (FDT): 64.250.XXX.XXX:62738:ttl=60:timeout=88
  • 9. Scanning for BACnet • Low cost to entry • First two pages of results (~20) available with free account • $10 per 10k results • General reports, no cost • Not the only source…
  • 10. Using Shodan results • Working with .csv results, XML/JSON formats are also available • With VBA in Excel the banners are parsed • Identify BACnet hosts • Not all hosts with 47808 open are BACnet • Sort out manufactures with identity crisis • XYZ Inc., XYZ Inc, XYZ Building Technologies, XYZ Industrial • Generate totals, basic statistics and charts
  • 13. Patterns to date • Most common BACnet vendor != most common in the market • Most common vendors likely use BACnet for all aspects • Programming, firmware updates, etc • Least common vendor / device can be the most interesting • High number of identifiable sites • BACnet honeypots in the wild Metric July 2018 April 2019 Total Hosts 11,304 13,280 Vendors 112 119 Unique Models 457 516
  • 15. Honeypot Setup • Real BMS hardware and software to simulate a real install • Isolated playground with 47808 UDP/TCP exposed • Raspi & passive network tap • Full setup details • Long term capture and collection • Wireshark export to Excel and classify
  • 16. Honeypot Results • Identified entities scanning for BACnet devices • University of Michigan • Alpha Strike • Kudelski Group • Net Systems Research • Censys • Rapid7 • And more…
  • 17. Honeypot Results • Scanning traffic is minimal currently – 1 scan / day • Scanning outside known actors rare • Running realistic HP is difficult • Firmware versions, model, vendor names, typical device instances, etc • Geo-location IP matches any site specific naming • Realistic sensor readings • Do sensors react correctly to output overrides • Many required for a solid understanding