Guarding the Modern Castle: Providing Visibility into the BACnet Protocol
Building automation devices are used to monitor and control HVAC, security, fire, lighting, and other similar functions in a building or across a campus. Over 60% of the global market for building automation relies on the BACnet protocol to enable communication between field devices (BSRIA, 2018). There are few open-source network intrusion detection or prevention systems (NIDS/NIPS) capable of interpreting and monitoring the BACnet protocol (Hurd & McCarty, 2017). This blind spot presents a significant security risk. The maloperation of building automation systems can cause physical damage and financial losses, and can allow an attacker to pivot from a building automation network into other networks (Balent & Gordy, 2013). A BACnet/IP protocol analyzer was created for an open-source NIDS/NIPS called Zeek to help minimize this network security blind spot. The analyzer was tested with publicly available BACnet capture files, including some with protocol anomalies. The new analyzer and test cases provide network defenders with a tool to implement a BACnet/IP capable NIDS/NIPS as well as insight into how to defend the modern-day castles that rely on the Building Automation and Control network protocol.
39240 (PDF, 2.35MB)
30 Oct 2019Related Content
Sanitized in the Source: Removing Embedded Objects from PLC Projects with CDR
Research PaperThis research seeks to outline a methodology to sanitize supported PLC project files for security while also confirming their operational reliability.
- 16 Apr 2026
ICS Asset Inventory: Passive, or Active? Siemens S7-1200 PLCs
Research PaperThis research builds on previous research to determine what information can and cannot be gleaned solely from passive traffic analysis, specifically for a Siemens S7-1200 PLC.
- 12 Mar 2026
Protecting OT’s Inherent Front-End Vulnerabilities: Legacy SQL Dependencies in Building Automation Systems Through the Lens of the SANS ICS Five Critical Controls
Research PaperThis research presents a practical method for building a Software Bill of Materials (SBOM) for BAS front ends, augmenting it with Shodan exposure analysis, classifying it in a risk heat map, and mitigating using the SANS ICS Five Controls, with an emphasis on Risk-Based Vulnerability Management and Defensible Architecture.
- 9 Feb 2026
Code Modularity as a Heuristic for Malware Design
Research PaperMalware targeting industrial control systems (ICS) and critical infrastructure often exhibits a modular architecture, using a central loader to execute interchangeable payload modules.
- 7 Nov 2025
Webs of Deception: Using the SANS ICS Kill Chain to Flip the Advantage to the Defender
Research PaperDefending a small Industrial Control System (ICS) against sophisticated threats can seem futile. The...
- 14 Apr 2025
Industrial Control System Internal Network Security Monitoring with Open-Source Tools
Research PaperSecurity vendors have made many advances in internal network security monitoring (INSM) in recent...
- 5 Dec 2024
False Data Injection Attacks Against Distribution Automation Systems
Research PaperUtility companies increasingly rely on automated switching to provide their customers with a...
- 5 Dec 2024
Shedding Light on OT Anomalies: Parsing Proprietary OT Protocols with Zeek
Research PaperMany traditional intrusion detection systems (IDS) may struggle with the unique devices and...
- 9 Oct 2024
SANS 2024 State of ICS/OT Cybersecurity
Research PaperThis white paper, SANS Certified Instructor Jason Christopher explores the growing trends in cyber...
- 9 Oct 2024
- SANS Institute
Mode Matters: Monitoring PLCs for Detecting Potential ICS/OT Incidents
Research PaperThere is a blind spot regarding cyber security in many Industrial Control Systems (ICS)and...
- 28 Feb 2024
Can Open-Source Tools Be Used to Safely Scan a Modern ICS Environment?
Research PaperThis research delves into the long-standing belief within the Operational Technology (OT) security...
- 27 Nov 2023
Private 5G, "Not as Private as You May Think"
Research PaperPrivate 5G networks and the transition to Industry 4.0 are gaining traction as demand increases for...
- 10 Oct 2023
Implementing Scalable Security for Devices Without 802.1x Support
Research PaperEnterprises often implement 802.1x to control access to wired and wireless networks by...
- 21 Dec 2022
Transparently Insecure Operational Technology: A Contextual Analysis
Research PaperIn cybersecurity, countering threats depends on an ability to see and respond to attacks. However,...
- 6 Jan 2022
You Cannot Defend What You Cannot See: Gaining Insight into Proprietary Protocols through Custom Parsers with Zeek
Research PaperA vital component of any information security architecture is a network intrusion detection...
- 6 Jan 2022
Collection and Analysis of Serial-Based Traffic in Critical Infrastructure Control Systems
Research PaperThere is a blind spot the size of a 27-ton, 2.25-megawatt maritime diesel generator in the world's...
- 11 Feb 2021
Industrial Traffic Collection: Understanding the implications of Deploying visibility without impacting production
Research PaperDue to the critical nature of industrial environments and the lifetime of deployed assets, many...
- 21 Sep 2020
Fashion Industry (Securely) 4.0ward
Research PaperThe fashion market segment is going through a significant technological upgrade. The need to meet...
- 9 Sep 2020
60870-5-104 protocol snort rule customization
Research PaperOT Security emerges as a necessity due to its flat network implementation and criticality of systems...
- 10 Aug 2020
Vulnerabilities on the Wire: Mitigations for Insecure ICS Device Communication
Research PaperModbus TCP and other legacy ICS protocols ported over from serial communications are still widely...
- 12 Feb 2020
- Michael Hoffman