Building management systems for providing security in existing KNX projects: organizational measures and device monitoring
NETxAutomation Software GmbH

NETxAutomation

• Austrian company operating world-wide, founded in 2001
• Integration of heterogeneous building automation networks: Building Management System (BMS) platform, OPC server
• Management applications: visualization, energy reporting, automatic shading control, lighting management, project support
• Software solutions for systems with 100,000+ data points
• Customers: electrical consultants, electrical engineers, system integrators
• 16 years of experience in building automation, 6,000+ realized projects, customers in 40+ countries, 36+ international sales, solution and R&D partners

NETx solutions

[Architecture diagram: the NETx BMS Platform in the centre, connected to PC visualization (Windows-based NETx Vision), web visualization (web browser, IoT devices), 3rd party BACnet and OPC clients, oBIX, MQTT and other web service interfaces, and further NETx BMS Platform instances for clustering]

NETx BMS Platform

Multi-protocol gateway, visualization, alarm management, trending, scheduler, logic engine, lighting/DALI management, automatic shading control

Interfaces: KNX, BACnet, DALI, EnOcean, SNMP, M-Bus, DMX, OPC, OnQ, XIO; hotel systems (Fidelio/Opera, Infor, Protel, VingCard, Salto, Kaba); universal HTTP server and other web service gateways; hardware gateways

Why is security important?

Is security important in the home and building automation domain?

• "Why should I bother if anyone turns my lights on or off?"
• "If someone wants to know my room temperature, I have no objections"

Security-critical services:
• Access control
• Intruder alarms

Vandalism acts may have massive economic impact

• Complete shutdown of the whole system in a hotel
• Security attacks in functional buildings
• Mass panic in public spaces (e.g., lighting system in a concert hall)
• Hospitals (e.g., lighting system in an emergency room)
• The building automation system may be the entry point to other, more critical systems (e.g., hotel management systems)

KNX security

What about security in building automation?

All protocols (LonWorks, KNX, Modbus, BACnet, proprietary solutions) are or were prone to security attacks.

The good news is that new security standards are available for KNX:

• KNX Data Security: additional security measures (telegram authentication and encryption) for all KNX media
• KNX IP Security: secure communication for KNX over IP networks

KNX security

Is KNX security enough?

Yes, it uses state-of-the-art cryptographic technology (AES-128 in CCM mode, with Curve25519 key agreement for KNX IP Secure sessions) of the same kind used in other application domains (TLS/SSL, e-banking, ...).

But:

What about existing KNX projects that use non-secure KNX devices? And what about attacks that cryptography cannot prevent, such as denial of service?

Secure communication is not enough

Example: denial-of-service attack on an alarm system

[Figure: normal operation. A glass breakage sensor sends an "Alarm" message to the alarm system when the window is broken; the alarm system raises the alarm]

A jamming attack fully breaks the alarm system: the "Alarm" message is not received by the alarm system, so no alarm is raised.

[Figure: an unauthorized person jams the bus; the message from the broken window is lost; the alarm system stays silent]

Encryption and authentication do not help here: the attacker does not need to read or forge telegrams, only to prevent their delivery.

More secure solution: the sensor sends an "OK" message periodically; if the message is missing, the alarm is raised.

[Figure: window undamaged: regular OK messages, no alarm. Broken window (or jammed bus): no message within the expected interval, alarm]
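The two designs from the slides above, replayed over the same jamming scenario. This is an added example for this deck, not NETx code and not a KNX device implementation: the sensor, the 60 s heartbeat period, the two-period grace window and the telegram log are constructed, and the supervision logic is written as it would run at the BMS or alarm-panel level.

```python
"""Alarm-on-event versus periodic-OK supervision of a glass breakage sensor,
replayed over a constructed telegram log. Added example for this deck, not
NETx code: sensor, timings and log are constructed."""

from dataclasses import dataclass, field

HEARTBEAT_PERIOD_S = 60.0   # assumption: the sensor sends "OK" once a minute
GRACE_PERIODS = 2           # assumption: one lost OK is tolerated, two are not


@dataclass
class Telegram:
    t: float        # seconds since the system was armed
    payload: str    # "OK" or "ALARM"


@dataclass
class EventOnlyAlarm:
    """First design in the deck: alarm only when an "ALARM" telegram arrives.
    Silence looks exactly like "all fine", so a jammed bus is never noticed."""
    alarms: list = field(default_factory=list)

    def on_telegram(self, tg: Telegram) -> None:
        if tg.payload == "ALARM":
            self.alarms.append((tg.t, "glass breakage reported"))

    def on_tick(self, now: float) -> None:
        pass  # nothing to supervise


@dataclass
class HeartbeatAlarm:
    """Deck's more secure solution: the sensor sends OK periodically and the
    alarm system raises a supervision alarm when the OK stops coming, even if
    the ALARM telegram itself never arrives."""
    period: float = HEARTBEAT_PERIOD_S
    grace: int = GRACE_PERIODS
    last_seen: float = 0.0
    supervision_raised: bool = False
    alarms: list = field(default_factory=list)

    def on_telegram(self, tg: Telegram) -> None:
        if tg.payload == "ALARM":
            self.alarms.append((tg.t, "glass breakage reported"))
        self.last_seen = tg.t            # any telegram proves the sensor is alive
        self.supervision_raised = False

    def on_tick(self, now: float) -> None:
        if not self.supervision_raised and now - self.last_seen > self.grace * self.period:
            self.supervision_raised = True
            self.alarms.append((now, "sensor silent: jamming, tamper or failure"))


def replay(log, monitor, duration: float, tick: float = 10.0):
    """Feed telegrams and clock ticks to a monitor in time order; return its alarms."""
    pending = sorted(log, key=lambda tg: tg.t)
    i, now = 0, 0.0
    while now <= duration:
        while i < len(pending) and pending[i].t <= now:
            monitor.on_telegram(pending[i])
            i += 1
        monitor.on_tick(now)
        now += tick
    return monitor.alarms


# Constructed scenario: OK every 60 s, then the attacker jams the bus after
# t=300 s and breaks the window at t=400 s. The ALARM telegram is never
# delivered, so the log the alarm system sees ends with the fifth OK.
JAMMED_LOG = [Telegram(60.0 * k, "OK") for k in range(1, 6)]


def run_event_only(log=JAMMED_LOG, duration: float = 600.0):
    return replay(log, EventOnlyAlarm(), duration)


def run_heartbeat(log=JAMMED_LOG, duration: float = 600.0):
    return replay(log, HeartbeatAlarm(), duration)


if __name__ == "__main__":
    print("event-only:", run_event_only())   # [] : the break-in is missed
    print("heartbeat :", run_heartbeat())    # supervision alarm at t=430 s
```

The grace window is the trade-off to tune on a real bus: one lost telegram is normal on KNX TP or RF, so alarming on the first missed OK produces false alarms, while a long window gives the attacker that much time after jamming starts.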

Secure existing KNX projects

Use organizational measures!

• Isolate building automation networks
• Use defence-in-depth methods
• Train the electrical engineers and integrators to use the technologies in a correct and secure way

Use additional software tools at the building management level

Building management systems that provide additional countermeasures against security attacks:

• Visualizations that support TLS/SSL connections
• Device monitoring and logging
• Intrusion detection
• Alarm systems

Defence in depth in hotel projects

Insecure integration

[Figure: one KNX TP installation for the whole hotel. The room lines (Room 101, Room 102, ..., Room 201, Room 202) are connected via line couplers to main lines and a KNX TP backbone. An unauthorized person with physical access to the bus in one room is on the same installation as every other room]

Better, but still insecure

[Figure: each room's KNX TP line ends in a KNXnet/IP router; the routers are joined by a KNX IP backbone using KNXnet/IP routing (multicast). An unauthorized person with access to the IP network sees, and can inject, the multicast routing traffic of all rooms]

Security by isolated rooms

[Figure: no KNXnet/IP routing. Each room's KNX TP line ends in its own KNXnet/IP interface on an isolated IP network; an unauthorized person in a room only reaches that room's TP line]

Security by isolated rooms

No KNX communication between rooms is necessary:

• No KNXnet/IP routing is necessary
• KNXnet/IP interfaces instead of KNXnet/IP routers can be used (much cheaper)
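A check that a BMS or a small network monitor could run to verify the two rules above on the room IP network: no KNXnet/IP routing multicast at all, and no KNXnet/IP traffic from anyone but the BMS. This is an added example for this deck, not NETx code. The datagram capture, the BMS address 10.1.0.10 and the interface addresses are constructed; the 6-byte KNXnet/IP header layout, the service type identifiers and the 224.0.23.12 routing group are those of the KNXnet/IP standard.

```python
"""Policy check for the isolated-room design: parse the KNXnet/IP header of
each UDP datagram seen on the BMS/room IP network and flag routing multicast
(forbidden in this design) and KNXnet/IP traffic from hosts other than the
BMS. Added example for this deck, not NETx code. The capture, the BMS address
and the interface addresses are constructed; service type identifiers and the
224.0.23.12 routing group are those of the KNXnet/IP standard."""

import struct
from dataclasses import dataclass

ROUTING_MULTICAST = "224.0.23.12"   # KNXnet/IP routing group (UDP port 3671)
HEADER_SIZE, PROTOCOL_VERSION = 0x06, 0x10

SERVICE_NAMES = {
    0x0201: "SEARCH_REQUEST", 0x0202: "SEARCH_RESPONSE",
    0x0203: "DESCRIPTION_REQUEST", 0x0204: "DESCRIPTION_RESPONSE",
    0x0205: "CONNECT_REQUEST", 0x0206: "CONNECT_RESPONSE",
    0x0207: "CONNECTIONSTATE_REQUEST", 0x0208: "CONNECTIONSTATE_RESPONSE",
    0x0209: "DISCONNECT_REQUEST", 0x020A: "DISCONNECT_RESPONSE",
    0x0420: "TUNNELLING_REQUEST", 0x0421: "TUNNELLING_ACK",
    0x0530: "ROUTING_INDICATION", 0x0531: "ROUTING_LOST_MESSAGE",
    0x0950: "SECURE_WRAPPER", 0x0951: "SESSION_REQUEST",
}
ROUTING_SERVICES = {0x0530, 0x0531}


@dataclass(frozen=True)
class Datagram:
    src: str        # source IP address
    dst: str        # destination IP address (unicast host or routing group)
    payload: bytes  # UDP payload


def parse_header(payload: bytes):
    """Return (service_type, total_length) for a well-formed KNXnet/IP frame,
    None otherwise: 6-byte header = length, version 1.0, service, total length."""
    if len(payload) < HEADER_SIZE:
        return None
    hlen, version, service, total = struct.unpack("!BBHH", payload[:HEADER_SIZE])
    if hlen != HEADER_SIZE or version != PROTOCOL_VERSION or total != len(payload):
        return None
    return service, total


def frame(service: int, body: bytes = b"") -> bytes:
    """Build a KNXnet/IP frame with the given service type and body."""
    return struct.pack("!BBHH", HEADER_SIZE, PROTOCOL_VERSION,
                       service, HEADER_SIZE + len(body)) + body


def check_isolated_room_policy(datagrams, bms_ip, room_interfaces):
    """Yield (datagram, reason) for every violation of the design rules:
    no routing, and only the BMS talks to the room interfaces."""
    for d in datagrams:
        parsed = parse_header(d.payload)
        if parsed is None:
            continue                      # not KNXnet/IP (or malformed): out of scope here
        service, _ = parsed
        name = SERVICE_NAMES.get(service, f"0x{service:04x}")
        if d.dst == ROUTING_MULTICAST or service in ROUTING_SERVICES:
            yield d, f"KNXnet/IP routing ({name}) on an isolated network"
        elif d.src == bms_ip:
            continue                      # the BMS is the only legitimate client
        elif d.src in room_interfaces:
            if d.dst != bms_ip:           # an interface answering someone else
                yield d, f"interface {d.src} sending {name} to non-BMS host {d.dst}"
        else:
            yield d, f"{name} from unknown host {d.src}"


# Constructed capture: BMS keepalive and reply (fine), a router someone added
# (routing multicast), a laptop in a room opening a tunnel and the interface
# answering it, and one malformed frame.
BMS = "10.1.0.10"
ROOM_INTERFACES = {"10.1.1.101", "10.1.1.102", "10.1.2.201"}
CAPTURE = [
    Datagram(BMS, "10.1.1.101", frame(0x0207, bytes(10))),
    Datagram("10.1.1.101", BMS, frame(0x0208, bytes(2))),
    Datagram("10.1.1.102", ROUTING_MULTICAST, frame(0x0530, bytes(11))),
    Datagram("10.1.1.250", "10.1.2.201", frame(0x0205, bytes(20))),
    Datagram("10.1.2.201", "10.1.1.250", frame(0x0206, bytes(14))),
    Datagram("10.1.1.250", "10.1.1.101", b"\x06\x10\x02\x05\x00\x00"),
]


def audit(datagrams=CAPTURE, bms_ip=BMS, room_interfaces=ROOM_INTERFACES):
    return [(d.src, d.dst, reason)
            for d, reason in check_isolated_room_policy(datagrams, bms_ip, room_interfaces)]


if __name__ == "__main__":
    for src, dst, reason in audit():
        print(f"{src:>12} -> {dst:<12} {reason}")
```

The interface-to-unknown-host rule is the one that catches a second client even when the client's own request was missed, because the interface's CONNECT_RESPONSE goes back to the intruder's address. Malformed frames are skipped by the parser here; a stricter monitor would also flag any UDP/3671 traffic from an unknown host regardless of content.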

What about central commands like changing set points?

• Use Building Management System (BMS) software

Defence in depth in hotel projects

Secure central management using a BMS solution

[Figure: the NETx BMS Platform on the isolated IP network opens a separate KNXnet/IP tunnelling connection (unicast) to each room's KNXnet/IP interface; an unauthorized person in a room still only reaches that room's TP line]

Intrusion detection with BMS

Device monitoring

[Figure: the NETx BMS Platform polls the devices in every room over the IP network and the room's KNXnet/IP interface. Left: all devices respond. Right: the response of a device that an unauthorized person has removed or tampered with is missing]

• If a device does not respond within an appropriate time, an alarm is raised
• No bandwidth problem, because each room has its own point-to-point tunnelling connection
• Device polling uses KNX management requests
• Data source information is also available
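The polling side of this, as an added example for this deck (not NETx code): a BMS-level monitor that polls each device through the tunnelling connection of its room, paces polls on one TP line so they never burst, and raises an alarm after two consecutive timeouts, clearing it when the device answers again. The device list, the timings and the transport are constructed: the hypothetical send_poll callback stands in for a KNX management request sent over a KNXnet/IP tunnelling connection and returns True when the device answered before the deadline.

```python
"""Device monitoring as described in the deck: the BMS polls every KNX device
through the tunnelling connection of its room interface and raises an alarm
when a device stops answering within the allowed time. Added example for this
deck, not NETx code. Devices, timings and the transport are constructed:
send_poll stands in for a KNX management request sent over a KNXnet/IP
tunnelling connection and returns True when the device answered in time."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

POLL_TIMEOUT_S = 3.0        # assumption: allowed response time per poll
MISSES_BEFORE_ALARM = 2     # assumption: consecutive timeouts before alarming
POLL_INTERVAL_S = 60.0      # assumption: every device is polled once a minute


@dataclass(frozen=True)
class Device:
    room: str       # one room == one KNXnet/IP interface == one tunnelling connection
    address: str    # KNX individual address, e.g. "1.1.10"


@dataclass
class DeviceState:
    misses: int = 0
    in_alarm: bool = False


@dataclass
class DeviceMonitor:
    devices: List[Device]
    send_poll: Callable[[Device, float], bool]
    states: Dict[str, DeviceState] = field(default_factory=dict)
    events: List[Tuple[float, str, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        self.states = {d.address: DeviceState() for d in self.devices}

    def poll_cycle(self, now: float) -> None:
        """One round of polls. Devices on the same TP line are polled one after
        another, each after the previous poll's timeout, so a line never sees a
        burst; rooms have their own tunnelling connections, so their rounds run
        independently (the deck's "no bandwidth problem")."""
        by_room: Dict[str, List[Device]] = {}
        for d in self.devices:
            by_room.setdefault(d.room, []).append(d)
        for devices in by_room.values():
            t = now
            for d in devices:
                self._record(d, self.send_poll(d, t), t)
                t += POLL_TIMEOUT_S

    def _record(self, d: Device, answered: bool, t: float) -> None:
        st = self.states[d.address]
        if answered:
            if st.in_alarm:
                self.events.append((t, d.address, "device answering again"))
            st.misses, st.in_alarm = 0, False
            return
        st.misses += 1
        if st.misses >= MISSES_BEFORE_ALARM and not st.in_alarm:
            st.in_alarm = True
            self.events.append((t, d.address,
                                f"no response to {st.misses} polls (removed, tampered or failed)"))

    def run(self, cycles: int, start: float = 0.0) -> List[Tuple[float, str, str]]:
        for n in range(cycles):
            self.poll_cycle(start + n * POLL_INTERVAL_S)
        return self.events


# Constructed site: two rooms on the first floor, one on the second.
DEVICES = [
    Device("101", "1.1.10"), Device("101", "1.1.11"),
    Device("102", "1.1.20"),
    Device("201", "1.2.5"), Device("201", "1.2.6"),
]


def simulated_transport(unplugged=("1.2.5", 90.0, 250.0)) -> Callable[[Device, float], bool]:
    """Every device answers, except `unplugged` between t_off and t_on
    (an unauthorized person removes the device from the bus in Room 201)."""
    address, t_off, t_on = unplugged

    def send_poll(d: Device, t: float) -> bool:
        return not (d.address == address and t_off <= t < t_on)
    return send_poll


def demo(cycles: int = 6):
    return DeviceMonitor(DEVICES, simulated_transport()).run(cycles)


if __name__ == "__main__":
    for t, address, what in demo():
        print(f"t={t:5.0f}s  {address:8} {what}")   # alarm at 180 s, recovery at 300 s
```

With a one-minute poll interval and two misses before alarming, a removed device is reported within two to three minutes; the same two constants bound the false-alarm rate from a single lost telegram on the TP line.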

Isolation of the IP network

What to do if the IP network cannot be isolated?

[Figure: open IP network. The NETx BMS Platform tunnels (unicast) to the KNXnet/IP interface of each room, but an unauthorized person also has access to the IP network and can talk to the interfaces]

Use the KNX security standard: secure KNXnet/IP tunnelling

Secure KNXnet/IP tunnelling

The new KNXnet/IP security protects the communication between the BMS Platform and KNXnet/IP routers and interfaces.

[Figure: secure KNXnet/IP tunnelling connection (unicast) between the NETx BMS Platform and a secure KNXnet/IP interface over the IP network, with unauthorized persons on the IP network and in the rooms]

Malicious users with access to the IP network cannot read, forge or replay the KNXnet/IP communication: the tunnelling frames are authenticated and encrypted inside a secure session. As with any encrypted link, this does not stop an attacker from dropping or jamming traffic, which is why the device monitoring above is still needed.

Secure visualization with NETx BMS Platform

NETx BMS Platform provides web-based visualization:

• Pure HTML5 and JavaScript
• HTTPS support using TLS
• Username/password authentication

Secure KNXnet/IP tunnelling driver

• Available for the NETx BMS Platform
• Can be used with the new secure KNXnet/IP routers and interfaces

www.netxautomation.com