A building automation system (BAS, cf. Wikipedia Entry) is basically a computer network containing sensors (devices which provide measured values, such as the temperature) and actuators (devices used to control something, like a heating actuatur used to control the heating in a room). BAS use various protocols (containing own stacks) and thus make only very limited use of TCP/IP.
The question I wanted to answer is: Are Covert or Side Channels possible in BAS environments? Indeed, the answer for both questions is “Yes”.
To differ between both terms, I refer to a side channel as a communication channel without an intentional sender while a covert channel requires an intentional sender. This distinction is relativeley common in the current CS research.
Side Channels in BAS
A side channel in a building automation systems exists if a user can obtain information leaked by the BAS network. Therefore, the user can monitor the BAS network for messages or can request information from sensors. While the first scenario is a passive side channel, the latter one is an active side channel.
An employee wants to steal a document from the manager's office. Therefore, the employee wants to ensure that the manager is currently out of his office, i.e. the employee wants to be sure that it is safe to steal the document without getting caught.
The employee utilizes the BAS to obtain information about the presence of the manager in the room. Therefore the employee can request sensor information (e.g. temperatur, lighting …) in the manager's office. If the ligthening is turned off, the temperature does not seem to represent the presence of a person, the heating is turned off and so on, the employee can be relatively sure that the office is empty and that it is safe to steal the document at the moment.
Covert Channels in Building Automation Systems
For a covert channel communication, it is necessary to have an intentional sender in the scenario. Let us therefore imagine a situation in which we have a building with two rooms as shown in Figure 1. The left room is closed and Internet access in the room is prevented. A secret meeting is taking place in the room and the results of the meeting have to be kept secret until the meeting is over. The security policy of the organization prevents any communication from the left (secret) room to the right (public) room.
Fig. 1: A Sample Covert Channel Scenario for a Building Automation System.-->
Let us imagine, one person in the left room wants to pre-inform a person in the right room about the estimated result of the secret discussion. Therefore, the BAS can be manipulated. The “sender” person in the left room could turn on the light in the left room ("because it is getting dark outside") but the light button can be connected to an additional device by the BAS logic and could turn on the lightening in the right room (or any other device in the building) at the same time to signal hidden information to the covert channel receiver. This covert channel is shown in Figure 2.
Fig. 2: A covert channel established in the BAS that breaks the security policy of the building.Thus, covert channels can leak hidden information and can break security policies in building environments. The details can be found in my referenced paper above.
Preventing Covert and Side Channels
In my paper, I also present a technique to prevent at least a subset of the possible covert and side channels in BAS. I therefore route all BAS commands of applications (e.g. smart phone applications used to control or monitor the building) through a middleware that contains multilevel security (MLS) and role-based access control (RBAC) support. Low-level prevention means are part of future work.