BACnet (Building Automation and Control Networking Protocol) is an ICS protocol developed by ASHRAE (American Society of Heating, Refrigerating and Air-Conditioning Engineers). Like most ICS protocols, BACnet suffers from design vulnerabilities [source 3] such as poor implementations, lack of encryption and the ability to load files (firmware) onto BACnet devices, which leaves it open to various attacks [source 2] such as network mapping and DoS attacks (abusing broadcast messages). BACnet devices can be found with online search engines such as Shodan: just type "port:47808" or "bacnet" into Shodan's search bar. BACnet Firewall Router (BFR) is an open source technology that can help secure this protocol against network mapping, DoS and spoofing [source 2] through its ability to filter BACnet packets. In this article I have assembled a list of filters and messages that can help you secure your network and assets if you are using the BACnet protocol.
BACnet traffic analysis helps you understand normal and abnormal BACnet behavior in your network. It is also useful for developing firewall/IDS/IPS rules and, most importantly, for monitoring operational messages (see the first table) and security messages (see the second table). BACnet traffic can be analyzed with tools such as Wireshark. I mentioned in my article "Wireshark filters for ICS protocols" that BACnet is supported by Wireshark; check out the Wireshark filters for BACnet here. To get started quickly, here are the common Wireshark filters that can aid your investigation:
| Wireshark filter | Matches |
|---|---|
| `bvlc \|\| bacnet \|\| bacapp` | All BACnet packets |
| `bacnet` | BACnet NPDU packets |
| `bacnet.mesgtyp` | BACnet Network Layer (router) packets |
| `bvlc.function == 0x0b` | BACnet/IP broadcast packets |
| `bacapp` | BACnet APDU packets |
| `bacapp.confirmed_service == 12` | BACnet ReadProperty packets |
| `bacapp.confirmed_service == 15` | BACnet WriteProperty packets |
| `bacapp.unconfirmed_service == 0` | BACnet I-Am packets |
| `bacapp.unconfirmed_service == 8` | BACnet Who-Is packets |
| `bacapp.unconfirmed_service == 2` | BACnet UnconfirmedCOVNotification packets |
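As an added example (not code from the original article), the following Python decoder walks the BVLC, NPDU and APDU headers of a raw BACnet/IP packet and reports which rows of the filter table above the packet would satisfy, using the same function and service numbers the table lists. The sample packets are hand-constructed for illustration.

```python
# Added example, not code from the original article: a minimal BACnet/IP decoder that
# reports which rows of the Wireshark filter table above a raw packet would match.
CONFIRMED = {12: "ReadProperty", 15: "WriteProperty"}
UNCONFIRMED = {0: "I-Am", 2: "UnconfirmedCOVNotification", 8: "WhoIs"}


def matching_filters(pkt: bytes) -> set:
    """Return the table's Wireshark filter expressions this packet satisfies."""
    if len(pkt) < 6 or pkt[0] != 0x81:       # BVLC type byte for BACnet/IP
        raise ValueError("not a BACnet/IP (BVLC) packet")
    if int.from_bytes(pkt[2:4], "big") != len(pkt):
        raise ValueError("BVLC length field does not match packet size")
    hits = {"bvlc || bacnet || bacapp", "bacnet"}
    if pkt[1] == 0x0B:                       # Original-Broadcast-NPDU
        hits.add("bvlc.function == 0x0b")
    if pkt[4] != 0x01:
        raise ValueError("unsupported NPDU version")
    ctrl, i = pkt[5], 6
    if ctrl & 0x20:                          # DNET(2) DLEN(1) DADR(DLEN)
        i += 3 + pkt[i + 2]
    if ctrl & 0x08:                          # SNET(2) SLEN(1) SADR(SLEN)
        i += 3 + pkt[i + 2]
    if ctrl & 0x20:
        i += 1                               # hop count follows when DNET is present
    if ctrl & 0x80:                          # network-layer (router) message, no APDU
        hits.add("bacnet.mesgtyp")
        return hits
    hits.add("bacapp")
    pdu_type = pkt[i] >> 4
    if pdu_type == 0:                        # Confirmed-Request
        segmented = pkt[i] & 0x08            # SEG set: two extra header bytes
        choice = pkt[i + 5] if segmented else pkt[i + 3]
        if choice in CONFIRMED:
            hits.add(f"bacapp.confirmed_service == {choice}")
    elif pdu_type == 1:                      # Unconfirmed-Request
        choice = pkt[i + 1]
        if choice in UNCONFIRMED:
            hits.add(f"bacapp.unconfirmed_service == {choice}")
    return hits


SAMPLES = {  # hand-constructed packets (UDP payload only), for illustration
    "Who-Is global broadcast": bytes.fromhex("810b000c0120ffff00ff1008"),
    "WriteProperty unicast": bytes.fromhex("810a001801040005010f0c0080000119553e4442c800003f"),
    "I-Am via router (SNET set)": bytes.fromhex("810a00180108000101051000c40200000122040091032105"),
    "Who-Is-Router-To-Network": bytes.fromhex("810b0007018000"),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name}: {sorted(matching_filters(pkt))}")
```

Feeding it a capture's UDP payloads lets you cross-check, packet by packet, what the Wireshark filters above would select; a WriteProperty arriving from an unexpected host is the kind of hit worth alerting on.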
So, what are the BACnet security messages worth watching for in your network traffic? They can be found with the filter `bacnet.mesgtyp`; see the table below for those messages' codes. Look for the message type inside the "Network Layer Message Type" section of the decoded packet.