What do ICS asset owners need to know about the threat environment? Below is an Indications and Warnings report that went out recently as part of our ICS Cyber Situational Awareness and Threat Intelligence Service. If you are interested in subscribing, contact us at info@critical-intelligence.com to obtain a quote.
Our botnet concept and scenario is novel in that it takes advantage of the physical capabilities of a building and has to adapt to a specialized environment that is highly deterministic, predictable, simplistic and conservative. These properties make anomalies easy to detect. Smart building botnets allow the monitoring and remote control of (critical) building automation infrastructure in public and private facilities, such as airports or hospitals. We discuss why building automation botnets could thus enable attackers to cause critical damage to whole regions and economies. Hiding the command and control communication is a highly beneficial step in adapting botnets to the BAS environment. We show that this is not necessarily a big hurdle and can be solved using existing covert channel techniques.
The benefits for malware developers are manifold. First, malware attackers could monitor events (e.g. movement patterns) in a large number of buildings and could thus create usage profiles of inhabitants, which could later be sold on a black market. Second, miscreants can aim at causing a denial of service in a building (e.g. forcing an evacuation by a false fire alarm). Third, in contrast to mobile devices and PC systems, BAS are permanently available, rarely modified, have almost no security features, are designed for long-term deployment and are rarely patched. This makes them an excellent choice for placing bots. Fourth, buildings can be used to blackmail their inhabitants and owners (e.g. forcing the transfer of money to a bank account to end a disruption of a critical system such as an airport baggage transfer system or lifts in a hospital).
We present the first prototype of a BACnet traffic normalizer based on Snort, which we are currently developing. We design our normalization to be capable of significantly increasing the robustness of BAS networks by protecting BACnet network stack implementations against malformed packets and packets linked to selected attacks, as well as by ensuring the compliance of BACnet messages. Our normalization rules are additionally a means to counter fuzzing attacks and to provide protection for seldom-updated BACnet devices, as patching is a challenging task in BAS.
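The kind of compliance check such a normalizer performs on BACnet/IP frames, as an added example written for this page rather than the authors' Snort preprocessor: it validates the BVLC header (type, function, length field against the real frame length) and the NPDU version, and reports violations instead of forwarding the frame. The field layout follows the BACnet/IP standard; the sample frames are constructed.

```python
"""Minimal BACnet/IP (BVLC + NPDU) conformance check, in the spirit of a traffic
normalizer: frames whose headers contradict the specification are reported rather
than passed on to the device's protocol stack. Example code for this page; the
sample frames below are constructed."""
import struct

BVLC_TYPE_BACNET_IP = 0x81     # BVLC 'type' octet for BACnet/IP (Annex J)
BVLC_FUNCTION_MAX = 0x0B       # Annex J defines functions 0x00 .. 0x0B
BVLC_FORWARDED_NPDU = 0x04     # a 6-octet originating B/IP address precedes the NPDU
BVLC_ORIGINAL_UNICAST = 0x0A
BVLC_ORIGINAL_BROADCAST = 0x0B
NPDU_VERSION = 0x01

# Constructed sample: a standard Who-Is broadcast (BVLC, NPDU, APDU) ...
WHO_IS_BROADCAST = bytes.fromhex("810b000c" "0120ffff00ff" "1008")
# ... and the same frame with its BVLC length field claiming 255 octets.
BAD_LENGTH_FRAME = bytes.fromhex("810b00ff" "0120ffff00ff" "1008")


def check_bacnet_ip_frame(frame: bytes) -> list:
    """Return the list of violations found; an empty list means well-formed."""
    problems = []
    if len(frame) < 4:
        return ["BVLC header truncated"]
    bvlc_type, function, length = struct.unpack("!BBH", frame[:4])
    if bvlc_type != BVLC_TYPE_BACNET_IP:
        problems.append(f"unexpected BVLC type 0x{bvlc_type:02x}")
    if function > BVLC_FUNCTION_MAX:
        problems.append(f"unknown BVLC function 0x{function:02x}")
    # The BVLC length covers the whole frame, header included; a field that
    # disagrees with the real length is the classic trigger for parser over-reads.
    if length != len(frame):
        problems.append(f"BVLC length {length} != frame length {len(frame)}")
    # Only functions that carry an NPDU get the NPDU version check.
    npdu_offset = {BVLC_FORWARDED_NPDU: 10, BVLC_ORIGINAL_UNICAST: 4,
                   BVLC_ORIGINAL_BROADCAST: 4}.get(function)
    if npdu_offset is not None:
        npdu = frame[npdu_offset:]
        if len(npdu) < 2:
            problems.append("NPDU truncated")
        elif npdu[0] != NPDU_VERSION:
            problems.append(f"NPDU version 0x{npdu[0]:02x} != 0x01")
    return problems


if __name__ == "__main__":
    for name, frame in [("who-is", WHO_IS_BROADCAST), ("bad-length", BAD_LENGTH_FRAME)]:
        print(name, check_bacnet_ip_frame(frame) or "OK")
```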