Identifying security events in a Building Energy Management System (BEMS) Jeffrey M. Young

1. Identifying security events in a Building Energy Management System (BEMS) Jeffrey M. Young Dr. Milos Manic University of Idaho, IF

2. Overview • Network/Sensor setup • What is Wireshark • Example security event

3. Sensors • Various Temperature • Occupancy • Light • CO2 • Damper position • Supply Fan Load/Current • Exhaust Fan Load/Current

4. Network nodes • Router – VxWorks • Hosts – Mix of Windows and Linux • Can2Go controller • Star network topology

5. Wireshark – What is it? • Network packet analyzer • Capture network packets • Display that packet data • Open source

6. Wireshark – What it is not • Not an intrusion detection system • No warning when something strange things on your network • Read only mode

7. Wireshark layout

8. Packet Detail

9. Build a profile • Display filters • Most any characteristic of a network packet • Can be color coded for easy recognition • tcp.flags.reset eq 1

10. Coloring Rules

11. Normal traffic

12. Example attack/vulnerability

13. Attack continued

14. Conclusion • How to setup Wireshark and host for packet capture • How to setup and commence a port probe attack • Configure capture filters to highlight packets involved in a port probe

15. Thank you for your time