SLIDE 1

Traffic Measurement and Analysis of Building Automation and Control Networks

Radek Krejčí, Pavel Čeleda, Jakub Dobrovolný

rkrejci@cesnet.cz, {celeda|dobrovolny}@ics.muni.cz

AIMS 2012 - 6th International Conference on Autonomous Infrastructure, Management and Security, 4-8 June 2012, Luxembourg

SLIDE 2

Part I Building Automation and Control Network Monitoring

R. Krejčí et al., Traffic Measurement and Analysis of Building Automation and Control Networks, 2 / 22

SLIDE 3

IP Flow Monitoring

IP flow record fields: SRC and DST IP address, SRC and DST port, protocol number, lifetime, number of packets, sum of bytes, TCP flags, others.

Example: an HTTP Request FROM 172.16.96.48:15094 TO 209.85.135.147:80 and the HTTP Response FROM 209.85.135.147:80 TO 172.16.96.48:15094 give two flow records:

Flow start    Duration  Proto  Src IP Addr:Port        Dst IP Addr:Port    Flags   Packets  Bytes
09:41:21.763  0.101     TCP    172.16.96.48:15094  ->  209.85.135.147:80   .AP.SF  4        715
09:41:21.893  0.031     TCP    209.85.135.147:80   ->  172.16.96.48:15094  .AP.SF  4        1594


SLIDE 4

What About Special Networks?

Building Management System (BMS) networks and Supervisory Control And Data Acquisition (SCADA) networks.

Diagram: subsystems (security, building life safety, digital video, energy, management) connected over WAN and LAN to an operational center and application servers; IP Ethernet and RS-485 (HVAC) links.


SLIDE 7

Network Monitoring in Special Environment

Active Monitoring – SNMP polling, ICMP ping (Nagios, Zabbix)

Deep Packet Inspection – specialized firewalls (BACnet Firewall Router), Intrusion Detection/Prevention Systems

Flow Monitoring – Barbosa et al. (University of Twente), using standard NetFlow – limited to IP only.


SLIDE 9

BMS Network Environment

BACnet Protocol: the communication protocol for BMS networks. ASHRAE standard 135 – a U.S. standard, adopted by ISO and the EU. Various protocols are used at the transport layer:

LonTalk, MS/TP, Ethernet, Ethernet/IP, ZigBee, . . .

BACnet carries the key information about BMS network traffic, so the IP flow model has to be modified for the BACnet environment:

BACnetFlow


SLIDE 10

Part II BACnetFlow


SLIDE 12

NetFlow vs. BACnetFlow

Diagram: NetFlow takes its keys from the IP and TCP/UDP headers of ETH | VLAN | IP | TCP/UDP and ETH | IP | TCP/UDP frames; ETH | Other frames are not covered. BACnetFlow works on the Ethernet frame itself: ETH | BACnet and ETH | BACnet/ARP/ISMP/LLDP/Slow protocols/...


SLIDE 17

BACnetFlow

Flow record key fields

BACnet network layer key fields: DNET, DADR, SNET, SADR

Ethernet-related key fields: DST MAC ADR, SRC MAC ADR, VLAN ID

BACnet over IP key fields: DST IPv4 ADR, DST PORT, SRC IPv4 ADR, SRC PORT

Flow record non-key fields

Control, Hop Count, Message Type, Ethertype, Timestamps, Byte Count, Packet Count, ...

Need for a flexible flow information protocol (IPFIX).
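The key and non-key fields above, worked through as an added Python example (not the authors' FlowMon plugin): the BACnet NPDU is parsed for DNET/DADR/SNET/SADR, hop count and message type, and constructed BACnet/Ethernet frames are aggregated into BACnetFlow records keyed by the Ethernet-related and network layer fields. The NPDU layout follows ASHRAE 135; the MAC addresses, VLAN id and frame contents are constructed for the example.

```python
# Added example (not the authors' FlowMon plugin): extract BACnetFlow key and
# non-key fields from BACnet/Ethernet NPDUs and aggregate frames into flows.
# NPDU layout per ASHRAE 135 clause 6; all sample frames are constructed.
def parse_npdu(npdu: bytes) -> dict:
    """Return DNET/DADR/SNET/SADR (key) and control, hop count, message type."""
    if len(npdu) < 2 or npdu[0] != 0x01:
        raise ValueError("not a BACnet NPDU (version octet must be 0x01)")
    control, pos = npdu[1], 2
    rec = dict(control=control, dnet=None, dadr=None, snet=None, sadr=None,
               hop_count=None, message_type=None)
    if control & 0x20:                       # bit 5: DNET, DLEN, DADR present
        rec["dnet"] = int.from_bytes(npdu[pos:pos + 2], "big")
        dlen = npdu[pos + 2]                 # DLEN 0 means broadcast on DNET
        rec["dadr"] = npdu[pos + 3:pos + 3 + dlen].hex()
        pos += 3 + dlen
    if control & 0x08:                       # bit 3: SNET, SLEN, SADR present
        rec["snet"] = int.from_bytes(npdu[pos:pos + 2], "big")
        slen = npdu[pos + 2]
        rec["sadr"] = npdu[pos + 3:pos + 3 + slen].hex()
        pos += 3 + slen
    if control & 0x20:                       # hop count follows the addresses
        rec["hop_count"] = npdu[pos]
        pos += 1
    if control & 0x80:                       # bit 7: NSDU is a network message
        rec["message_type"] = npdu[pos]
    return rec

def aggregate(frames) -> dict:
    """Group (src_mac, dst_mac, vlan_id, npdu) frames into BACnetFlow records
    keyed by the Ethernet-related and BACnet network layer key fields."""
    flows = {}
    for src_mac, dst_mac, vlan, npdu in frames:
        n = parse_npdu(npdu)
        key = (dst_mac, src_mac, vlan, n["dnet"], n["dadr"], n["snet"], n["sadr"])
        f = flows.setdefault(key, dict(packets=0, bytes=0))
        f["packets"] += 1
        f["bytes"] += 14 + (4 if vlan is not None else 0) + len(npdu)  # ETH hdr (+802.1Q) + NPDU
        f.update(control=n["control"], hop_count=n["hop_count"], message_type=n["message_type"])
    return flows

# Constructed frames: two unicast APDUs, a global Who-Is-Router-To-Network broadcast
# (DNET 0xFFFF, DLEN 0, hop count 255) and one message routed SNET 2/SADR 07 -> DNET 1/DADR 05.
NPDU_APDU = b"\x01\x04" + b"\x00\x04\x01\x0c\x0c\x00\x00\x00\x01\x19\x55"
NPDU_WHO_IS_ROUTER = b"\x01\xa0\xff\xff\x00\xff\x00"
NPDU_ROUTED = b"\x01\x28\x00\x01\x01\x05\x00\x02\x01\x07\xfe" + b"\x10\x08"
SAMPLE_FRAMES = [
    ("02:00:00:00:00:01", "02:00:00:00:00:02", 10, NPDU_APDU),
    ("02:00:00:00:00:01", "02:00:00:00:00:02", 10, NPDU_APDU),
    ("02:00:00:00:00:01", "ff:ff:ff:ff:ff:ff", 10, NPDU_WHO_IS_ROUTER),
    ("02:00:00:00:00:03", "02:00:00:00:00:04", None, NPDU_ROUTED),
]
```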


SLIDE 20

BACnetFlow Monitoring System Architecture

BACnetFlow probe: FlowMon Engine with a filter, BACnet input plugin, NetFlow exporter and BACnet exporter.

Monitored networks (via mirror port): BACnet over Ethernet network, BACnet over IP network, IP network.

Collectors: BACnetFlow collector (SQL database), NetFlow collector (NFDUMP).

BACnet Network is an Ethernet network at a rate of 10-1000 Mbps. The BACnetFlow Probe is based on the FlowMon exporter engine with BACnet plugins. BACnetFlow Collectors store flow information for further analysis.


SLIDE 21

Part III Measurement and Analysis


SLIDE 22

Monitored Network

Masaryk University Campus – more than 24 teaching pavilions

BACnet over Ethernet and BACnet over IP BMS networks

Monitoring of the 1 Gbps mirror port of the core switch

Week-long measurement (Jan 16, 2012 – Jan 23, 2012)


SLIDE 26

Overall Traffic Statistics

Protocol     Bytes     Packets   Flows    bps      pps
TCP          3.6 T     3.6 G     533628   47.4 M   6013
BACnet/IP    7.2 G     79.5 M    5.3 M    95.2 K   131.4
BACnet/Eth   5.4 G     59.8 M    6.2 M    71.4 K   98.9
UDP          814.0 M   6.6 M     2.5 M    10757    10
ICMP         722.4 M   7.0 M     1.1 M    9550     11
ARP          680 M     10.5 M    1.8 M    8995     17.4
Other        63.7 M    0.6 M     0.6 M    105      1
OSPF         25.6 M    191079    1990     338
PIM          4.6 M     61131     6435     60
IGMP         2.0 M     31509     14012    26
ICMP6        1.7 M     18362     1261     22
Total        3.7 T     3.8 G     4.3 M    47.6 M   6282


SLIDE 27

Diurnal Patterns in BMS Network Traffic

Figure: Traffic load in kilobits per second over the measurement week (x axis: 17/01 00:00 to 23/01 00:00, one tick per day; y axis: Traffic kb/s, 50 to 250). Series: (1) BACnet over IP, (2) BACnet over Ethernet, (3) ARP, (4) Other.


SLIDE 28

Packets Distribution per Flow

Figure: Number of Flows (log scale, 1 to 1e+07) against Number of Packets per Flow (100 to 1000), for BACnet over IP and BACnet over Ethernet. Caption: Traffic load in packets per second.


SLIDE 29

Packets Distribution per Flow

Figure: BACnet average packet size. Two panels, BACnet over IP and BACnet over Ethernet, each plotting Number of Packets (log scale, 1 to 1e+08) against Packet Size [bytes] (100 to 550).


SLIDE 30

Top Talkers – BACnet over Ethernet

Figure: BACnet over Ethernet TOP 10 destination MAC addresses by bytes, with packets and flows (log scale, 1e+04 to 1e+10): 00:40:AE:01:32:11, FF:FF:FF:FF:FF:FF (Ethernet broadcast), 00:19:B9:E5:EA:FF, 00:19:B9:E5:FA:97, 00:40:AE:01:22:03, 00:40:AE:00:75:8F, 00:40:AE:01:2D:CD, 00:40:AE:00:BC:13, 00:40:AE:00:AB:99, 00:40:AE:00:68:A7.

Caption: BACnet TOP 10 destination addresses / bytes


SLIDE 31

Top Talkers – BACnet over IP

Figure: BACnet over IP TOP 10 destination IPv4 addresses by bytes, with packets and flows (log scale, 1e+04 to 1e+10): 10.11.3.100, 10.11.9.11, 10.11.17.206, 10.31.255.255, 10.11.17.207, 10.11.17.208, 10.11.255.255, 10.61.255.255, 10.103.11.11, 10.11.3.206.

Caption: BACnet TOP 10 destination addresses / bytes


SLIDE 32

Part IV Conclusion


SLIDE 33

Conclusion

We deployed a proof-of-concept system for flow monitoring in BMS networks. We presented the first flow measurement from a BMS network. BMS and SCADA networks CAN contain diurnal patterns.


SLIDE 34

Future Work

IPFIX protocol for flow information export. Explore the usability of flow-based monitoring in BMS networks for security issue detection.


SLIDE 35

Thank You For Your Attention!

Radek Krejčí et al.

rkrejci@cesnet.cz

Traffic Measurement and Analysis of Building Automation and Control Networks

This material is based upon work supported by Masaryk University and also supported by the “CESNET Large Infrastructure” project LM2010005 funded by the Ministry of Education, Youth and Sports of the Czech Republic.
