Covert channels and their prevention in building automation protocols. A prototype exemplified Using BACnet

Security in building automation systems (BAS) recently became a topic in the security community. BAS form a part of enterprise networks and can be utilized to gain access to a company network or to violate a security policy. Up to now, the threat of covert channels in BAS protocols was not discovered. While a first available solution can limit ``high level'' covert channels in BAS, there is no solution available to prevent covert channels on the lower level (i.e., in BAS protocols). In this paper, we present network covert storage and network covert timing channels in the network and application layer of the BACnet protocol stack to show that protocol-level covert channels in BAS are feasible. Additionally, we introduce the first means enabling a BAS to become multi-level secure on the network and application layer to prevent covert channels. We built a prototype based on the BACnet firewall router (BFR) to implement multi-level security in BACnet environments.