BIoTA Control-Aware Attack Analytics for Building Internet of Things

TL;DR

This paper introduces BIoTA, a formal attack analysis framework for building IoT-based HVAC systems, highlighting vulnerabilities and assessing security risks using real datasets.

Contribution

It presents the first formal modeling and attack analysis framework specifically for BIoT-based HVAC control systems, enhancing security assessment methods.

Findings

Effective attack modeling on BIoT systems demonstrated

Vulnerabilities identified in commercial occupancy and live-in datasets

Framework provides insights for improving building IoT security

Abstract

Modern building control systems adopt demand control heating, ventilation, and cooling (HVAC) for increased energy efficiency. The integration of the Internet of Things (IoT) in the building control system can determine real-time demand, which has made the buildings smarter, reliable, and efficient. As occupants in a building are the main source of continuous heat and $CO_2$ generation, estimating the accurate number of people in real-time using building IoT (BIoT) system facilities is essential for optimal energy consumption and occupants' comfort. However, the incorporation of less secured IoT sensor nodes and open communication network in the building control system eventually increases the number of vulnerable points to be compromised. Exploiting these vulnerabilities, attackers can manipulate the controller with false sensor measurements and disrupt the system's consistency. The attackers with the knowledge of overall system topology and control logics can launch attacks without alarming the system. This paper proposes a building internet of things analyzer (BIoTA) framework\footnote{https://github.com/imtiazulhaque/research-implementations/tree/main/biota} that assesses the smart building HVAC control system's security using formal attack modeling. We evaluate the proposed attack analyzer's effectiveness on the commercial occupancy dataset (COD) and the KTH live-in lab dataset. To the best of our knowledge, this is the first research attempt to formally model a BIoT-based HVAC control system and perform an attack analysis.