Enhanced Security of Building Automation Systems Through Microkernel-Based Controller Platforms

2017 IEEE 37th International Conference on Distributed Computing Systems Workshops (ICDCSW)(2017)

Cited by 16 | Views 61

Abstract
A Building Automation System (BAS) is a complex distributed Cyber-Physical System that controls building functionalities such as heating, ventilation, and air conditioning (HVAC), lighting, access, emergency control, and so on. There is a growing opportunity and motivation for BAS to be integrated into enterprise IT networks together with various new "smart" technologies to improve occupant comfort and reduce energy consumption. These new technologies coexist with legacy applications, creating a mixed-criticality environment. In this environment, as systems are integrated into IT networks, new attack vectors are introduced. Thus, networked non-critical applications running on the OS platform may be compromised, leaving the control systems vulnerable. The industry needs a reliable computing foundation that can protect and isolate these endangered critical systems from untrusted applications. This work presents a novel kernel-based approach to secure critical applications. Our method uses a security-enhanced microkernel architecture to ensure the security and safety properties of BAS in a potentially hostile cyber environment. We compare three system designs and implementations for a simple BAS scenario: 1) using the microkernel MINIX 3 enhanced with mandatory access control for inter-process communication (IPC), 2) using seL4, a formally verified, capability-based microkernel, and 3) using Linux, a monolithic kernel OS. We show through experiment that when the non-critical applications are compromised in both MINIX 3 and seL4, the critical processes that impact the physical world are not affected, whereas in Linux the compromised applications can easily disrupt the physical processes, jeopardizing the safety properties in the physical world. This shows that microkernels are a superior platform for BAS or other similar control environments from a security point of view, and demonstrates through example how to leverage the architecture to build a robust and resilient system for BAS.
Keywords
Cyber-Physical Systems,System Security,Microkernel,Building Automation