BACRank: Ranking Building Automation and Control System Components by Business Continuity Impact

Organizations increasingly depend on Building Automation and Control Systems (BACSs) to support their daily tasks and to comply with laws and regulations. However, BACSs are prone to disruptions caused by failures or active attacks. Given the role BACSs play in critical locations such as airports and hospitals, a comprehensive impact assessment methodology is required that estimates the effect of unavailable components in the system. In this paper, we present the foundations of the first impact assessment methodology for BACSs focused on business continuity. At the core of our methodology, we introduce a novel graph centrality measure called BACRank. We quantify the contribution of BACS components to different business activities. Moreover, we take functional dependencies among components into account to estimate indirect consequences throughout the infrastructure. We show the practical applicability of our approach on a real BACS deployed at a 5-story building hosting 375 employees on an international university campus. The experimental evaluation confirms that the proposed methodology successfully prioritizes the most relevant components of the system with respect to the business continuity perspective.
