DIVD-2022-00005 - Exposed BACnet devices
|Case lead||Ruben Uithol|
|Recommendation||Restrict access to public BACnet ports or implement BACnet/SC (Secure Connect).|
|Last modified||28 May 2023 22:56|
During the Log4J crisis, researchers uncovered BACnet devices with open ports. Upon further investigation, more devices have been found running the BACnet protocol.
What you can do
- End users should restrict access to BACnet controllers. Ensure that only dedicated building management systems can access these HVAC systems. If your system is managed by an outside contractor, provide remote access using a VPN, and prevent the controller from accessing any corporate and control systems machinery. This will reduce the likelihood of a controller like this being used as a pivot point for attackers to fan out within a network.
What we are doing
- DIVD is monitoring the trend of publicly accessable BACnet devices.
- DIVD is informing hosts of their open BACnet devices.
|22 Dec 2021||Discovery of open BACnet devices.|
|05 Jan 2022||Scanning the public interface to collect instances.|
|29 Jan 2022||Case Opened|
|08 Feb 2022||DIVD starts first round of notifications.|
|23 Feb 2022||Notified governement SOCs.|
|20 Apr 2022||DIVD starts second round of notifications.|
|20 Apr 2022||Case closed.|
gantt title DIVD-2022-00005 - Exposed BACnet devices dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2022-00005 - Exposed BACnet devices (81 days) :2022-01-29, 2022-04-20 section Events Discovery of open BACnet devices. : milestone, 2021-12-22, 0d Scanning the public interface to collect instances. : milestone, 2022-01-05, 0d Case Opened : milestone, 2022-01-29, 0d DIVD starts first round of notifications. : milestone, 2022-02-08, 0d Notified governement SOCs. : milestone, 2022-02-23, 0d DIVD starts second round of notifications. : milestone, 2022-04-20, 0d Case closed. : milestone, 2022-04-20, 0d