Putting Attacks in Context: A Building Automation Testbed for Impact Assessment from the Victim’s Perspective

Cybersecurity research relies on the reproducibility and deep understanding of attacks to devise appropriate solutions. Different kinds of testbeds are typically used to systematically execute attacks and evaluate defenses. Testbeds are widely used to demonstrate Building Automation and Control System (BACS) attacks and defenses, considered too risky to be executed on real infrastructures. However, those testbeds implement arbitrary configurations of building services that do not resemble real-world deployments. In this work, we present the first BACS testbed specially designed to assess the impact of cyberattacks from the victim’s perspective. It features general purpose building services such as illumination, ventilation, and temperature control, whose configuration is easily adapted to emulate the requirements of real-world locations. In this way, the context added to our testbed allows us to better understand the impact of BACS attacks through concrete and realistic scenarios. Moreover, by analyzing different configurations of the BACS (i.e., contexts), we found out that identical attacks may have dramatically different impacts. Thus, reinforcing our view on the relevance of adding context to BACS testbeds.