Chipkin Newsletter November 2017

Why Is BACNET Vulnerable


The following 19 services & 5 features provided by the BACnet protocol offer significant vulnerabilities to attack. This is how BACnet opens the door to various attacks.

 

Service 1: File Transfer

Some BACnet devices allow the file transfer service to load new firmware, configuration or other assets which control the behavior of the device. In such cases, the device can be made inoperable (possibly permanently) or it can be turned into a zombie device by sending corrupt/hijacked firmware.

 

Service 2: Peer to Peer System

BACnet is non-hierarchical. This means that any object that is writable/commandable can be written to by any other BACnet device or system. All devices are considered equal.

 

Service 3: Take Control, Alter Data, Set Points

There are no special privileges to change the present value of a BACnet object. Any device can write to the present value (and some other mandatory properties of the object) at the highest priority. The last value written is applied. This allows any device to effectively take control of BACnet objects and the physical devices they control.

 

Service 4: Time Synch

It’s possible to change the date and time of a BACnet device. This will affect all scheduled operations. All devices can be set to the same, wrong time or they can be set to different dates and times.

 

Service 5: Reinitialize Device

Causes a device to restart. All outputs will be driven to the default state until they are re-commanded – which may not occur until a particular time / day has been reached if the command is scheduled.

 

Service 6: Constantly restarting a device will make it inoperable

If the configuration or firmware of the device has been changed (this is a possible attack), then a restart will give effect to the new firmware or configuration. If both or either have been corrupted, the device may not operate as intended.

 

Service 7: Point deletion

There is a service which allows a BACnet object in a device to be deleted. The control device that the object controls will no longer be controllable. This attack will be difficult to identify.

 

Service 8: Point creation

BACnet objects can be created on the fly. Experience in this industry suggests that manufacturers do not test the limits of this capability well and thus it may be possible to corrupt a device using this attack to consume all memory on the device.

 

Service 9: Out of Service

A BACnet object can be put out of service. In the case of an output to control a field device, this means that the new commands reach the BACnet object but will have no effect on the field device. In other words, the system may think it has turned something on but the command has no effect. The same attack can be applied to inputs – in this case, the BACnet object reports the last value and is never updated with a new value from the sensor. I.e. a tank may have run empty but the system thinks it’s still full.

 

Service 10: Relinquish Default

A BACnet output object can be driven to a particular state or value. If the remote device driving the object releases the object, then the object reverts to a default value. These default values can be changed. E.g. from off to on.

 

Service 11: Attack Alarms and Events

By repeatedly sending alarm acknowledge messages, an attacker can prevent alarm notifications from reaching the operator or control room.

 

Service 12: Subscribe COV – Denial of Service attack

Subscription to a BACnet object means that the object will report its value to the subscriber by sending unsolicited notifications. It is possible to make multiple subscriptions and to have each subscription report too frequently. This results in message deluges which can consume all the bandwidth – a denial of service attack.

 

Service 13: Kill subscriptions

Subscription to a BACnet object means that the object will report its value to the subscriber by sending unsolicited notifications. By killing existing subscriptions one can prevent a device reporting changes of value to the control system. In many cases, subscriptions are used to monitor critical points so that the control / monitoring system is always up to date.

 

Service 14: BBMD infinite hop flood

BBMD is BACnet’s technology for allowing messages from a device on one subnet to reach a device on another subnet. It is possible to create additional BBMDs or to reconfigure existing ones so that they form a circular message system. Each one sends a message to the other, which causes it to send a message back to the first, causing a message flood which consumes all bandwidth.

 

Service 15: BBMD Corruption – add, remove

BBMD is BACnet’s technology for allowing messages from a device on one subnet to reach a device on another subnet. Services can be used to change the configuration of the BBMDs, resulting in system failure. This attack would be extremely hard to identify.

 

Service 16: Alter Schedules

Many HVAC operations are scheduled. Schedules can easily be changed.

 

Service 17: Max APDU is writable

The APDU is a measure of how much data/commands can be carried in a single message. Conceivably it’s possible to change this value to one too small to allow any messages to be received.

 

Service 18: Add SSL keys

There is a service to add an SSL Key which would make the task of detecting a hack hard even though it doesn’t make the hack easier.

 

Service 19: Restart Notification Recipient List

If a device restarts it can notify other devices. This service is most often used by the other devices to re-subscribe to COV, Alarm and Event notifications. By defeating the restart notice and by unsubscribing other devices, a hack can ensure that other devices work with obsolete data.
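
Most of the services above can be recognised passively on the wire from a few header bytes. The following is an added example, not Chipkin's code: a Python classifier for BACnet/IP UDP payloads that labels requests using this article's service numbering. The mapping from article items to BACnet service names and codes is the example's own assumption, and the sample datagrams are constructed.

```python
import struct

# Wire codes mapped to the article's items (mapping assumed by this example;
# the article gives no service codes). Services 9, 10, 16 and 17 are property
# writes, so they surface here as WriteProperty.
BVLC_RISKY = {0x01: "Service 14/15: Write-Broadcast-Distribution-Table",
              0x08: "Service 14/15: Delete-Foreign-Device-Table-Entry"}
CONFIRMED_RISKY = {
    0: "Service 11: AcknowledgeAlarm", 5: "Service 12/13: SubscribeCOV",
    7: "Service 1: AtomicWriteFile", 10: "Service 8: CreateObject",
    11: "Service 7: DeleteObject", 15: "Service 3: WriteProperty",
    16: "Service 3: WritePropertyMultiple",
    20: "Service 5/6: ReinitializeDevice"}
UNCONFIRMED_RISKY = {6: "Service 4: TimeSynchronization",
                     9: "Service 4: UTCTimeSynchronization"}
# BVLC functions that carry an NPDU, with the offset at which it starts
# (Forwarded-NPDU, 0x04, prepends a 6-byte original source address).
NPDU_OFFSET = {0x04: 10, 0x09: 4, 0x0A: 4, 0x0B: 4}

# Constructed sample datagrams (not captured traffic).
SAMPLES = {
    "reinit": bytes.fromhex("810a000c" "0104" "000501140900"),
    "who_is": bytes.fromhex("810b0008" "0100" "1008"),
    "timesync": bytes.fromhex("810b0016" "0120ffff00ff" "1006a4750b0e02b40c000000"),
    "write_bdt": bytes.fromhex("8101000e" "c000020abac0ffffffff"),
    "truncated": bytes.fromhex("810a000c" "0104"),
}

def classify(datagram: bytes):
    """Return a risk label for one BACnet/IP UDP payload, or None."""
    if len(datagram) < 4 or datagram[0] != 0x81:
        return None                          # not BACnet/IP (BVLL type 0x81)
    func, length = datagram[1], struct.unpack(">H", datagram[2:4])[0]
    if length != len(datagram):
        return None                          # truncated or padded frame
    if func in BVLC_RISKY:
        return BVLC_RISKY[func]
    if func not in NPDU_OFFSET:
        return None
    try:
        return _classify_npdu(datagram[NPDU_OFFSET[func]:])
    except IndexError:
        return None                          # malformed: header runs off the end

def _classify_npdu(npdu: bytes):
    if npdu[0] != 0x01:                      # NPDU protocol version
        return None
    control, pos = npdu[1], 2
    if control & 0x20:                       # DNET, DLEN, DADR present
        pos += 3 + npdu[pos + 2]
    if control & 0x08:                       # SNET, SLEN, SADR present
        pos += 3 + npdu[pos + 2]
    if control & 0x20:
        pos += 1                             # hop count follows the addresses
    if control & 0x80:
        return None                          # network-layer message, no APDU
    first = npdu[pos]
    if first >> 4 == 0:                      # confirmed request; a segmented one
        return CONFIRMED_RISKY.get(npdu[pos + (5 if first & 0x08 else 3)])
    if first >> 4 == 1:                      # unconfirmed request
        return UNCONFIRMED_RISKY.get(npdu[pos + 1])
    return None

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10} {classify(pkt)}")
```

Counting labels per source address over a time window turns this into an alert for the flooding cases (repeated AcknowledgeAlarm or SubscribeCOV), and any BBMD table write from an address that is not a known management station is worth investigating.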


5 Features of BACnet That Are Vulnerable


1. UDP Vulnerability

BACnet uses the UDP protocol for the transport layer of its Ethernet messaging system. This protocol does not use acknowledgements. Packets are sent and assumed to have arrived. This could be a dangerous assumption if they are critical alarms.

 

2. Lack of Encryption

Almost all products on the market do not support encryption. Devices already in service using BACnet which do not support encryption are especially vulnerable since the manufacturer might not (be able to) provide firmware updates.

 

3. Obsolete Operating Systems and Firmware

Devices already in service using BACnet may be using operating systems whose encryption has been hacked or which have other vulnerabilities. The same risk applies to firmware. Hacked firmware or firmware with known vulnerabilities may already be in service.

 

4. Poor Implementations

Each vendor may have implemented the protocol as an independent project using their own standards, design, skills, quality assurance and testing systems. Some have done a poor job. For example: one manufacturer allows a single broadcast message to delete the configuration and then restart the device. This is a severe risk.

 

5. Open Source Implementations

Many vendors have used the open source stack. There are a number of known vulnerabilities in various versions. Those vulnerable versions may be in service in currently installed devices.


Copper vs Aluminum Conductors


 

 

Terminating Copper vs Aluminum Conductors – A Comparison

Copper elements used to make electrical connections are stronger, more corrosion resistant, less susceptible to cold flow and thermal effects, and therefore more dependable.

 

There are four fundamental mechanisms by which the choice of conductor material influences electrical connections: oxidation, galvanic action, cold flow and thermal expansion.

 

Oxidation: When a metal conductor is exposed to air at connections and terminations, the surfaces of conductors such as copper and aluminum form thin oxide, sulfide and inorganic films which reduce the metal-to-metal contact and effectively increase the contact resistance. The contact temperature rises, and if this is excessive, the connection deteriorates over time, leading to overheating and ultimate failure. Where copper scores is that its oxides are soft and electrically conductive while those of aluminum are hard, tenacious and effective electrical insulators. Accordingly, in contrast to aluminum, terminations and connections with copper rarely overheat and don’t require surface preparation or the use of oxide-inhibiting compounds.

 

Galvanic action: When two dissimilar metals, such as copper and aluminum, come into physical contact in the presence of an electrolyte, such as moisture, aluminum as the less noble metal loses material through electrolytic action. The connection deteriorates in two ways: electrically, through a reduction in the contact surface area, and mechanically, through the severe corrosion of the aluminum connector. Aluminum conductors therefore require different jointing techniques depending on the materials commonly used in equipment and accessories such as outlets, fittings and breakers, for example the use of contact sealants, bi-metal terminations or special hardware. By contrast, copper stays unaffected by galvanic corrosion when connected to these less noble metals and alloys.

 

Cold flow / Creep: High contact pressures are applied to the conductor at mechanical joints and terminations in order to make a good connection, and this causes the conductor metal to “flow” away. This effect is pronounced with aluminum conductors but significantly lower for copper because of its greater hardness. Additionally, “creep” is the plastic deformation of metal conductors that happens when these are subjected to an external pulling force (stress) and depends on the stress, its duration and the temperature. Both cold flow and creep lead to a reduction in contact pressure, increased joint resistance and overheating. Aluminum creeps more, faster, and at lower temperatures than copper.

 

Thermal expansion: When heated by load current, copper to copper, copper to metal or copper to plated steel terminations tend not to loosen the connection because of the relatively similar rates of thermal expansion, and so stay secure throughout the installation life.

 

However, with aluminum conductors in similar terminations, the relatively high difference in thermal expansion can result in loosened terminations over time. The contact resistance increases progressively, leading to overheating, arcing and potential fire hazards.

 

Hence electrical connections made with copper are solid, dependable and durable.


Factors Which Affect The Selection of Copper or Aluminum Conductor

1. Conductivity
Copper: Higher conductivity (A/mm²)
Aluminum: 60% of copper’s conductivity (A/mm²)

2. Bending
Copper conductors, when compared to aluminum conductors having the same current rating, have a smaller cross-sectional area and are thus easier to bend and shape when jointing and terminating cables.
Copper: Smaller cable surface area possible, so more flexible cable
Aluminum: Larger cable surface area leads to less flexibility of cable

3. Brittle
Copper is less brittle than aluminum. This is particularly evident when using 3-core cables, where core manipulation is required for correct phasing etc. The larger the cable core size, the more difficult it is to shape and bend the cores while maintaining the correct electrical clearances within cable termination enclosures/compartments.
Copper: Highly ductile so less brittle
Aluminum: Less ductile so more brittle

4. Cost
Copper: More expensive
Aluminum: Less expensive

5. Weight
Copper: Heavier
Aluminum: 50% lighter

6. Cold Flow
Aluminum exhibits a property known as “cold flow” in which the aluminum tends to flow out of a compression termination, causing a loose connection that can overheat. Next to new installation techniques and termination devices, it still takes a trained, competent electrician to terminate properly. Copper is much more forgiving.
Copper: Cold Flow properties
Aluminum: 6x cold flow effect

7. Corrosion
As aluminum corrodes quickly, compared to copper, every installation or repair action requires attention from the jointer to remove any oxide layer, which by definition will cause problems due to the insulating properties of the oxide layer.
Copper: Less prone to oxidation. Copper does not react with water.
Aluminum: More prone to oxidation in air leading to localized heating at contact points (oxides exhibit poor conductivity)

8. Galvanic termination effect
Copper: No galvanic (bi-metallic) action at terminal equipment
Aluminum: Galvanic action – contact with brass/copper terminal equipment – leads to poor contacts

9. Fatigue Strength
Copper conductors can withstand larger vibration amplitudes and for much longer than aluminum conductors without cracking or breaking. Fatigue occurs when a material is subjected to repeated loading and unloading stresses. If the stresses are above a certain threshold and the number of repetitions is large enough, microscopic cracks begin to form. Progressively, a crack can reach a critical size and then propagate suddenly, leading to a fracture. Fatigue strength is defined as the value of stress at which failure occurs after a given number of cycles. These are the comparative values of fatigue strength for high conductivity copper and low alloyed aluminum respectively. Another application area in which fatigue strength plays a role is overhead transmission lines. Due to wind excitation, the electrical conductors experience so called aeolian vibrations in the 5 to 50 Hz range.
Copper: Annealed: fatigue strength (N/mm²) = 62, no. of cycles x 10^6 = 300. Half hard: fatigue strength (N/mm²) = 115, no. of cycles x 10^6 = 300.
Aluminum: Annealed: fatigue strength (N/mm²) = 20, no. of cycles x 10^6 = 50. Half hard: fatigue strength (N/mm²) = 45, no. of cycles x 10^6 = 50.

10. Short Circuit Heating
Copper: Copper conductors retain adequate mechanical strength to be able to withstand the large electromagnetic forces during short-circuits in spite of the intense heating

11. Yield Strength
Copper: Copper conductors can withstand higher pulling forces than aluminum conductors without necking or breaking. Tensile strength, annealed = 200 N/mm². 0.2% proof stress, annealed (N/mm²) < 120.
Aluminum: Therefore, when long runs of aluminum conductor cables are pulled through containment systems, and subjected to high pulling forces, these can stretch and “neck-down”, reducing the current carrying capacity of the cables which may result in dangerous overheating. In extreme cases, mechanical drawing in of aluminum conductor cables over long or multidirectional routes can even result in irreparable physical damage. Tensile strength, annealed = 50-60 N/mm². 0.2% proof stress, annealed (N/mm²) = 20-30.

12. Weight for same conductivity (Comparative)
Copper: 100%
Aluminum: 54%

13. Cross section for same conductivity (Comparative)
Copper: 100%
Aluminum: 156%

14. Nicks, scratches, minor damage
Copper: Better
Aluminum: Worse
Where aluminum conductors are subject to nicks, scratches or “ringing”, these flaws can lead to “fatigue failure” when subjected to movements due to repeated expansion and contraction or vibration. The significantly higher rate of thermal expansion in aluminum compared with copper when exposed to thermal cycling due to load changes can create sufficient movement such that minor flaws in the aluminum conductor may deteriorate into areas of high resistance, causing hot spots or even breakage of the conductor.

15. Termination Preparation
Copper: Less work
Aluminum: More work
It is clear that whilst effective terminations may be made in aluminum conductors, the required skill level is also higher if problems relating to dissimilar metals, galvanic corrosion, stress breakage and creep are to be avoided. This additional skill and effort required for reliable aluminum conductor terminations carries a cost premium. A further consideration when exposing the conductor to the atmosphere is the formation of surface contaminants. Oxides, chlorides and sulphides of the base conductor metal are common when the conductor is exposed to the atmosphere at terminations. The principal difference is that the oxides of aluminum are effective electrical insulators, whereas the oxides of copper, whilst not as conductive as copper, remain conductive when formed. The key difference is that aluminum conductors require surface preparation to remove these oxides (usually by mechanical means such as wire brushing) immediately before any further attempt to terminate is made, and also require ongoing protection by means of contact compounds that exclude air (and also moisture).

16. Cross Sections
Copper: low cross-sections, such as 0.5 to 10 mm
Aluminum: stranded aluminium is only available in nominal cross-sectional areas of 10 mm² and above

17. Thermal Expansion
Copper: linear coefficient of expansion, copper = 17 x 10^-6
Aluminum: Coefficient of thermal expansion for aluminium is 35% greater than that of copper. Linear coefficient of expansion, aluminium = 23 x 10^-6

3-core XLPE Submarine cable

As at 2007: The 7.8 km long cable will be the world’s first 3-core XLPE submarine cable to achieve a voltage rating of 245 kV, beating Nexans’ current world record of 150 kV, set by the Horns Rev offshore wind farm in Denmark.


Devicenet cable

Devicenet cable section

 

Estimate Copper Conductor Bending Radius

When installing wire or cable on curved surfaces around a building, in ducts or in cable tray, how far can you bend it?

NEC (National Electrical Code) and the Insulated Cable Engineers Association (ICEA) have provided the bending radius information listed below.

Simply multiply the cable diameter by the factor given for the cable type.

Cable type: bending radius as a multiple of cable diameter
  • Single or multi-conductor cable without metallic shielding: 8 x the overall cable diameter
  • Single or multi-conductor cables with tape shielding: 12 x the overall cable diameter
  • Multi-conductor cables with individually shielded conductors: 12 x the individual cable diameter (pairs, triads, etc.) or 7 x the overall cable diameter, whichever is greater
 
For more accurate information, see NEC Articles 300-34, 334-11 & 336-16, and Appendix H of ICEA S-66-524 and ICEA S-68-516.

 
