Received February 28, 2017, accepted April 10, 2017, date of publication June 14, 2017, date of current

version July 3, 2017.

Digital Object Identifier 10.1109/ACCESS.2017.2714647

Trusted Interconnections Between a Centralized

Controller and Commercial Building HVAC
Systems for Reliable Demand Response
C. BIRK JONES1 AND CEDRIC CARTER, Jr.2
1 Sandia National Laboratories, Photovoltaic and Distributed Systems Integration Department, Albuquerque, NM 87123 USA
2 Sandia National Laboratories, Resilient Control Systems Department, Albuquerque, NM 87123 USA
Corresponding author: C. Birk Jones (cbjones@sandia.gov)

ABSTRACT Dynamic smart grid operations require that utilities that incorporate intermittent renewable
energy resources provide creative and inclusive solutions to reduce and shift electrical demand. Commercial
building HVAC systems have been used as a dispatchable load, but are limited by the lack of interoperability.
Increased operability can be achieved using a secure and reliable interconnection device, which can
provide direct bidirectional communications between the utility and the building automation system (BAS)
controllers. This paper developed and tested a building automation intrusion detection system (BAIDS) that
can provide a cyber-secure connection between public and private BAS networks. The BAIDS was used
in a hardware-in-the-loop experiment that connected an actual photovoltaic array with a BAS control test
bed and a building zone model. The BAIDS device allowed for critical control signals to pass from the
public network directly to a fan controller in a BAS private network. At the same time, the BAIDS device
provided intrusion detection monitoring to identify malicious activity. The network traffic was evaluated
using an adaptive resonance theory (ART) artificial neural network. The ART algorithm was able to learn
normal traffic activity on the private and public networks. The algorithm was then used to detect unauthorized
attempts to access the interconnection device and a malicious cyber-physical attack on the BAS.

INDEX TERMS Demand response, cyber security, intrusion detection, power demand, data security,
centralized control, intelligent control.

I. INTRODUCTION Increased interoperability with commercial building heat-

Building infrastructure can support smart grid applications,
including the integration of non-dispatchable renewable
resources and resiliency measures. There have been a number
of studies that describe various aspects of this paradigm, in
which buildings are not seen only as passive loads. Building
systems can also be active participants in the energy delivery
and generation system. As contributors to the smart grid,
buildings can be managed intelligently to reduce the over-
all electrical demand permanently through energy efficiency
measures, or at short timescales using demand response (DR)
controls [1]. Siano [2] discusses the potential benefits of using
DR as an integral part of smart grid operations, including
deferred upgrades and reduced capital costs. Enabling tech-
nologies for smart grid applications, such as smart meters,
communication systems and energy controllers, requires a
high degree of interoperability.
ing, ventilating, and air-conditioning (HVAC) equipment can
provide more predictable and accurate responses to grid
needs [3]. Targeted investments to upgrade and expand the
use of automated control systems in commercial and indus-
trial facilities have been estimated to double the ability of
buildings to shed electrical loads quickly [4]. However, con-
necting different information technology systems, software
applications, and platforms to communicate and exchange
data offers many challenges. This increased functionality
introduces new vulnerabilities that are susceptible to cyber
attack vectors that can spoof data, manipulate control settings,
and modulate device disconnects [5]. Data and control signals
must be transferred reliably and securely through complex
networks while completely avoiding cyber attacks [6].
Communication systems for DR activities require sophis-
ticated security protocols. The exchange or transmission of

2169-3536
2017 IEEE. Translations and content mining are permitted for academic research only.
VOLUME 5, 2017 Personal use is also permitted, but republication/redistribution requires IEEE permission. 11063
See http://www.ieee.org/publications_standards/publications/rights/index.html for more information.
 C. B. Jones, C. Carter: Trusted Interconnections Between a Centralized Controller and Commercial Building HVAC Systems
data between devices must be trusted to avoid privacy leaks,
malicious denial-of-service attacks, and undetected modifi-
cations of information by unauthorized individuals or sys-
tems [7]. Wang and Lu [8] warns that the operations of critical
systems can be delayed, blocked or corrupted by denial-of-
service attacks. Also, targeted attacks, that disrupt sensor
values, change system settings or modify control commands,
can create safety problems or equipment damage.
Robust and trusted network connections are critical for
expanding DR capabilities in commercial buildings. This
work developed and tested a device that will improve net-
work connectivity for DR applications while minimizing
the potential for successful cyber attacks. The proposed
Building Automation Intrusion Detection System (BAIDS)
bridges the private BAS local area network (LAN) with
the internet or public network as shown in Figure 1. The
private LAN interconnects devices within a limited area and
restricts outside access. Alternatively, the public network
allows anyone access to other networks or the internet. The
bridge between the public and private networks grants a
centralized controller the ability to establish two-way com-
munication with existing BAS control networks. This allows
for more detailed control configurations that incorporate
dispatchable loads from a large set of buildings. It can
also consider occupant comfort as a control parameter. The
BAIDS was tested in an hardware-in-the-loop experiment that
connected a building zone thermal model, a photovoltaic (PV)
array, and a building automation testbed. The experiment
also tested passive cyber intrusion detection capabilities by
FIGURE 1. The Building Automation Intrusion Detection System (BAIDS)
connects building automation controls devices located on a local area
network (LAN) directly with a centralized controller. The centralized
controller is then able to implement demand response activities at a
larger scale while considering a broad range of parameters such as
occupant comfort.
11064
analyzing inbound and outbound traffic on the local and
public networks.
The network traffic monitoring systems deployed within
the BAIDS device included the collection and analysis of
network traffic. The traffic was collected using a network
sensor that read message values and the associated metadata.
It then inserted the information into an onboard elasticsearch
database. The data was accessed by an Adaptive Resonance
Theory (ART) neural network that first learned normal
behavior. It was then presented with previously unseen traffic
and was able to detect two types of cyber attacks. The first
attack was an unauthorized attempt to access the BAIDS
device using SSH. The second malicious activity was a cyber-
physical attack from inside the BAS that shut off lights and
the HVAC fan. The ART algorithm successfully identified the
attacks with minimal false positives.
II. BACKGROUND
Connecting centralized controllers with BAS has been dis-
cussed by Piette et al. [9]. Reliable connections can be
achieved using devices that comply with the Open Automated
Demand Response (OpenADR) standard [10]. The open stan-
dard provides a non-proprietary interface for utility compa-
nies to send control signals to a building system with the
intent of modifying electrical loads. The OpenADR architec-
ture uses the open internet to connect the utility or Indepen-
dent System Operator to a DR Automation Server (DRAS).
An internet connection has been used to connect the DRAS
with a Client Logic Integrated Relay (CLIR) or gateway [11].
The signal then penetrates the BAS using an internet relay
for the CLIR or through a web service client in the case of
the gateway application [12]. However, current research has
limited information regarding the security for the gateway
connection in DR applications. The BAIDS can provide the
added security necessary to create a fast and trustworthy
connection between the utility and the commercial building
control network.
A secure connection with the BAS is necessary because
cyber adversaries can easily exploit the BAS network to
attack both corporate network devices and HVAC systems.
For example, the corporate network at a Target retail store in
the United States was breached by international adversaries
who used the BAS network to access the corporate network
and were able inject code into the credit card machines [13].
The code read and delivered the card information of hundreds
of customers to the adversaries. Additionally, the common
HVAC communication protocol, known as BACnet, has many
vulnerabilities, and was not originally designed with cyber
security in mind.
Building automation professionals have recognized secu-
rity issues associated with BAS [14] and have implemented
various security measures to protect private BAS control
networks. Many of the methods include the segregation of the
BAS network from the public network. In these cases, BAS
professionals have built a secure firewall around the BAS
networks. The firewall allows authorized users to access the
VOLUME 5, 2017
C. B. Jones, C. Carter: Trusted Interconnections Between a Centralized Controller and Commercial Building HVAC Systems
controls network through virtual private network connections
or remote desktop access [15]. Proposals have also been made
to improve the communication protocol by wrapping security
into the BACnet messages [16]. However, BACnet embed-
ded security measures are not robust. For example, session
keys used to encrypt transmitted data can be manipulated.
The BACnet protocol is susceptible to man-in-the-middle
attacks, parallel interleaving attacks, and replay attacks [17].
Maintaining the integrity of the building’s public and BAS
networks is a critical task that must be conducted in parallel
with the DR controls. An interconnection device, such as
the proposed BAIDS, can provide meaningful DR control
capabilities while maintaining a high level of security.
The BAIDS connects centralized controllers directly with
individual BAS devices. The connection allows centralized
control algorithms to modulate fan speeds, turn off lights,
change thermostat states, and receive status updates. The con-
nection is achieved with a bridge between the BAS network
and the public network. The interconnection requires robust
security measures that include intrusion detection algorithms.
Intrusion detection methods have been developed for many
different applications, including building automation net-
works. The algorithms must be adaptive to accurately detect
different types of attacks. Attack methods are dynamic and
continually change with time and technology. Data mining
platforms have been developed to adapt and collect many
different types of features that describe network topologies
and traffic [18]. Anomaly detection frameworks have focused
on the BACnet protocol and have used modern databases
and advanced analysis methods such as an inductive rule
learning algorithm to classify traffic with very low false
positive rates [19]. Other detection algorithms have identified
anomalies at very low error rates using an artificial neural
network [20]. Tonejc et al. [21] compared clustering, random
forests, one-class support vector machines, and support vec-
tor dimensionality reduction unsupervised machine learning
algorithms for anomaly detection in BACnet networks.
Past approaches have been shown to be effective. Yet, many
including the support vector machine, require training and
testing data sets in order to analyze new data streams. The
ART algorithm, on the other hand, has the ability to learn
behavior, store the memory, and then delete past data. This
allows the BAIDS device to operate without a large amount
of data storage and limits its need for communication with
an off-site storage system. The present work tested the ART
algorithm’s ability to learn normal behavior and then identify
brute-force and cyber-physical attacks.
III. METHODOLOGY
Modernization of the electric grid can include the integration
of large-scale, on-demand control of commercial building
HVAC equipment. The simultaneous control of numerous
HVAC equipment can be coordinated from a centralized
platform in a secure and reliable manner. This type of con-
trol has the potential to synchronize building power demand
with renewable energy output. For example, DR can be
VOLUME 5, 2017
used to smooth cloud-driven intermittency as described by
Mammoli et al. [22]. This synchronization requires a direct
connection between the renewable energy resources and
building HVAC equipment. The BAIDS provides this link
with a cyber secure, bidirectional connection that provides
reliable communication with existing HVAC devices for
advanced DR control. This paper reports on a hardware-
in-the-loop experiment that used an actual PV array and a
highly functional building automation testbed. The experi-
ments tested the ability of the BAIDS to transfer DR signals
to the control network while providing a high level of cyber
oversight to prevent malicious activity.
A. BUILDING AUTOMATION INTRUSION
DETECTION SYSTEM
The BAIDS was deployed in a Raspberry Pi (RPi) linux
computer that connected the public and private networks and
had 1 GB of ram and 32 GB of memory. The RPI is a
cost effective, reliable, and energy efficient computer that
has been applied to various applications [23]. For example,
the RPI has been used as a data management server [24], it
has been applied to smart grid applications [25], and it has
been integrated into PV systems for advanced monitoring
and analysis [26]. In the present work, the RPI was used to
control HVAC devices, monitor network traffic, and display
performance results.
The RPI was equipped with Python programming language
code to transmit control signals, monitor network activity, and
detect traffic anamolies. Custom Python code was developed
to retrieve PV output data, calculate the fan motor control
signal, and then transmit the signal to the actual control
device. The transmission of the control signal was achieved
using custom Python code that could communicate with
the BACnet protocol. The network monitoring code used
Pcapy Python extension module, which uses the libcap packet
capture library that can discover transmitted and received
messages. The RPI device was also used to store and display
system performance and network traffic data. This stor-
age and visualization system was provided by elasticsearch
database and Kibana HMI. The RPI was also equipped
with ART algorithm Python code that analyzed traffic every
minute.
B. TESTBED & PHOTOVOLTAIC ARRAY
Commercial buildings typically have multiple rooms for
office space, conference rooms, and other uses. The rooms
are designed strategically for heating and cooling by defining
thermal zones. A thermal zone is a space within a building
that can include one or more rooms that are controlled by
a single thermostat. The conditioning of the thermal zones
can be controlled using a BAS. The Building Automation
Control System (BACS) testbed, located at Sandia National
Laboratory, was built to simulate common BAS used to heat
and cool thermal zones. The testbed has several controllers,
boiler, lighting, energy meter, chiller, fan, duct work dampers,
and thermostats (T-Stat). Figure 2 shows the infrastructure
11065
 C. B. Jones, C. Carter: Trusted Interconnections Between a Centralized Controller and Commercial Building HVAC Systems
FIGURE 2. The building automation testbed includes various building
HVAC equipment and controls such as a chiller, boiler, fan, etc. This
experiment used the thermostat (T-Stat), zone damper, damper actuator,
fan motor, and the BAS controller. The BAS used the standard
communication protocol called BACnet to transmit message. This protocol
was used by the Building Automation Intrusion Detection Device (BAIDS)
to synchronize fan power demand with the local photovoltaic array
generation.
used in this experiment, including the T-Stat, zone damper,
damper actuator, fan motor, and the BAS controller.
The experiment used the commercially available control
system, known as Delta Controls, to simulate a typical cool-
ing of a single thermal zone. The system uses the BACnet
protocol to transfer control messages. It was originally oper-
ating on a secure LAN that was segregated from any public
network. The experiment connected the BAIDS device to the
BAS LAN and a public network. This connection allowed for
DR signals to be sent from a nearby PV power plant to the
HVAC fan.
FIGURE 3. The data collection device for the actual photovoltaic array
measured the produced power and quickly sent the value to the Building
Automation Intrusion Detection System (BAIDS). The signal was then
processed by BAIDS and used to control the testbed fan motor.
On the other side of the laboratory was a 10.8kW PV array
(Figure 3) that had a monitoring system connected to a public
network. The PV array consisted of four strings each with
10 modules in series that terminated at a single inverter. The
inverter was connected to the electric grid. The monitoring
system collected DC data from a combiner box and AC data
from the inverter. The measured AC output from the PV array
was sent to the BAIDS device and was used to control the fan
motor in the BACS testbed. The testbed and the PV array were
11066
connected through as simple network topology that included
the BAIDS as a key link between the public and private
networks.
FIGURE 4. The demonstration had multiple network connections. First,
local weather and solar PV data was accessed through an API on the
public network. Second, control signals and performance feedback were
sent and received on the private network connection. Additionally, the
BAS and public network traffic were monitored on the spam and public
ethernet connections respectively. The BAIDS used a Raspberry Pi (RPi) to
connect the two networks. The RPi ran Python programming language
scripts to send signals and monitor traffic. It also used elastic-search
database to store and view historical data.
C. NETWORK TOPOLOGY
The network topology connected the PV array with the BACS
testbed HVAC devices as shown in Figure 4. A hypertext
transfer protocol (HTTP) application programming inter-
face (API) was used to transfer the data from the PV mon-
itoring system to the BAIDS device. The BAIDS device was
connected to the public network through the ethernet 1 (eth1)
connection provided by a network switch. The BAIDS device
was also connected to the BAS switch through the ethernet 0
(eth0) spam port and the ethernet 2 (eth2) private network.
The spam port, labeled as eth0, connection was used to
monitor all the traffic in the BAS network and perform intru-
sion detection evaluations. The eth2 network connection was
established to send control signals to the BAS devices. This
connection was also used to connect the zone thermal model
with the testbed. For example, the air flow rate, measured by
a pitot tube sensor, was sent to the thermal model in real-
time. Finally, the weather, solar PV, HVAC performance, and
network traffic data could be visualized in a human machine
interface (HMI). The HMI was developed using elasticsearch
database and Kabana visualization tools.
D. HARDWARE-IN-THE-LOOP SETUP
The experiment integrated an actual solar PV plant and a real
fan motor/damper system with a virtual thermal zone model.
The setup created a hardware-in-the-loop situation where the
actual damper position was dependent on the temperature
output of the zone model. Also, the fan motor speed was
VOLUME 5, 2017
C. B. Jones, C. Carter: Trusted Interconnections Between a Centralized Controller and Commercial Building HVAC Systems
a function of the power output produced by the solar PV
array. The experiment showed that an HVAC fan could be
synchronized with a PV plant using a cyber secure connection
without degrading the occupant comfort.
FIGURE 5. The hardware-in-the-loop experiment connected the BAIDS
device to the BACS testbed. BAIDS controlled the testbed fan based on
the solar PV power. The output from the fan and damper system was
input into the zone model located within the BAIDS device. The output
from the model was then sent to the thermostat within the testbed.
The experiment had four significant connections that were
necessary to provide reliable DR. The connections, shown in
Figure 5, included:
1) HTTP API:
a) Actual Solar PV → BAIDS fan control algorithm
b) Actual ambient temperature → Zone model
2) BACnet UDP/IP Control Signal:
a) BAIDS fan control algorithm → Testbed fan
motor
3) BACnet UDP/IP Sensor Message:
a) Mass flow rate (ṁ) sensor → Zone model
b) Sensor → elasticsearch database
4) Database Query:
a) Zone model temperature → BAIDS fan control
algorithm (and BACS testbed thermostat)
The HTTP API connection provided the most current solar
PV power production value (PPV ). The PPV value was used
as an input for the fan controller equation:
   31
PPV − min(PPV )
%Speed = (max(Pfan motor ))
max(PPV ) − min(PPV )
(1)
Equation 1 provided a scaling of the PPV to define the fan
motor speed. It applied the affinity law properties where the
fan power is equal to the cube of the speed. The control
signal (s) sent to the actual fan motor in the BASC testbed
using BACnet UDP/IP was defined by a simple if state-
ment (2):
( Bidirectional connections with existing BAS networks
%Speed (Eqn. 1), if 21.6◦ C ≥ Tz ≤ 23.8◦ C
s= (2)
no command, otherwise
VOLUME 5, 2017
where s was equal to the fan speed, calculated in Equation 1,
when the zone temperature was between 21.6 and 23.8◦ C
during the occupied hours of 8 in the morning to 5 in the
afternoon. When the temperature was outside of the defined
threshold, no command was sent and the fan motor and
the system operated as instructed by the existing control
software.
The actual air flow from the fan travelled through duct
work to a damper controlled by an actuator. The flow that
passed the damper section was measured by a pitot tube
sensor and the value was sent to the zone model using BACnet
UDP/IP read commands. The zone model also made queries
of the HTTP API to collect the most recent ambient temper-
ature value. Based on these two actual inputs the zone model
ran a first order differential equation to compute the zone
temperature (3):
d
M Tz = Q̇ + ṁCp (Ts − Tz ) (3)
dt
where M is the air mass inside the zone,
Tz is the zone temperature,
Q̇ is the thermal load,
ṁ is the mass flow rate of air to heat or cool the space,
Cp is the specific heat capacity of air, and
Ts is the supply air temperature
The thermal load (Q̇) was computed for a zone that was
3 meter long by 4 meters wide and 2.4 meters tall. Three of
the wall surfaces had adjacent interior walls and one surface
had an exterior wall that faced west. The thermal load for the
zone was defined by (4):
Q̇ = Q̇interior + UA(Text,int − Tz ) (4)
where Q̇interior is the interior load,
UA is the heat transfer coefficient times the surface area,
Text,int is either adjacent space temperature,
Tz is the zone temperature.
The interior load was estimated based on a standard occu-
pancy of one person and one computer during normal busi-
ness hours of 8 in the morning until 5 in the evening. The
heat transfer coefficient was assumed to be 2W/m2 K for the
four walls. The Text temperature was the outside tempera-
ture extracted from the HTTP API and Tint was a constant
value of 20◦ C that represented the adjacent interior space
temperatures.
The model was run every minute and output the zone
temperature at the particular instance. This output was stored
in the onboard database and was sent to the testbed control
system. The value was read on the actual thermostat and it was
accessed by the damper control system. The damper actuator
modulated independently based on the difference between the
zone temperature and the set-point value.
E. NETWORK TRAFFIC SENSOR
require that control networks remain accessible to the out-
side world. However, accessible internet connections allow
11067
 C. B. Jones, C. Carter: Trusted Interconnections Between a Centralized Controller and Commercial Building HVAC Systems
adversaries to access critical data, devices, and equipment.
Therefore, BAS are often connected on private networks that
do not allow public access. The BAIDS provides access to the
private BAS networks by creating a secure bridge between
the public and private BAS network. The secure connection
required the implementation of a passive intrusion detection
system (IDS) that monitored traffic on both the public and
private networks.
Passive IDS provides security in networks and comput-
ers by identifying unauthorized access and misuse in real
time [27]. The monitoring provides critical alerts that identify
potential attacks. It can also help operators find vulnerabili-
ties within the system. In this experiment, IDS was embedded
inside of the BAIDS to monitor traffic along two network
segments. The monitoring was performed using custom
developed Python script.
The Python sensor monitored and classified TCP, UDP,
ICMP traffic based on the following rules:
1) Unknown source IP: Inbound and outbound traffic that
originated at an unknown IP address.
2) Unknown destination IP: Inbound and outbound traffic
that terminated at an unknown IP address.
3) Unknown source port: Inbound and outbound traffic
that originated at an unknown port.
4) Unknown destination port: Inbound and outbound traf-
fic that terminated at an unknown port.
5) BAS traffic: Frequency of inbound and outbound traffic
from each device in the BAS network.
6) BAIDS traffic: Frequency of inbound and outbound
traffic from the public network.
The Python script used the existing pcapy library to capture
network packets. Pcapy is highly effective when used in con-
junction with a packet-handling package such as Impacket.
Impacket is a collection of Python classes for constructing
and dissecting network packets. The network traffic data was
stored in the database and accessed by the IDS algorithm.
F. INTRUSION DETECTION ALGORITHM
Artificial neural networks (ANN) are a form of machine
learning that emulate a simplified version of an animal’s
nervous system for the purposes of acquiring and storing
knowledge. ANN provide a high level learning system that
can perform complex computations, and calculate many non-
linear problems. The BAIDS device used an ART ANN
to learn normal traffic behavior and then detect abnormal
activity that could represent potentially harmful cyber attacks.
The unsupervised ANN algorithm was created by Grossberg
and Carpenter and includes various versions (ART 1, ART 2,
ART 3, and Fuzzy ART). ART 1 is an architecture that can
be used for clustering of binary inputs only [28]. ART 2
improved upon the ART 1 architecture to support continuous
inputs. Fuzzy ART, used in the present work, incorporates
fuzzy set theory into the pattern recognition process [29].
The Fuzzy ART approach can provide stable categorization of
analog input patterns. The fuzzy logic improves the general-
ization of the algorithm which increases its ability to perform
11068
classification. The ART algorithm incorporates a vigilance
parameter (ρ), which can be characterized as a similarity
parameter. This parameter is used to judge the similarity
between all of the input patterns.
FIGURE 6. Flow diagram of ART training algorithm where inputs are
normalized in the F0 layer. Then category choice and vigilance are
processed in the F1 layer. The final F2 layer is where the templates are
created and stored.
The basic structure of the Fuzzy ART architecture is shown
in Figure 6. This flow chart describes the interconnection of
the different layers that are designated as F0, F1, and F2. The
F0 layer is for the normalization and complement coding of
the input values, and is considered a preprocessing operation.
The F1 layer, which includes the choice and vigilance calcu-
lations, performs the recognition of features in the data. This
process includes a reset that is based on a vigilance a param-
eter (ρ), and is considered the orienting subsystem [30]. The
final layer, F2, is where the categorization occurs. Similar to
other ANN architectures, the Fuzzy ART has a weight (or
template) matrix where the algorithm stores expectations or
memory.
The template matrix computations occur between the
F1 and F2 layers. First, the free parameters α, ρ, and β must
be set. The choice parameter, α, can assume values between 0
and infinity, but is typically very small. The learning rate, β,
is often set to 1. The vigilance parameter, ρ, must be between
0 and 1, and determines the fineness of the clusters. The first
step finds the templates that match best with the input pattern
according to Equation 5:
|X ∧ Tj |
c= (5)
α + |Tj |
Then, a vigilance test is computed using the best choice
template from Equation 5 and the input using Equation 6.
|X ∧ Tj |
≥ρ (6)
|Tj |
If the template (T) does not pass the vigilance test then the
algorithm checks to see if there are other templates available.
If there are no templates available then a new template is
created based on Equation 7:
Tjnew = X (7)
VOLUME 5, 2017
C. B. Jones, C. Carter: Trusted Interconnections Between a Centralized Controller and Commercial Building HVAC Systems
If there are templates available then Equation 5 and 6 are com-
puted again. Finally, if the template and input pass vigilance
then the template is updated according to Equation 8:
update
Tj = β(X ∧ Tjold ) + (1 − β)Tjold
where X is the preprocessed input matrix,
Tj is the template (weight) vector,
c is the choice function vector and
∧ is the fuzzy set theory conjunction or minimum operator.
The ART architecture is useful for pattern recognition and
categorization because it can adapt easily to significant vari-
ations through a normalization. It can also recognize subtle
differences in input patterns which is critical for accurate
decision making. Additionally, the algorithm can perform
detailed recognition of features and is guaranteed to converge
on a solution. The memory can easily be stored and accessed
in the onboard database. These attributes make it a good
candidate for evaluating BAS and other network traffic data
streams.
G. CYBER ATTACK TESTS
The BAIDS device was presented with two types of attacks:
(1) brute-force attack on the BAIDS device from the public
network, and (2) cyber-physical attack that altered HVAC
and lighting states in the BAS. The brute-force attack is
where an attacker attempts to guess the correct passwords or
passphrases with the intent to eventually gain access or shut
down the system. In this experiment, the simulated attacker
attempted to gain entry using the secure shell (SSH) protocol.
The attacker made 4 consecutive unsuccessful attempts using
common usernames and passwords. The second cyber test
was successfully executed on the BAS.
The BAS is a type of cyber-physical system that has various
mechanisms (fans, lights, etc) controlled and monitored by
computer-based algorithms. The simulated adversary in the
test gained access to the system and was able to identify
critical control points in the BAS. The adversary was then
able to deploy code that sent signals to the fan motor and
light switches that altered the states in a negative manner.
This attack and the brute-force threat had unique network
traffic signatures that were analyzed by the unsupervised
ART algorithm.
The network traffic was archived in the onboard database
included a timestamp, packet length, header length, check-
sum, source address, destination address, source port, desti-
nation port, ttl, protocol, and IP version. The brute-force test
used inbound and outbound data to detect abnormal behavior
(Table 1). The analysis included more than 38,000 training
data and over 2,400 testing data points for the inbound and
outbound traffic data points. The cyber-physical attack test
used over 1 million training data points and attempted to
detect anomalies within a testing data set that contained more
than 57,000 data points as shown in Table 1.
The IDS algorithm on the BAIDS first pre-processed
the collected data by computing the communication fre-
quency (hits/minute) that occurred between the destination
VOLUME 5, 2017
TABLE 1. Training and testing data set sizes for the brute-force and
cyber-physical attack tests.
(8)
FIGURE 7. The network traffic packet information (frequency, packet
length, and checksum) was used to train the Adaptive Resonance Theory
algorithm so that it could identify cyber attacks. The known network
activity was labeled in classes 0 to N. However, unknown and potentially
malicious traffic was labeled as -1.
and source IP address for each minute of the day. The pre-
processing also computed the one minute average packet
length and checksum. Each instance of the three values were
presented to the ART algorithm as shown in Figure 7. During
training the ART algorithm learned inbound and outbound
traffic on the public network for the brute-force test and BAS
traffic for the cyber-physical test. The algorithm developed
a set of templates (or categories) that represented the traf-
fic characteristics for each connection. The templates were
stored in the onboard database. Then, during testing the ART
algorithm used the stored templates to analyze previously
unseen frequency, packet length, and checksum data points.
The algorithm labeled each known instance with a label
between 0 and N that were created during the training stage.
Unknown instances were labeled with a -1. The -1 indicated
that it could not find a class for the inputs and was considered
novel. The instances labeled with -1 were then compared with
the time that the attacks were implemented to determine if the
ART algorithm had accurately detected malicious network
activity correctly.
IV. RESULTS
The BAIDS was used in a hardware-in-the-loop experiment.
The experiment demonstrated the ability to perform advanced
HVAC fan control across multiple IT networks while main-
taining a trustworthy data connection. Fan control signals
were sent from a nearby PV array data acquisition system
on the public network, through the BAIDS interconnection
device, and finally to the fan motor controller in the local
BAS network. The control signal was used to synchronize
the HVAC load with the electrical production from the PV
power plant. The experiment used the actual fan and damper
system in conjunction with a building zone thermal model
with the intent to simulate the fan control performance. The
IDS embedded in the BAIDS device passively monitored
inbound and outbound traffic on the public and local net-
works. The traffic patterns were evaluated successfully using
the ART ANN.
11069
 C. B. Jones, C. Carter: Trusted Interconnections Between a Centralized Controller and Commercial Building HVAC Systems

A. ADVANCED HVAC FAN CONTROL

The existing BAS controlled the fan motor speed based on
the duct static pressure. The static pressure sensor value
increased or decreased when the fan speed or the zone damper
position was modified. This fan control script, written in the
Delta Controls Software, was not changed for this experi-
ment. Instead, the BAIDS interconnection device performed
an override of the existing system and controlled the fan
motor directly. When the zone temperature exceeded the tem-
perature limits, described in Equation 2, BAIDS relinquished
the override and the fan operated under the Delta Controls
command.

FIGURE 9. A 3 hour period on September 4, 2106 where the fan power

remained below the PV power output during smooth and intermittent PV
electrical production.

FIGURE 8. The fan and PV power had similar profiles over this three day
span. The BAIDS device was able to use the PV data to control the fan so
that it matched with the power produced.

The advanced control of the HVAC fan synchronized the

fan motor power with the electrical output from the PV array.
The fan power matched the PV production patterns as shown
in Figure 8. The fan motor followed the PV profile during
smooth and intermittent PV electricity production. The con-
trol was able to modulate the fan quickly in response to the
FIGURE 10. The modeled thermal zone used in the hardware-in-the-loop
experiment had reasonable temperatures during occupied hours. The
temperature did not exceed 21.6◦ C or drop below 23.8◦ C.

reduced PV power production caused by clouding conditions.

During clouding conditions the fan speed was reduced so that
the power profile remained below the PV power output.
The interconnection between the PV array monitoring
device and the fan motor control was not inhibited by the
BAIDS device. The signal was sent at a one minute interval
and allowed for the fan motor to adjust to PV output changes.
Fan speed adjustments to maintain synchronization during
intermittent PV power output can be seen over a 3 hour period
on September 4, 2016 in Figure 9. Figure 9 graphs the fan
power and PV output at one minute intervals. The fan power
was able to stay below the PV power profile for most of
the time. Additionally, the air flow rate provided by the fan
did not negatively impact the comfort level for the simulated
zone.
The fan control experiment was conducted over a six day
period in September. The zone model used the actual outside
temperature measured by NOAA and the actual air flow
rate produced by the HVAC fan in the BACS testbed. The
outside air temperature ranged from low of 18◦ C to a high of
32◦ C over the six day period. The experiment required that
the building zone connected to the fan and damper system
maintain a comfortable temperature. The zone temperature
was able to remain between 21.6 and 23.8◦ C during occupied
hours when outside air temperatures exceeded 32◦ C. For
example, the zone temperature results are plotted over the
same two day period as Figure 8 in Figure 10. The temper-
ature in the zone remained between the required thresholds
during the day and increased to above 25◦ C during the unoc-
cupied hours. The fan control and zone model simulation was
conducted in parallel with the cyber security monitoring.
B. NETWORK TRAFFIC PACKET COLLECTION
The BAIDS was used to connect the public and private
network. The interconnection provided a necessary bridge

11070 VOLUME 5, 2017

C. B. Jones, C. Carter: Trusted Interconnections Between a Centralized Controller and Commercial Building HVAC Systems
that sent signals to and from the BAS private network. The
connection allowed for fast, and reliable DR control of indi-
vidual BAS devices. The trustworthy connection was made
possible through the implementation of a passive IDS. The
IDS was embedded in the interconnection device and was
able to monitor, store, and analyze incoming and outgoing
messages on the private and public networks.
The IDS successfully monitored and stored network traffic
in near real-time. The messages were recorded in an onboard
elasticsearch database. The database was structured so that
inbound and outbound traffic on the public and private net-
works were stored as separate tables. In addition, the system
monitored all of the network traffic in the BAS and recorded
all IP addresses and ports in real-time. At the same time, all
the traffic that communicated directly with the BAIDS device
on the public network was detected and stored.
FIGURE 11. Activity that originated from unknown IP addresses on the
BAS network. Each color represents a different IP address.
The incoming traffic observed from unknown IP addresses,
shown in Figure 11, revealed the frequency at which each IP
address was contacted over a 15 minute period on the private
network. The different color bars in Figure 11 represent the
particular IP address that sent a message. The frequency for
each of the IP addresses remained below 20 hits per minute
from hour 19:21 to 19:25 and then went up to above 50 hits
per minute at 19:26. The lowest communication frequency
for the IP address was around 10 hits per minute and the
highest was above 80. The large peaks could be a potential
indication of malicious cyber behavior. Hackers could be
attempting to alter the state of the system by connecting with
the particular device at a higher rate than usual. However,
more detailed analysis would be required to make these kind
of determinations. The present work used the ART neural
network to analyze network messages and detect potentially
malicious activity.
C. INTRUSION DETECTION
The cyber security capabilities of the BAIDS interconnection
device where tested against artificially induced brute-force
VOLUME 5, 2017
and cyber-physical attacks. The attacks were detected through
the analysis of the collected and stored network traffic data.
The one minute frequency, average packet length, and aver-
age checksum were presented to the ART neural network for
training and testing. The training process considered close
to 2 million data points collected on the public and private
networks. The IDS detected potential cyber-physical threats
by analyzing the private network activity. The brute-force
threats were monitored on the public network.
The ART algorithm evaluated the outbound and inbound
traffic on the public network in order to detect a brute-force
threat. The training data set for the outbound traffic is shown
on the left side of Figure 12. The different colors represent
the various IP addresses that were contacted by the BAIDS
device. The traffic behavior with the different IP addresses
varied; some of the network communications between the
BAIDS and public network devices had scattered behavior
and others were consistent over time. The BAS traffic, used to
evaluate the cyber-physical attack, showed consistent behav-
ior for four devices as shown on the right side of Figure 12.
The training data was used by the ART algorithm to learn
normal network traffic activity. The gained knowledge was
then applied to cyber threat situations with the intent to detect
unwanted attacks accurately.
FIGURE 12. The monitored traffic on the public and private networks
were evaluated using the traffic frequency, average packet size, and
average checksum attributes. The different colored markers describe the
behavior for each device. The public network data defines the
communication between various devices and BAIDS. The private network
data defines the behavior for four different devices.
Cyber attacks were detected accurately by the ART algo-
rithm in the public and private networks. The ART algo-
rithm trained on each of the normal data set using a free
parameter ρ value equal to 0.92. It identified the brute force
attack by labeling outbound and inbound traffic data as nor-
mal or abnormal. For example, the ART algorithm flagged
abnormal behavior in the outbound data set as shown in
Figure 13. In this case, the traffic data had a higher frequency,
larger than the normal packet size, and a normal checksum
for a two minute period which occurred from hour 16:57
to 16:59. This matched exactly with the simulated hacking
event. The successful identification of the brute-force attack
was achieved with only one false positive result. The same
approach was used to detect the cyber-physical attack on the
private network.
The cyber-physical attack impacted three HVAC control
devices in the private network. The malicious code altered the
11071
 C. B. Jones, C. Carter: Trusted Interconnections Between a Centralized Controller and Commercial Building HVAC Systems
FIGURE 13. The intrusion detection system was able to detect the
brute-force attack using the Adaptive Resonance Theory neural network.
It quickly identified abnormal behavior.
FIGURE 14. The intrusion detection system was able to detect the
cyber-physical attack. The Adaptive Resonance Theory neural network
identified abnormal behavior by evaluating traffic that originated from
various devices. The upside down triangles show the abnormal traffic that
came from the hackers computer.
states of numerous systems connected to the HVAC control
system. Unfortunately, the BAIDS device was not able to
stop it from occurring, nor was it able to react to the attack
and return the states back to normal. However, it was able to
accurately detect the event and identify the devices impacted.
The ART algorithm detected abnormal behavior from the
adversary’s device as shown in Figure 14 by evaluating the
source IP information. The destination IP address results pro-
duced by the ART algorithm identified each of the impacted
devices. The algorithm had a 100% true positive rate and
flagged only two false alarms.
V. CONCLUSION
Direct control of HVAC devices from a centralized loca-
tion for DR can be achieved using an intelligent and secure
interconnection device. The BAIDS successfully bridged two
networks to provide direct communication between an HVAC
control devices and a solar PV array. The hardware-in-the-
loop experiment successfully synchronized the fan motor
11072
power with the PV electrical output without disturbing the
thermal comfort levels inside a simulated thermal zone of a
building. At the same time, one second monitoring of network
traffic on the private and public networks was implemented
to perform passive intrusion detection. The network data was
collected and made available through a HMI database inter-
face. The network data was then used by an ART algorithm
to identify anomalies and potentially malicious activity.
Future work will expand on this work to upgrade the
controls and provide active intrusion detection capabilities.
The goal is to improve interoperability between the utility
and commercial building operators. Improved interoperabil-
ity will allow for DR to occur without imposing discomfort
to the building occupants. For example, utilities could work
with building operators to connect with a large amount of
dispatchable loads, receive feedback to adjust controls, and
target the best loads for the utility and the users at any given
moment in time. This most be done with cyber security in
mind.
Real-time cyber threat analysis using learning based algo-
rithms has the potential to monitor, evaluate, and flag traffic
at specific ports and IP addresses. The current work tested a
single ANN algorithm. The next step is to perform detailed
experiments that test the abilities of various algorithms to
identify threats on BAS. The experiment will evaluate the
algorithms ability to analyze network traffic anomalies and
state changes in the cyber-physical system.
ACKNOWLEDGMENT
Sandia National Laboratories is a multimission laboratory
managed and operated by National Technology and Engineer-
ing Solutions of Sandia, LLC., a wholly owned subsidiary
of Honeywell International, Inc., for the U.S. Department
of Energy’s National Nuclear Security Administration under
contract DE-NA0003525.
REFERENCES
[1] P. Palensky and D. Dietrich, ‘‘Demand side management: Demand
response, intelligent energy systems, and smart loads,’’ IEEE Trans. Ind.
Informat., vol. 7, no. 3, pp. 381–388, Aug. 2011.
[2] P. Siano, ‘‘Demand response and smart grids—A survey,’’ Renew. Sustain.
Energy Rev., vol. 30, pp. 461–478, Feb. 2014.
[3] S. Kiliccote, D. Olsen, M. D. Sohn, and M. A. Piette, ‘‘Characterization of
demand response in the commercial, industrial, and residential sectors in
the United States,’’ Wiley Interdisciplinary Rev., Energy Environ., vol. 5,
no. 3, pp. 288–304, May 2016.
[4] N. M. Watson, J. Page, S. Kiliccote, and M. A. Piette, ‘‘Fast auto-
mated demand response to enable the integration of renewable resources,’’
Lawrence Berkeley National Lab., Berkeley, CA, USA, Tech. Rep. LBNL-
5555E, Jun. 2012.
[5] S. Clements and H. Kirkham, ‘‘Cyber-security considerations for the smart
grid,’’ in Proc. IEEE PES Gen. Meet., Jul. 2010, pp. 1–5.
[6] Y. Yan, Y. Qian, H. Sharif, and D. Tipper, ‘‘A survey on smart
grid communication infrastructures: Motivations, requirements and chal-
lenges,’’ IEEE Commun. Surveys Tuts., vol. 15, no. 1, pp. 5–20,
Feb. 2013.
[7] Y. Yan, Y. Qian, H. Sharif, and D. Tipper, ‘‘A survey on cyber security for
smart grid communications,’’ IEEE Commun. Surveys Tuts., vol. 14, no. 4,
pp. 998–1010, Oct. 2012.
[8] W. Wang and Z. Lu, ‘‘Cyber security in the Smart Grid: Survey and
challenges,’’ Comput. Netw., vol. 57, no. 5, pp. 1344–1371, Apr. 2013.
[Online]. Available: http://www.sciencedirect.com/science/article/
pii/S1389128613000042
VOLUME 5, 2017
C. B. Jones, C. Carter: Trusted Interconnections Between a Centralized Controller and Commercial Building HVAC Systems
[9] M. A. Piette, O. Sezgen, D. S. Watson, N. Motegi, C. Shockman, and
L. ten Hope, ‘‘Development and evaluation of fully automated demand
response in large facilities,’’ Lawrence Berkeley Nat. Lab., Berkeley,
CA, USA, Tech. Rep. LBNL-55085, Mar. 2004. [Online]. Available:
http://escholarship.org/uc/item/4r45b9zt
[10] G. Ghatikar and R. Bienert, ‘‘Smart grid standards and systems interoper-
ability: A precedent with OpenADR,’’ in Proc. Grid Interop Forum, 2011,
pp. 1–7.
[11] C. McParland, ‘‘OpenADR open source toolkit: Developing open source
software for the Smart Grid,’’ in Proc. IEEE Power Energy Soc. Gen. Meet.,
Jul. 2011, pp. 1–7.
[12] M. A. Piette, G. Ghatikar, S. Kiliccote, D. Watson, E. Koch, and
D. Hennage, ‘‘Design and operation of an open, interoperable automated
demand response infrastructure for commercial buildings,’’ J. Comput.
Inf. Sci. Eng., vol. 9, no. 2, p. 021004, May 2009. [Online]. Available:
http://dx.doi.org/10.1115/1.3130788
[13] N. Research. (2016). How To Protect Corporate Building Networks
From Cyber Attacks. [Online]. Available: http://www.forbes.com/sites/
pikeresearch/2016/09/13/cybersecurity-and-intelligent-buildings/
[14] M. Peacock and M. N. Johnstone, ‘‘An analysis of security issues in build-
ing automation systems,’’ in Proc. 12th Austral. Inf. Secur. Manage. Conf.,
Jan. 2014, pp. 100–104. [Online]. Available: http://ro.ecu.edu.au/ism/170
[15] C. Neilson, ‘‘Securing a control systems network,’’ BACnet Today Suppl.
ASHRAE J., vol. 55, no. 11, pp. b18–b22, Nov. 2013.
[16] D. G. Holmberg, ‘‘Secure messaging in BACnet,’’ BACnet Today Suppl.
ASHRAE J., vol. 47, no. 11, pp. B23–B26, Nov. 2005.
[17] W. Granzer, F. Praus, and W. Kastner, ‘‘Security in building automation
systems,’’ IEEE Trans. Ind. Electron., vol. 57, no. 11, pp. 3622–3630,
Nov. 2010.
[18] W. Lee, S. J. Stolfo, and K. W. Mok, ‘‘A data mining framework for
building intrusion detection models,’’ in Proc. IEEE Symp. Secur. Privacy,
May 1999, pp. 120–132.
[19] Z. Pan, S. Hariri, and Y. Al-Nashif, ‘‘Anomaly based intrusion detection
for Building Automation and Control networks,’’ in Proc. IEEE/ACS 11th
Int. Conf. Comput. Syst. Appl. (AICCSA), Nov. 2014, pp. 72–77.
[20] M. Johnstone, M. Peacock, and J. D. Hartog, ‘‘Timing attack
detection on BACnet via a machine learning approach,’’ in Proc.
Austral. Inf. Secur. Manage. Conf., Jan. 2015. [Online]. Available:
http://ro.ecu.edu.au/ism/181
[21] J. Tonejc, S. Guttes, A. Kobekova, and J. Kaur, ‘‘Machine learning methods
for anomaly detection in BACnet networks,’’ J. Univ. Comput. Sci., vol. 22,
no. 9, pp. 1203–1224, 2016.
[22] A. Mammoli, H. Barsun, R. Burnett, J. Hawkins, and J. Simmins, ‘‘Using
high-speed demand response of building HVAC systems to smooth cloud-
driven intermittency of distributed solar photovoltaic generation,’’ in Proc.
IEEE PES Transmiss. Distrib. Conf. Expo. (T D), May 2012, pp. 1–10.
[23] W. Anwaar and A. Shah, ‘‘Energy efficient computing: A comparison of
raspberry PI with modern devices,’’ Int. J. Comput. Inf. Technol., vol. 4,
no. 2, pp. 410–413, Mar. 2015.
[24] P. Paethong, M. Sato, and M. Namiki, ‘‘Low-power distributed NoSQL
database for IoT middleware,’’ in Proc. 15th ICT Int. Student Project
Conf. (ICT-ISPC), May 2016, pp. 158–161.
[25] H. G. Jamuna and S. Hugar, ‘‘Smarter grid embedded in an Internet of
Things,’’ Int. J. Eng. Technol., vol. 2, no. 3, p. 1, Jun. 2016.
[26] C. B. Jones et al., ‘‘Wondering what to blame? Turn PV performance
assessments into maintenance action items through the deployment of
learning algorithms embedded in a Raspberry Pi device,’’ in Proc. IEEE
43rd Photovoltaic Specialists Conf. (PVSC), Jun. 2016, pp. 0261–0266.
VOLUME 5, 2017
[27] B. Mukherjee, L. T. Heberlein, and K. N. Levitt, ‘‘Network intrusion
detection,’’ IEEE Netw., vol. 8, no. 3, pp. 26–41, May 1994.
[28] G. A. Carpenter and S. Grossberg, ‘‘A massively parallel architecture for a
self-organizing neural pattern recognition machine,’’ Comput. Vis. Graph.
Image Process., vol. 37, no. 1, pp. 54–115, 1987.
[29] G. A. Carpenter, S. Grossberg, and D. B. Rosen, ‘‘Fuzzy ART: Fast
stable learning and categorization of analog patterns by an adap-
tive resonance system,’’ Neural Netw., vol. 4, no. 6, pp. 759–771,
1991.
[30] M. Georgiopoulos, I. Dagher, G. L. Heileman, and G. Bebis, ‘‘Proper-
ties of learning of a fuzzy ART variant,’’ Neural Netw., vol. 12, no. 6,
pp. 837–850, Jul. 1999.
C. BIRK JONES was born in Santa Fe,
NM, USA. He received the B.S. degree in civil and
environmental engineering from the University of
California at Davis, Davis, CA, USA, in 2004, and
the M.S. degree in construction engineering and
the Ph.D. degree in mechanical engineering from
the University of New Mexico, Albuquerque, NM,
in 2009 and 2015, respectively.
He was a Structural Engineer involved in
designing trusses and inspected bridges. He spent
some time in construction retrofitting large and small commercial building.
He was also a Mechanical Engineer involved in assessing building perfor-
mance using models and advanced learning algorithms to identify faults. He
is currently a Senior Member of the Technical Staff with the Sandia National
Laboratories, Photovoltaics and Distributed System Integration Department.
His research interests include photovoltaic system reliability, building HVAC
fault detection, demand response, and renewable energy integration.
CEDRIC CARTER, Jr., was born and raised in
Valdosta, GA, USA, and later moved to Durham,
NC, USA, at the age of 15. He received the B.S.
and M.S. degrees in computer science (informa-
tion assurance) from North Carolina A&T State
University (NCAT).
While at NCAT, he conducted research at
Indiana University Bloomington in parallel com-
puting with multi-core machines. He also interned
at Shell Oil Company, Houston, TX, USA, and
Cisco Systems, Raleigh, NC. He is currently with the Sandia National
Laboratories, Resilient Control Systems Department. His research interests
include cyber-physical assessments and threat deterrent development. He
was a recipient of the National Science Foundation Scholarship for Service.
11073