Security and Human-Centered Assessment of BACnet-Controlled DALI Infrastructure in an Educational Building Automation Testbed
Pith reviewed 2026-06-27 04:18 UTC · model grok-4.3
The pith
Assessing BACnet-controlled DALI infrastructure requires usable tool interfaces, physical observability, interpretable naming, and safe mental models for command priorities in addition to protocol knowledge.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
Using network-oriented enumeration, object-level inspection, physical rack analysis, and reflective HCI analysis of tool-supported learning in the Thun educational testbed, the paper shows that BACS assessment is not only a technical protocol task: it also requires usable tool interfaces, physical observability, interpretable naming conventions, and safe mental models for command priorities.
What carries the argument
The integration of BACnet service enumeration and DALI group mapping with physical observability and HCI reflection on tool-supported learning.
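The network-oriented enumeration named above, as an added example that is not code from the paper or from Yabe/BACteria: a codec for the BACnet/IP Who-Is broadcast and the I-Am reply those tools exchange during device discovery, following the ASHRAE 135 encoding (BVLC header, NPDU, APDU). The sample I-Am is constructed here (hypothetical device instance 1234, vendor id 260) and is not a capture from the Thun testbed; discover() needs a live segment and is only called explicitly.

```python
"""BACnet/IP device discovery: encode Who-Is, decode I-Am (ASHRAE 135 Annex J).
Added example, not code from the paper or from Yabe/BACteria; it shows the
frames those tools exchange during enumeration. SAMPLE_I_AM is constructed
for a hypothetical device 1234, not a capture from the Thun testbed."""
import socket
import struct
from typing import Dict, List, Optional, Tuple

BACNET_PORT = 0xBAC0                       # 47808/udp
BVLC_TYPE, BVLC_ORIGINAL_BROADCAST = 0x81, 0x0B
PDU_UNCONFIRMED_REQUEST = 0x10             # PDU type 1 in the high nibble
SERVICE_I_AM, SERVICE_WHO_IS = 0x00, 0x08
OBJECT_TYPE_DEVICE = 8
SEGMENTATION = {0: "segmented-both", 1: "segmented-transmit",
                2: "segmented-receive", 3: "no-segmentation"}

def _unsigned(value: int) -> bytes:
    """Minimal big-endian encoding of a BACnet Unsigned (at least one byte)."""
    return value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")

def _context(tag: int, payload: bytes) -> bytes:
    """Context tag: number in the high nibble, class bit 0x08, length (< 5) in the low bits."""
    return bytes([(tag << 4) | 0x08 | len(payload)]) + payload

def encode_who_is(low: Optional[int] = None, high: Optional[int] = None) -> bytes:
    """Global Who-Is as Original-Broadcast-NPDU, optionally limited to an instance range."""
    apdu = bytes([PDU_UNCONFIRMED_REQUEST, SERVICE_WHO_IS])
    if low is not None and high is not None:
        apdu += _context(0, _unsigned(low)) + _context(1, _unsigned(high))
    # NPDU: version 1; control 0x20 = destination present; DNET 0xFFFF (global
    # broadcast), DLEN 0, hop count 255.
    body = bytes([0x01, 0x20, 0xFF, 0xFF, 0x00, 0xFF]) + apdu
    return struct.pack("!BBH", BVLC_TYPE, BVLC_ORIGINAL_BROADCAST, 4 + len(body)) + body

def _app_tag(data: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one application-tagged primitive: (tag number, value bytes, next offset)."""
    head = data[pos]
    if head & 0x08:
        raise ValueError("context tag where an application tag was expected")
    tag, length, pos = head >> 4, head & 0x07, pos + 1
    if length == 5:                        # extended length byte (values below 254)
        length, pos = data[pos], pos + 1
    return tag, data[pos:pos + length], pos + length

def _skip_npdu(frame: bytes, pos: int) -> int:
    """Step over the NPDU header, including optional destination/source specifiers."""
    control = frame[pos + 1]
    pos += 2                               # version, control
    if control & 0x80:
        raise ValueError("network-layer message, not an APDU")
    if control & 0x20:
        pos += 3 + frame[pos + 2]          # DNET, DLEN, DADR
    if control & 0x08:
        pos += 3 + frame[pos + 2]          # SNET, SLEN, SADR
    if control & 0x20:
        pos += 1                           # hop count follows any source specifier
    return pos

def decode_i_am(frame: bytes) -> Dict[str, object]:
    """Return the per-device fields an enumeration tool lists from an I-Am."""
    bvlc_type, _function, length = struct.unpack("!BBH", frame[:4])
    if bvlc_type != BVLC_TYPE or length != len(frame):
        raise ValueError("not a well-formed BACnet/IP frame")
    pos = _skip_npdu(frame, 4)
    if (frame[pos] & 0xF0) != PDU_UNCONFIRMED_REQUEST or frame[pos + 1] != SERVICE_I_AM:
        raise ValueError("not an I-Am")
    tag, oid, pos = _app_tag(frame, pos + 2)                # BACnetObjectIdentifier, tag 12
    oid_int = int.from_bytes(oid, "big")
    obj_type, instance = oid_int >> 22, oid_int & 0x3FFFFF  # 10-bit type, 22-bit instance
    if tag != 12 or obj_type != OBJECT_TYPE_DEVICE:
        raise ValueError("I-Am must start with a Device object identifier")
    _, max_apdu, pos = _app_tag(frame, pos)                 # Unsigned, tag 2
    _, seg, pos = _app_tag(frame, pos)                      # Enumerated, tag 9
    _, vendor, pos = _app_tag(frame, pos)                   # Unsigned, tag 2
    return {"device_instance": instance,
            "max_apdu": int.from_bytes(max_apdu, "big"),
            "segmentation": SEGMENTATION[int.from_bytes(seg, "big")],
            "vendor_id": int.from_bytes(vendor, "big")}

# Constructed reply: Original-Unicast BVLC, plain NPDU, I-Am for device 1234,
# max APDU 1476, no segmentation, vendor id 260 (not a Thun testbed capture).
SAMPLE_I_AM = bytes.fromhex("810a0015" "0100" "1000" "c4020004d2" "2205c4" "9103" "220104")

def discover(bind_ip: str = "0.0.0.0", timeout: float = 3.0) -> List[Tuple[str, Dict[str, object]]]:
    """Broadcast Who-Is on the local segment and collect I-Am replies (live network)."""
    found: List[Tuple[str, Dict[str, object]]] = []
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        sock.settimeout(timeout)
        sock.bind((bind_ip, BACNET_PORT))
        sock.sendto(encode_who_is(), ("255.255.255.255", BACNET_PORT))
        try:
            while True:
                data, (ip, _port) = sock.recvfrom(1500)
                try:
                    found.append((ip, decode_i_am(data)))
                except ValueError:
                    continue               # other BACnet traffic on 47808
        except socket.timeout:
            pass
    return found
```

The Who-Is/I-Am pair is unauthenticated and unconfirmed on plain BACnet/IP, which is why a single broadcast from a laptop on the automation VLAN enumerates every responding controller; the decoder rejects malformed or routed-but-unexpected frames with ValueError rather than guessing, and handles a source specifier so replies relayed through a BACnet router still parse.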
If this is right
- Cybersecurity education in building automation must incorporate hands-on tool use and physical inspection alongside protocol study.
- Tool interfaces for BACS assessment should prioritize clear object hierarchies and room-level path visibility.
- System naming conventions directly affect analysts' ability to form accurate mental models of command priorities.
- Responsible experimentation in cyber-physical building environments benefits from combined network and physical analysis methods.
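The command-priority point in the list above, as an added example that is not part of the paper or of Yabe/BACteria: a minimal model of a BACnet commandable object's Priority_Array, showing why a tool write at priority 8 (manual operator) outlives a building-management schedule writing at priority 16 until it is relinquished with a NULL write, and an audit helper that lists objects still held at manual level. The object names are hypothetical; the priority semantics follow ASHRAE 135.

```python
"""BACnet command priority, the mental model the case study flags as safety-
relevant. Added example, not code from the paper, Yabe or BACteria. A
commandable object (here a Binary Output standing in for a DALI lighting
group) keeps a 16-slot Priority_Array; slot 1 is the highest priority and
Present_Value is the value in the lowest-numbered non-NULL slot, falling back
to Relinquish_Default when every slot is NULL. Object names are constructed."""
from typing import Any, Dict, List, Optional, Tuple

NULL = None
# Levels with a defined meaning in ASHRAE 135; the others are site-assigned.
PRIORITY_MEANING = {1: "manual life safety", 2: "automatic life safety",
                    5: "critical equipment control", 6: "minimum on/off",
                    8: "manual operator", 16: "lowest (schedules, programs)"}


class CommandableObject:
    def __init__(self, name: str, relinquish_default: Any) -> None:
        self.name = name
        self.relinquish_default = relinquish_default
        self.priority_array: List[Any] = [NULL] * 16

    def write(self, value: Any, priority: int = 16) -> None:
        """WriteProperty Present_Value at a priority; a NULL value relinquishes that slot."""
        if not 1 <= priority <= 16:
            raise ValueError("BACnet priorities run from 1 (highest) to 16 (lowest)")
        self.priority_array[priority - 1] = value

    def relinquish(self, priority: int) -> None:
        self.write(NULL, priority)

    def controlling_priority(self) -> Optional[int]:
        """Slot that currently determines Present_Value, or None if every slot is NULL."""
        for index, slot in enumerate(self.priority_array, start=1):
            if slot is not NULL:
                return index
        return None

    def present_value(self) -> Any:
        prio = self.controlling_priority()
        return self.relinquish_default if prio is None else self.priority_array[prio - 1]

    def explain(self) -> str:
        """One line an analyst can read: what the output is doing and which slot says so."""
        prio = self.controlling_priority()
        if prio is None:
            return f"{self.name}: {self.present_value()} from Relinquish_Default"
        meaning = PRIORITY_MEANING.get(prio, "unnamed level")
        return f"{self.name}: {self.present_value()} from priority {prio} ({meaning})"


def override_scenario() -> List[Tuple[str, Any, Optional[int]]]:
    """Walk through the trap: an analyst's priority-8 write outlives the schedule."""
    light = CommandableObject("Room_3_12_Lighting_Group_2", relinquish_default="INACTIVE")
    trace: List[Tuple[str, Any, Optional[int]]] = []

    def step(label: str) -> None:
        trace.append((label, light.present_value(), light.controlling_priority()))

    light.write("ACTIVE", 16)
    step("BMS schedule writes ACTIVE @16")
    light.write("INACTIVE", 8)
    step("tool writes INACTIVE @8")
    light.write("ACTIVE", 16)
    step("schedule writes ACTIVE @16 again: still INACTIVE, slot 8 wins")
    light.relinquish(8)
    step("tool relinquishes @8 (writes NULL): schedule value reappears")
    light.relinquish(16)
    step("schedule relinquishes @16: Relinquish_Default applies")
    return trace


def find_stale_overrides(objects: List[CommandableObject],
                         manual_level: int = 8) -> Dict[str, int]:
    """Objects whose controlling slot is at or above the manual-operator level,
    i.e. writes a tool session may have left behind."""
    stale: Dict[str, int] = {}
    for obj in objects:
        prio = obj.controlling_priority()
        if prio is not None and prio <= manual_level:
            stale[obj.name] = prio
    return stale
```

The safe habit the model encodes is to treat every non-NULL write as a held lease, not a one-off command: before leaving a testbed session, read back the Priority_Array of each object touched and relinquish the slots you wrote, otherwise the schedule at 16 never regains control.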
Where Pith is reading between the lines
- The same combination of protocol tools and physical inspection may be needed for other building protocols such as Modbus or KNX.
- Standardized educational testbeds could support development of assessment checklists that include naming and priority-model checks.
- Vendors could reduce assessment difficulty by adopting consistent, room-mapped object naming practices across deployments.
Load-bearing premise
The observations and mappings obtained during the April 2026 hackathon in the Thun testbed using Yabe and BACteria are representative of typical BACnet/DALI deployments and tool-supported learning.
What would settle it
A documented BACnet/DALI assessment in another real deployment that succeeds without physical rack access, without interpretable naming, or without explicit attention to command-priority mental models would challenge the necessity of those elements.
Original abstract
Building automation and control systems integrate heating, ventilation, air conditioning, lighting, sensing, and management functions through specialized communication protocols. While this integration enables flexible building operation, it also creates complex cyber-physical environments that are difficult to inspect, secure, and explain to new analysts. This paper presents a practical security and human-centered case study of a BACnet/IP building automation testbed with DALI lighting infrastructure, investigated during a domotics-oriented cybersecurity hackathon in Thun, Switzerland in April 2026. The study combines network-oriented enumeration, object-level inspection, physical rack analysis, and reflective HCI analysis of tool-supported learning. Using Yabe and BACteria, the work documents observable BACnet services, reconstructs structured object hierarchies, identifies room-level lighting-control paths, and maps BACnet objects to DALI group-level infrastructure. The analysis emphasizes that BACS assessment is not only a technical protocol task: it also requires usable tool interfaces, physical observability, interpretable naming conventions, and safe mental models for command priorities. The paper contributes a compact case study of BACnet/DALI exploration in an educational testbed and discusses implications for cybersecurity education, human-centered security tooling, and responsible experimentation in cyber-physical building environments.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper presents a practical security and human-centered case study of a BACnet/IP building automation testbed with DALI lighting infrastructure in an educational setting in Thun, Switzerland. Based on observations from an April 2026 domotics-oriented cybersecurity hackathon, it combines network enumeration using Yabe and BACteria, reconstruction of BACnet object hierarchies, identification of room-level lighting-control paths, and mapping of BACnet objects to DALI group infrastructure. The analysis concludes that BACS assessment requires not only technical protocol knowledge but also usable tool interfaces, physical observability, interpretable naming conventions, and safe mental models for command priorities, while discussing implications for cybersecurity education and human-centered tooling.
Significance. If the observations hold, the work provides a concrete, documented example of protocol-level exploration in a real educational testbed, highlighting practical challenges at the intersection of building automation security and human factors. This could inform the design of better analysis tools and educational approaches for cyber-physical systems, though the single-site qualitative nature limits broader claims.
major comments (2)
- [Abstract] Abstract: The central claim that BACS assessment 'is not only a technical protocol task' but also requires usable tool interfaces, physical observability, interpretable naming conventions, and safe mental models for command priorities rests entirely on qualitative reflection from the single Thun testbed hackathon; no quantitative metrics, controlled evaluation, error analysis, or comparative data from other deployments are reported to establish these as general requirements rather than site-specific observations.
- [Abstract] Abstract (methods and observations description): The study documents observable BACnet services, object hierarchies, and DALI mappings but provides no quantitative validation, baseline comparisons, or assessment of how representative the Yabe/BACteria enumeration and room-level mappings are of typical BACnet/DALI deployments, making the human-centered conclusions dependent on an unverified assumption of representativeness.
minor comments (1)
- [Abstract] The manuscript date reference to April 2026 should be clarified for readers (e.g., whether it is a planned event or typographical).
Simulated Author's Rebuttal
We thank the referee for the constructive comments on our case study. The work is a qualitative documentation of a single educational testbed rather than a quantitative or generalizable evaluation, and we address each point below.
Point-by-point responses
- Referee: [Abstract] Abstract: The central claim that BACS assessment 'is not only a technical protocol task' but also requires usable tool interfaces, physical observability, interpretable naming conventions, and safe mental models for command priorities rests entirely on qualitative reflection from the single Thun testbed hackathon; no quantitative metrics, controlled evaluation, error analysis, or comparative data from other deployments are reported to establish these as general requirements rather than site-specific observations.
  Authors: We agree the observations derive from a single-site hackathon in the Thun testbed and do not constitute quantitative validation or general requirements. The abstract presents these as conclusions from the documented case study to highlight practical human-centered challenges. We will revise the abstract to explicitly frame the points as site-specific observations from this educational deployment without implying broader generality. revision: yes
- Referee: [Abstract] Abstract (methods and observations description): The study documents observable BACnet services, object hierarchies, and DALI mappings but provides no quantitative validation, baseline comparisons, or assessment of how representative the Yabe/BACteria enumeration and room-level mappings are of typical BACnet/DALI deployments, making the human-centered conclusions dependent on an unverified assumption of representativeness.
  Authors: The manuscript makes no claim of representativeness for typical BACnet/DALI deployments and does not assume the Thun testbed is representative. It is presented as a case study of an educational testbed, with the contribution being the concrete documentation of services, hierarchies, mappings, and observed human factors. No quantitative validation or baselines are provided or planned, as these would exceed the qualitative case-study scope. revision: no
Circularity Check
No circularity: purely observational case study with no derivations or self-referential reductions
full rationale
The paper presents a descriptive case study of BACnet/DALI exploration in one educational testbed using specific tools during a hackathon. It reports observations (enumeration, hierarchies, mappings) and draws human-centered conclusions directly from those activities. No equations, predictions, fitted parameters, or load-bearing self-citations appear in the provided text or abstract. The central claim is framed as an emphasis from the case study itself rather than a derived result that reduces to its inputs by construction. This matches the default expectation for non-circular observational reports.
Reference graph
Works this paper leans on
- [1] BACnet Committee, "BACnet Committee – ASHRAE SSPC 135," https://bacnet.org/, n.d., accessed 2026-06-02.
- [2] ASHRAE, "BACnet: The ASHRAE Building Automation and Control Networking Protocol," https://www.ashrae.org/technical-resources/bookstore/bacnet, n.d., accessed 2026-06-02.
- [3] DALI Alliance, "DALI and DALI-2: Standardized Smart Lighting Control and IEC 62386," https://www.dali-alliance.org/dali/, n.d., accessed 2026-06-02.
- [4] V. Graveto, T. Cruz, and P. Simões, "Security of building automation and control systems: Survey and future research directions," Computers & Security, vol. 112, p. 102527, 2022, https://doi.org/10.1016/j.cose.2021.102527.
- [5] C. Morales-Gonzalez, M. Harper, M. Cash, L. Luo, Z. Ling, Q. Z. Sun, and X. Fu, "On building automation system security," High-Confidence Computing, vol. 4, no. 3, p. 100236, 2024, https://doi.org/10.1016/j.hcc.2024.100236.
- [6] G. Li, L. Ren, Y. Fu, Z. Yang, V. Adetola, J. Wen, Q. Zhu, T. Wu, K. S. Candan, and Z. O'Neill, "A critical review of cyber-physical security for building automation systems," Annual Reviews in Control, vol. 55, pp. 237–254, 2023, https://doi.org/10.1016/j.arcontrol.2023.02.004.
- [7] armasuisse Science and Technology, "CYD Campus BACS Hackathon 2025 – Exploring Security for Building Automation and Control Systems," https://www.ar.admin.ch/en/domotic-hackathon-cyd-campus-en, 2025, accessed 2026-06-02.
- [8] O. Gasser, Q. Scheitle, C. Denis, N. Schricker, and G. Carle, "Security implications of publicly reachable building automation systems," in 2017 IEEE Security and Privacy Workshops (SPW), San Jose, CA, USA, 2017, pp. 199–204, https://doi.org/10.1109/SPW.2017.13.
- [9] ASHRAE, "BACnet Secure Connect Whitepaper," https://www.ashrae.org/File%20Library/Technical%20Resources/Bookstore/BACnet-SC-Whitepaper-v15 Final 20190521.pdf, 2019, accessed 2026-06-02.
- [10] M. Grobler, R. Gaire, and S. Nepal, "User, usage and usability: Redefining human centric cyber security," Frontiers in Big Data, vol. 4, 2021, https://doi.org/10.3389/fdata.2021.583723.
- [11] M. M. Yamin, B. Katt, and V. Gkioulos, "Cyber ranges and security testbeds: Scenarios, functions, tools and architecture," Computers & Security, vol. 88, p. 101636, 2020, https://doi.org/10.1016/j.cose.2019.101636.