Optimally protected building automation

BACnet Secure Connect

Around 25 million devices currently exchange their data via BACnet, the first version of which was published in 1995. The cross-manufacturer communication standard now has its own security infrastructure and is therefore fit for the requirements of digitalization.

Closed networks and long innovation cycles - building automation initially had completely different requirements in terms of operational security than information technology (IT). However, internet technologies, the convergence of IT and building automation (BA) as well as cloud-based applications require a high level of protection for communication - such as access restriction, authentication, authorization and encryption.

Minimize risks

Added to this is the German government's KRITIS strategy. It has set itself the goal of protecting critical infrastructures that supply the state, economy and society with key goods and services. Whether an airport, chemical plant or municipal property - more and more BA operators have to prove that they can guarantee security of supply. This also applies to BACnet networks, which until now could only be secured at great expense. With BACnet Secure Connect (BACnet/SC), there is now a technology for establishing secure communication connections with comparatively little effort, because mechanisms that are already common in IT will in future also provide network and information security for building automation.

A number of challenges need to be overcome in order to complete this process successfully. For example, security awareness in building automation is nowhere near as pronounced as in IT. Anyone scouring the Internet in search of unsecured BACnet networks will quickly - and often - find them. At the same time, building technology cannot simply be handed over to the security-proven IT administration without jeopardizing the device manufacturer's warranty. Pragmatic ways are therefore needed to implement the new standard so that operators can use it without problems. Accordingly, BACnet/SC adopts several mechanisms that have proven themselves in information technology.

From hub to node

First of all, the network topology changes visibly with BACnet/SC. Previously, the initial connection setup in BACnet was carried out with broadcasts, sometimes with the support of so-called BACnet Broadcast Management Devices (BBMD) - a method that is not common in IT. For this reason, a different approach was chosen for the configuration: Each network is given a central point, the so-called hub. It controls the data traffic between any number of nodes (end devices). It also analyzes the data traffic to determine whether information should be forwarded to a single node or all nodes. A direct connection can also be established for direct communication between two nodes.

At the same time, BACnet/SC contains a failover mechanism that ensures that the system remains functional even if the hub fails or is switched off for maintenance. This new topology considerably simplifies configuration, commissioning and management. At the same time, BBMDs and their configuration become superfluous.

Encryption and certificates

TCP (Transmission Control Protocol) with WebSocket is used for secure data transmission - two reliable mechanisms based on the Internet protocol IP, which is used almost everywhere in IT. TCP/IP replaces the UDP (User Datagram Protocol) transport previously used by BACnet, and TLS (Transport Layer Security) provides tap-proof and tamper-proof communication. TLS is also widely used in IT as the basis for secure web access (HTTPS).

For encryption, it should be noted that a company-wide procedure must be created for the necessary digital certificates. Unlike on the public Internet, BACnet/SC does not prescribe which certification and registration authorities of a public key infrastructure are to be used. This allows a BA operator to take its individual network structures into account.
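The core of such an operator-run certificate procedure, as an added illustration using openssl (not MBS or BACnet standard code): the operator's own root CA issues a certificate to a hub, and a peer accepts only certificates that chain to that CA, so a look-alike certificate from an unrelated issuer is rejected. All names, paths and the CA structure are hypothetical.

```shell
#!/bin/sh
# Added example, not MBS or BACnet standard code. Demonstrates an operator-run
# PKI for BACnet/SC: the operator's own CA issues device certificates, and a
# peer accepts only certificates that chain to that CA. All names are hypothetical.
set -eu

WORK="${TMPDIR:-/tmp}/bacnet-sc-pki.$$"

# Issue one device certificate signed by the CA whose files are given.
issue_cert() {  # issue_cert <ca-name> <device-name> <common-name>
  openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
    -subj "/CN=$3" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.crt" -CAkey "$1.key" -CAcreateserial \
    -out "$2.crt" -days 365 2>/dev/null
}

# Build the operator CA plus one hub certificate, and a look-alike certificate
# from an unrelated CA (stands in for a device that was never enrolled).
setup_pki() {
  mkdir -p "$WORK" && cd "$WORK"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -days 3650 -subj "/CN=Example Operator BA Root CA" 2>/dev/null
  issue_cert ca hub "bacnet-hub-01.example"
  openssl req -x509 -newkey rsa:2048 -nodes -keyout other.key -out other.crt \
    -days 3650 -subj "/CN=Unrelated CA" 2>/dev/null
  issue_cert other rogue "bacnet-hub-01.example"   # same CN, wrong issuer
}

# What a node does before trusting a hub (or a hub before admitting a node):
# check that the presented certificate chains to the operator CA.
verify_device() {  # verify_device <cert-file>  -> prints ok | rejected
  if openssl verify -CAfile "$WORK/ca.crt" "$WORK/$1" >/dev/null 2>&1; then
    echo ok
  else
    echo rejected
  fi
}

setup_pki
echo "hub.crt:   $(verify_device hub.crt)"     # ok
echo "rogue.crt: $(verify_device rogue.crt)"   # rejected
```

In a real deployment the CA key stays offline and the enrolment step (getting each device's certificate onto the field device) is the part of the procedure the operator has to organise company-wide.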

For easy implementation in existing networks, the security mechanisms have been defined as an additional data link layer in BACnet. In addition, the new standard is backward compatible in the current Revision 22: existing equipment can communicate with new BACnet/SC devices via corresponding routers. The investment is therefore protected.

Start now!

The first manufacturers are already coming onto the market with the devices needed to make a BACnet network SC-capable, so waiting and seeing is not an option. Operators should take action now, because security is not created simply by setting up BACnet/SC-capable devices or adding them to a network. Rather, it is first necessary to create a security awareness that includes everyone involved with a BACnet network.

Operators should also familiarize themselves with the details of Revision 22 in order to plan the transition: What does it mean to switch from UDP to TCP/IP with TLS? What is necessary from a technical perspective to make the transition as smooth as possible? Are additional devices or lines required? What needs to be done to create and sign digital certificates and upload them to the field devices? What tools are available for the changeover? Where can the mechanisms of the existing IT be reused?

As far as the new product range is concerned, BACnet/SC is a technology that most BA manufacturers will implement in the future. Smaller companies may be quicker to market with new products than larger ones. It may also be worth looking out for manufacturers who have worked on the current revision. It can also be useful for property operators to obtain advice in general or company-specific training courses. In this way, it will be possible to use BACnet/SC successfully in your own property.

MBS is at the forefront

MBS GmbH, which was actively involved in Revision 22, is gradually upgrading its products. Last year, together with Delta Controls, it provided all manufacturers with a free test environment for secure communication with BACnet/SC. This was the first German cooperation to offer encrypted data transmission via the Internet for a distributed test network.

BACeye/SC, the popular network diagnostics software, is now available and considerably simplifies the commissioning, maintenance, diagnosis and repair of building automation networks. BACeye/SC combines the features of the proven BACeye 2.0 tool with the full range of BACnet/SC functions - such as access restriction, authentication, authorization and encryption. It can be used in protected communication environments and allows encrypted browsing. Products of this type will contribute to the successful use of BACnet/SC in your own property.