BACnet/SC (BACnet Secure Connect)

Around 25 million devices currently exchange their data via BACnet, the first version of which was published in 1995. The cross-manufacturer communication standard now has its own security infrastructure and is therefore fit for the requirements of digitalization.

Closed networks and long innovation cycles - building automation initially had completely different requirements in terms of operational security than information technology (IT). However, internet technologies, the convergence of IT and building automation (BA) as well as cloud-based applications require a high level of protection for communication - such as access restriction, authentication, authorization and encryption.

Minimize risks

Added to this is the German government's KRITIS strategy. It has set itself the goal of protecting critical infrastructures that supply the state, economy and society with key goods and services. Whether an airport, chemical plant or municipal property - more and more BA operators have to prove that they can guarantee security of supply. This also applies to BACnet networks, which until now could only be secured accordingly at great expense. With BACnet Secure Connect (BACnet/SC), there is now a technology for establishing secure communication connections with comparatively little effort. Because what is common in IT will also ensure network and information security for building automation in the future.

A number of challenges need to be overcome in order to complete this process successfully. For example, security awareness in building automation is nowhere near as pronounced as in IT. Anyone scouring the Internet in search of unsecured BACnet networks, for example, will quickly - and often - find them. At the same time, building technology cannot simply be handed over to the security-proven IT administration without jeopardizing the device manufacturer's warranty. Pragmatic ways are therefore needed to implement the new standard in such a way that operators can use it without any problems. Accordingly, it now uses several mechanisms that have proven themselves in information technology.

From hub to node

First of all, the network topology changes visibly with BACnet/SC. Previously, the initial connection setup in BACnet was carried out with broadcasts, sometimes with the support of so-called BACnet Broadcast Management Devices (BBMD) - a method that is not common in IT. For this reason, a different approach was chosen for the configuration: Each network is given a central point, the so-called hub. It controls the data traffic between any number of nodes (end devices). It also analyzes the data traffic to determine whether information should be forwarded to a single node or all nodes. A direct connection can also be established for direct communication between two nodes.

At the same time, BACnet/SC contains a failover mechanism that ensures that the system remains functional even if the hub fails or is switched off for maintenance. This new topology considerably simplifies configuration, commissioning and management. At the same time, BBMDs and their configuration become superfluous.

Encryption and certificates

TCP (Transmission Control Protocol) with WebSocket is used for secure data transmission - two reliable mechanisms based on the Internet protocol IP, which is used almost everywhere in IT. TCP/IP replaces the UDP (User Data Protocol) network protocol layer previously used by BACnet and TLS is used for tap-proof and tamper-proof communication. TLS (Transport Layer Security) is also widely used in IT as the basis for secure web access (https).

For encryption, it should be noted that a company-wide procedure must be created for the necessary digital certificates. The certification and registration authorities responsible for the Internet as part of public key infrastructures are not specified in BACnet/SC. This allows a BA operator to take its individual network structures into account.

The security mechanisms have been defined as an additional data link layer in BACnet for easy implementation in existing networks. In addition, the new standard is downward compatible in the current revision 22. This has the advantage that existing equipment can communicate with new BACnet/SC devices via corresponding routers. Investment security is therefore guaranteed.

Start now!

However, it is already apparent that the first manufacturers are coming onto the market with the necessary devices to make a BACnet network SC-capable. Waiting and seeing is therefore not an option. Rather, operators should take action now, because security is not created simply by setting up or adding BACnet/SC-capable devices to a network. Rather, it is first necessary to create a security awareness that includes everyone involved with a BACnet network.

Operators should also familiarize themselves with the details of Revision 22 in order to plan the transition: What does it mean to switch from UDP to IP with TLS? What is necessary from a technical perspective to make the transition as smooth as possible? Are additional devices or lines required? What needs to be done to create and sign digital certificates and upload them to the field devices? What tools are available for the changeover? Where can you benefit from the mechanisms of the existing IT?

As far as the new product range is concerned, BACnet/SC is a technology that most BA manufacturers will implement in the future. Smaller companies may be quicker to market with new products than larger ones. It may also be worth looking out for manufacturers who have worked on the current revision. It can also be useful for property operators to obtain advice in general or company-specific training courses. In this way, it will be possible to use BACnet/SC successfully in your own property.

MBS is at the forefront

As far as the new product range is concerned, BACnet/SC is a technology that most BA manufacturers will implement in the future. MBS GmbH, which was actively involved in Revision 22, is also gradually upgrading its products. Last year, together with Delta Controls, it provided all manufacturers with a free test environment for secure communication with BACnet/SC. This was the first German cooperation to offer encrypted data transmission via the Internet for a distributed test network.

BACeye/SC, the popular software for network diagnostics, is now available, which considerably simplifies the commissioning, maintenance, diagnosis and repair of networks for building automation. BACeye/SC combines the features of the proven BACeye 2.0 tool with the full range of BACnet/SC functions - such as access restriction, authentication, authorization and encryption. It can be used in protected communication environments and allows encrypted browsing. Products of this type will contribute to the successful use of BACnet/SC in your own property.

Invitation to the virtual plugfest with BACnet/SC

A test environment for secure communication with BACnet/SC, which was set up on the initiative of Delta Controls with MBS GmbH, is now available to all manufacturers. "We would like to invite you to connect to our virtual platform free of charge," says Dusko Lukanic-Simpson, Managing Director of Delta Controls Germany GmbH in Leinfelden-Echterdingen. 

The aim is to set up multi-vendor communication to demonstrate to property operators that data exchange with BACnet/SC works well and securely. The impetus for this collaboration came from the consistent application of the new security infrastructure: Delta Controls initially linked test setups of its own building management system enteliWEB with BACnet/SC at its various company locations. In the next step, they were connected to products from MBS GmbH, whose Universal Router UBR 01, gateways and software are also already equipped with BACnet/SC. 

The two BACnet/SC pioneers welcome any manufacturer who would like to accompany them on this journey and are happy to make their network available. "There is now a BACnet/SC network that can be used as a test system for secure data communication regardless of location," emphasizes Nils-Gunnar Fritz, Managing Director of MBS GmbH in Krefeld. 

To the Plugfest ⟩