BACnet/SC I

A control center with globally distributed locations that are networked with each other via the Internet. Currently, data exchange in building automation via BACnet/IPv4 would only be possible if all locations were connected via VPN. Application examples include a company with globally distributed locations, a public authority with connected schools and gyms or a supermarket chain with its branches.

The building management system (BMS), which accesses the building's technical systems, is located in the control center. The interface to the World Wide Web is an Internet router with a firewall.

Data exchange via IPv4 is unencrypted. In addition, the control protocol DHCP (Dynamic Host Configuration Protocol) for the automatic assignment of IP addresses - advantageous for managing large networks - is not supported. In order to secure such GA networks, the complex construction of VPNs (Virtual Private Networks) was previously necessary.

In this example, the Internet router transmits the data to the UBR-01, which acts as a media converter with its integrated network card to translate the BACnet/IPv4 data protocol into BACnet/SC. Secondly, it encrypts the data communication.

The Internet IP router of the control center either has a static IP address to the Internet or its dynamic address can be resolved via dynamic DNS. Incoming data packets are forwarded to a UBR-01 via a defined port (port forwarding). The UBR-02 functions here as an SC hub and as a BACnet router in order to be able to continue using a BMS with BACnet/IPv4.

Below the central control center, two versions are shown of how the technical building systems at the distributed locations can be connected to the control technology in this scenario.

On the right-hand side, a router is used for data transmission between the local system and the Internet, for example an IP-capable DSL router. This does not have to be port forwarding-capable. The local network not only includes its own network with BACnet/IPv4-capable devices for building automation, but also other end devices, such as PCs in the administration. Communication is not separated, which means that the other devices in the network can see the IPv4 traffic in BACnet and influence it if necessary.

To make this location fit for BACnet/SC, a UBR-02 can be used, which contains two network cards. One of the network cards routes the data into the local network for the building automation, whose end devices are thus separated from the other devices in the rest of the local network and are therefore protected. The second network card connects the site network to the BACnet/SC hub in the control center via the local Internet router. In this way, encrypted data transmission is also ensured in communication between the site and the control center.

If there is only one Internet connection in a location that is shared by the GA network, the UBR-02 can provide the greatest possible security.

The scenario on the left shows a similar local network at a company location. However, apart from BACnet/IPv4-capable devices for building automation, it does not include any other end devices. An IP-capable DSL router is also used for data transmission between the local network and the Internet, which does not need to be port-forwarding-capable, as neither fixed nor dynamically assigned IP addresses are required here. 

In contrast to the scenario on the right, the existing BACnet is translated into BACnet/SC with a UBR-01 (with only one network card) and thus encrypted. In addition, the UBR-01 - with the same network card - communicates with the BMS in encrypted form via the DSL router.

This simpler variant can be useful if the local network does not contain any other devices and the Internet connection is used exclusively for building automation.