Our CTO of Cimetrics Jim Butler gave an interview to Automated Building.com whose April theme is Holistic Cybersecurity. Cybersecurity solutions cannot be a self-serving or an isolated approach they need to be part of a Holistic solution. And one of the parts is BACnet Secure Connect (BACnet/SC) - a popular alternative to BACnet/IP in the future. Here he explains the basics of BACnet/SC. Also, you can learn more details on BACnet/SC in this video:
For the past several years, the members of the BACnet IT working group I chair have been developing a more secure method of communication for BACnet based on widely used IT standards. This method exclusively applies to communication on IP networks, and we are calling it "BACnet/SC" or “BACnet Secure Connect.” I believe BACnet/SC will become a popular alternative to BACnet/IP in the future.
(Important note: At the time this article is being written BACnet/SC is approaching its third public review; it has not yet been approved for inclusion into the BACnet standard.)
BACnet/IP has been widely deployed since it was added to the BACnet standard in 1999. BACnet/IP does not have any built-in network security functionality, so the most common methods of securing BACnet/IP networks are to place BACnet/IP devices within VPNs and VLANs, which typically requires the cooperation of the customer’s IT department. These methods have provided adequate network security for many buildings, but there are many situations in which something different or something more is needed.
By contrast, BACnet/SC has its own network security mechanisms--it provides encryption of messages and device authentication. For that reason, I expect BACnet/SC devices will be able to be deployed on networks that lack other security mechanisms, including the public Internet. For additional security, BACnet/SC devices can be deployed within VLANs or VPNs.
The following table summarizes several significant differences between BACnet/IP and BACnet/SC:
Those who have a lot of experience deploying BACnet/IP-based systems are aware of some of its challenges. Perhaps the biggest challenge with BACnet/IP is managing BACnet broadcast messages in large systems. The BBMD (BACnet Broadcast Management Device) was invented to allow a single BACnet/IP network to span multiple IP subnetworks by forwarding BACnet broadcast messages through IP routers, but properly configuring BBMDs has proven to be tricky in large systems.
The standard does not require BACnet/IP devices to use static IP addresses, but most manufacturers recommend this configuration for all of their devices. By contrast, dynamic IP addresses are heavily used in mainstream IT networks. This has become a source of friction between BAS personnel and IT personnel as increasing numbers of BACnet/IP devices are connected to networks managed by the facility’s IT department.
With BACnet/SC we have solved many of the challenges of deploying BACnet on IP-based networks, but in the process, we have introduced a few new issues you will need to keep in mind. Increased security comes at a cost, and the working group is doing what it can do to make the cost manageable.
First of all, I should emphasize that BACnet/SC networks will be able to be connected to other BACnet networks (BACnet/IP, MS/TP, etc.) using BACnet routers. We haven’t changed the structure of any of the BACnet application layer and network layer messages.
BACnet/SC is based on standard, commonly used IT network protocols--WebSockets and TLS in particular. The use of TLS (a descendant of SSL) and digital certificates are the basis for the security features of BACnet/SC. TLS is widely used for secure communication between web browsers and web servers (the technology used in https:// web sites), so it is one of the most important Internet protocols.
To the relief of many, BACnet/SC does not use BBMDs! Instead, a BACnet/SC network will typically have one or two BACnet/SC hubs whose function is to forward both broadcast and unicast messages between BACnet/SC devices. Note that BACnet/SC hubs will only forward messages to/from BACnet/SC devices that have the right type of TLS certificate for a particular BACnet/SC network.
I have skipped over many important details of BACnet/SC in this short article. If you are interested in learning more, I encourage you to read the white paper "BACnet Secure Connect" written by members of the BACnet IT working group.
More about BACnet Security:
Comments will be approved before showing up.
cimetrics.com Legal Terms and Conditions
June 29, 2016
cimetrics.com (the "Site") is owned by Cimetrics Inc. ("Cimetrics").
PLEASE READ THESE TERMS AND CONDITIONS CAREFULLY BEFORE USING THIS SITE. YOU MAY NOT USE THIS SITE IF YOU DO NOT ACCEPT THE TERMS AND CONDITIONS.
The information herein provided is for general informative purposes only, and no warranties or representations are made with respect thereto. The information may contain inaccuracies or typographical errors. The information provided is subject to change at any time, and without notice. Changed information may include, but is not limited to, technical specifications and pricing. Binding declarations are only given after detailed enquiries.
BECAUSE THE INFORMATION IS NOT WARRANTED, ALL LIABILITY FOR THE ACCURACY OF THE INFORMATION IS EXPRESSLY EXCLUDED.
If you have been given a Password in order to gain access to certain information on this Site, or any other affiliates’ website, then you agree, as a condition of receiving said Password, that you shall keep the Password confidential. You shall only disclose the Password to your employees or agents who have a need to know. You are solely responsible for all activities that occur using your Password.
If you become aware of any unauthorized use of your Password, you agree to notify Cimetrics immediately. Cimetrics reserves the right to revoke your Password access at any time for any reason whatsoever.
Copyrights and Trademarks
All information provided on the web pages of Cimetrics.com is protected by copyright. It is prohibited to copy, process, modify or commercially distribute this information without the express written permission of Cimetrics.
Analytika, Infometrics, Metermetrics, BACstac, BACstac/DN, Secured by Cimetrics™ and BAS-o-matic are trademarks or registered trademarks of Cimetrics. The Analytika, Cimetrics, Infometrics and Metermetrics logos are trademarks or registered trademarks of Cimetrics. All other trademarks are owned by their respective companies.
Links to Other Websites