Introduction to BACnet/SC - A Secure Alternative to BACnet/IP

by Svetlana Lyons March 28, 2019

Jim Butler, CTO of Cimetrics, gave an interview to AutomatedBuildings.com, whose April theme is Holistic Cybersecurity: "Cybersecurity solutions cannot be a self-serving or an isolated approach; they need to be part of a holistic solution." One part of such a solution is BACnet Secure Connect (BACnet/SC), which is expected to become a popular alternative to BACnet/IP in the future. Here he explains the basics of BACnet/SC. You can also learn more details on BACnet/SC in the video accompanying the original post:


For the past several years, the members of the BACnet IT working group I chair have been developing a more secure method of communication for BACnet based on widely used IT standards. This method exclusively applies to communication on IP networks, and we are calling it "BACnet/SC" or "BACnet Secure Connect." I believe BACnet/SC will become a popular alternative to BACnet/IP in the future.

(Important note: At the time this article is being written BACnet/SC is approaching its third public review; it has not yet been approved for inclusion into the BACnet standard.)

BACnet/IP has been widely deployed since it was added to the BACnet standard in 1999.  BACnet/IP does not have any built-in network security functionality, so the most common methods of securing BACnet/IP networks are to place BACnet/IP devices within VPNs and VLANs, which typically requires the cooperation of the customer’s IT department. These methods have provided adequate network security for many buildings, but there are many situations in which something different or something more is needed.

By contrast, BACnet/SC has its own network security mechanisms--it provides encryption of messages and device authentication. For that reason, I expect BACnet/SC devices will be able to be deployed on networks that lack other security mechanisms, including the public Internet.  For additional security, BACnet/SC devices can be deployed within VLANs or VPNs.

The following table summarizes several significant differences between BACnet/IP and BACnet/SC:

[Table: BACnet/IP and BACnet/SC comparison (the table image is not reproduced in this extraction)]

Those who have a lot of experience deploying BACnet/IP-based systems are aware of some of its challenges. Perhaps the biggest challenge with BACnet/IP is managing BACnet broadcast messages in large systems. The BBMD (BACnet Broadcast Management Device) was invented to allow a single BACnet/IP network to span multiple IP subnetworks by forwarding BACnet broadcast messages through IP routers, but properly configuring BBMDs has proven to be tricky in large systems. 

The standard does not require BACnet/IP devices to use static IP addresses, but most manufacturers recommend this configuration for all of their devices. By contrast, dynamic IP addresses are heavily used in mainstream IT networks. This has become a source of friction between BAS personnel and IT personnel as increasing numbers of BACnet/IP devices are connected to networks managed by the facility’s IT department.

With BACnet/SC we have solved many of the challenges of deploying BACnet on IP-based networks, but in the process, we have introduced a few new issues you will need to keep in mind.  Increased security comes at a cost, and the working group is doing what it can do to make the cost manageable.

First of all, I should emphasize that BACnet/SC networks will be able to be connected to other BACnet networks (BACnet/IP, MS/TP, etc.) using BACnet routers. We haven’t changed the structure of any of the BACnet application layer and network layer messages.

BACnet/SC is based on standard, commonly used IT network protocols--WebSockets and TLS in particular. The use of TLS (a descendant of SSL) and digital certificates are the basis for the security features of BACnet/SC. TLS is widely used for secure communication between web browsers and web servers (the technology used in https:// web sites), so it is one of the most important Internet protocols.

To the relief of many, BACnet/SC does not use BBMDs! Instead, a BACnet/SC network will typically have one or two BACnet/SC hubs whose function is to forward both broadcast and unicast messages between BACnet/SC devices. Note that BACnet/SC hubs will only forward messages to/from BACnet/SC devices that have the right type of TLS certificate for a particular BACnet/SC network.
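To make the two points in that paragraph concrete, the following is an added, deliberately simplified model of a BACnet/SC hub (example code, not from the article, the working group, or Cimetrics; it does not reproduce the BACnet/SC wire format). The `Certificate` record stands in for an X.509 certificate and the `issuer` check stands in for the TLS handshake's certificate validation: a node whose certificate was not issued for this network never becomes a member, and the hub relays unicast to one member and broadcast to every other member, so no BBMD is involved. All names (`Building-A-CA`, `ahu-1`, `rogue`, the `Who-Is`/`I-Am` payloads) are constructed sample values.

```python
from dataclasses import dataclass, field

BROADCAST = "*"  # constructed marker meaning "deliver to all other members"


@dataclass(frozen=True)
class Certificate:
    """Minimal stand-in for an X.509 certificate: subject and issuing CA only."""
    subject: str
    issuer: str


@dataclass
class Node:
    name: str
    cert: Certificate
    inbox: list = field(default_factory=list)  # (sender, payload) tuples received


class Hub:
    """Toy BACnet/SC hub: admits only nodes whose certificate was issued by the
    network's CA, then forwards unicast and broadcast messages between members."""

    def __init__(self, network_ca: str):
        self.network_ca = network_ca
        self.members = {}   # name -> Node, only nodes that passed the cert check
        self.rejected = []  # names of nodes that failed the cert check

    def connect(self, node: Node) -> bool:
        # Stand-in for TLS certificate validation: wrong issuer, no session.
        if node.cert.issuer != self.network_ca:
            self.rejected.append(node.name)
            return False
        self.members[node.name] = node
        return True

    def forward(self, src: str, dst: str, payload: str) -> list:
        """Relay one message; returns the list of members it was delivered to."""
        if src not in self.members:
            raise PermissionError(f"{src} is not a member of this hub")
        if dst == BROADCAST:
            targets = [n for n in self.members if n != src]
        else:
            targets = [dst] if dst in self.members else []  # unknown dst: dropped
        for name in targets:
            self.members[name].inbox.append((src, payload))
        return targets


def demo():
    """Constructed scenario: three legitimate devices and one with a foreign cert."""
    hub = Hub(network_ca="Building-A-CA")
    devices = [Node(n, Certificate(n, "Building-A-CA")) for n in ("ahu-1", "vav-7", "bms")]
    devices.append(Node("rogue", Certificate("rogue", "Some-Other-CA")))
    for dev in devices:
        hub.connect(dev)
    who_is = hub.forward("bms", BROADCAST, "Who-Is")   # broadcast, no BBMD needed
    i_am = hub.forward("ahu-1", "bms", "I-Am")         # unicast reply to one member
    return hub, who_is, i_am
```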

I have skipped over many important details of BACnet/SC in this short article. If you are interested in learning more, I encourage you to read the white paper "BACnet Secure Connect" written by members of the BACnet IT working group.

More about BACnet Security:

Proposed Data Link Would Improve the Network Security of BACnet-based Building Automation Systems

Current Status of Cyber Security in the BAS Industry

