BACnet Secure Connect (BACnet/SC) and BAS / BMS Cybersecurity

BACnet Security Challenges

BACnet started as a serial-based protocol, and building operational technology (OT) systems were generally not connected to other systems inside or outside the building. Security was therefore not built into the protocol, and messages were sent in plain text. The standard was later extended to run over IP networks as BACnet/IP. When BACnet/IP was introduced, building automation and management systems (BAS/BMS) were still not typically connected to the Internet, and messages remained plain text, readable with widely available packet sniffers such as Wireshark. Now that BAS/BMS are widely connected to the Internet and to internal IT systems, the need for BACnet security has greatly increased, since anyone with access to the network can monitor and manipulate BACnet/IP traffic. Cyberattacks on BACnet devices can include changing setpoints, changing permissions, disabling alarms, injecting false values, and using the devices as a foothold for attacking other IT systems. The impact can range from occupant safety issues, data loss and financial loss to the complete shutdown of a building. To improve BACnet security, BACnet Secure Connect (BACnet/SC) was introduced.

What is BACnet Secure Connect (BACnet/SC)?

BACnet Secure Connect (BACnet/SC) is an addendum to the existing BACnet standard that uses the TLS protocol to authenticate devices on a building automation network and to encrypt their communication. TLS is the same protocol that secures online banking and shopping sessions.

BACnet/SC is defined in Annex AB of ASHRAE Standard 135-2020 (the BACnet standard), which describes it as a secure, encrypted datalink layer designed to meet the requirements, policies and constraints of IP networking infrastructures.

Key Terms for BACnet Secure Connect

Below are some key terms to be familiar with in relation to BACnet/SC:

Authentication:

Every device on a BACnet/SC network has its identity verified before it is allowed to communicate on the network. Authentication is mutual: the node verifies the hub's certificate and the hub verifies the node's. A device that cannot be authenticated cannot join the network and cannot communicate with verified devices.

Certificate:

A digital certificate, issued by a certificate authority (CA) that the other devices on the network trust, is used to authenticate each device. Certificates have a defined lifetime and should be replaced regularly, before they expire.

Encryption:

All traffic on a BACnet/SC network is encrypted with TLS, preventing bad actors from reading traffic they capture from the network. Note that encryption is applied per connection: the hub terminates each node's TLS connection and re-encrypts the messages it forwards, so the hub itself sees forwarded traffic in the clear and must be protected accordingly. Protection against messages being altered in transit comes from the integrity checks described next.

Integrity:

Information sent over a BACnet/SC connection is verified to be authentic, unaltered data from the original source; TLS detects any modification of a message in transit and rejects the message.

Compatibility between BACnet/IP and BACnet/SC

BACnet/IP and BACnet/SC traffic can coexist on the same physical network, but BACnet/IP devices and BACnet/SC devices cannot communicate with each other directly. A BACnet router (or gateway) with both a BACnet/IP port and a BACnet/SC port must forward messages between the two networks.

Comparison between BACnet/IP and BACnet/SC

Data security
  BACnet/IP: Messages are unencrypted and readable as plaintext with a packet sniffer.
  BACnet/SC: Messages are encrypted with TLS 1.3; the standard provides 128- and 256-bit cipher options and uses elliptic-curve (ECC) keys and certificates.

Transport protocol
  BACnet/IP: UDP over IP.
  BACnet/SC: TCP over IP.

Datalink encapsulation
  BACnet/IP: BACnet-defined virtual link layer (BVLC) carried directly in UDP datagrams.
  BACnet/SC: Standard IT protocols: BACnet/SC messages are carried over secure WebSockets (wss://), whose connection setup is an HTTPS request upgraded to a WebSocket.

Network routing
  BACnet/IP: IP broadcasts (for example Who-Is) add to network load, and BACnet Broadcast Management Devices (BBMDs) are needed to carry them across IP subnets.
  BACnet/SC: No IP broadcasts; the hub relays BACnet broadcast messages to every connected node, so no BBMDs are needed. Nodes connect outbound to the hub's address and do not need static IP addresses.

Network topology
  BACnet/IP: Various.
  BACnet/SC: Centralized hub and spoke: every node keeps a TLS connection to a primary hub (with an optional failover hub); direct node-to-node connections are optional.

BACnet Secure Connect Certificate Management

Each BACnet/SC device must have a valid certificate installed to be authenticated for communicating with other authorized BACnet/SC devices. The BACnet standard defines where a device's operational certificate, issuer certificates and certificate signing request are stored (as files referenced from the device's Network Port object), but it does not define how certificates are issued, distributed or renewed; installing and managing certificates is left to each vendor. To maintain a high level of security in the long term, certificates must be replaced regularly. Since this is currently a manual process, there is a tendency to choose long certificate lifetimes (e.g. 5 or 10 years) to reduce certificate management expenses, which means a compromised key stays usable for years. Multi-vendor environments add a further challenge: when one vendor's tool issues certificates for another vendor's devices, that vendor learns which equipment the other vendor has installed. The BACnet/SC Interoperability Acceleration Program is intended to help suppliers efficiently generate, exchange and manage these certificates, to simplify system integration.
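As an added example (not code from the original page or from Veridify), the Go program below exercises the authentication, certificate and encryption terms defined earlier and the certificate lifetime problem described in this section: a site CA issues certificates to a hub and a node, the node completes a TLS 1.3 mutually authenticated handshake with the hub, a node certified by a different CA is refused, and checkLifetime flags a certificate whose validity period exceeds a site policy. It stands in for BACnet/SC's real transport with plain TLS over loopback TCP (BACnet/SC runs TLS under a WebSocket connection); the names hub.example and node-1.example, the ECDSA P-256 keys, the single site CA and the 398-day policy are all assumptions of the example, not anything the standard or a vendor prescribes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// identity is a certificate plus its private key, the pair a BACnet/SC hub or node holds as its
// operational certificate. ECDSA P-256 keys and a single site CA are assumptions of this example.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for name valid for lifetime, signed by parent, or self-signed as a
// CA when parent is nil.
func issue(name string, lifetime time.Duration, parent *identity) (*identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: name}, DNSNames: []string{name},
		NotBefore: now.Add(-time.Minute), NotAfter: now.Add(lifetime), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent.cert, parent.key
	} else { // no parent: self-signed CA
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, tmpl.KeyUsage|x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &identity{cert, key}, err
}

// handshake runs a TLS 1.3 mutually authenticated handshake between a hub (TLS server) and a
// node (TLS client) over loopback TCP. Both sides trust only certificates chaining to ca, so a
// node certified by any other issuer is refused. It returns the negotiated TLS version and the
// first error either side reported.
func handshake(ca, hub, node *identity) (uint16, error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	hubCert := tls.Certificate{Certificate: [][]byte{hub.cert.Raw}, PrivateKey: hub.key}
	nodeCert := tls.Certificate{Certificate: [][]byte{node.cert.Raw}, PrivateKey: node.key}
	hubCfg := &tls.Config{MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{hubCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool}
	nodeCfg := &tls.Config{MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{nodeCert},
		RootCAs: pool, ServerName: hub.cert.Subject.CommonName}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", hubCfg)
	if err != nil {
		return 0, err
	}
	defer ln.Close()
	hubErr := make(chan error, 1)
	go func() { // hub side: accept the node's connection and run the server half of the handshake
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		hubErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), nodeCfg) // node side; Dial performs the handshake
	if err != nil {
		return 0, err
	}
	defer conn.Close()
	if err := <-hubErr; err != nil {
		return 0, err
	}
	return conn.ConnectionState().Version, nil
}

// checkLifetime returns a certificate's total lifetime and remaining days, and whether the
// lifetime exceeds the site policy maxDays, so over-long certificates (such as the 5- or
// 10-year ones issued to avoid manual renewal) can be flagged.
func checkLifetime(c *x509.Certificate, maxDays int, now time.Time) (lifetime, left int, tooLong bool) {
	lifetime = int(c.NotAfter.Sub(c.NotBefore).Hours() / 24)
	left = int(c.NotAfter.Sub(now).Hours() / 24)
	return lifetime, left, lifetime > maxDays
}

func main() {
	const year = 365 * 24 * time.Hour
	ca, _ := issue("site-ca", 10*year, nil) // issue errors ignored for brevity in this demo
	hub, _ := issue("hub.example", year, ca)
	node, _ := issue("node-1.example", year, ca)
	rogueCA, _ := issue("rogue-ca", 10*year, nil)
	rogue, _ := issue("node-2.example", 10*year, rogueCA) // certified by a CA the hub does not trust
	v, err1 := handshake(ca, hub, node)
	_, err2 := handshake(ca, hub, rogue)
	fmt.Printf("node-1: tls=%#x err=%v\nnode-2: err=%v\n", v, err1, err2)
	fmt.Println(checkLifetime(rogue.cert, 398, time.Now()))
}
```

The hub refuses node-2 because its certificate does not chain to the site CA, regardless of the node's IP address or BACnet device instance, which is what "unverified devices cannot join the network" means in practice. What the example does not cover is exactly the part the standard leaves to vendors: generating the node's signing request, getting it signed by the site CA, installing the result on the device and repeating that before NotAfter, which is the renewal work that pushes sites toward the long lifetimes checkLifetime flags.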

Veridify’s DOME platform supports automated certificate management to easily support the deployment and updating of BACnet/SC certificates at scale, eliminating the challenge of manual updating, multi-vendor interoperability, and multi-vendor privacy.

Contact Veridify to learn more about BACnet/SC automated certificate management