BACnet Security Challenges
BACnet started as a serial-based protocol, and building operational technology (OT) systems were generally not connected to other systems inside or outside the building. There was therefore no security built into the protocol, and messages were sent in plaintext. The standard was later extended to IP networks as BACnet/IP. When BACnet/IP was introduced, building management systems (BAS/BMS) were still not typically connected to the Internet, so messages remained plaintext, readable with widely available packet sniffers such as Wireshark. Now that BAS/BMS are widely connected to the Internet and to internal IT systems, the need for BACnet security has greatly increased, because an attacker who reaches the network can monitor and manipulate BACnet/IP traffic with no credentials at all. Attacks on BACnet devices can include changing setpoints, changing permissions, disabling alarms, injecting false values, and pivoting from the BAS to other IT systems. The impact can include occupant safety issues, data loss, financial loss, and the complete shutdown of a building. To improve BACnet security, BACnet Secure Connect (BACnet/SC) was introduced.
What is BACnet Secure Connect (BACnet/SC)?
BACnet Secure Connect (BACnet/SC) is an addendum to the existing BACnet specification that uses the TLS protocol to authenticate devices on a building automation network and to encrypt their communication. TLS is the same protocol that secures online banking and shopping sessions.
BACnet/SC is defined in Annex AB of ASHRAE Standard 135-2020 (the BACnet standard), which describes it as a secure, encrypted datalink layer designed to meet the requirements, policies, and constraints of IP networking infrastructures. It replaces the datalink beneath BACnet; the BACnet application messages themselves are unchanged.
Key Terms for BACnet Security
Below are some key security terms to be familiar with for building controls:
Authentication:
Ensuring that every device on the building network has its identity verified before it is granted access to communicate on the network. An unauthenticated device cannot join the network and cannot communicate with verified devices.
Certificate:
A digital certificate is used to authenticate devices. Certificates have a defined lifetime and should be replaced regularly.
Encryption:
Encryption is a way to encode information so that no one can read it without the keys to decode it. On its own it stops an attacker who intercepts traffic from reading it; TLS pairs it with authentication and the integrity protection described below, so an attacker also cannot forge or alter commands to change how the system operates.
Integrity:
Information sent through a secure connection is verified to be authentic, unaltered data from the original source.
Compatibility between BACnet/IP and BACnet/SC
BACnet/IP and BACnet/SC traffic can coexist on the same physical network, but BACnet/IP devices and BACnet/SC devices cannot communicate with each other directly. A BACnet router or gateway with both a BACnet/IP port and a BACnet/SC port must pass traffic between the two networks.
Comparison between BACnet/IP and BACnet/SC
Capability | BACnet/IP | BACnet/SC |
---|---|---|
Data Security | Messages are unencrypted and readable as plaintext with a packet sniffer | Messages are encrypted and authenticated with TLS 1.3, using AES-GCM cipher suites with 128- or 256-bit keys and elliptic-curve (ECC) certificates and key exchange |
Transport Protocol | UDP over IP | TCP over IP |
Datalink Encapsulation | BACnet-defined BACnet Virtual Link Layer (BVLL) messages carried in UDP datagrams | Standard IT protocols: a secure WebSocket (wss://) carried over TLS, opened with an HTTPS upgrade handshake |
Network Routing | IP broadcasts that add to network load; BBMDs with static IP addresses are needed to cross subnets | No IP broadcasts: BACnet broadcasts are relayed by the hub as unicast messages, so no BACnet Broadcast Management Devices (BBMD) and no static IP addresses are required |
Network Topology | Various | Centralized hub and spoke (a primary hub, an optional failover hub, and optional direct node-to-node connections) |
BACnet Secure Connect Certificate Management
Each BACnet/SC device must have a valid certificate installed to be authenticated for communication with other authorized BACnet/SC devices. The BACnet standard does not specify how certificates are to be issued and managed; installing and managing them is left to each vendor. To maintain a high level of security over time, certificates must be replaced regularly. Because this is currently a manual process, there is a tendency to use long certificate lifetimes (e.g. 5 or 10 years) to reduce certificate management expense, which also lengthens the window in which a leaked or compromised device key remains trusted. Multi-vendor environments add a further challenge: managing certificates can reveal to one vendor what equipment another vendor has installed. The BACnet/SC Interoperability Acceleration Program is intended to help suppliers efficiently generate, exchange, and manage these files to simplify system integration.
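The trust model described in the sections above (a network CA issuing per-device certificates, a hub that admits only nodes whose certificates chain to that CA, and a bounded certificate lifetime) as an added example. This is illustrative Go written for this page, not code from Veridify, ASHRAE, or any BACnet/SC implementation, and it deliberately stops at the certificate decisions: it does not implement the BACnet/SC WebSocket framing. The CA names, node hostnames, and the two-year lifetime policy are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Rotation policy for this example. Annex AB fixes no lifetime; two years is an assumption.
const maxOperationalLifetime = 2 * 365 * 24 * time.Hour

// Sequential serials keep the example deterministic; a production CA uses random serials.
var serialCounter int64 = 1

// signAndParse signs tmpl with the issuer's key and returns the parsed certificate.
func signAndParse(tmpl, issuer *x509.Certificate, key, issuerKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// NewNetworkCA creates the self-signed P-256 CA that anchors trust for one BACnet/SC
// network: a node is trusted only if its operational certificate chains to this CA.
func NewNetworkCA(name string, now time.Time) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Minute),
		NotAfter:              now.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return signAndParse(tmpl, tmpl, key, key)
}

// IssueOperationalCert issues one node's certificate, signed by the network CA, for the
// validity window the operator chose; the hostname goes into the SAN so peers can check it.
func IssueOperationalCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string,
	now time.Time, lifetime time.Duration) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serialCounter++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serialCounter),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    now.Add(-time.Minute),
		NotAfter:     now.Add(lifetime),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		// A node accepts connections (hub role) and opens them (node role), so allow both.
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	return signAndParse(tmpl, ca, key, caKey)
}

// AuthenticateNode is the check a hub applies to a connecting node's certificate: it must
// chain to the network CA, be inside its validity window at now, and allow client auth.
func AuthenticateNode(cert *x509.Certificate, roots *x509.CertPool, now time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:       roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

// CheckLifetimePolicy flags certificates whose validity window exceeds the rotation policy.
func CheckLifetimePolicy(cert *x509.Certificate) error {
	if life := cert.NotAfter.Sub(cert.NotBefore); life > maxOperationalLifetime {
		return fmt.Errorf("%s: lifetime of %.0f days exceeds policy of %.0f days",
			cert.Subject.CommonName, life.Hours()/24, maxOperationalLifetime.Hours()/24)
	}
	return nil
}

func main() {
	now, year := time.Now(), 365*24*time.Hour
	ca, caKey, _ := NewNetworkCA("Building Network CA", now)
	otherCA, otherKey, _ := NewNetworkCA("Some Other Vendor CA", now)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	enrolled, _, _ := IssueOperationalCert(ca, caKey, "vav-101.building.example", now, year)
	foreign, _, _ := IssueOperationalCert(otherCA, otherKey, "vav-102.building.example", now, year)
	longLived, _, _ := IssueOperationalCert(ca, caKey, "ahu-1.building.example", now, 10*year)
	fmt.Println("enrolled node:        ", AuthenticateNode(enrolled, roots, now))
	fmt.Println("node from other CA:   ", AuthenticateNode(foreign, roots, now))
	fmt.Println("enrolled, 2 years on: ", AuthenticateNode(enrolled, roots, now.Add(2*year)))
	fmt.Println("10-year certificate:  ", CheckLifetimePolicy(longLived))
}
```

The same decision is what the TLS layer makes on a hub's behalf: a hub's `tls.Config` with `MinVersion: tls.VersionTLS13`, `ClientAuth: tls.RequireAndVerifyClientCert` and `ClientCAs` set to this pool performs exactly the `Verify` call in `AuthenticateNode` during the handshake, and a node's config sets `RootCAs` to the same pool and `ServerName` to the hub's hostname. Running `CheckLifetimePolicy` at enrollment is how an automated tool prevents the 5- and 10-year certificates the previous paragraph warns about from entering the network in the first place.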
Veridify’s DOME platform supports automated certificate management for deploying and updating BACnet/SC certificates at scale, removing the need for manual updates and addressing multi-vendor interoperability and multi-vendor privacy.
Beyond BACnet/SC - DOME's Value-Add Capabilities
DOME and BACnet/SC both provide the following core capabilities:
- Support BACnet/IP
- Device Authentication
- Encryption of Packet-Level Data
DOME provides the following additional capabilities for more comprehensive automation security and to make deploying a secure BACnet network easy:
- Supports other protocols: Fox, Modbus TCP, SNMP, H.264, DNP3, Ethernet/IP, HART-IP (any TCP/UDP protocol)
- Provides security for existing, installed devices
- Extends BACnet/SC-level protections to existing, installed devices
- Complete system solution with a cloud-based management platform
- Maintains existing network topology
- Supports BACnet Broadcast Management Devices (BBMD)
- Easily deployed by existing technicians
- No cybersecurity expertise needed
- Automated third-party certificate management
- End-to-end NIST Zero-Trust Compliance
- Authenticates BACnet MS/TP devices behind a BACnet Gateway
- Prevents unauthorized access to device management features and other non-BACnet services
- Extensible for future support of end-to-end encryption across BACnet/IP to BACnet MS/TP