Your introduction to BACnet Secure Connect

BACnet Secure Connect (BACnet/SC) with David Fisher and Bernhard Isler
Chatting with Bernhard Isler and David Fisher on BACnet/SC

Everyone’s growing more aware of the need for cybersecurity. There have been so many cyberattacks in recent years, it’s almost impossible to ignore. But there’s long been a view that cybersecurity is only an IT issue. Historically, building automation with BACnet has taken a different approach to cybersecurity, leading to confusion.

That’s changing in a big way with BACnet Secure Connect (BACnet/SC). This new technology will help keep your networks secure going forward, with new best practices that are IT-friendly and still backwards compatible with existing BACnet systems. But what does it all mean, and what do you need to know?

We recently hosted a webinar on BACnet/SC with special guests Bernhard Isler from Siemens and David Fisher from PolarSoft, two main figures behind BACnet/SC. We talked about how BACnet Secure Connect will affect everyday users, and what else you should know about keeping your systems secure.

Watch our webinar recording below, and be sure to download Bernhard Isler, David Fisher, and Michael Osborne's whitepaper on BACnet Secure Connect. The diagrams in this webinar and blog post were from the BACnet/SC whitepaper, published by ASHRAE. 

The opinions expressed in this webinar are those of the authors, and do not necessarily represent the views of ASHRAE, SSPC 135, Siemens, PolarSoft, or Optigo Networks.

As BACnet/SC is not yet a published standard, it is possible that in its final form BACnet/SC may deviate from what is presented here.

We dug into a lot of topics, including:

  • Why BACnet Secure Connect? (from 2:30 to 6:07)
  • What does BACnet look like pre-Secure Connect? (from 6:07 to 8:36)
  • What does pre-BACnet/SC over Internet look like? (from 8:36 to 9:54)
  • What is BACnet/SC? (from 9:54 to 14:17)
  • Hubs, and their role in BACnet/SC
  • How does the backward compatibility work? (from 25:23 to 36:53)
  • The BACnet/SC timeline (from 36:53 to 42:38)
  • Questions and final remarks (from 42:38 onwards)

Read our Q&A with David and Bernhard from our BACnet/SC webinar!

What is BACnet Secure Connect?

As David and Bernhard explained, BACnet Secure Connect is a way to transmit BACnet messages in a secure fashion.

What does this security look like? Well, it’s a lot more IT-friendly. It employs accepted IT standards for security (TLS 1.3), strong encryption, and it functions across both firewalls and the public Internet. Don’t worry, though, BACnet/SC is also 100% backward-compatible with the systems you have installed today. David and Bernhard stressed that in order to use BACnet/SC, you don’t have to throw anything away, and you won’t be losing any BACnet capability in an existing system.

Why was BACnet Secure Connect developed?

BACnet Secure Connect was originally developed to address certain features of BACnet/IP that were not IT-friendly. So, the working group began discussing how to make BACnet more IT-friendly and, by extension, more secure.

Traditional BACnet

Traditional BACnet, with no Secure Connect

Traditional BACnet systems are often secured through Virtual Private Networks (VPNs) and the like. This helps prevent hackers from seeing and joining the network’s BACnet traffic, but it requires a fair bit of setup, which isn’t always a simple process. Many other BACnet systems aren’t secured at all, through VPNs or otherwise. In these cases, the system runs totally open, so the BACnet messages are not secure and they are visible to anyone.

Now, if BACnet is not run over the Internet, the hackers would need physical access to the facility in order to attack the system.

Traditional BACnet with no Secure Connect, run over the Internet

If BACnet is run over the Internet, however, hackers do not need physical access to the facility in order to attack the system. This is where VPNs or some other form of security is even more important on the BACnet system. Again, though, VPNs often require a lot of setup, maintenance, and management.

There was a clear need for a simpler form of robust security for BACnet systems, and the working group stepped up with BACnet/SC.

How does BACnet Secure Connect work?

BACnet Secure Connect uses WebSocket connections over TLS for BACnet message transport. The BACnet messages stay the same, but they are strongly encrypted in transport. And you can’t just plug in a BACnet device and begin communicating with other devices on the network: BACnet/SC requires that devices have a properly signed certificate on the device to join the network.
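The paragraph above names two security properties of the transport: TLS 1.3 and a certificate requirement for every device that joins. The block below is an added illustration, not code from the webinar, the whitepaper or any BACnet/SC implementation, of what those properties look like at the TLS layer in Python's standard `ssl` module, with the WebSocket layer left out. Both sides authenticate with certificates issued by the site's own CA (mutual TLS); the CA, certificate and key paths are placeholders, and `is_bacnet_sc_ready` is my own audit helper that checks a context before it is used.

```python
import ssl

# Placeholder paths: a real deployment points these at the site CA
# certificate and at the device's own certificate and private key.
SITE_CA = "/etc/bacnet-sc/site-ca.pem"
OWN_CERT = "/etc/bacnet-sc/device.crt"
OWN_KEY = "/etc/bacnet-sc/device.key"


def hub_tls_context(cafile=None, certfile=None, keyfile=None):
    """TLS context for the hub (server) side of a BACnet/SC connection.

    Refuses anything older than TLS 1.3 and requires the connecting node to
    present a certificate. With CERT_REQUIRED and no CA loaded, OpenSSL can
    validate nobody, so the hub fails closed rather than open.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED
    if cafile:
        ctx.load_verify_locations(cafile=cafile)      # which signers we trust
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)        # the hub's own identity
    return ctx


def node_tls_context(cafile=None, certfile=None, keyfile=None):
    """TLS context for a node (client) connecting to a hub.

    Built from a bare client context on purpose: the node should trust only
    the site CA, not the operating system's public CA bundle.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)     # hostname check on,
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3      # CERT_REQUIRED default
    if cafile:
        ctx.load_verify_locations(cafile=cafile)
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)        # the node's own cert
    return ctx


def is_bacnet_sc_ready(ctx):
    """Audit helper: does this context enforce what the page describes?"""
    return (ctx.minimum_version == ssl.TLSVersion.TLSv1_3
            and ctx.verify_mode == ssl.CERT_REQUIRED)


if __name__ == "__main__":
    # Contexts are built without files here so the script runs anywhere;
    # wrap a socket with ctx.wrap_socket(sock, server_side=True) on the hub
    # and ctx.wrap_socket(sock, server_hostname="hub.example") on the node.
    hub = hub_tls_context()
    node = node_tls_context()
    print("hub enforces TLS 1.3 + client cert:", is_bacnet_sc_ready(hub))
    print("node enforces TLS 1.3 + server cert:", is_bacnet_sc_ready(node))
```

The point worth checking in a real deployment is the second function: a client context created with `ssl.create_default_context()` would also trust every public CA on the machine, which is not what a closed site CA is for.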

How does BACnet Secure Connect work?

Note that the "hub" in the BACnet/SC sense is not the physical network hub that many out there are likely used to. The term is used because it logically follows the idea of a "hub," just as a bicycle wheel has a hub, or WhatsApp uses a logically central service for distributing messages.

A BACnet/SC hub is a software function that can be on a router or other hardware, or it can be completely virtual. No change is required for existing switch-based Ethernet and other IP infrastructure.

Hubs in BACnet Secure Connect can deliver broadcasts

Hubs in BACnet/SC can deliver broadcasts, as well, taking on part of the functionality of BACnet Broadcast Management Devices (BBMDs). Ergo, you don’t need BBMDs anymore; they’re just unnecessary in this scenario.

Now, the hub is of course playing a central role to the BACnet network here, so losing functionality on the hub would be a big problem. That’s why you can implement redundant hubs, for failover protection.
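The three paragraphs above describe the hub's role: every node holds a connection to the hub, the hub forwards unicast messages and fans broadcasts out to the other nodes (the job BBMDs did for BACnet/IP), and a redundant hub takes over when the primary fails. The following is an added, simplified in-memory model of that topology written for this post; it is not code from the webinar or from the BACnet/SC standard. Node names, the `BROADCAST` marker, the message tuples and the boolean standing in for "has a properly signed certificate" are all my own simplifications.

```python
BROADCAST = "*"   # constructed marker for a broadcast destination


class Hub:
    """Logical hub: admits authenticated nodes and relays their messages."""

    def __init__(self, name):
        self.name = name
        self.nodes = {}      # node name -> Node, only nodes this hub admitted
        self.up = True

    def admit(self, node):
        # The page: a device needs a properly signed certificate to join.
        # Here that outcome is reduced to a flag set by the node's TLS layer.
        if not self.up:
            raise ConnectionError(f"hub {self.name} is down")
        if not node.authenticated:
            raise PermissionError(f"{node.name}: certificate not accepted")
        self.nodes[node.name] = node
        node.hub = self

    def forward(self, src, dst, payload):
        """Deliver one message; returns how many nodes received it."""
        if dst == BROADCAST:
            targets = [n for name, n in self.nodes.items() if name != src]
        else:
            targets = [self.nodes[dst]] if dst in self.nodes else []
        for n in targets:
            n.inbox.append((src, payload))
        return len(targets)

    def fail(self):
        """Simulate the hub going down: every connection is dropped."""
        self.up = False
        for n in list(self.nodes.values()):
            n.hub = None
        self.nodes.clear()


class Node:
    """A BACnet/SC node configured with a primary hub and failover hub(s)."""

    def __init__(self, name, hubs, authenticated=True):
        self.name = name
        self.hubs = hubs            # [primary, failover, ...] in preference order
        self.authenticated = authenticated
        self.hub = None
        self.inbox = []

    def connect(self):
        for hub in self.hubs:       # primary first, then the failover hub(s)
            if hub.up:
                hub.admit(self)
                return hub.name
        raise ConnectionError(f"{self.name}: no hub reachable")

    def send(self, dst, payload):
        if self.hub is None or not self.hub.up:
            self.connect()          # transparent failover on the next send
        return self.hub.forward(self.name, dst, payload)


def demo():
    """Constructed scenario: three nodes, a rogue node, and a hub failure."""
    primary, backup = Hub("hub-A"), Hub("hub-B")
    nodes = [Node(n, [primary, backup]) for n in ("ahu-1", "vav-7", "bms")]
    for n in nodes:
        n.connect()
    bms = nodes[2]
    result = {
        "broadcast_delivered": bms.send(BROADCAST, "Who-Is"),        # 2
        "unicast_delivered": bms.send("ahu-1", "ReadProperty"),      # 1
    }
    try:                                       # no accepted certificate
        Node("rogue", [primary, backup], authenticated=False).connect()
        result["rogue_rejected"] = False
    except PermissionError:
        result["rogue_rejected"] = True
    primary.fail()                             # redundant hub takes over
    result["hub_after_failover"] = [n.connect() for n in nodes][-1]
    result["broadcast_after_failover"] = bms.send(BROADCAST, "Who-Is")
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two things the model makes visible that the prose only states: a broadcast never leaves the hub for a node that was not admitted, so the BBMD-style open relay is gone, and failover is only as good as each node's own hub list, so every node, not just the central one, needs the redundant hub configured.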

Redundant hubs are a way to provide failover protection

All of this might sound big and new — which it is! — but it’s important to note that BACnet/SC is 100% backwards compatible. The technology is designed so that you don’t have to rip anything out of the walls.

How does backwards compatibility work in BACnet/SC

As you can see in the diagram above, very little changes in the BACnet infrastructure with BACnet/SC. All that really changes is that the wrapper surrounding the BACnet messages in transit is securely encrypted.

What is the BACnet/SC release timeline?

BACnet Secure Connect is currently living with the protocol’s committee. Once it’s approved, it will be up to the vendors to figure out how it’s implemented on devices.  

While some of the timeline is up in the air for the release, here is a rough sketch of how you can expect BACnet/SC will move forward in the coming year(s).

  • June 2019: Third Public Review
  • July 2019: SSPC Comments Resolution
  • Q3 2019: ISC Review Cycle if needed
  • ~Q4 2019: ASHRAE publishes (this is a guess)
  • ~2020 onwards: Vendors implement and begin releasing new products (this is a guess as well)

For more information on BACnet, download our whitepapers!
