Everyone’s growing more aware of the need for cybersecurity. There have been so many cyberattacks in recent years, it’s almost impossible to ignore. But there’s long been a view that cybersecurity is only an IT issue. Historically, building automation with BACnet has taken a different approach to cybersecurity, leading to confusion.
That’s changing in a big way with BACnet Secure Connect (BACnet/SC). This new technology will help keep your networks secure going forward, with new best practices that are IT-friendly and still backwards compatible with existing BACnet systems. But what does it all mean, and what do you need to know?
We recently hosted a webinar on BACnet/SC with special guests Bernhard Isler from Siemens and David Fisher from PolarSoft, two main figures behind BACnet/SC. We talked about how BACnet Secure Connect will affect everyday users, and what else you should know about keeping your systems secure.
Watch our webinar recording below, and be sure to download Bernhard Isler, David Fisher, and Michael Osborne's whitepaper on BACnet Secure Connect. The diagrams in this webinar and blog post were from the BACnet/SC whitepaper, published by ASHRAE.
The opinions expressed in this webinar are those of the authors, and do not necessarily represent the views of ASHRAE, SSPC 135, Siemens, PolarSoft, or Optigo Networks.
As BACnet/SC is not yet a published standard, it is possible that in its final form BACnet/SC may deviate from what is presented here.
We dug into a lot of topics, including:
- Why BACnet Secure Connect? (from 2:30 to 6:07)
- What does BACnet look like pre-Secure Connect? (from 6:07 to 8:36)
- What does pre-BACnet/SC over Internet look like? (from 8:36 to 9:54)
- What is BACnet/SC? (from 9:54 to 14:17)
- Hubs, and their role in BACnet/SC
- How does the backward compatibility work? (from 25:23 to 36:53)
- The BACnet/SC timeline (from 36:53 to 42:38)
- Questions and final remarks (from 42:38 onwards)
What is BACnet Secure Connect?
As David and Bernhard explained, BACnet Secure Connect is a way to transmit BACnet messages in a secure fashion.
What does this security look like? Well, it’s a lot more IT-friendly. It employs accepted IT standards for security (TLS 1.3), strong encryption, and it functions across both firewalls and the public Internet. Don’t worry, though, BACnet/SC is also 100% backward-compatible with the systems you have installed today. David and Bernhard stressed that in order to use BACnet/SC, you don’t have to throw anything away, and you won’t be losing any BACnet capability in an existing system.
Why was BACnet Secure Connect developed?
BACnet Secure Connect was originally developed to address certain features of BACnet/IP that were not IT-friendly. So, the working group began discussing how to make BACnet more IT-friendly and, by extension, more secure.
Traditional BACnet systems are often secured through Virtual Private Networks (VPNs) and the like. This helps prevent hackers from seeing and joining the network’s BACnet traffic, but it requires a fair bit of setup, which isn’t always a simple process. Many other BACnet systems aren’t secured at all, through VPNs or otherwise. In these cases, the system runs totally open, so the BACnet messages are not secure and they are visible to anyone.
Now, if BACnet is not run over the Internet, the hackers would need physical access to the facility in order to attack the system.
If BACnet is run over the Internet, however, hackers do not need physical access to the facility in order to attack the system. This is where VPNs or some other form of security is even more important on the BACnet system. Again, though, VPNs often require a lot of setup, maintenance, and management.
There was a clear need for a simpler form of robust security for BACnet systems, and the working group stepped up with BACnet/SC.
How does BACnet Secure Connect work?
BACnet Secure Connect uses WebSocket connections over TLS for BACnet message transport. The BACnet messages stay the same, but they are strongly encrypted in transport. And you can’t just plug in a BACnet device and begin communicating with other devices on the network: BACnet/SC requires that devices have a properly signed certificate on the device to join the network.
Note that the "hub" in the BACnet/SC sense is not the physical network hub that many out there are likely used to. The term is used because it logically follows the idea of a "hub,” just as a bicycle wheel has a hub, or What'sApp uses a logically central service for distributing messages.
A BACnet/SC hub is a software function that can be on a router or other hardware, or it can be completely virtual. No change is required for existing switch-based Ethernet and other IP infrastructure.
Hubs in BACnet/SC can deliver broadcasts, as well, taking on part of the functionality of BACnet Broadcast Management Devices (BBMDs). Ergo, you don’t need BBMDs anymore; they’re just unnecessary in this scenario.
Now, the hub is of course playing a central role to the BACnet network here, so losing functionality on the hub would be a big problem. That’s why you can implement redundant hubs, for failover protection.
All of this might sound big and new — which it is! — but it’s important to note that BACnet/SC is 100% backwards compatible. The technology is designed so that you don’t have to rip anything out of the walls.
As you can see in the diagram above, very little changes in the BACnet infrastructure with BACnet/SC. All that really changes is that the wrapper surrounding the BACnet messages in transit are securely encrypted.
What is the BACnet/SC release timeline?
BACnet Secure Connect is currently living with the protocol’s committee. Once it’s approved, it will be up to the vendors to figure out how it’s implemented on devices.
While some of the timeline is up in the air for the release, here is a rough sketch of how you can expect BACnet/SC will move forward in the coming year(s).
- June 2019: Third Public Review
- July 2019: SSPC Comments Resolution
- Q3 2019: ISC Review Cycle if needed
- ~Q4 2019: ASHRAE publishes (this is a guess)
- ~2020 onwards: Vendors implement and begin releasing new products (this is a guess as well)