Your introduction to BACnet Secure Connect

Chatting with Bernhard Isler and David Fisher on BACnet/SC
BACnet Secure Connect (BACnet/SC) with David Fisher and Bernhard Isler

Everyone’s growing more aware of the need for cybersecurity. There have been so many cyberattacks in recent years, it’s almost impossible to ignore. But there’s long been a view that cybersecurity is only an IT issue. Historically, building automation with BACnet has taken a different approach to cybersecurity, leading to confusion.

That’s changing in a big way with BACnet Secure Connect (BACnet/SC). This new technology will help keep your networks secure going forward, with new best practices that are IT-friendly and still backwards compatible with existing BACnet systems. But what does it all mean, and what do you need to know?

We recently hosted a webinar on BACnet/SC with special guests Bernhard Isler from Siemens and David Fisher from PolarSoft, two main figures behind BACnet/SC. We talked about how BACnet Secure Connect will affect everyday users, and what else you should know about keeping your systems secure.

Watch our webinar recording below, and be sure to download Bernhard Isler, David Fisher, and Michael Osborne's whitepaper on BACnet Secure Connect. The diagrams in this webinar and blog post were from the BACnet/SC whitepaper, published by ASHRAE. 

The opinions expressed in this webinar are those of the authors, and do not necessarily represent the views of ASHRAE, SSPC 135, Siemens, PolarSoft, or Optigo Networks.

As BACnet/SC is not yet a published standard, it is possible that in its final form BACnet/SC may deviate from what is presented here.

We dug into a lot of topics, including:

  • Why BACnet Secure Connect? (from 2:30 to 6:07)
  • What does BACnet look like pre-Secure Connect? (from 6:07 to 8:36)
  • What does pre-BACnet/SC over Internet look like? (from 8:36 to 9:54)
  • What is BACnet/SC? (from 9:54 to 14:17)
  • Hubs, and their role in BACnet/SC
  • How does the backward compatibility work? (from 25:23 to 36:53)
  • The BACnet/SC timeline (from 36:53 to 42:38)
  • Questions and final remarks (from 42:38 onwards)

Read our Q&A with David and Bernhard from our BACnet/SC webinar!

What is BACnet Secure Connect?

As David and Bernhard explained, BACnet Secure Connect is a way to transmit BACnet messages in a secure fashion.

What does this security look like? Well, it’s a lot more IT-friendly. It employs accepted IT security standards (TLS 1.3) and strong encryption, and it works across both firewalls and the public Internet. Don’t worry, though: BACnet/SC is also 100% backward-compatible with the systems you have installed today. David and Bernhard stressed that to use BACnet/SC you don’t have to throw anything away, and you won’t lose any BACnet capability in an existing system.

Why was BACnet Secure Connect developed?

BACnet Secure Connect was originally developed to address certain features of BACnet/IP that were not IT-friendly. So, the working group began discussing how to make BACnet more IT-friendly and, by extension, more secure.

Traditional BACnet

[Diagram from the BACnet/SC whitepaper]

Traditional BACnet systems are often secured through Virtual Private Networks (VPNs) and the like. This helps prevent hackers from seeing and joining the network’s BACnet traffic, but it requires a fair bit of setup, which isn’t always a simple process. Many other BACnet systems aren’t secured at all, through VPNs or otherwise. In these cases, the system runs totally open, so the BACnet messages are not secure and they are visible to anyone.

Now, if BACnet is not run over the Internet, the hackers would need physical access to the facility in order to attack the system.

[Diagram from the BACnet/SC whitepaper]

If BACnet is run over the Internet, however, hackers do not need physical access to the facility in order to attack the system. This is where VPNs or some other form of security is even more important on the BACnet system. Again, though, VPNs often require a lot of setup, maintenance, and management.

There was a clear need for a simpler form of robust security for BACnet systems, and the working group stepped up with BACnet/SC.

How does BACnet Secure Connect work?

BACnet Secure Connect uses WebSocket connections over TLS for BACnet message transport. The BACnet messages themselves stay the same, but they are strongly encrypted in transit. And you can’t just plug in a BACnet device and begin communicating with other devices on the network: BACnet/SC requires that a device hold a properly signed certificate before it can join the network.
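To make the transport requirements concrete, here is an added example (not code from the whitepaper or from any BACnet/SC stack) showing the TLS settings a hub and a node would hand to their WebSocket library, beside the "unchecked" listener configuration that encrypts traffic but lets anyone connect. It assumes the WebSocket library accepts a standard `ssl.SSLContext`, that the site runs its own CA which signs every hub and node certificate, and that the file-path arguments are placeholders the operator fills in; `posture_issues` is a hypothetical helper for checking a context against the posture the text describes.

```python
"""TLS settings for a BACnet/SC hub and node, built with Python's ssl module.

Added illustration, not code from the whitepaper or any BACnet/SC stack.
Assumptions: the WebSocket library in use accepts an ssl.SSLContext, the
site runs its own CA that signs every node and hub certificate, and the
file paths are placeholders the operator fills in.
"""
import ssl
from typing import List, Optional


def hub_tls_context(ca_file: Optional[str] = None,
                    cert_file: Optional[str] = None,
                    key_file: Optional[str] = None) -> ssl.SSLContext:
    """Server-side context for the hub's WebSocket listener.

    Only TLS 1.3 is negotiated, and every node must present a certificate
    signed by the site CA (mutual TLS). A device without a properly signed
    certificate fails the handshake and never joins the network.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED        # demand and verify a node certificate
    if ca_file:                                # placeholder path to the site CA
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:                              # placeholder path to the hub's own cert/key
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def node_tls_context(ca_file: Optional[str] = None,
                     cert_file: Optional[str] = None,
                     key_file: Optional[str] = None) -> ssl.SSLContext:
    """Client-side context a node uses when dialing a hub.

    PROTOCOL_TLS_CLIENT already verifies the hub's certificate and host
    name; we pin the protocol floor and attach the node's own certificate
    so the hub can authenticate the node in turn.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def unchecked_context() -> ssl.SSLContext:
    """Counter-example: a listener that accepts whatever TLS version the
    library allows by default and never asks the peer for a certificate.
    Traffic is encrypted, but anyone who can reach the port can connect."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def posture_issues(ctx: ssl.SSLContext) -> List[str]:
    """List the ways a context falls short of the posture described above."""
    issues = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_3:
        issues.append("permits TLS versions below 1.3")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        issues.append("does not require a signed peer certificate")
    return issues


if __name__ == "__main__":
    for name, ctx in (("hub", hub_tls_context()),
                      ("node", node_tls_context()),
                      ("unchecked", unchecked_context())):
        print(name, posture_issues(ctx) or "ok")
```

Both the hub and node contexts pass `posture_issues`, while the unchecked listener is flagged on both counts. The real BACnet/SC certificate profile (what the certificates must contain and who issues them) is not covered on this page, so the example only enforces the two properties the text does state: TLS 1.3 and a signed certificate on every device.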

[Diagram from the BACnet/SC whitepaper]

Note that the "hub" in the BACnet/SC sense is not the physical network hub that many out there are likely used to. The term is used because it logically follows the idea of a "hub," just as a bicycle wheel has a hub, or WhatsApp uses a logically central service for distributing messages.

A BACnet/SC hub is a software function that can be on a router or other hardware, or it can be completely virtual. No change is required for existing switch-based Ethernet and other IP infrastructure.

[Diagram from the BACnet/SC whitepaper]

Hubs in BACnet/SC can deliver broadcasts, as well, taking on part of the functionality of BACnet Broadcast Management Devices (BBMDs). Ergo, you don’t need BBMDs anymore; they’re just unnecessary in this scenario.

Now, the hub of course plays a central role in the BACnet network here, so losing functionality on the hub would be a big problem. That’s why you can implement redundant hubs, for failover protection.
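The hub’s two jobs described above, relaying broadcasts to every connected node and surviving an outage through a redundant hub, are easy to see in a small model. The following is an added illustration, not code from the whitepaper or any BACnet/SC product: the node ids, the message shape, the `BROADCAST` marker and the "try the primary hub, then the failover hub" order are assumptions of this model, not the wire protocol of the standard.

```python
"""Toy model of hub routing and hub failover in a BACnet/SC network.

Added illustration: the node ids, the message shape and the 'try the
primary hub, then the failover hub' order are assumptions of this model,
not the wire protocol of the standard.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

BROADCAST = "*"   # constructed marker: deliver to every node except the sender


@dataclass
class Hub:
    """A hub is a software function: it relays traffic between the nodes
    connected to it and fans broadcasts out to all of them (no BBMD needed)."""
    name: str
    online: bool = True
    nodes: Dict[str, "Node"] = field(default_factory=dict)

    def connect(self, node: "Node") -> None:
        if not self.online:
            raise ConnectionError(f"hub {self.name} is unreachable")
        self.nodes[node.node_id] = node

    def disconnect(self, node: "Node") -> None:
        self.nodes.pop(node.node_id, None)

    def route(self, src: str, dst: str, payload: bytes) -> int:
        """Relay one message; returns how many nodes received it."""
        if dst == BROADCAST:
            targets = [n for nid, n in self.nodes.items() if nid != src]
        else:
            targets = [self.nodes[dst]] if dst in self.nodes else []
        for n in targets:
            n.inbox.append((src, payload))
        return len(targets)


@dataclass
class Node:
    """A node holds one hub connection at a time and reconnects to the
    failover hub when its current hub goes away."""
    node_id: str
    primary: Hub
    failover: Hub
    hub: Optional[Hub] = None
    inbox: List[Tuple[str, bytes]] = field(default_factory=list)

    def ensure_connected(self) -> str:
        """Return the name of the hub in use, (re)connecting if needed."""
        if self.hub is not None and self.hub.online:
            return self.hub.name
        if self.hub is not None:             # stale connection to a dead hub
            self.hub.disconnect(self)
            self.hub = None
        for candidate in (self.primary, self.failover):
            try:
                candidate.connect(self)
                self.hub = candidate
                return candidate.name
            except ConnectionError:
                continue
        raise ConnectionError(f"{self.node_id}: no hub reachable")

    def send(self, dst: str, payload: bytes) -> int:
        self.ensure_connected()
        return self.hub.route(self.node_id, dst, payload)


def failover_scenario() -> List[str]:
    """Walk through a primary-hub outage; returns a log of what happened."""
    primary, backup = Hub("primary"), Hub("failover")
    nodes = [Node(i, primary, backup) for i in ("A", "B", "C")]
    log = []
    for n in nodes:
        log.append(f"{n.node_id} connected to {n.ensure_connected()}")
    log.append(f"A broadcast reached {nodes[0].send(BROADCAST, b'Who-Is')} nodes")

    primary.online = False                      # the central piece fails
    for n in nodes:                             # each node notices and reconnects
        log.append(f"{n.node_id} reconnected to {n.ensure_connected()}")
    log.append(f"A broadcast reached {nodes[0].send(BROADCAST, b'Who-Is')} nodes")
    log.append(f"B unicast reached {nodes[1].send('C', b'I-Am')} node(s)")
    return log


if __name__ == "__main__":
    print("\n".join(failover_scenario()))
```

Running the scenario shows the broadcast from A reaching B and C through the primary hub, all three nodes moving to the failover hub once the primary goes offline, and the same broadcast and a unicast still being delivered afterwards. In a real deployment each node detects the loss of its own WebSocket connection rather than polling an `online` flag, but the decision it then makes is the one modelled here.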

[Diagram from the BACnet/SC whitepaper]

All of this might sound big and new — which it is! — but it’s important to note that BACnet/SC is 100% backwards compatible. The technology is designed so that you don’t have to rip anything out of the walls.

[Diagram from the BACnet/SC whitepaper]

As you can see in the diagram above, very little changes in the BACnet infrastructure with BACnet/SC. All that really changes is that the wrapper surrounding the BACnet messages in transit is securely encrypted.

What is the BACnet/SC release timeline?

BACnet Secure Connect is currently living with the protocol’s committee. Once it’s approved, it will be up to the vendors to figure out how it’s implemented on devices.  

While some of the timeline is up in the air for the release, here is a rough sketch of how you can expect BACnet/SC will move forward in the coming year(s).

  • June 2019: Third Public Review
  • July 2019: SSPC Comments Resolution
  • Q3 2019: ISC Review Cycle if needed
  • ~Q4 2019: ASHRAE publishes (this is a guess)
  • ~2020 onwards: Vendors implement and begin releasing new products (this is a guess as well)

For more information on BACnet, download our whitepapers!
