World Security Report, 2021-02-09 08:47:06
BACnet Secure Connect makes building technologies as secure as internet banking
By Alina Matyukhina, PhD, Cybersecurity Manager at Siemens Smart Infrastructure
Buildings are no longer just passive structures. They have become smarter thanks to new technology, including the adoption of the Internet of Things (IoT). Since IoT devices can be added to almost any network, building systems are no longer isolated, physically or virtually. Internet-connected devices can be accessed and controlled from anywhere in the world, and they communicate with each other and with an organization’s IT systems, making them part of the larger enterprise network. But the higher the connectivity, the higher the security concerns of IT departments. With building devices communicating over the Internet, many IT leaders fear that attackers may enter an organization through its building systems and devices. This fear is justified: most current building technologies use a communication protocol created long before information technology (IT) and operational technology (OT) came together, and building systems have already served as an entry point. In the 2013 breach of a large US retail chain, attackers used network credentials stolen from the retailer’s HVAC contractor to get into its network and move on to the payment systems; payment card data for over 40 million customers was stolen. A few years later, criminals stole a database of high-roller gamblers from a North American casino after gaining access through an Internet-connected thermostat in an aquarium in the lobby.
These examples underline the importance of cybersecurity within building technologies and draw attention to the missing built-in security features of current communication protocols. BACnet (Building Automation and Control Networks, ANSI/ASHRAE Standard 135), the first standardized building automation protocol, was created at a time when building automation systems were not connected to IT systems, so security was not a significant concern. It was designed to enable interoperability between cooperating building automation devices, not to authenticate them or protect their traffic. This changed when the building automation industry embraced digitalization. Bringing IT and OT together created demand for BACnet over IP networks, which resulted in the BACnet/IP addendum (Annex J of the standard). BACnet/IP expanded communication among OT systems, but it also laid bare the risks: when BACnet/IP devices sit on the same network as the enterprise, they may expose the whole system to reconnaissance, tampering or unsanctioned reconfiguration, and the building equipment itself to damage. BACnet/IP does what it was designed for, but it has no built-in authentication or encryption: any host that can reach a device’s UDP port can read its objects and write to any writable property. System security is therefore a necessity and, in more and more cases, a contractual or regulatory requirement.
BACnet security has become a leading issue. Today it requires separate controls, coordinated with IT, that segment and segregate the network. Typical measures are Virtual Local Area Networks (VLANs), firewalls, Virtual Private Networks (VPNs), and Media Access Control (MAC)-address filtering with allow-lists. Many organizations use VPNs for remote BACnet connections and VLANs to separate BACnet locally from the IT network. A VPN encrypts data at the sending end and decrypts it at the receiving end, but VPNs have not been widely adopted for building automation because they are complex and costly to set up and manage. VLANs establish several mutually separated logical networks on one shared physical infrastructure. They are common today for separating IT from OT, but they are cumbersome to coordinate, need managed switching hardware, and do not solve the core problem: anyone who gets onto the (V)LAN, whether through a misconfigured switch port, a compromised host or a spoofed MAC address, has full access to the building automation system, because the BACnet devices themselves do not authenticate anyone. Other organizations use proprietary protocols, a practice that is becoming less accepted every day. As a result, most BACnet networks are not sufficiently protected today.
While these measures offer some level of segregation, they do not provide a comprehensive cybersecurity solution. From a building automation perspective, protection needs to be at the device and building network level, and it needs to provide authentication and encryption. Incorporating security into the BACnet protocol itself is the logical core solution: if attackers do reach an organization’s BACnet network, the devices’ own security is the last line of defense.
To address this, the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) published an addendum to the BACnet standard (Addendum 135-2016bj): BACnet Secure Connect (BACnet/SC). BACnet/SC adds authentication and encryption at the device and systems communication level, removing many of the concerns that building owners, facility managers and IT professionals have had with BACnet. It uses the same transport security that banks rely on for online transactions, TLS, but with one important difference: BACnet/SC requires a mutual TLS handshake. In online banking the TLS authentication is one-sided: the bank proves its identity to the customer with a certificate, but the customer does not prove theirs to the bank at the TLS layer, so banks need additional means, such as PINs, TANs or smartphone verification, to authenticate the user. BACnet/SC avoids this gap by having both peers present X.509 certificates. Each end verifies that the other’s certificate chains to the certificate authority trusted for the site before any BACnet message is exchanged, and the TLS record layer then protects the confidentiality and integrity of every BACnet message on that connection. A device that cannot present a valid certificate does not get a connection at all, which is what rules out injected or spoofed BACnet traffic.
The goal of BACnet/SC is to solve many of the challenges of deploying BACnet on IP-based networks. Technically, BACnet/SC is a new datalink layer that sits below the BACnet network layer, alongside the existing datalinks such as BACnet/IP and MS/TP. The upper layers, the network layer and the application layer, are unchanged, so existing objects, properties and services run over BACnet/SC exactly as before, and a BACnet router can bridge legacy datalinks to a BACnet/SC network. Building owners and managers therefore do not need to replace their devices or give up any capability of an existing BACnet system. For them, BACnet/SC is simply a new, TLS-secured datalink for their BACnet-enabled devices.
BACnet/SC’s security technologies are not new; they come directly from the IT world. The architecture is centered around a hub: nodes connect to the hub over TLS-secured WebSocket connections (hub-and-spoke), and the hub forwards BACnet messages between them as unicast traffic. This replaces the UDP broadcasts and BACnet Broadcast Management Devices (BBMDs) of BACnet/IP, which have historically been a challenge to configure in large systems; in many applications BACnet/SC can replace that approach entirely. A BACnet/SC network has a primary hub and may have a failover hub, and larger systems are joined through BACnet routers. For security, a hub only accepts connections from, and only forwards messages between, nodes whose certificates chain to the site’s certificate authority; a device without such a certificate never gets past the handshake. The BACnet language itself remains untouched, so building operators do not have to learn a new protocol.
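The following is an added example, not part of the original article and not ASHRAE or Siemens code, that makes two points from the preceding paragraphs concrete: the difference between one-sided TLS (the online-banking model) and the mutual TLS that BACnet/SC requires, and a hub that admits only nodes whose certificates chain to the site’s certificate authority. It is written in Go because the standard library can mint certificates and run both ends of a TLS handshake offline. Everything in it is assumed for illustration: the in-memory site CA, the node and hub names, the rogue CA standing in for an attacker’s laptop on the same VLAN, and TLS 1.3 as the minimum version. It exercises the TLS layer only; a real BACnet/SC node would then open a WebSocket over that TLS connection and exchange BACnet/SC frames, which is outside this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 key and certificate for name, signed by parent (self-signed
// when parent is nil). Toy in-memory CA standing in for a site CA; not ASHRAE code.
func issue(name string, ku x509.KeyUsage, parent *tls.Certificate) *tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // toy serial; use a CSPRNG in production
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              ku,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:                  ku&x509.KeyUsageCertSign != 0,
		BasicConstraintsValid: true,
	}
	if parent == nil { // self-signed root
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey))
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// hubConfig is the hub side: present our certificate AND require a peer certificate
// chaining to the site CA. tls.NoClientCert would be the one-sided banking model.
func hubConfig(trust *x509.CertPool, hub *tls.Certificate) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{*hub},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    trust,
	}
}

// nodeConfig is the node side: verify the hub against the site CA and present our
// own certificate (nil models a device or laptop holding no credential).
func nodeConfig(trust *x509.CertPool, node *tls.Certificate) *tls.Config {
	cfg := &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: trust, ServerName: "hub"}
	if node != nil {
		cfg.Certificates = []tls.Certificate{*node}
	}
	return cfg
}

// admitted runs one handshake over loopback and reports whether the hub accepted the
// node. The hub's verdict is what counts: in TLS 1.3 the client's handshake returns
// before the server has checked the client certificate.
func admitted(hub, node *tls.Config) bool {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", hub))
	defer ln.Close()
	hubErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		hubErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), node)
	if err == nil {
		defer conn.Close() // keep the node's side open until the hub has decided
	}
	return err == nil && <-hubErr == nil
}

// Demo contrasts the three cases the article's argument turns on.
func Demo() map[string]bool {
	siteCA := issue("site-ca", x509.KeyUsageCertSign, nil)
	trust := x509.NewCertPool()
	trust.AddCert(siteCA.Leaf)
	hub := hubConfig(trust, issue("hub", x509.KeyUsageDigitalSignature, siteCA))
	node := issue("ahu-controller-01", x509.KeyUsageDigitalSignature, siteCA)
	laptop := issue("laptop", x509.KeyUsageDigitalSignature, issue("rogue-ca", x509.KeyUsageCertSign, nil)) // attacker-run CA, unknown to the hub
	return map[string]bool{
		"site-issued node": admitted(hub, nodeConfig(trust, node)),
		"no certificate":   admitted(hub, nodeConfig(trust, nil)),
		"rogue CA node":    admitted(hub, nodeConfig(trust, laptop)),
	}
}
```

Call Demo from a main or a test; only the site-issued node is admitted, the node without a certificate and the node with a rogue-CA certificate are both rejected. Two details matter in practice. First, the hub must set ClientAuth to RequireAndVerifyClientCert with ClientCAs pointing at the site CA; the default, NoClientCert, silently reproduces the one-sided banking model and lets anyone who can reach the hub’s port connect. Second, it is the hub’s handshake result that decides admission: in TLS 1.3 the client’s handshake completes before the server has verified the client certificate, so a node that only checks its own Dial result would believe it was accepted.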
With its built-in security features, BACnet/SC offers significant benefits for securing an organization’s OT network. It is an open, free-to-use standard that applies best practices from the IT world and works well with existing firewalls: because it is always the node that opens the connection to its hub, only the hub needs an inbound firewall rule, and nodes need no inbound ports unless they are configured to accept direct connections. By the same design, BACnet/SC makes it easier to extend building communication across site boundaries. The hub can be hosted not just on-site but literally anywhere, allowing far more flexible topologies than in the past, and device traffic can cross untrusted networks without exposing its contents. One caveat for planners: the encryption is per connection, not end-to-end through the hub. The TLS session terminates at the hub, which decrypts each BACnet message before re-encrypting it towards the destination node, so the hub sees plaintext and must be treated as a trusted, hardened component. BACnet/SC also allows direct node-to-node connections, which do give end-to-end protection for that pair. Authentication is at the device level: only devices holding a certificate issued by the site’s certificate authority can join the network.
All these features were implemented in response to the industry’s needs. As new technology and regulation continue to drive demand for stronger security, BACnet/SC is expected to become the new normal for all kinds of projects, from small facilities such as kindergartens and high schools to large critical infrastructures such as airports, healthcare systems and utilities. To help the industry adjust, large technology companies such as Siemens are working closely with ASHRAE and are deeply involved in the development of BACnet/SC, helping to resolve its outstanding challenges. This collaboration supports an exchange on the technological and regulatory side, making it easier for investors, building owners, facility operators and IT managers to stay informed about the new security functionality of building devices and systems.