Protecting Building Automation Systems with BACnet Secure Connect

From eSociety, July 2019

A new addendum to Standard 135-2016, BACnet—A Data Communication Protocol for Building Automation and Control Networks, seeks to increase protection of building automation systems that are integrated into traditional IT systems, as is now common practice.

BSR/ASHRAE Addendum bj is under a 45-day Public Review from June 21 to August 5. The addendum: 

  • introduces BACnet Secure Connect Datalink Layer Option and BACnet/SC in the Application and Network Layer Specifications;

  • adds new Annex YY for the BACnet Secure Connect Datalink Layer Option and a Device_UUID Property to the Device Object;

  • extends APDU Encoding for Large APDU Sizes;

  • introduces new Error Codes for BACnet/SC; and

  • defines Interoperability Specification Extensions for BACnet/SC and Extended 6-Octet VMAC.

BACnet Secure Connect is IT-friendly and shifts BACnet into the application space of using well-known, accepted IP application protocols and techniques, according to Bernhard Isler, Member ASHRAE, and a former chair of the standard committee for ASHRAE Standard 135. The protocol will provide inherent means of protection for BACnet-based building automation systems, even across the public internet or in shared, private IP networks.

“BACnet Secure Connect will provide cybersecurity inherently, equal to what is currently achieved using VPNs and such. No extra VPN equipment or software and according setups will be needed anymore,” he said. 

BACnet Secure Connect allows devices to protect themselves with built-in security mechanisms and should eliminate risky behavior such as placing unprotected devices directly on the internet. The new protocol eliminates broadcasts, supports DNS for name resolution, and uses industry-standard security with Transport Layer Security (TLS) (née “SSL”) and Public Key Infrastructure (PKI) certificates, said David Robin, Member ASHRAE, and a member and past chair of the ASHRAE Standard 135 committee.

Robin said all connections in BACnet Secure Connect are mutually authenticated, meaning that both ends must complete a TLS validation of the other end before they can talk to each other. BACnet communication through BACnet Secure Connect will be secured using TLS V1.3, the most modern version of TLS, said Isler. 

The BACnet standards committee released a white paper on BACnet Secure Connect in May. To read the white paper, visit.