Innovations in Comfort, Efficiency, and Safety Solutions.
|Introduction to BACnet/SC
A Secure Alternative to BACnet/IP
For the past
several years, the members of the BACnet IT working group I chair have
been developing a more secure method of communication for BACnet based
on widely used IT standards. This method exclusively applies to
communication on IP networks, and we are calling it "BACnet/SC" or
“BACnet Secure Connect.” I believe BACnet/SC will become a
popular alternative to BACnet/IP in the future.
(Important note: At the time this article is being written BACnet/SC is approaching its third public review; it has not yet been approved for inclusion into the BACnet standard.)
BACnet/IP has been widely deployed since it was added to the BACnet standard in 1999. BACnet/IP does not have any built-in network security functionality, so the most common methods of securing BACnet/IP networks are to place BACnet/IP devices within VPNs and VLANs, which typically requires the cooperation of the customer’s IT department. These methods have provided adequate network security for many buildings, but there are many situations in which something different or something more is needed.
By contrast, BACnet/SC has its own network security mechanisms--it provides encryption of messages and device authentication. For that reason, I expect BACnet/SC devices will be able to be deployed on networks that lack other security mechanisms, including the public Internet. For additional security, BACnet/SC devices can be deployed within VLANs or VPNs.
The following table summarizes several significant differences between BACnet/IP and BACnet/SC:
Those who have a lot of experience deploying BACnet/IP-based systems
are aware of some of its challenges. Perhaps the biggest challenge with
BACnet/IP is managing BACnet broadcast messages in large systems. The
BBMD (BACnet Broadcast Management Device) was invented to allow a
single BACnet/IP network to span multiple IP subnetworks by forwarding
BACnet broadcast messages through IP routers, but properly configuring
BBMDs has proven to be tricky in large systems.
The standard does not require BACnet/IP devices to use static IP addresses, but most manufacturers recommend this configuration for all of their devices. By contrast, dynamic IP addresses are heavily used in mainstream IT networks. This has become a source of friction between BAS personnel and IT personnel as increasing numbers of BACnet/IP devices are connected to networks managed by the facility’s IT department.
With BACnet/SC we have solved many of the challenges of deploying BACnet on IP-based networks, but in the process, we have introduced a few new issues you will need to keep in mind. Increased security comes at a cost, and the working group is doing what it can do to make the cost manageable.
First of all, I should emphasize that BACnet/SC networks will be able to be connected to other BACnet networks (BACnet/IP, MS/TP, etc.) using BACnet routers. We haven’t changed the structure of any of the BACnet application layer and network layer messages.
BACnet/SC is based on standard, commonly used IT network protocols--WebSockets and TLS in particular. The use of TLS (a descendant of SSL) and digital certificates are the basis for the security features of BACnet/SC. TLS is widely used for secure communication between web browsers and web servers (the technology used in https:// web sites), so it is one of the most important Internet protocols.
To the relief of many, BACnet/SC does not use BBMDs! Instead, a BACnet/SC network will typically have one or two BACnet/SC hubs whose function is to forward both broadcast and unicast messages between BACnet/SC devices. Note that BACnet/SC hubs will only forward messages to/from BACnet/SC devices that have the right type of TLS certificate for a particular BACnet/SC network.
I have skipped over many important details of BACnet/SC in this short article. If you are interested in learning more, I encourage you to read the white paper "BACnet Secure Connect" written by members of the BACnet IT working group.
About the author
Jim Butler is CTO of Cimetrics Inc., a Boston-based company that
provides analytical services and BACnet communication products to the
buildings industry. Jim has been contributing to the development of the
BACnet standard for almost 25 years. He is currently the convener of
the BACnet IT working group which since 2009 has been developing a new
method of BACnet communication that is now called BACnet/SC. Jim was
also the founding manager of BACnet Testing Laboratories (BTL).
[Click Banner To Learn More]
[Home Page] [The Automator] [About] [Subscribe ] [Contact Us]