Johnson Controls

BACnet Secure Connect Offers Next-Level BAS Cybersecurity

May 18, 2023
As BAS rapidly becomes integrated with broader IT systems, the need to provide a holistic approach to cybersecurity is critical. BACnet/SC aims to do just that.

The evolution and IT convergence of digital building technologies started in earnest in the mid-90s, as more and more basic building systems, including telephony, physical security, lighting, HVAC and other building automation sensors and equipment, migrated to Internet Protocol (IP).

As building owners sought more advanced ways to accumulate and access data, the increased bandwidth and speeds of IP were the most logical solution. Compared to the BACnet MS/TP protocol, BACnet/IP is the fast communication protocol that meets the needs of today’s building systems; it has been an ANSI standard since 1995 and an ISO standard since 2003.

Increasing demand for detailed information on operations and costs is driving facility managers to task today’s Building Automation Systems (BAS) with providing more data, more often, from more devices. BAS are becoming increasingly sophisticated and are now shifting from IP-based to cloud-hosted systems, and often need to be integrated with other IT infrastructures.

As BAS rapidly becomes integrated with broader IT systems, with more than 95% of BAS now residing on shared networks, the need to provide a holistic approach to cybersecurity is critical. In addition, U.S. Executive Order 14028, published in May 2021, focuses on improving the nation’s cybersecurity and will lead to additional enforcement of standards to prevent cybersecurity incidents, enhancement of supply chain security and more.

To adhere to evolving cybersecurity standards and help protect vulnerable networks, facility managers need to consider the most up-to-date technology and security protocols, including the latest standard, BACnet Secure Connect (BACnet/SC).

What is BACnet/SC?

A decade in development and first launched in November 2019 by the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE) and BACnet International, BACnet/SC enables secure communication between different devices and systems in a building automation network, protecting against cyber threats such as hacking, data breaches, and other types of cyber-attacks.

It also provides the flexibility to choose from different security levels based on specific requirements, making it an adaptable solution for a wide range of building automation systems. BACnet/SC adds a significant level of cybersecurity protection, while still maintaining communication interoperability between BAS nodes.  

BACnet/SC is defined in Annex AB of the ASHRAE 135-2020 BACnet protocol standard, which identifies it as a secure, encrypted datalink layer specifically designed to meet the requirements, policies, and constraints of IP networking infrastructures.

How It Works

BACnet/SC allows two BAS devices to establish a highly secure and encrypted connection using the TCP-based WebSocket protocol. The devices exchange certificates and authenticate each other using Transport Layer Security (TLS). Once the devices are authenticated, they can begin exchanging encrypted messages.
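
A defender-side check for the mutual certificate authentication described above, as an added example that is not from the article or from Johnson Controls: it builds Python `ssl` contexts for a node that accepts connections and a node that initiates them, then audits a context for one-way TLS, a low protocol floor, or a missing site CA. The TLS 1.3 floor, the function names and the file parameters are assumptions made for illustration.

```python
import ssl

POLICY_MIN_TLS = ssl.TLSVersion.TLSv1_3  # assumption: site policy floor


def node_context(accepting, ca_file=None, cert_file=None, key_file=None):
    """TLS context for a node; both directions must verify the peer certificate."""
    proto = ssl.PROTOCOL_TLS_SERVER if accepting else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.minimum_version = POLICY_MIN_TLS
    # A server-side context defaults to CERT_NONE (one-way TLS), so the
    # accepting node must be told explicitly to demand a certificate.
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:    # site CA that signed the device certificates
        ctx.load_verify_locations(cafile=ca_file)
    if cert_file:  # this node's own certificate and private key
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def one_way_context():
    """Weak baseline: encrypts traffic but never authenticates the connecting peer."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def audit(ctx):
    """Return a list of findings; an empty list means the context meets the policy."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate not required")
    if ctx.minimum_version < POLICY_MIN_TLS:
        findings.append("minimum TLS version below policy")
    if ctx.cert_store_stats()["x509_ca"] == 0:
        findings.append("no trust anchor loaded")
    return findings
```

Called without certificate files, `node_context` still reports the missing trust anchor, which is the reminder that peer verification is only as good as the CA the node has been given.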

BACnet/SC is a sophisticated network security solution that uses standards widely accepted by the IT community, and it addresses many concerns IT professionals had with the original BACnet/IP protocol.  

Benefits of BACnet/SC

While not every BAS installation may benefit from BACnet/SC (generally only those with higher-than-average security needs), adopting BACnet/SC allows for better integration and interoperability between different devices and systems. It can provide many benefits for building owners, facility managers and IT professionals, including:

  • Security: BACnet/SC uses strong encryption to protect data and provides secure message transport using the standard IP application protocol, Secure WebSocket, which is an extension to HTTPS and runs over Transport Layer Security (TLS). A major difference in BACnet/SC compared to previous BACnet iterations is the use of asymmetric cryptography. This cryptographic system uses two different keys, a public key and a private key, to encrypt and decrypt data. The public key can be shared with anyone, while the private key is usually only known by the device or owner. This allows for highly secure communication between two parties, even if they do not trust each other;
  • Reliability: BACnet/SC uses a reliable connection-oriented protocol to ensure that messages are not lost or corrupted. It works easily with common firewall devices and is not dependent on network broadcast messaging;
  • Ease-of-Implementation: Utilizing BACnet/SC reduces the burden on IT teams by eliminating the need for static IP addresses and simplifies configuration by eliminating BACnet/IP Broadcast Management Devices (BBMDs). The technology also easily handles changes in network topology;
  • Compatibility: BACnet/SC is fully compatible with existing BACnet systems and devices through normal BACnet routing and uses shared IP networks with no VPN setup required. It can also be implemented on any IPv4 or IPv6 network.

Planning for a Cybersecure Future

The bottom line: BACnet/SC is the newest standard for BAS cybersecurity. It can help minimize cyber risk and should be considered alongside a number of other IT best practices as part of a comprehensive BAS cybersecurity strategy.

For those customers who are looking to gain a higher level of security and help protect their BAS against unauthorized access, data piracy, or other cyber threats, BACnet/SC is an appropriate solution. 

ASHRAE standards for BACnet/IP are expected to continue to evolve. Leading BAS providers like Johnson Controls have adopted BACnet/SC compatibility and can help building owners and facility managers determine when and how best to adopt BACnet/SC to ensure a cybersecure future.

##########

Chris Lane is the director of product management for Building Automation System (BAS) products at Johnson Controls. In this role, Lane leads a team of product managers responsible for defining strategy and direction for the firm’s global portfolio of BAS products.