BACnet/SC (BACnet Secure Connect) brings BACnet into line with modern IT infrastructure. Because it is 100% compatible with existing BACnet IP and BACnet MS/TP networks, it is finally possible to encrypt the communication of the approximately 25 million BACnet devices installed worldwide. Complex BBMD configurations, static IP addresses and unencrypted telegrams are now a thing of the past. With BACnet/SC, segments, networks, buildings or even entire properties can be connected easily and securely.
What is BACnet/SC?
Communication via BACnet/SC extends the existing BACnet standard and preserves its well-known cross-manufacturer interoperability. Independent laboratories test BACnet/SC-compatible devices, which are subsequently certified by BACnet International. In this way, a high, manufacturer-independent level of quality is ensured. To be compatible with the specific management functions of the new BACnet/SC communication standard, devices must also be certified for the new BACnet profile B-SCHUB (BACnet Secure Connect Hub).
How is BACnet/SC structured?
Difference from BACnet
BACnet Secure Connect, BACnet/SC for short, is a new protocol layer in the OSI/ISO layer model of the BACnet standard. Integrating it into the existing BACnet standard has the advantage of 100% compatibility between BACnet IP or BACnet MS/TP networks and the BACnet/SC network.
This means that existing BACnet IP and BACnet MS/TP networks are connected to a BACnet/SC network by BACnet routing, so that their communication is carried encrypted on the BACnet/SC side. Switching to encrypted, multi-vendor data transmission via BACnet Secure Connect therefore does not require the BACnet objects to be reprogrammed.
How does BACnet/SC work?
Communication between BACnet/SC devices uses a hub-and-spoke topology. One of the BACnet/SC devices is configured as the hub (primary hub) and manages the communication and data transfer of the encrypted BACnet objects. All other BACnet/SC network nodes are configured as simple nodes and communicate through the primary hub. There may be at most one primary hub in the entire BACnet Secure Connect network; the number of simple nodes, by contrast, is unlimited. To guarantee a high level of reliability, BACnet/SC offers the option of configuring a further reserve hub (failover hub) in addition to the primary hub. If the primary hub fails, the failover hub automatically takes over communication management in the BACnet Secure Connect network. Configuring a failover hub is optional.
With the OPEN.WRX controller, we deliver the first BACnet/SC certified controller on the market that can be used as both a primary and failover hub to safely operate buildings.
High network flexibility through hub-and-spoke topology
The hub-and-spoke topology also gives you a high degree of network flexibility when setting up and expanding the network. New BACnet/SC participants can be integrated quickly and easily by giving them the appropriate network number and the address (IP address or host name) of the device configured as the hub. A complex BBMD (BACnet Broadcast Management Device) configuration is no longer necessary. Furthermore, network participants can now be addressed via dynamic IP addresses, which provides significantly more flexibility for network setup, network configuration and change management during operation.
Further advantages of encrypted communication
Encrypted communication offers the additional advantage that a separate VPN connection no longer needs to be established to access the BACnet objects of a building. Using well-known tools such as BACeye/SC, users can remotely access the BACnet objects of a building directly and carry out configuration or visualization tasks.
Modern security mechanism: TLS 1.3 standard
To ensure secure and encrypted communication, BACnet/SC relies on modern security mechanisms such as the current TLS 1.3 standard. It offers 256-bit encryption and uses a public key infrastructure (PKI). For BACnet/SC devices to communicate with each other in encrypted form, certificates must therefore be exchanged. The certificate exchange authenticates the participants to one another, uniquely identifying each device and ensuring that only authorized devices communicate. Certificate exchange is the key element of the new BACnet standard.
Each BACnet/SC participant requires a private key and a matching public key; the public key is presented to the peer as a signed "operational certificate" when communication is established. Messages are encrypted and decrypted with the help of this key pair.
To ensure a high level of security in the long term, the certificates must be renewed regularly.
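The two operational points above, the primary-then-failover hub order and the TLS 1.3 connection secured by operational certificates that must be renewed before they expire, can be expressed as a small node-side policy. This is an added example, not code from the article or from any BACnet/SC product; the hub addresses, network number and 30-day renewal window are constructed placeholders, and only the Python standard library is used.

```python
import ssl
import time
from typing import Callable, Optional

# Constructed node configuration (placeholder hosts, not real devices):
# the network number plus primary and optional failover hub addresses.
NODE_CONFIG = {
    "network_number": 1001,
    "primary_hub": "wss://hub-primary.example.invalid:443",
    "failover_hub": "wss://hub-failover.example.invalid:443",
}
RENEW_BEFORE_DAYS = 30  # assumed renewal window; the article only says "regularly"

def sc_tls_context(ca_file: Optional[str] = None) -> ssl.SSLContext:
    """TLS context for the node's hub connection: TLS 1.3 only, and the hub
    must present a certificate that chains to ca_file (None = system store)."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3  # refuse TLS 1.2 and older
    ctx.verify_mode = ssl.CERT_REQUIRED           # no unauthenticated hubs
    return ctx

def context_is_hardened(ctx: ssl.SSLContext) -> bool:
    """True when the context enforces both settings above."""
    return (ctx.minimum_version == ssl.TLSVersion.TLSv1_3
            and ctx.verify_mode == ssl.CERT_REQUIRED)

def cert_status(not_after: str, now: Optional[float] = None) -> str:
    """Classify an operational certificate by its notAfter field, in the
    format ssl.getpeercert() returns, e.g. 'Jun  9 12:00:00 2025 GMT'."""
    expiry = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    if expiry <= now:
        return "expired"
    if expiry - now < RENEW_BEFORE_DAYS * 86400:
        return "renew"
    return "valid"

def select_hub(config: dict, reachable: Callable[[str], bool]) -> Optional[str]:
    """Primary hub first; the failover hub only when the primary is down."""
    for key in ("primary_hub", "failover_hub"):
        uri = config.get(key)
        if uri and reachable(uri):
            return uri
    return None

if __name__ == "__main__":
    print(context_is_hardened(sc_tls_context()))
    # Constructed outage: only the failover hub answers the probe.
    print(select_hub(NODE_CONFIG, lambda uri: "failover" in uri))
    print(cert_status("Jun  9 12:00:00 2025 GMT", now=1748736000.0))  # renew
```

The `reachable` probe is deliberately left as a callable so the same selection logic can be driven by a real connection attempt or, as here, by a constructed outage.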
BACnet/SC in building automation
For building automation, the new BACnet standard plays a central role, since the BACnet protocol was previously unencrypted. The BACnet protocol offers the highest level of interoperability in building automation and is therefore used in many projects to achieve vendor independence of the installed systems. Furthermore, thanks to its manufacturer-independent, standardized semantics, BACnet is ideally suited for networking different systems with each other.
Both factors have contributed to the more than 25 million BACnet devices installed to date. Encrypting BACnet communication with BACnet Secure Connect paves the way for the BACnet standard into the future of building automation, because IT security is playing an increasingly central role as systems become more networked.
Areas of application of the BACnet/SC network
A stand-alone BACnet/SC network can be set up easily in a building if all network participants are BACnet/SC-capable devices. In this way, all BACnet communication in the building is completely encrypted.
If BACnet networks are already installed in the building, BACnet/SC is ideal for including and encrypting the existing BACnet communication. For this purpose, an automation station or gateway is used that integrates the previous BACnet IP or BACnet MS/TP networks and routes them to BACnet/SC.
Additional BACnet/SC-capable devices in the building then ensure that the building's backbone is secured and encrypted by means of BACnet/SC, so that only the branches, for example on the individual floors, still carry the unencrypted BACnet IP or BACnet MS/TP network.
BACnet/SC in central building management
Here, the central building control system or management operating equipment (MBE) is installed remotely from the building, so secure access to the data in the building is essential. BACnet Secure Connect establishes encrypted communication and data transfer between the BACnet/SC devices in the building and the remotely installed MBE. In this case, the management operating device must also support the BACnet/SC protocol.
The same principle of networking can also be used to interconnect several buildings and thus several BACnet/SC networks. In this way, data transmission between individual buildings within a property is fully encrypted.
BACnet/SC provides the previously missing and increasingly important IT security in building automation
BACnet Secure Connect supplements the previous BACnet standard as a new protocol layer. In addition to 100% compatibility with existing BACnet networks, it also offers high interoperability between different systems in building automation.
The implemented network and security mechanisms comply with the standards of the modern IT world and offer considerably more flexibility in network setup, configuration and change management during operation. The challenge for the building automation industry will be certificate management: certificates must be installed on every BACnet/SC-enabled device and renewed regularly to guarantee and maintain secure data transmission.