April 2019
Introduction to BACnet/SC
A Secure Alternative to BACnet/IP

Jim Butler, CTO, Cimetrics Inc.
For the past several years, the members of the BACnet IT working group I chair have
been developing a more secure method of communication for BACnet based on widely
used IT standards. This method applies exclusively to communication on IP networks,
and we are calling it "BACnet/SC" or "BACnet Secure Connect." I believe BACnet/SC
will become a popular alternative to BACnet/IP in the future.

(Important note: at the time this article is being written, BACnet/SC is approaching
its third public review; it has not yet been approved for inclusion in the BACnet
standard.)
BACnet/IP has been widely deployed since it was added to the BACnet
standard in 1999. BACnet/IP does not have any built-in network
security functionality, so the most common methods of securing
BACnet/IP networks are to place BACnet/IP devices within VPNs and
VLANs, which typically requires the cooperation of the customer’s IT
department. These methods have provided adequate network security for
many buildings, but there are many situations in which something
different or something more is needed.
By contrast, BACnet/SC has its own network security mechanisms: it provides
encryption of messages and device authentication. For that reason, I expect that
BACnet/SC devices will be deployable on networks that lack other security
mechanisms, including the public Internet. For additional security, BACnet/SC
devices can also be deployed within VLANs or VPNs.
The following table summarizes several significant differences between
BACnet/IP and BACnet/SC:
Those who have a lot of experience deploying BACnet/IP-based systems
are aware of some of its challenges. Perhaps the biggest challenge with
BACnet/IP is managing BACnet broadcast messages in large systems. The
BBMD (BACnet Broadcast Management Device) was invented to allow a
single BACnet/IP network to span multiple IP subnetworks by forwarding
BACnet broadcast messages through IP routers, but properly configuring
BBMDs has proven to be tricky in large systems.
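The BBMD mechanism described above is easiest to see in the link-layer messages themselves, so here is an added example (not code from the article or from Cimetrics): a Go decoder for the BACnet/IP link-layer (BVLC) header that also extracts the originating address a BBMD prepends to a Forwarded-NPDU and the lifetime requested in a Register-Foreign-Device, then tallies, per sending host, which BBMD-management functions appear in a capture. The function codes and field layout follow Annex J of the BACnet standard, which the article does not reproduce; the four packets and the addresses in them are constructed for the example.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

// Names of the BBMD and foreign-device management functions, codes 0x01 to
// 0x09 of Annex J of the BACnet standard (assumed here; the article does not
// list them). Codes 0x0a and 0x0b are ordinary unicast and broadcast NPDUs.
var mgmtFn = map[byte]string{
	0x01: "Write-BDT", 0x02: "Read-BDT", 0x03: "Read-BDT-Ack", 0x04: "Forwarded-NPDU",
	0x05: "Register-Foreign-Device", 0x06: "Read-FDT", 0x07: "Read-FDT-Ack",
	0x08: "Delete-FDT-Entry", 0x09: "Distribute-Broadcast-To-Network",
}

const (
	bvlcTypeBIP             = 0x81 // BVLC type octet for BACnet/IP
	FnForwardedNPDU         = 0x04
	FnRegisterForeignDevice = 0x05
)

// BVLC is the decoded BACnet/IP link-layer header of one UDP payload.
type BVLC struct {
	Function byte
	Origin   string // Forwarded-NPDU only: B/IP address the BBMD says it came from
	TTL      int    // Register-Foreign-Device only: requested lifetime in seconds
	NPDU     []byte // remaining bytes: network-layer PDU or table data
}

// ParseBVLC decodes the 4-byte header (type 0x81, function, 16-bit length of
// the whole message) and the prefix fields of the two functions that have them.
func ParseBVLC(pkt []byte) (BVLC, error) {
	if len(pkt) < 4 {
		return BVLC{}, errors.New("short BVLC header")
	}
	if pkt[0] != bvlcTypeBIP {
		return BVLC{}, fmt.Errorf("not BACnet/IP: BVLC type 0x%02x", pkt[0])
	}
	n := int(binary.BigEndian.Uint16(pkt[2:4]))
	if n < 4 || n > len(pkt) {
		return BVLC{}, fmt.Errorf("BVLC length %d inconsistent with %d bytes", n, len(pkt))
	}
	b := BVLC{Function: pkt[1]}
	body := pkt[4:n]
	switch b.Function {
	case FnForwardedNPDU: // 4-byte IPv4 address + 2-byte UDP port of the original sender
		if len(body) < 6 {
			return BVLC{}, errors.New("Forwarded-NPDU missing originating address")
		}
		b.Origin = fmt.Sprintf("%s:%d", net.IP(body[:4]), binary.BigEndian.Uint16(body[4:6]))
		body = body[6:]
	case FnRegisterForeignDevice: // 2-byte time-to-live in seconds
		if len(body) < 2 {
			return BVLC{}, errors.New("Register-Foreign-Device missing TTL")
		}
		b.TTL = int(binary.BigEndian.Uint16(body[:2]))
		body = body[2:]
	}
	b.NPDU = body
	return b, nil
}

// Packet is one captured UDP payload with its source IP.
type Packet struct {
	Src  string
	Data []byte
}

// BBMDSummary tallies, per source host, the BBMD-management functions seen;
// ordinary NPDUs and undecodable payloads are skipped.
func BBMDSummary(pkts []Packet) map[string]map[string]int {
	out := map[string]map[string]int{}
	for _, p := range pkts {
		b, err := ParseBVLC(p.Data)
		name, isMgmt := mgmtFn[b.Function]
		if err != nil || !isMgmt {
			continue
		}
		if out[p.Src] == nil {
			out[p.Src] = map[string]int{}
		}
		out[p.Src][name]++
	}
	return out
}

// SamplePackets is a constructed capture: a Who-Is broadcast from a device,
// the same Who-Is re-sent by a BBMD as a Forwarded-NPDU, a foreign-device
// registration from an outside address, and a Write-BDT carrying one entry.
var SamplePackets = []Packet{
	{"192.168.1.10", []byte{0x81, 0x0b, 0x00, 0x0c, 0x01, 0x20, 0xff, 0xff, 0x00, 0xff, 0x10, 0x08}},
	{"10.0.2.1", []byte{0x81, 0x04, 0x00, 0x12, 0xc0, 0xa8, 0x01, 0x0a, 0xba, 0xc0,
		0x01, 0x20, 0xff, 0xff, 0x00, 0xff, 0x10, 0x08}},
	{"203.0.113.5", []byte{0x81, 0x05, 0x00, 0x06, 0x00, 0x3c}},
	{"10.0.2.1", []byte{0x81, 0x01, 0x00, 0x0e, 0x0a, 0x00, 0x02, 0x01, 0xba, 0xc0, 0xff, 0xff, 0xff, 0xff}},
}

func main() { fmt.Println(BBMDSummary(SamplePackets)) }
```

Run over the UDP payloads of a real capture, the tally shows which hosts are behaving as BBMDs and which outside addresses are registering as foreign devices, which is usually the first thing to establish when broadcasts misbehave in a large BACnet/IP system. Nothing in these messages is authenticated; that is the gap the certificate-based mechanisms described later in the article are meant to close.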
The standard does not require BACnet/IP devices to use static IP
addresses, but most manufacturers recommend this configuration for all
of their devices. By contrast, dynamic IP addresses are heavily used in
mainstream IT networks. This has become a source of friction between
BAS personnel and IT personnel as increasing numbers of BACnet/IP
devices are connected to networks managed by the facility’s IT
department.
With BACnet/SC we have solved many of the challenges of deploying BACnet on
IP-based networks, but in the process we have introduced a few new issues you
will need to keep in mind. Increased security comes at a cost, and the working
group is doing what it can to make that cost manageable.
First of all, I should emphasize that BACnet/SC networks can be connected to
other BACnet networks (BACnet/IP, MS/TP, etc.) using BACnet routers. We haven't
changed the structure of any of the BACnet application layer or network layer
messages.
BACnet/SC is based on standard, commonly used IT network protocols, WebSockets
and TLS in particular. The use of TLS (a descendant of SSL) and digital
certificates is the basis for the security features of BACnet/SC. TLS is widely
used for secure communication between web browsers and web servers (it is the
technology behind https:// web sites), so it is one of the most important
Internet protocols.
To the relief of many, BACnet/SC does not use BBMDs! Instead, a
BACnet/SC network will typically have one or two BACnet/SC hubs whose
function is to forward both broadcast and unicast messages between
BACnet/SC devices. Note that BACnet/SC hubs will only forward messages
to/from BACnet/SC devices that have the right type of TLS certificate
for a particular BACnet/SC network.
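The two paragraphs above make two claims: that TLS with digital certificates is the basis of BACnet/SC security, and that a hub only forwards for devices holding the right certificate for its network. As an added example (not code from the article, from the working group's white paper, or from any BACnet/SC implementation), the Go program below creates a CA for one BACnet/SC network, issues a hub certificate and a device certificate under it, and runs mutual-TLS handshakes over an in-memory pipe: the device certified by the network's CA is admitted, while a device presenting a certificate from an unrelated CA is refused before any BACnet message is exchanged. The CA names, host names (hub.example.invalid, ahu-1.example.invalid) and certificate lifetimes are constructed; the WebSocket layer that BACnet/SC runs over TLS is omitted, and the certificate contents do not follow the draft BACnet/SC profile, only ordinary X.509 practice.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// mkCert generates a P-256 key and a certificate for name. With parent nil it
// is a self-signed CA; otherwise a node certificate signed by parent. A
// BACnet/SC node can be either end of a connection, so node certificates
// carry both server-auth and client-auth extended key usages.
func mkCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, tls.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: serial,
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour), // constructed short lifetime
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	signer, signKey := tmpl, key
	if parent == nil {
		tmpl.DNSNames, tmpl.ExtKeyUsage = nil, nil
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	} else {
		signer, signKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// Admit runs one mutual-TLS handshake, hub as server and device as client,
// over an in-memory pipe and returns the hub's verdict: nil means admitted.
func Admit(hubCfg, devCfg *tls.Config) error {
	hubEnd, devEnd := net.Pipe()
	hubErr := make(chan error, 1)
	go func() {
		srv := tls.Server(hubEnd, hubCfg)
		err := srv.Handshake()
		srv.Close() // close_notify on success, plain close after a failed handshake
		hubErr <- err
	}()
	dev := tls.Client(devEnd, devCfg)
	devErr := dev.Handshake()
	if devErr == nil {
		// In TLS 1.3 the client finishes before the hub has checked its certificate;
		// one read consumes the hub's alert or close_notify so its write on the
		// synchronous pipe never blocks.
		var buf [1]byte
		dev.Read(buf[:])
	}
	dev.Close()
	if err := <-hubErr; err != nil {
		return err
	}
	return devErr
}

// RunDemo builds one network's CA with a hub and a device under it, plus a
// device certified by an unrelated CA, and reports which the hub admits.
func RunDemo() (sameCAAdmitted, foreignCAAdmitted bool) {
	siteCA, siteKey, _ := mkCert("Example Site BACnet/SC CA", nil, nil) // constructed names throughout
	_, _, hubCert := mkCert("hub.example.invalid", siteCA, siteKey)
	_, _, devCert := mkCert("ahu-1.example.invalid", siteCA, siteKey)
	otherCA, otherKey, _ := mkCert("Unrelated CA", nil, nil)
	_, _, strayCert := mkCert("ahu-1.example.invalid", otherCA, otherKey) // same name, wrong issuer
	trust := x509.NewCertPool()
	trust.AddCert(siteCA)
	hubCfg := &tls.Config{
		Certificates:           []tls.Certificate{hubCert},
		ClientAuth:             tls.RequireAndVerifyClientCert, // no certificate, no connection
		ClientCAs:              trust,                          // and it must chain to this network's CA
		MinVersion:             tls.VersionTLS12,
		SessionTicketsDisabled: true,
	}
	devCfg := func(c tls.Certificate) *tls.Config { // the device checks the hub against the same CA
		return &tls.Config{Certificates: []tls.Certificate{c}, RootCAs: trust,
			ServerName: "hub.example.invalid", MinVersion: tls.VersionTLS12}
	}
	return Admit(hubCfg, devCfg(devCert)) == nil, Admit(hubCfg, devCfg(strayCert)) == nil
}

func main() { fmt.Println(RunDemo()) }
```

The check is mutual: the hub requires a client certificate chaining to its network's CA, and the device sets RootCAs and ServerName so it will not talk to a hub that cannot prove it belongs to the same network either. That pairing is what lets devices sit on networks with no other protection, as the article anticipates. Issuing, renewing and revoking a certificate for every device is not shown here; that provisioning work is part of the cost of the added security the article mentions.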
I have skipped over many important details of BACnet/SC in this short
article. If you are interested in learning more, I encourage you to
read the white paper "BACnet Secure Connect" written by members of the
BACnet IT working group.
About the author
Jim Butler is CTO of Cimetrics Inc., a Boston-based company that
provides analytical services and BACnet communication products to the
buildings industry. Jim has been contributing to the development of the
BACnet standard for almost 25 years. He is currently the convener of
the BACnet IT working group which since 2009 has been developing a new
method of BACnet communication that is now called BACnet/SC. Jim was
also the founding manager of BACnet Testing Laboratories (BTL).