December 2008
Column -

Innovations in Comfort, Efficiency, and Safety Solutions.

(Click Message to Learn More)

BAS Use of Ethernet / IP Infrastructure II

Use of Virtual Local Area Networks

 Paul Ehrlich & Ira Goldschmidt
Building Intelligence Group

As published

January Issue - Column 

Last month we discussed some of the challenges in using a converged network as the main transport for BAS systems. In that discussion we mentioned both the advantages as well some of the challenges in sharing the network infrastructure. This month we would like to focus on the special challenge of data security. This is a topic that often does not get much attention, but is one that has a high risk if not properly addressed on any shared network installation.

New Products
Past Issues

Control Solutions, Inc

Data Security:
Information and control of building systems needs to be restricted only to qualified users. If an unauthorized user is able to gain access to these systems they could potentially not only view information, but could even change system parameters, resulting in possible issues that range from minor discomfort, to equipment damage or worse. Traditionally protection of these systems has been done through user security, requiring a valid user name and password in order to be able to access the system through the systems PC or web based interface tool.

Shared Network Risks:
When we place systems on a common network, however, there is now a new risk which occurs, which is the potential for system breach at the network level. All data that travels on an IP network must conform to a common set of formats called a data packet. Tools called sniffers, are readily available to allow for the viewing of the contents of these packets. The data packets used for BAS applications are often repeated and also utilize open standard contents such as BACnet. It is a fairly easy task for an unauthorized user (i.e. a “hacker”) to look for these packets and attempt to implement control by either using a tool or simply by forming their own “spoofed” data packet.

Reliable Controls VLAN:
There are several readily available ways to prevent this from happening. The most common solution is to have the network administrator implement a function called a “Virtual Local Area Network” or VLAN. The VLAN restricts access to the network only to those network ports or addresses that are authorized. Many systems protect this even further by only allowing designated devices (i.e. PC, controller, etc.) to be connected to a particular network port. VLAN’s provide a necessary level of protection for any BAS system that is used on a converged network, however they need to be properly configured and managed.

The other alternative for protecting systems on a shared or converged network is to use the same type of technology that is used on the Internet to send secure information such as financial transactions. This is called encryption and involves special encoding of the contents of data packets in a manner that can only be decoded by the two devices sharing the information. Work is going on to add encryption and authentication as a future addition to the BACnet standard. In the meantime the use of a converged network remains a good solution, but you need to be sure that the information is properly secured with the use of a VLAN.

About the Authors

Paul and IraPaul and Ira first worked together on a series of ASHRAE projects including the BACnet committee and Guideline 13 – Specifying DDC Controls. The formation of Building Intelligence Group provided them the ability to work together professionally providing assistance to owners with the planning, design and development of Intelligent Building Systems. Building Intelligence Group provides services for clients worldwide including leading Universities, Corporations, and Developers. More information can be found at  We also invite you to contact us directly at or



[Click Banner To Learn More]

[Home Page]  [The Automator]  [About]  [Subscribe ]  [Contact Us]


Want Ads

Our Sponsors