Review of BACnet SC Security

With the increasing importance of security in building automation networks I thought it would be interesting to have an IT security expert review BACnet SC. Terry Kees was happy to take on the challenge.

Review of the “BACnet Secure Connect” White Paper by David Fisher, Bernhard Isler, and Michael Osborne. Written by Terry Kees.

Points to consider, I have no previous experience with the BACnet protocols or building automation, my IT experience comes from years with Sperry Univac (UNISYS), Tandem Computers, Wasatch Alliance, and the Department of Defense.

I have to say I enjoyed reviewing this article on securing BACnet infrastructures. I am basing this review on how I would react to a request to allow a BACnet Secure Connect (BACnet/SC) automation infrastructure to join a building IT Network that I managed.

Prior to even starting the review, I researched the BACnet protocols, with the emphasis being BACnet/IP, and concluded that up until this announcement for BACnet/SC, BACnet security relied on “trusted” network configurations, networks behind tightly secured firewalls and restricted software installations.

BACnet/SC is in no way a replacement for trusted networks, with current IT infrastructures and the “Internet of Things”, firewalls, security procedures, and usage restrictions are an absolute requirement.

BACnet/SC is using the latest IT standard, Transport Layer Security (TLS 1.3), to encrypt/decrypt communications between BACnet/SC enabled devices. BACnet/SC appears to be well thought-out, it uses standard internet protocols (TCP/IP), and offers DHCP with DNS as options for replacing static IP addressing configuration requirements.

The ability of BACnet/SC to utilize secure access from outside and within a facility will allow users to utilize new cloud-based applications securely.

Based on the contents of this White Paper I would approve a BACnet/SC request to connect to a shared IP or trusted network that I manage.

Please keep in mind that I am not that familiar with all the legacy BACnet components, but my overall evaluation from reading this document is that BACnet/SC is going to provide the bridge between facility managers and building IT staff to come together on providing accessible and secure networks that are going to be easier to configure and maintain.

About the Author

Terry began his IT career in 1969 with the USAF as a Cryptographic Systems Specialist. After the Air Force he spent five years with Ford Aerospace tracking and securing DoD Satellites, five years with Sperry (UNISYS) supporting Distributed Communication Processors (DCP), 10 years with Tandem Computers, and recently retired after multiple years as a contractor with DoD at Hill AFB and AFMC.