Hand on keyboard with lock

Managing BACnet Secure Connect Networks

By: Zach Netsov, Product Manager, Siemens Smart Infrastructure USA

Smart buildings are more connected than ever, with previously isolated building systems now converging into one network and potentially being connected to an IT enterprise or other public access networks. If not properly designed and managed, Operational Technology (OT) networks are left vulnerable to cyberattacks. Smart buildings with increasing connectivity and a growing attack surface require IT best practices and management to also be applied to OT networks to strengthen security. BACnet Secure Connect (BACnet/SC) extends the well-known defense-in-depth cybersecurity strategy commonly practiced by IT professionals to OT networks. A properly designed and managed OT network with BACnet/SC could become a building’s last line of defense in the event of a cyberattack.

 

BACnet/SC as Part of a Defense-in-Depth Strategy

Defense-in-depth essentially treats an organization like a medieval castle. It is the simple principle that while no single security feature is perfect, adding many independent layers of defenses will make it difficult for an attacker to breach the walls, and slow them down to the point where an attack isn't worth the expense to initiate it.

 

BACnet/SC should play a part in a comprehensive defense-in-depth design. BACnet/SC’s cybersecurity features such as data encryption and certificate-based authentication provide actual security at the device and network level. In addition, BACnet/SC eliminates several long-standing IT acceptance issues with the BACnet/IP protocol. BACnet/SC replaces the unsecure User Datagram Protocol (UDP) with WebSocket Security (WSS) utilizing the TLS v1.3 encryption standard. Since there is no heavy broadcast traffic, there is no longer a need for static IP addresses for BACnet Broadcast Management Devices (BBMDs) to get across IP subnets. BACnet/SC also easily works across firewalls with Network Address Translation (NAT).

 

By itself, BACnet/SC is not a silver bullet, but its features allow it to be incorporated into a comprehensive defense-in-depth strategy to improve building cybersecurity. To do that, we need to use proven policies, procedures, and tools from the traditional cybersecurity and IT worlds – but extend them with care and understanding to the OT space.

Certificate Management

With BACnet/SC device authentication relies on having the proper certificates. Each device requires two certificates to participate on the BACnet/SC network – a common root certificate which is identical on all devices in a project regardless of device manufacturer, and individual operational certificates which are unique per device and are used for authentication of the device and encryption/decryption of traffic.

 

Certificates can be generated to be valid between one week and 25 years, depending on the need at the time of issue. Cybersecurity-conscious organizations with strong IT departments may prefer to generate short-term certificates and renew them more often to maximize security. Certificates with short validity, such as one week, may also be generated for cases where a device is needed to participate on the network temporarily. An example of a temporary certificate would be a network analyzer tool used for troubleshooting. Organizations that are not as concerned with managing security levels on a periodic basis, but still require a level of security on-going could generate certificates for the lifetime of the system.

 

A certificate authority (CA) generates and signs certificates. The entire BACnet/SC network can only have one CA. Organizations may find it easier to use an internal CA by using BACnet/SC-specific tools supplied by the vendor to generate, sign, provision, and revoke certificates, as well as exchange certificates with other vendors’ tools for interoperability. In this case the IT team or building team charged with certificate management should map out the use cases and procedures they need to efficiently secure the network.

 

Some applications call for enhanced security. In those cases, using a trusted external CA may be requested. This method requires additional workflows for certificate exchange. It’s important to understand that BACnet/SC does not currently have standardized certificate management procedures, so tools and methods may vary based on vendor.

 

Certificate management of OT devices could be handled entirely by on-site IT or building operations staff using vendor provided tools, or with collaboration from OT service providers. In either case, properly secured networks require security-conscious organizational culture and dedicated personnel responsible for device monitoring, certificate renewal, and coordination of different OT vendors on the site. This role also comes with a higher level of responsibility (in some cases including legal responsibility) as the team responsible holds the key to this secure network. IT and OT professionals must collaborate closely to ensure the OT network is properly monitored and managed.

 

Learn more about integrating BACnet/SC into a comprehensive security plan

Download the White Paper, “BACnet Secure Connect: The next generation of OT security for building operations.”