Today’s smart buildings are more flexible and functional than ever before thanks to connected building automation systems that control HVAC, energy, lighting, access control, and fire systems. However, the rise of connected devices that enable smart buildings can also create security challenges and leave buildings vulnerable to cyberattacks.
The building automation industry is actively addressing cybersecurity risks by implementing enhanced security features. BACnet, the leading building automation protocol, recently released BACnet Secure Connect (BACnet/SC), a new data link, as part of the standard. BACnet/SC brings cybersecurity and IT-acceptance to Operational Technology (OT) networks. It adds an encryption layer to communication and requires device authentication using certificates, which makes OT networks less vulnerable to cyberattacks. Unlike BACnet/IP, BACnet/SC employs IT best practices that solve many IT-acceptance issues: with BACnet/SC there is no need for static IP addresses, no BBMDs are required to cross IP subnets, it works well with NAT, and it generates no heavy broadcast traffic on the network.
Owners, integrators, and operators will need to take a stepwise approach in transitioning to BACnet/SC as enabled devices are released to market. Here are some considerations for building stakeholders who wish to strengthen their OT network security.
Existing buildings versus new construction
Existing buildings: Building stakeholders will need to plan and manage BACnet/SC integration and security improvements for their building’s existing OT network. Today, more than 1,200 manufacturers incorporate the BACnet standard into a broad range of interoperable building automation products. Buildings with existing BACnet systems already contain BACnet/IP and BACnet MS/TP devices. BACnet/SC can be integrated into these existing networks using BACnet routers. Older devices will not meet the significant computing resource requirements needed to make them compatible with a firmware update to BACnet/SC. New devices will be released with BACnet/SC-native support, or as ready for firmware updates to support BACnet/SC in the near future.
Introducing BACnet/SC into an existing BACnet system begins by logically partitioning the building and structuring the project into individual BACnet logical networks of different data link types. Integration can then start with a small BACnet/SC logical network "island" which connects to BACnet/IP and BACnet MS/TP networks using BACnet routers. There should be a plan in place to upgrade the remaining unsecure networks as the devices on those networks become obsolete and replacement products become available.
New construction: New building automation networks will initially be designed using both currently available BACnet devices as well as newly available BACnet/SC-native or BACnet/SC-ready devices, with a plan to upgrade unsecure parts of the network as new devices and firmware updates are released to market. Workstations and primary controllers should be the first priority for BACnet/SC integrations because they are more likely to be on shared networks with public access such as enterprise networks or the internet, and there is less pressure to secure networks deep inside the building for now.
Keep in mind that BACnet/SC’s security does not extend to unsecured network segments outside of the BACnet/SC logical part of the network. Traditional methods of securing unsecure OT network segments such as VLANs and VPNs still need to be used until the entire network is secured with full BACnet/SC compatibility. Traditional methods of securing networks should be kept in place to provide an additional layer of security even after a full BACnet/SC system is deployed, so long as they don’t prevent interoperability and data accessibility that supports smart building goals.
IT and OT Collaboration
IT and OT professionals will need to work closely together to deploy secure smart building automation networks that leverage BACnet/SC. With BACnet/SC, previously separated OT networks such as HVAC, energy, lighting, access control, and fire can converge and IT best practices including cybersecurity and certificate management can be implemented on this new secure OT network.
In new construction, BACnet/SC also allows IT and OT the option to design the entire building IP infrastructure together, taking the building’s overall bandwidth requirements into consideration. Running the previously separated networks on the same physical infrastructure, with some well-established cybersecurity tactics such as firewalls between IT and OT in place, maintains maximum network security. IT/OT network convergence eliminates the cost and complexity of running separate network segments and allows for better network monitoring and management workflow, while also enabling smart building applications which require data to flow throughout the organization.
Designing the BACnet/SC Network
Buildings that contain a mix of BACnet networks with BACnet/IP, BACnet MS/TP, and BACnet/SC are not inherently secure. Simply adding BACnet/SC will not secure the entire network, since the same physical layer (Ethernet) and network layer (IP) are likely to be shared with the unsecure BACnet/IP protocol. This means that initially, OT networks will be designed very much like they are designed today. In these networks, BACnet/SC communication is only secure between the BACnet/SC hub and node devices. For now, these mixed networks should be treated like an unsecure BACnet/IP network until a full BACnet/SC system is achieved, or until BACnet firewalls are introduced. Another option for securing network segments is using routers and firewalls with deep packet inspection or other IT practices for managing network traffic. BACnet/SC drastically improves OT network security, but by itself is not a silver bullet. BACnet/SC provides a powerful set of tools to be incorporated into a multilayered defense in depth approach, which can significantly strengthen the building's cybersecurity.
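One way to find out how much of a mixed segment still relies on the legacy BACnet/IP data link is to inventory its BVLC frames: the Original-Broadcast and BBMD-forwarded frames are exactly the traffic BACnet/SC removes, and a segment that still carries them must keep the VLAN and firewall controls described above. The script below is an added example, not code from the article or from any BACnet vendor; the frame samples are constructed, and the BVLC function codes are those of the BACnet/IP data link (Annex J of the standard).

```python
"""Inventory legacy BACnet/IP traffic on a mixed BACnet/IP + BACnet/SC segment.

Added example (not from the original article). Input is a list of
(source_ip, destination_udp_port, payload) tuples as a capture tool would
hand them over; the frames at the bottom are constructed for illustration.
"""
from collections import Counter
from typing import Optional

BACNET_IP_PORT = 47808  # 0xBAC0, the default BACnet/IP UDP port

# BVLC function codes of the BACnet/IP data link (Annex J)
BVLC_FUNCTIONS = {
    0x04: "Forwarded-NPDU",           # relayed by a BBMD across an IP subnet
    0x0A: "Original-Unicast-NPDU",
    0x0B: "Original-Broadcast-NPDU",  # the broadcast traffic BACnet/SC eliminates
}


def parse_bvlc(payload: bytes) -> Optional[dict]:
    """Decode the 4-byte BVLC header; return None if this is not a BACnet/IP frame."""
    if len(payload) < 4 or payload[0] != 0x81:      # 0x81 = BVLC for BACnet/IP
        return None
    func = payload[1]
    length = int.from_bytes(payload[2:4], "big")    # total frame length incl. header
    if length != len(payload):
        return None                                 # truncated or malformed frame
    return {"function": BVLC_FUNCTIONS.get(func, f"unknown-0x{func:02x}"),
            "broadcast": func == 0x0B, "bbmd_forwarded": func == 0x04}


def inventory(frames) -> Counter:
    """Count BACnet/IP frames on the segment by BVLC function name."""
    counts: Counter = Counter()
    for _src, dst_port, payload in frames:
        if dst_port != BACNET_IP_PORT:
            continue                                # not BACnet/IP (e.g. BACnet/SC over TLS)
        info = parse_bvlc(payload)
        if info:
            counts[info["function"]] += 1
    return counts


def legacy_risk_summary(frames) -> dict:
    """Totals an operator can use to decide whether a segment still needs VLAN/firewall controls."""
    counts = inventory(frames)
    exposed = counts["Original-Broadcast-NPDU"] + counts["Forwarded-NPDU"]
    return {"bacnet_ip_frames": sum(counts.values()), "broadcast_or_bbmd": exposed}


# Constructed sample capture: a broadcast Who-Is, a BBMD-forwarded Who-Is, a unicast
# Who-Is, one BACnet/SC frame on another port, and one malformed (short-length) frame.
SAMPLE_FRAMES = [
    ("10.0.1.20", 47808, bytes.fromhex("810b000c" "0120ffff00ff" "1008")),
    ("10.0.2.1",  47808, bytes.fromhex("81040012" "0a000214bac0" "0120ffff00ff" "1008")),
    ("10.0.1.30", 47808, bytes.fromhex("810a0008" "0100" "1008")),
    ("10.0.1.40", 443,   b"\x16\x03\x03\x00\x2a"),
    ("10.0.1.50", 47808, bytes.fromhex("810b0004" "0120")),
]
```

Running `legacy_risk_summary(SAMPLE_FRAMES)` on the constructed capture reports three BACnet/IP frames, two of which are broadcast or BBMD-forwarded and therefore outside anything BACnet/SC protects.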
Learn more about integrating BACnet/SC into a comprehensive security plan from our white paper, “BACnet Secure Connect: The next generation of OT security for building operations.”
Published: January 26, 2022