BACnet/SC: A Secure Alternative to BACnet/IP
•Download as PPTX, PDF•
0 likes•2,676 views
Jim Butler, covener of BACnet IT Working group, CTO of Cimetrics presents: BACnet/SC Overview: - A secure BACnet option for TCP/IP networks - Will improve network security in any deployment scenario - Not yet finalized!! - Backward-compatible with existing BACnet deployments and devices - Built on standard IT network protocols: WebSockets and TLS 1.2+ - NAT and firewall friendly - Static IP addresses are not required - No more UDP broadcasts and BBMDs What is secure about BACnet/SC? - Encrypted communication (TLS) - Site-based authentication of devices (TLS) - New: Carrier for user authorization data (OAuth 2)
More Related Content
What's hot
What's hot (20)
Similar to BACnet/SC: A Secure Alternative to BACnet/IP
Similar to BACnet/SC: A Secure Alternative to BACnet/IP (20)
More from Cimetrics Inc
More from Cimetrics Inc (20)
Recently uploaded
Recently uploaded (20)
BACnet/SC: A Secure Alternative to BACnet/IP
- 1. BACnet/SC: A “Secure” Alternative to BACnet/IP Jim Butler Cimetrics Inc.
- 2. About Cimetrics • BACnet communication products (since 1995) • BACnet protocol stacks • Routers, gateways, meter interfaces, … • Building system analytics (since 2000) • FDD software (SaaS) • Professional services 2
- 3. BACnet/IP Overview • Widely used BAS backbone network protocol • Published in 1999 • Employs UDP for communication on TCP/IP networks • Static IP addresses are typically used • DNS is not used • Can easily span multiple IP subnets • … but the management of broadcast messages can be tricky in practice • Can be used in a NAT environment, but not easily 3
- 4. Securing BACnet/IP networks • BACnet/IP has no native security features! • Common ”secure” deployment options: • Physically separate BAS network • Dedicated VLAN(s) or VPN for BAS 4
- 5. IP Router D1 D2 D3 D4 IP Subnet A IP Subnet B BBMD A BBMD B 6 A Simple BACnet/IP Network
- 6. 7 IP Router D1 D2 D3 D4 IP Subnet A IP Subnet B BBMD A BBMD B D5 IP Subnet C Foreign Device BACnet/IP Foreign Device Registration
- 7. 8 IP Subnet A IP Subnet B BBMD A BBMD B D5 IP Subnet C Foreign Device BACnet/IP Broadcast Message Forwarding
- 8. 99 IP Subnet A IP Subnet B BBMD A BBMD B D5 IP Subnet C Foreign Device BACnet/IP Broadcast Message Forwarding IP Subnet D BBMD D BBMD E IP Subnet E BBMD F IP Subnet F
- 9. 101010 IP Subnet A IP Subnet B BBMD A BBMD B D5 IP Subnet C Foreign Device BACnet/IP Broadcast Message Forwarding IP Subnet D BBMD D BBMD E IP Subnet E BBMD F IP Subnet F
- 10. 1212121212 IP Subnet A IP Subnet B BBMD A BBMD B D5 IP Subnet C Foreign Device BACnet/IP Broadcast Message Forwarding IP Subnet D BBMD D BBMD E IP Subnet E BBMD F IP Subnet F
- 11. 131313131313 BACnet/IP and Network Address Translation (NAT) IP Router with NAT BACnet BBMD/Router IP Router with NAT BACnet BBMD/Router Private IP Network B Private IP Network A D1 D2 D3 D4 “Public” IP Network
- 12. BACnet/SC Overview • A “secure” BACnet option for TCP/IP networks • Will improve network security in any deployment scenario • Not yet finalized!!! • Backward-compatible with existing BACnet deployments and devices • Built on standard IT network protocols: WebSockets and TLS 1.2+ • NAT and firewall friendly • Static IP addresses are not required • No more UDP broadcasts and BBMDs 14
- 13. What is “secure” about BACnet/SC? • Encrypted communication (TLS) • Site-based authentication of devices (TLS) • New: Carrier for user authorization data (OAuth 2) 15
- 14. 16 BACnet/SC Logical Network Topology PP PP BACnet/SC Primary Hub BACnet/SC Regular Node hub connection Fisher, Isler and Osborne (2018) BACnet/SC hubs link devices
- 15. Peer-to-Peer Direct Connections 17 Fisher, Isler and Osborne (2018) PP optional direct connection
- 16. 18 Hub redundancy Fisher, Isler and Osborne (2018)
- 17. 19 Secure communication on unsecure networks Fisher, Isler and Osborne (2018) The Facility PP FF BACnet/SC devices
- 18. 20 Remote access through firewall Fisher, Isler and Osborne (2018)
- 19. 21 Integration with “insecure” BACnet devices Fisher, Isler and Osborne (2018)
- 20. Learn more about BACnet/SC http://www.bacnet.org/Bibliography/B-SC-Whitepaper- v10_Final_20180710.pdf 2019 ASHRAE Winter Conference: “Securing BACnet Networks: Present and Future” (Seminar 47) 22
- 21. Takeaways • BACnet/SC will be a “secure” alternative to BACnet/IP. • BACnet/SC complements VLANs and other existing security methods. • Security comes at a cost. 23
- 22. Backup Slides 24
- 23. 25 Fisher, Isler and Osborne (2018)
- 24. 26
Editor's Notes
- BACnet/SC: The SC stands for "secure connect".
- A little about Cimetrics: we have been involved in the development of the BACnet standard since 1994. Our experience providing BACnet products to the controls industry and to their customers motivated us to develop HVAC analytics software in order to find ways to improve the performance of building systems.
- I think that most of you are already generally familiar with BACnet/IP, but I would like to review its general characteristics so that we can see how BACnet/SC differs.
- BACnet/IP is like other BACnet data links in that it is easy to add a device to a network. That is one consequence of the fact that BACnet/IP has no native security features, so securing a BACnet/IP network typically involves setting up one or more dedicated VLANs. This works pretty well as long as the VLANs are set up correctly.
- Here is a diagram of a simple BACnet/IP network. The devices D1-D4 can directly communicate with each other through the IP routing infrastructure using unicast messages. However, BACnet/IP broadcast messages are blocked by the IP router, so we invented BBMDs in order to forward BACnet broadcasts between IP subnets.
- Foreign devices typically reside on IP subnets that don't have a BBMD. They can register with a BBMD in order to fully participate in a BACnet/IP network. In this diagram, foreign device D5 has registered with BBMD "B".
- When device D5 wants to send a BACnet broadcast to all of the devices in the BACnet/IP network, it sends the broadcast to BBMD "B", which locally broadcasts the message on IP subnet "B" and forwards the broadcast to BBMD "A", which in turn locally broadcasts the message on IP subnet "A".
- BACnet/IP networks can become much more complicated in a big system. In this diagram, the BACnet/IP network consists of devices connected to six different IP subnets. This is an example of a "full mesh" BBMD configuration, because every BBMD is configured to forward broadcasts to every other BBMD. A full mesh configuration does not scale well.
- In order to limit the propagation of broadcast traffic, BBMDs can be configured in various ways. In this diagram, BBMD "B" will see all of the broadcast messages in the BACnet/IP network, but BBMD "D" will not see broadcast messages that originate in IP subnets "A", "E", and "F".
- Other BBMD configurations are possible, depending on where broadcast messages need to go. Unfortunately we have found that many controls technicians are unfamiliar with how to set up BBMDs in order to optimize the flow of broadcast traffic in a particular system.
- It is also possible to use BACnet/IP in an environment in which network address translation is used. Not only does this require the proper configuration of BBMD/Routers, but the NATting IP routers also require special configuration.
- Now let's talk about BACnet/SC. First I should mention that the BACnet/SC specification is still under development, but I expect that it will be approved sometime in the latter part of next year. BACnet/SC is a "secure" alternative to BACnet/IP, and it has some other benefits. For example, BBMDs are not used! But most importantly, BACnet/SC uses TLS, a secure transport protocol...
- Why do we say that BACnet/SC is "secure"? It provides encrypted communication and device authentication, both of which are enabled by the TLS protocol. Only devices that have an operating certificate signed by the site's certificate authority can join that site's BACnet/SC network.
- Let's look at the architecture of a BACnet/SC network. One essential device is the hub. Every other device establishes a secure connection to the hub. The hub is responsible for forwarding all broadcast messages between the other devices. As well, the hub can forward unicast messages; in this respect it differs from a BBMD. Note that the hub can be anywhere that can be reached by the other BACnet/SC devices.
- Devices can optionally attempt to establish peer-to-peer connections for exchanging unicast messages. This improves the performance of the network and reduces the dependency on the hub.
- Another way to reduce the dependency on the hub is to add a second hub. In the event of a failure of the primary hub, devices will establish a connection to the secondary or failover hub.
- Let's look at a few possible deployment scenarios. In this first scenario, BACnet/SC is used to secure the communication between devices connected to networks that are considered to be "unsecure".
- In this scenario, BACnet/SC is used to enable communication between Internet-connected devices (such as the operator workstation in this diagram) and a network of BACnet/IP devices that are behind a firewall. Note that the primary and failover hubs are in "the cloud". The OWS and the BACnet router establish a BACnet/SC connection to the primary and failover hubs.
- Here is one more scenario, which shows a system containing both BACnet/SC devices and other BACnet devices. BACnet routers provide the glue that connects the different BACnet networks. Since the primary and failover hubs are behind a firewall, the Internet-connected laptop will need some means to establish a BACnet/SC connection to those hubs through the firewall.
- If you are interested in learning more about BACnet/SC, there is a white paper that you can freely download from bacnet dot org. BACnet/SC will also be discussed during a seminar in the upcoming ASHRAE conference in January.
- Here is what I hope that you will take away from this talk... BACnet/SC will be able to be used instead of BACnet/IP when additional network security is needed. I should emphasize that you can use BACnet/SC with VLANs and other existing network security infrastructure. But of course, security comes at a cost, for example the need for additional device configuration and the maintenance of a certificate authority. Thank you for your attention.
- The BACnet/SC protocol stack
- Here is a scenario in which multiple retail stores are connected using BACnet/SC over the Internet.