According to BACnet International, BACnet Secure Connect (BACnet/SC) is an addendum to the BACnet protocol released by the ASHRAE BACnet Committee. It is a secure, encrypted communication datalink layer that is specifically designed to meet the requirements, policies, and constraints of minimally managed to professionally managed IP infrastructures.
BACnet/SC is an important addition to the toolbox of product designers to develop more secure building automation products and systems. It does not replace existing BACnet options but complements them. In the end, it is one piece of the larger industry effort to address the growing need for cybersecurity in building systems.
To help speed development of BACnet/SC, BACnet International created a reference implementation that was made available to BACnet International members in the form of source code on SourceForge. Contemporary Controls was an early adopter and worked with other BACnet International members to ensure interoperability of the technology. For many years, Contemporary Controls has been providing BACnet connectivity products for BACnet/IP and BACnet MS/TP networks. Adding BACnet/SC connectivity is a natural extension of the company's "Building on BACnet" product line.
BACnet/IP and BACnet MS/TP data transmissions are not encrypted, so to operate over highly secure datalinks, BACnet/SC was invented. Implementing a secure strategy does not necessarily mean replacing existing equipment. With an understanding of the system requirements and an appreciation of the available connectivity options, it is possible to implement a cost-effective hybrid system that complies with security needs while retaining much of which already exists.
BACnet/SC allows two BAS devices to establish a highly secure and encrypted connection, over which conventional BACnet messages can be sent and received. This involves encryption, decryption, and certification using well established technologies from the IT world, such as WebSocket and Transport Layer Security (TLS). Another goal of the BACnet/SC initiative was to eliminate the need for BACnet Broadcast Message Device (BBMD) which can be confusing to manage on larger IP networks. A BBMD allows broadcast messages, commonly used with the BACnet protocol, to span multiple IP subnets. To accomplish encryption while eliminating the need for a BBMD resulted in a hub and spoke architecture where all secure BACnet transmissions initiated by nodes pass through a centralized hub. The hub decides to which nodes an initiating transmission is to be sent. In the case of a broadcast, all nodes would receive it. Since a centralized hub is a single point of failure, a backup hub or failover hub is typically used. In this situation, the centralized hub is called the primary hub.
Transport Layer Security (TLS) relies on the use of Certificates and Keys for data encryption, device authentication, and data integrity (i.e. no tampering). Keys occur in pairs (public/private key) and are used for encryption/decryption. A session key for communication may be generated after initial key exchange for added security. Certificates are used for authentication and encryption. The public key is part of the certificate while the private key is secret to the device.
The certificates are issued by a Certificate Authority (CA). All devices must have the certificates issues by the same CA to communicate. The device can get the certificate directly from the CA or send a Certificate Signing Request (CSR) to the CA to get the corresponding certificate.
While it is possible to have a BACnet/SC workstation or controller, it is more likely to have legacy BACnet/IP, BACnet MS/TP, or even BACnet Ethernet stations that are not secure. To create a secure node from a legacy station, a BACnet router to BACnet/SC node is required. The Contemporary Controls BASrouterSC router has two 10/100 Mbps Ethernet ports. One Ethernet port provides a BACnet/SC node connection while the other Ethernet port is for legacy BACnet/IP or BACnet Ethernet. The BASrouterSC router has another connectivity feature. It has two BACnet MS/TP ports allowing for the routing of legacy BACnet MS/TP networks to BACnet/SC. If more Ethernet ports are required, simple unmanaged or managed Ethernet switches can be connected to either the BACnet/SC port or BACnet/IP port, but it is critical to keep these two Ethernet networks separate otherwise security is compromised. The BACnet/SC node port is to connect to a BACnet/ SC primary hub and optionally to a BACnet/SC failover hub using an Ethernet switch.
Within the BACnet/SC datalink, the BASrouterSC router is considered a BACnet/SC node communicating with a BACnet/SC hub. However, the BASrouterSC router can be configured as BACnet/SC hub. This can be useful when dealing with smaller BACnet/SC networks.