
BACnet/SC addresses the increasing cybersecurity requirements of modern building management systems (BMSs) by enabling secure, user-friendly integration of building automation networks into existing IT infrastructure. To achieve this, BACnet/SC leverages Transport Layer Security (TLS) to implement well-established Internet security controls, such as authentication, encryption, and data integrity protection.
TLS relies on certificates and keys for data encryption, device authentication, and data integrity (i.e., protection against tampering). Keys come in pairs, a public key and a private key, and are used for encryption and decryption.
Certificates are used for authentication and encryption. They are typically issued and managed by a trusted third party, a Certificate Authority (CA). A well-known CA, such as Verisign, Comodo, GoDaddy, or Let's Encrypt, can provide seamless access to a website over the public internet. These trusted CAs only issue certificates for websites that have a public IP address; they will not do so for devices on an internal network with private IP addresses.
As BMS devices typically reside on an internal network, systems integrators can generate self-signed certificates so that their browser trusts these devices. Self-signed certificates are appropriate for development and testing environments, internal-network websites, and securing the web pages served by devices. The company or developer responsible for the website or software creates the certificate and signs it with the owner's private key. Unlike certificates issued by a trusted CA, self-signed certificates are not verified by an external third party.
BACnet/IP and BACnet/SC both operate over the IP layer. BACnet/IP uses unencrypted communication over a UDP port, whereas BACnet/SC is connection-based and uses TCP ports for encrypted communication. BACnet/IP uses broadcast messages for discovery and allows any BACnet/IP device to participate in the network. BACnet/SC, with its TCP connections, introduces the concept of "hub" and "node" devices: nodes (end devices) communicate with each other primarily through the hub using directed messages, and there are no broadcast messages.
BACnet/SC gives systems integrators and developers a standardized approach for improving system security while maintaining compatibility with existing BACnet solutions. It enhances established BACnet technologies by addressing the growing cybersecurity requirements of building systems.
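As an added illustration of the self-signed-certificate workflow just described (an example script written for this page, not code from the white paper or from any BACnet/SC product), the POSIX shell script below uses the openssl CLI to create a self-signed certificate for an internal BMS device and then shows that it verifies only once the verifier has explicitly been told to trust it. The device name, the private IP address in the SAN, and the working directory are assumed values.

```shell
#!/bin/sh
# Added example (not from the original page): self-signed device certificate
# for an internal BMS device, and how trust in it is (or is not) established.
# Requires the openssl CLI. Device name, IP and work dir are assumed values.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"

# Create the certificate: the device's own private key signs it, so no
# external CA is involved. The SAN carries the assumed host name and private IP.
make_self_signed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORKDIR/device.key" -out "$WORKDIR/device.crt" \
        -subj "/CN=ahu-controller-01.bms.example" \
        -addext "subjectAltName=DNS:ahu-controller-01.bms.example,IP:192.168.10.25" \
        >/dev/null 2>&1
    # A self-signed certificate has issuer == subject; return that as the status.
    issuer=$(openssl x509 -in "$WORKDIR/device.crt" -noout -issuer)
    subject=$(openssl x509 -in "$WORKDIR/device.crt" -noout -subject)
    [ "${issuer#issuer=}" = "${subject#subject=}" ]
}

# Verification with the device certificate installed as a trust anchor, which
# is what importing it into a browser or OS trust store does. Prints
# "trusted" or "untrusted"; -no-CApath keeps the system store out of the picture.
verify_with_trust_anchor() {
    if openssl verify -no-CApath -CAfile "$WORKDIR/device.crt" \
            "$WORKDIR/device.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

# Verification against an empty trust store, i.e. a client that has never been
# told to trust this device: no third party vouches for it, so it fails.
verify_without_trust_anchor() {
    if openssl verify -no-CAfile -no-CApath \
            "$WORKDIR/device.crt" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}
```

The second check is the failure an integrator sees in the browser before the device certificate is imported; the first is what the import fixes.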
To learn more, download the white paper, Understanding BACnet/SC for Easy IT Integration.