While 56-bit DES encryption has been a standard feature of BACnet since it was first launched on the market, it has gone mostly unused in practice. Since fall 2019, however, an extension of the standard has been available in the form of BACnet Secure Connect (BACnet/SC), which sets the bar for the most up-to-date cybersecurity measures.
Aside from the security concerns, BACnet projects have traditionally often faced resistance from IT managers, with the use of broadcast messages and the somewhat unconventional assignment of the port number (dec. 47808 = hex BAC0) frequently met with skepticism.
In a bid to address these concerns, three clear objectives were set for the development of BACnet/SC:
- enhanced cybersecurity through the use of the latest TLS 1.3 standard and X.509 certificates
- IT-friendliness achieved by leveraging established IT standards and protocols
- downward compatibility (routing) with existing BACnet systems
Technical configuration of BACnet Secure Connect
BACnet/SC uses WebSockets based on the TCP protocol for communication. These WebSockets are based on relaying HTTPS connections, which IT departments are familiar with as a well-known and established procedure. It makes no difference whether the currently prevalent IPv4 or IPv6 is used, and even the media (data link layer) may vary – for example, Ethernet, Wi-Fi, 4G, or 5G. BACnet/SC complements the existing eight data link layers, such as BACnet/IP or MS/TP, ensuring that existing BACnet networks can be easily connected to a secure BACnet/SC infrastructure (BACnet routing).
BACnet/SC is based on a ‘hub-and-spoke’ architecture, where all communication and device authentication are handled through a central hub known as the primary hub (PH). In the event of a communication failure, a failover hub (FH) takes over this role. This is ideally connected to a different power supply and located in a separate fire zone and IT segment. The option is also available for two devices to communicate with each other directly (direct connect), for example, to ensure better scalability or share important messages. In this case, the devices authenticate each other mutually.
For remote access from outside via the insecure Internet, PH and FH can also be hosted off-site in cloud systems. The local firewall is also very IT-friendly in terms of the necessary configuration and therefore straightforward to operate. Only outgoing HTTPS traffic needs to be enabled, which is typically already configured in most IT networks.