Beckhoff – BACnet as a secure standard in building automation

Beckhoff

BACnet Secure Connect – Making building automation secure

 

When the BACnet (building automation and control networks) standard was first released in 1995, cybersecurity was not yet a concern in the field of building automation. The open and interoperable nature of BACnet contributed to its quick and widespread adoption; however, global networking and the integration of the Internet into building automation equipment now pose new challenges for IT security. This is where BACnet Secure Connect comes in to tackle these evolving concerns.

 

BACnet has included an encryption option since it first came onto the market, a 56-bit DES scheme, but it has gone mostly unused in practice and 56-bit DES is no longer considered adequate. Since fall 2019, however, an extension of the standard has been available in the form of BACnet Secure Connect (BACnet/SC), which brings current cybersecurity practice (modern TLS and certificate-based authentication) to BACnet.

Frank Schubert has been working in the Building Automation Marketing & Training department at Beckhoff Automation GmbH & Co. KG, Verl, since 2015. He has been involved with the BACnet standard since 1997, is a member of the Marketing and Technical Working Groups in the BACnet Interest Group Europe, and active in the BACnet Committee SSPC-135 at ASHRAE, supporting the ongoing development of the BACnet standard.


 

Aside from the security concerns, BACnet projects have traditionally faced resistance from IT managers: the use of broadcast messages and the unconventional choice of port number (decimal 47808 = hex BAC0) are frequently met with skepticism.

In a bid to address these concerns, three clear objectives were set for the development of BACnet/SC:

  • enhanced cybersecurity through the use of the latest TLS 1.3 standard and X.509 certificates
  • IT-friendliness achieved by leveraging established IT standards and protocols
  • downward compatibility (routing) with existing BACnet systems

 

Technical configuration of BACnet Secure Connect

BACnet/SC communicates over WebSockets, which run on TCP and are established through a TLS-protected HTTPS connection (the wss: scheme), a procedure IT departments already know and operate. It makes no difference whether the currently prevalent IPv4 or IPv6 is used, and even the medium (data link layer) may vary, for example Ethernet, Wi-Fi, 4G, or 5G. BACnet/SC complements the eight existing BACnet data link layers, such as BACnet/IP or MS/TP, so that existing BACnet networks can be connected to a secure BACnet/SC infrastructure through a BACnet router (BACnet routing).

BACnet/SC is based on a ‘hub-and-spoke’ architecture: every node opens a TLS connection to a central hub, the primary hub (PH), which authenticates the node and relays its messages to the other nodes. If the PH becomes unreachable, a failover hub (FH) takes over this role. The FH should ideally be connected to a different power supply and located in a separate fire zone and IT segment. Two devices may also communicate with each other directly (direct connect), for example to improve scalability or to exchange important messages without passing through the hub. In this case, the two devices authenticate each other mutually.

For remote access from outside across the untrusted Internet, PH and FH can also be hosted off-site in cloud systems. The local firewall then needs only an IT-friendly configuration and is straightforward to operate: nodes open outbound HTTPS connections to the hub, so only outgoing HTTPS traffic has to be permitted, which is typically already the case in most IT networks. No inbound port has to be opened on site; inbound connections terminate only at the hub, wherever it is hosted, which is why the hardening and certificate handling of the hub itself deserve particular attention.

 

Use of certificates

TLS 1.3 authenticates the endpoints with X.509 certificates, which are signed by a central certificate authority (CA) that all devices trust. When a device presents its certificate to the hub, the hub checks the details: that the certificate is well formed and currently within its validity period, that it has not expired, and that its signature chains to the trusted CA. Because the BACnet/SC connection is mutually authenticated, the device applies the same checks to the certificate the hub presents.

The CA does not have to be an external provider; it can be operated locally as part of the IT infrastructure using software such as OpenSSL. Its signing key is then the root of trust for the entire BACnet/SC network, so strict access control on the CA is essential to prevent security breaches.

 

Organizational challenges for building automation

All of these technical requirements give rise to a whole host of new organizational tasks and challenges in practice. Certificates provide protection only if they are replaced regularly; very long (e.g., several years’) or even unlimited validity periods leave a compromised or lost key usable for that entire time. If the certificate for a device expires and is not renewed, it is no longer possible to communicate with that device until the certificate is updated. Projects therefore have to settle who is responsible for these tasks and for performing regular renewals: the system integrator during annual maintenance, the facility manager, or the IT department?

TwinCAT 3 from Beckhoff integrates all important subsystems such as BACnet and also supports BACnet rev. 14 with TwinCAT 3 BACnet (TF8020).


 

To automate this process, the BACnet standard defines a procedure in which a device generates a certificate signing request (CSR) as a file. This file is then transferred to the CA, where it is signed and returned to the device as a signed certificate. With this procedure in place, certificates can be replaced with minimal effort and therefore updated at regular intervals.

 

Convergence of IT and OT

In today’s building automation projects, the boundaries between IT (information technology) and OT (operational technology) are often blurred and no longer clearly distinguishable. Attacks on these systems have increased sharply in recent years, leading to continuously rising cybersecurity requirements. Inadequately protected OT systems often serve as entry points for cyberattacks, and building automation components can also be affected by threats originating in the IT environment.

It is with all of this in mind that the IT and BA departments have to collaborate and work together closely to maximize their defense against attacks. It is also essential to define organizational processes and have appropriate data backups in place in case of a successful attack. Yet even with the best preparation, a successful attack can result in several months of downtime and significant financial damage.

A user- or role-based authentication and authorization system is currently in the initial stages as an addendum to the BACnet standard.

 

Secure communication systems

BACnet/SC faces challenges in gaining acceptance compared to established, equally secure communication systems such as OPC UA. Many consider the need to secure open BACnet as urgent; however, IT departments often advocate for the use of OPC UA or MQTT. Firewall rules and anomaly-detection signatures already exist for these protocols, while they are often still lacking for the relatively new BACnet/SC.

It therefore remains to be seen which protocol or standard will prevail and gain the necessary acceptance from all stakeholders. On the other hand, BACnet/SC continues to use the established BACnet object model and the same services as the other data link layers such as MS/TP or BACnet/IP, which means existing systems can be migrated with little effort. Regardless of the outcome, one thing remains certain: in a networked world, building automation must be designed with security in mind.

 

Further information

Source: Beckhoff

EMR Analysis

More information on Beckhoff: See the full profile on EMR Executive Services

More information on Hans Beckhoff (Managing Owner, Beckhoff Automation, Beckhoff): See the full profile on EMR Executive Services

More information on Frank Schubert (Manager, Building Automation Marketing & Training Department, Beckhoff): See the full profile on EMR Executive Services

More information on TwinCAT Software by Beckhoff: https://www.beckhoff.com/en-en/products/automation/twincat/ + On the software side, the TwinCAT (The Windows Control and Automation Technology) automation suite forms the core of the control system. TwinCAT turns almost any PC-based system into a real-time control with multiple PLC, NC, CNC, and/or robotics runtime systems. The possibility of modular extensions means functional changes and additions can be made at any time. If required, the openness of the control system allows not only the integration of third-party components, but also customized retrofit solutions for existing machines and systems. This ensures flexibility and investment protection for the customer.

 

More information on BACnet: http://www.bacnet.org/ + A Data Communication Protocol for Building Automation and Control Networks. Developed under the auspices of the American Society of Heating, Refrigerating and Air-Conditioning Engineers (ASHRAE), BACnet is an American national standard, a European standard, a national standard in more than 30 countries, and an ISO global standard. The protocol is supported and maintained by ASHRAE Standing Standard Project Committee 135 whose members have created and provided the content for this Website.

More information on BACnet Secure Connect by BACnet: https://bacnetinternational.org/bacnetsc/ + BACnet Secure Connect (BACnet/SC) is an addendum to the BACnet protocol released by the ASHRAE BACnet Committee. It is a secure, encrypted communication datalink layer that is specifically designed to meet the requirements, policies, and constraints of minimally managed to professionally managed IP infrastructures.

BACnet/SC is an important addition to the toolbox of product designers developing more secure building automation products and systems. It does not replace existing BACnet options but complements them. In the end, it is one piece of the larger industry effort to address the growing need for cybersecurity in building systems.

 

 

 

EMR Additional Notes:

  • Cybersecurity: 
    • Computer security, cybersecurity, or information technology security is the protection of computer systems and networks from information disclosure, theft of or damage to their hardware, software, or electronic data, as well as from the disruption or misdirection of the services they provide.
    • Ransomware strike: Ransomware attacks work by gaining access to your computer or device, and then locking and encrypting the data stored on it. How does this happen? It often happens when victims unknowingly run malware delivered through email attachments or links sent by attackers.
  • Data breach:
    • A data breach is a security violation, in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an individual unauthorized to do so. Other terms are unintentional information disclosure, data leak, information leakage, and data spill.
  • Cyber Attack:
    • Targeting an enterprise’s use of cyberspace for the purpose of disrupting, disabling, destroying, or maliciously controlling a computing environment/infrastructure; or destroying the integrity of the data or stealing controlled information.
  • Malware:
    • Malware, or malicious software, is any program or file that is intentionally harmful to a computer, network or server. Types of malware include computer viruses, worms, Trojan horses, ransomware and spyware.
  • Penetration Testing:
    • Penetration testing (or pen testing) is a security exercise where a cyber-security expert attempts to find and exploit vulnerabilities in a computer system. The purpose of this simulated attack is to identify any weak spots in a system’s defenses which attackers could take advantage of.
  • Phishing:
    • Phishing attacks are fraudulent emails, text messages, phone calls or web sites designed to trick users into downloading malware, sharing sensitive information or personal data (e.g., Social Security and credit card numbers, bank account numbers, login credentials), or taking other actions that expose themselves or their organizations to cybercrime. Successful phishing attacks often lead to identity theft, credit card fraud, ransomware attacks, data breaches, and huge financial losses for individuals and corporations.
  • Air Gapping:
    • An air gap is a security measure that involves isolating a computer or network and preventing it from establishing an external connection. An air-gapped computer is physically segregated and incapable of connecting wirelessly or physically with other computers or network devices.

 

  • Information Technology (IT) & Operational Technology (OT):
    • Information technology (IT) refers to anything related to computer technology, including hardware and software. Your email, for example, falls under the IT umbrella. This form of technology is less common in industrial settings, but often constitutes the technological backbone of most organizations and companies. These devices and programs have little autonomy and are updated frequently.
    • Operational technology (OT) refers to the hardware and software used to change, monitor, or control physical devices, processes, and events within a company or organization. This form of technology is most commonly used in industrial settings, and the devices this technology refers to typically have more autonomy than information technology devices or programs. Examples of OT include SCADA (Supervisory Control and Data Acquisition).
    • => The main difference between OT and IT devices is that OT devices control the physical world, while IT systems manage data.

 

  • TCP (Transmission Control Protocol): 
    • TCP is a standard that defines how to establish and maintain a network conversation by which applications can exchange data. TCP works with the Internet Protocol (IP), which defines how computers send packets of data to each other.
  • IP Communication:
    • The Internet Protocol (IP) is defined as the protocol for sending data from one computer to another across the Internet, with each computer having at least one IP address that identifies it from all other computers on the Internet.
    • There are two versions of IP that currently coexist in the global Internet: IP version 4 (IPv4) and IP version 6 (IPv6). The majority of current networks still use IPv4. The most obvious difference is that IPv4 uses a 32-bit address while IPv6 uses a 128-bit address. This means that IPv6 offers about 7.9 × 10^28 (2^96) times as many addresses as IPv4, which essentially solves the “running out of addresses” problem (at least for the foreseeable future).
    • MoIP, or mobile communications over internet protocol, is the mobilization of peer-to-peer communications including chat and talk using internet protocol via standard mobile communications applications including 3G, 4G, 5G, GPRS, Wi-Fi …
    • Voice over Internet Protocol (VoIP), is a technology that allows you to make voice calls using a broadband Internet connection instead of a regular (or analog) phone line.

 

  • EtherCAT:
    • The Ethernet Fieldbus: https://www.ethercat.org/default.htm + EtherCAT is the open real-time Ethernet network originally developed by Beckhoff. EtherCAT sets new standards for real-time performance and topology flexibility.
  • EtherCAT Technology Group:
    • The world’s largest Industrial Ethernet organization with 6900 member companies: https://www.ethercat.org/en/tech_group.html + The ETG is a global organization in which OEMs, end users and technology providers join forces to support and promote the further development of the technology. The EtherCAT Technology Group keeps EtherCAT technology open for all potential users.
  • Ethernet:
    • Ethernet is a family of wired computer networking technologies commonly used in local area networks, metropolitan area networks and wide area networks. It was commercially introduced in 1980 and first standardized in 1983 as IEEE 802.3.
  • Single Pair Ethernet (SPE):
    • Single Pair Ethernet cables are copper cables that only contain one twisted pair (single pair) that they use for data transmission, for example in industrial applications.
    • Describes the transmission of Ethernet over only one pair of twisted copper wires. In addition to data transmission via Ethernet, SPE also enables a simultaneous power supply of terminal devices via PoDL – Power over Data Line.
    • As its name suggests, Single Pair Ethernet (SPE) cabling uses only one pair of wires to transmit data, as opposed to the two pair that have long been standard in the majority of Ethernet cabling in use worldwide.
  • Single Pair Ethernet System Alliance:
    • https://singlepairethernet.com/en/
    • The Single Pair Ethernet System Alliance is a worldwide association of leading technology companies. We want to implement and further develop the pioneering Single Pair Ethernet technology. Together and holistically.
    • The Single Pair Ethernet System Alliance is an ever-growing, collaborative community. Technology companies from all over the world jointly drive the further development of SPE technology and its implementation in various applications.
    • Founding Members are: Weidmüller, Phoenix Contact, Rosenberger, Datwyler, Draka and R&M
  • PoE (Power over Ethernet):
    • Power over Ethernet (PoE) is the process of sending electrical power and data over copper wire. The combination of data transmission along with power supplying hardware onto the same RJ45 Ethernet connector allows for the transmission of power over the network cabling.
    • As PoE technology has developed, the amount of power that can be sent over Ethernet cable has increased. IEEE-compliant PoE switches and injectors can deliver from 15.4 watts per port (IEEE 802.3af) up to 90 watts per port (IEEE 802.3bt Type 4).

 

  • Wi-Fi and Z-Wave: 
    • A Wi-Fi network is simply an internet connection that’s shared with multiple devices in a home or business via a wireless router. The router is connected directly to your internet modem and acts as a hub to broadcast the internet signal to all your Wi-Fi enabled devices.
    • Wi-Fi, which most of us are familiar with, operates on either 2.4 GHz or 5 GHz frequencies, providing wireless internet to any connected devices. Z-Wave operates on a much lower frequency — between 800 and 900 MHz — and is primarily for home automation.
    • Wi-Fi 2nd Gen: The standard IEEE 802.11a is referred to as Wi-Fi 2 and is the successor to IEEE 802.11b (Wi-Fi 1). It was the first Wi-Fi standard to introduce the multi-carrier modulation scheme OFDM to support high data rates, unlike the single-carrier scheme used in Wi-Fi 1; 802.11a operates in the 5 GHz band, whereas 802.11b uses 2.4 GHz. The 2.4 GHz band of a Wi-Fi router offers the user a wide coverage area and is better at penetrating solid objects, with usable speeds of around 50–70 Mbps on current equipment (subject to real-world conditions).
    • If you want better range, use 2.4 GHz. If you need higher performance or speed, use the 5GHz band. The 5GHz band, which is the newer of the two, has the potential to cut through network clutter and interference to maximize network performance.
    • Z-Wave operates on a completely different wireless frequency that will not conflict with your Wi-Fi network signal. Z-Wave is a mesh technology that strengthens the network with several connected devices. Z-wave is popular as smart-property technology, powering locks, lights, sensors, thermostats, etc.
    • Z-Wave uses much less power than Wi-Fi. That means it is possible to use battery-powered Z-Wave devices without having to change the batteries frequently. Z-Wave’s security does not come from it being a more closed system; it depends on the protocol’s security framework (Z-Wave S2, which uses AES-128 encryption and an authenticated key exchange) being enabled and correctly implemented on the devices.

 

  • 4G & 5G: 5G is the 5th generation mobile network. It is a new global wireless standard after 1G, 2G, 3G, and 4G networks.
    • 5G enables a new kind of network that is designed to connect virtually everyone and everything together including machines, objects, and devices.
      • First generation – 1G
        1980s: 1G delivered analog voice.
      • Second generation – 2G
        Early 1990s: 2G introduced digital voice (e.g. CDMA- Code Division Multiple Access).
      • Third generation – 3G
        Early 2000s: 3G brought mobile data (e.g. CDMA2000).
      • Fourth generation – 4G LTE
        2010s: 4G LTE ushered in the era of mobile broadband.
    • 5G has started hitting the market end of 2018 and will continue to expand worldwide.
    • Beyond speed improvement, the technology is expected to unleash a massive 5G IoT (Internet of Things) ecosystem where networks can serve comm
    • 5G speed tops out at 10 gigabits per second (Gbps).
      • 5G is 10 to 100 times faster than what you can get with 4G.
    • The main evolution compared with today’s 4G and 4.5G (aka LTE advanced, LTE-A, LTE+ or 4G+) is that, beyond data speed improvements, new IoT and critical communication use cases will require a new level of improved performance.
      • For example, low latency provides real-time interactivity for services using the cloud: this is key to the success of self-driving cars, for example.
      • 5G vs 4G also means at least x100 devices connected. 5G must be able to support 1 million devices for 0.386 square miles or 1 km2.
      • Also, low power consumption is what will allow connected objects to operate for months or years without the need for human assistance.
      • Unlike current IoT services that make performance trade-offs to get the best from current wireless technologies (3G, 4G, Wi-Fi, Bluetooth, Zigbee, etc.), 5G networks will be designed to bring the level of performance needed for massive IoT.

 

  • OPC UA:
    • OPC Unified Architecture (OPC UA) is a machine-to-machine communication protocol used for industrial automation and developed by the OPC Foundation.
    • OPC UA stands for “open platform communications unified architecture.” Basically, this means that OPC UA should serve as a constantly evolving universal language for machines in a manufacturing environment. It enables data exchange between vendor- and operating-system-neutral products, and provides secure and reliable data communication between production levels and high-level IT systems.

 

  • MQTT:
    • MQTT is an OASIS standard messaging protocol for the Internet of Things (IoT). It is designed as an extremely lightweight publish/subscribe messaging transport that is ideal for connecting remote devices with a small code footprint and minimal network bandwidth. MQTT today is used in a wide variety of industries, such as automotive, manufacturing, telecommunications, oil and gas, etc.