Changing the cyber battleground in smart buildings
James Thorpe
The BACnet communication protocol was a game changer when it was introduced in 1995. It allowed all BACnet-enabled building automation systems and devices to communicate with each other, across vendors and across domains.
It opened the door to greater energy efficiency and other long-awaited advances in building automation and became a globally accepted ISO standard that is now used in two out of three commercial buildings worldwide.
At the time, physical or virtual segmentation and segregation from the IT network was adequate to provide security for building management systems. That began to change with the introduction of the Internet of Things (IoT) into building technologies. With a staggering increase in building automation systems connected via IoT, BACnet started facing security risks. The “Secure Connect” addendum to BACnet comes just in time to safeguard buildings in the age of cybersecurity.
BACnet was revolutionary in many regards, with the work on the standard dating back to 1987. It started as an end-user-driven initiative of a university for an interoperable campus solution, but its visionary founders breathed into it a spirit of openness, object orientation, clever layered system architecture and freedom of innovation that lit an unprecedented fire across the industry.
In 1995, it became an ASHRAE/ANSI standard and in 2003 an international ISO standard. Since then, more than one thousand companies have produced BACnet solutions – and more than 25 million BACnet devices have been installed worldwide. Over 80 addenda have continuously enhanced the capabilities of this success story over the years – and after more than three decades of this journey, even the newest devices are still interoperable with their ancestors of yesteryear.
The challenge of merging IT and OT
In the early days, when building automation systems were not connected to IT systems, security was not a significant concern. BACnet-enabled systems were separated physically and virtually from potential wrongdoers.
Thanks to IoT, building devices can now connect to the internet and building management systems are no longer isolated. In fact, internet-connected devices can be accessed and controlled from anywhere in the world. They can communicate with each other and with an organisation’s IT systems, making them part of the larger enterprise-wide network. This drives powerful functionality and is desired by CxO-level management, who need energy performance data and a handful of other KPIs for their real estate; but this new connectivity also creates additional challenges.
In response, IT departments have grown increasingly concerned. With building devices communicating over the internet, many IT leaders fear that hackers will attack an organisation through its building automation systems. And the fear has been justified. In a 2014 attack against a major retail chain, the HVAC system was hacked and used to infiltrate the financial system, with the credit card information of over 40 million customers being stolen. Three years later, cyber criminals stole a database of high roller gamblers from a North American casino. They gained access through an internet-connected thermostat in an aquarium located in the lobby.
Today, building owners and operators share the concerns of their IT counterparts. During the first half of 2019, data breaches exposed over 4.1 billion records. As in the past, spam phishing was leveraged to gain access to building management systems, with hackers using HVAC systems as entry points into corporate IT networks and data centres.
The impact of IoT adoption and IT-OT convergence
As the demand for IoT functionality multiplied, interconnectivity and internet access became significant features of building devices and systems.
In fact, the widespread adoption of IoT across building enterprises was a game changer. It accelerated the convergence of IT, which manages the flow of digital information – or data – and Operational Technology (OT), which includes building systems such as HVAC, surveillance and access control. Together, IT and OT capture key operational data that end users such as building owners and managers employ to make their facilities more comfortable, safe, and secure.
Today, BACnet/IP devices can be easily added to any IP network. This is good for flexible, easy data exchange but can result in potential risks. For example, when BACnet/IP-enabled devices link to the same IT network as the enterprise, they may expose the entire enterprise system to data mining, tampering or unsanctioned reconfiguration. Because BACnet/IP lacked the built-in network security functionality that is needed today, it created three security issues:
• No device authentication – no native authentication or identity validation: Any BACnet device can join the network to send or receive messages without proving its identity
• No encrypted communication – no native encryption: BACnet messages are visible to anyone with access to the local network segment. No native authorisation: there is no control of BACnet device activity, so any device connected to the local network can communicate with any other device. No native integrity protection: BACnet messages are not protected from interception, modification, or replay
• No use of IT best practices – this causes concerns among IT professionals
As the industry and connectivity change, the risks associated with breaches rise, which drives the need for improved OT security. From a building automation perspective, security needs to be at the device and building network level, providing authentication and encryption. Building better security directly into the BACnet protocol stack is a logical solution that is both standardised and powerful. If hackers attack an organisation through its OT systems, a solid BACnet security solution might be the last line of defence.
The strength of BACnet Secure Connect
The solution to these BACnet security issues is BACnet Secure Connect (BACnet/SC), a security addendum to the BACnet protocol that was finalised in November 2019. Incorporating the same technology used to secure online banking, BACnet/SC makes communications over a building automation network as secure as financial transactions.
Instead of inventing new standalone security measures, ASHRAE employed proven cybersecurity technologies from the IT world. BACnet/SC integrates easily with IT infrastructure because it is inherently IT friendly and doesn’t call for extra VPN equipment or software. But what makes BACnet/SC most significant is its ability to provide security at the equipment level, so that communication between devices both across the cloud and within facilities is protected using Transport Layer Security (TLS) and X.509 certificates; the same technologies are used for online banking connections and other critical applications.
BACnet/SC adds encryption at the device and system levels, eliminating many of the concerns building owners, facility managers and IT professionals have had with BACnet. The built-in security found in BACnet/SC provides cost-effective security down to the device level with:
• Device authentication – individual device authentication is based on X.509 certification
• Encrypted communication – message encryption is based on TLS 1.3 security, the sophisticated standard used for online banking connections and other critical applications
• Use of IT best practices – such as WebSockets, a communications protocol that makes the World Wide Web function
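The two properties listed above that can be checked in a TLS endpoint's configuration are the TLS 1.3 floor and mandatory X.509 peer authentication. The following is an added example, not code from the article, from Siemens or from any BACnet/SC stack: it uses Python's standard `ssl` module as a stand-in for a device's TLS layer, and the function names are hypothetical.

```python
import ssl

TLS13 = ssl.TLSVersion.TLSv1_3


def weak_hub_context() -> ssl.SSLContext:
    """Misconfigured server side: allows TLS 1.2 and never asks for a peer certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def hardened_hub_context() -> ssl.SSLContext:
    """Server side: TLS 1.3 only, and every connecting device must present a certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = TLS13
    ctx.verify_mode = ssl.CERT_REQUIRED  # mutual authentication
    # A deployment would also load its own certificate and the issuing CA here
    # (ctx.load_cert_chain / ctx.load_verify_locations); omitted so this runs offline.
    return ctx


def hardened_node_context() -> ssl.SSLContext:
    """Client side: PROTOCOL_TLS_CLIENT already defaults to CERT_REQUIRED."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = TLS13
    return ctx


def audit(ctx: ssl.SSLContext) -> list:
    """Return findings for settings that fall short of the two properties above."""
    findings = []
    if ctx.minimum_version != TLS13:
        findings.append("protocol: versions older than TLS 1.3 are accepted")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("authentication: peer need not present a valid X.509 certificate")
    return findings


if __name__ == "__main__":
    for name, ctx in [("weak hub", weak_hub_context()),
                      ("hardened hub", hardened_hub_context()),
                      ("hardened node", hardened_node_context())]:
        print(name, "->", audit(ctx) or "no findings")
```
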
As the BACnet/SC addendum only defines a new cybersecure datalink, it does not fundamentally change the BACnet application. Therefore, BACnet/SC is compatible with any previous and future versions of BACnet.
The alignment of BACnet/SC with existing IT standards and best practices gives organisations a more robust security solution for their building automation infrastructure. It will also allow organisations to unlock new cloud-based applications and futureproof their investments in building automation as new security innovations become available.
And, not to forget, it also allows building owners to migrate their installed base of BACnet installations to a secure solution step by step and at their own pace, sometimes even without replacing devices, as at least newer hardware can often adopt the new Secure Connect datalink through a firmware upgrade.
A futureproof security standard for building technology
To sum up, BACnet/SC has many benefits. It addresses the risks of sharing data over private and public networks while keeping BACnet systems open, flexible and affordable. It is compatible with any previous and future versions of BACnet while applying the security techniques used by financial institutions and the IT world. In other words, it keeps all the valuable features of BACnet/IP while providing security levels that meet the highest IT standards.
When it is implemented, today’s high cost to improve the security of BACnet networks will be eliminated, providing peace of mind for building owners, facility managers and IT stakeholders alike. And, due to its backward compatibility, it allows both stepwise migration and extension of existing BACnet/IP installations. The time to explore and adopt this emerging technology is now.
Siemens and BACnet/SC
For Siemens, the BACnet era began with the launch of the heating controller in 1995. Since then, the standard has continued to evolve – and Siemens products along with it. As new technology and regulations continue to drive demand for stronger security measures, Siemens expects BACnet/SC will become a “new normal” for all kinds of projects, from small facilities like kindergartens and high schools to large critical infrastructure sites. To help industries adjust to the new normal, Siemens is deeply involved in the development of BACnet/SC and is committed to helping solve its outstanding challenges.
Its employees have held various leadership roles in BACnet’s development, including being a principal author for BACnet Secure Connect for ASHRAE SSPC 135 IT-WG. Siemens’ commitment to BACnet/SC goes beyond development and into implementation. The BACnet/SC standard is being applied to all aspects of Siemens BACnet automation systems and tools. The market may expect that the move to BACnet/SC will start on the primary controllers and building management stations and will be followed in a second wave by the many room controllers and other spatially distributed devices in a building.
Siemens was one of the first companies to successfully complete official tests by BACnet Testing Laboratories (BTL) and to achieve the BTL certificate. Siemens invites investors, building owners, facility operators and IT managers to engage in discussions about building system security and how BACnet/SC can be applied in their operations.
By Dr. Alina Matyukhina, Head of Cybersecurity at Building Products, Siemens Smart Infrastructure
This article was originally published in the January 2023 edition of International Security Journal.