BACnet/SC Aims to Improve Cybersecurity
The new technology addresses cybersecurity questions about the decade-old BACnet protocol.
Growing cyber-risks facing building automations systems are behind the development of BACnet/SC (Secure Connect), a new technology that will address current cybersecurity concerns about the protocol.
BACnet introduced a security method in 2010, but that solution was not embraced by the industry because it didn’t rely on standard IT measures, according to Carl Neilson, technical advisor for BACnet International. By contrast, BACnet SC relies on approaches that are widely used. One of them — secure sockets layer, or SSL — is “the same basic security measure that you use when you connect with your bank,” Neilson says.
What’s more, Neilson says, BACnet/SC “should be lightweight enough to be used by any devices out there.” And it will enable the BAS to connect through IT firewalls without the need for special configuration by the IT department.
BACnet was originally developed at a time when the BAS was largely independent of the internet. As that began to change, BACnet installations relied on IT departments to implement good security practices to keep the BAS safe, according to Andy McMillan, president of BACnet International. But today it is harder to accept the idea that the BAS itself doesn’t have to provide a higher level of security. Those changing business requirements for cybersecurity helped drive the development of BACnet/SC.
What about existing BACnet systems?
The current version of BACnet is designed with the expectation that the IT infrastructure in which the BAS is deployed follows good cybersecurity practices. “If you’ve done that properly, the BACnet network should be secure,” Neilson says.
BACnet SC will go out for a third public review this Spring. If that review goes well, BACnet/SC might be published as early as this Fall. A variety of BACnet companies have already done test implementations of BACnet/SC. “We learned a lot from those tests,” Neilson says.
Facility managers shouldn’t wait for BACnet/SC to take steps to improve cybersecurity. “BACnet/SC adds technical security within the BAS itself, but it’s just part of a larger cybersecurity system that has to be in place,” McMillan says. “All the technical security in the world won’t help if people use ‘password’ as the system password.” Studies show that mistakes or omissions by people, not vulnerabilities in technology, are responsible for about 60 to 80 percent of all breaches, McMillan says. “Facility managers should be working to reduce human error along with implementing technical improvements. They should embrace IT cybersecurity recommendations instead of pushing back on them.” It’s certainly a hassle when a computer system requires the user to change passwords every 90 days. But painful experience has made such steps best practice for cybersecurity.