BACnet SC: The Case Against

Jun 25, 2024

Episode 238 - Smart Buildings Academy Podcast with Phil Zito

Introduction

  • Host: Phil Zito
  • Episode Topic: Critique of BACnet Secure Connect (SC)
  • Disclaimer: Opinions are Phil's own; open to counter opinions

Background and Credentials

  • Phil Zito's Background:
    • Ran integration program at Johnson Controls
    • Built BACnet stacks and APIs
    • Worked with different building, specialty, and business systems
    • Master's degree in cybersecurity and information systems
    • Network design and multiple certifications (Cisco, CISSP)
    • Experience in testing control systems
  • Purpose of Background: Establish credibility and expertise

Critique of BACnet SC

  • Technological Foundation: Not inherently bad
  • Argument: Not necessary and complicates more than it simplifies
  • Issues Identified:
    • Potential barriers with IT
    • Significant project and material costs
    • Moving away from open data-focused models

What is BACnet SC?

  • Solutions Addressed: BACnet BBMD routing, clear text, and device authentication issues
  • Technologies Used:
    • WebSockets: Bidirectional communication, handles streaming data flow
    • TLS 1.3: Transport Layer Security for encryption and certificate-based device authentication
    • Hub-Spoke Methodology: Devices communicate through SC hubs
  • Broadcast Handling: Still uses broadcasting but managed through hubs

Common Misconceptions

  • Misconception: BACnet SC sounds like a perfect solution to inherent BACnet issues
  • Reality: Solutions for BBMD issues, clear text, and security requirements already exist

Cybersecurity Controls

  • Types of Controls: Administrative, physical, and technical
  • Application to BAS: Technical and physical aspects mostly
  • Risk and Cost Analysis: Controls should match the level of acceptable risk
    • Low-risk environments (e.g., K-12, commercial real estate) do not require high-cost controls
    • Importance of proper cost-risk balance

Addressing Cybersecurity Concerns

  • Technical Risks: BACnet being clear text is a variable risk
  • Physical Security: Physical access failures should not be patched through protocol changes
    • Importance of physical measures (the “security onion” concept)
  • Flow Regulation Issues: Can be solved through proper BBMD and BDT (Broadcast Distribution Table) design, without requiring a new protocol

Viable Alternatives

  • VPNs: Secure tunnels for encrypted communication
  • VLANs: Logical isolation of traffic
  • Other Technologies: Firewalls, intrusion detection/prevention
  • Importance of Layered Approach: Alternatives often meet regulatory needs without added costs

Cost Considerations

  • Implementation Costs: Upgrading to BACnet SC firmware and creating certificates for each device
  • Legacy Devices: Updates may not be feasible, leading to additional costs
  • Workforce Competence: Industry’s lack of IT expertise
    • Potential for increased configuration, communication, and troubleshooting issues

The Case Against BACnet SC

  • Protocol to Solve Poor Design: Problematic approach
  • False Sense of Security: Multiple protocols increase vulnerability risk
  • Implementation Challenges: Firmware updates, certificate mismatches, firewall issues

Radical Idea: Moving Away from BACnet

  • Open APIs and Data Models: Companies exploring solutions beyond BACnet
  • Flexibility and Conformity: Need for adaptable, IT-aligned solutions
  • Potential for Industry Modernization: Importance of unified data models and transport methods

Final Thoughts

  • Encouragement for Dialogue: Open to feedback and counter-opinions
  • Non-Confrontational Stance: Acknowledgment of the value in SC but critique focused on broader market applicability
  • Looking Forward: Future discussions with industry leaders on open data solutions and standards

Conclusion

  • Invitation for Comments: Join the discussion at podcast.smartbuildingsacademy.com/238
  • Gratitude: Thanks for listening