BACnet Secure Connect: An IT-Friendly Twist on an Established Standard

This piece was originally published in the March/April 2019 issue of electroindustry.

Scott Ziegenfus, Manager of Government and Industry Relations, Hubbell Lighting

Networked lighting systems in commercial and industrial applications are quickly becoming the industry’s new normal. These systems often integrate with a building management system and regularly use a building’s IT infrastructure in which sensitive corporate information flows. That naturally begets questions about security risks and IT compatibility.

Purpose-built protocols such as BACnet® and the introduction of the new BACnet Secure Connect (BACnet/SC) have been designed to improve security.

BACnet continues to be a network-based architecture based on the IT model. However, BACnet is a purpose-built protocol adapted to the unique communication needs of relatively lightweight controllers and other resource-limited devices that, when tweaked, doesn’t allow the use of some common IT protocols. This limitation pushes IT departments to adapt how they implement BACnet on an IT infrastructure, rather than fitting it into the current IT framework.

For example, while the BACnet Standard SSPC 135 features Clause 24, a very secure solution when fully adopted, it is not a common IT cybersecurity Standard. As a result, officials have not widely adopted it.

Enter BACnet/SC. BACnet Secure Connect is a misnomer because it is not another BACnet security Standard. BACnet/SC implements the entire BACnet system architecture as an application. That means that, in the common TCP/IP 5-layer model, also known as the “internet model” (Figure 1), BACnet/SC does not touch the physical, datalink, network, or transport layer, leaving the building IT network to be installed and managed using any configuration set by IT.

Explaining BACnet/SC

BACnet/SC is a new datalink layer that leaves the BACnet network layer (NPDU) and BACnet application layer (APDU) intact in a new three-layer bundle. That entire BACnet stack becomes an application and is linked to HTTPS in the application layer with “web sockets” (Figure 2). The new Standard requires the use of common Transport Layer Security (TLS) version 1.2. This requirement grants the new BACnet label “secure connect.” Perhaps more importantly, it moves BACnet into a realm that should seem familiar to IT professionals and remedies any previous concerns about being “IT-friendly.”
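
The layering described above, sketched as an added example (not code from this article or from the BACnet Standard): the BACnet bytes travel as the opaque payload of a WebSocket binary frame (RFC 6455), over a TLS session that refuses anything below version 1.2. The function names and the placeholder payload are assumptions, and BACnet/SC's own message header is not shown because the article does not describe it.

```python
import os
import ssl
import struct

def make_tls_context() -> ssl.SSLContext:
    """Client context that verifies the peer and refuses anything below TLS 1.2."""
    ctx = ssl.create_default_context()          # certificate and hostname checks on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def ws_binary_frame(payload: bytes, mask_key: bytes = None) -> bytes:
    """Wrap payload in one final, masked RFC 6455 binary frame (client to server)."""
    mask_key = mask_key or os.urandom(4)
    head = bytes([0x80 | 0x2])                  # FIN=1, opcode 0x2 (binary)
    n = len(payload)
    if n < 126:
        head += bytes([0x80 | n])               # mask bit + 7-bit length
    elif n < 1 << 16:
        head += bytes([0x80 | 126]) + struct.pack("!H", n)
    else:
        head += bytes([0x80 | 127]) + struct.pack("!Q", n)
    masked = bytes(b ^ mask_key[i % 4] for i, b in enumerate(payload))
    return head + mask_key + masked

def ws_unwrap(frame: bytes) -> bytes:
    """Recover the payload from a single final binary frame; reject anything else."""
    if len(frame) < 2 or frame[0] != 0x82:
        raise ValueError("expected a final binary frame")
    masked, n, pos = frame[1] & 0x80, frame[1] & 0x7F, 2
    if n == 126:
        (n,), pos = struct.unpack("!H", frame[2:4]), 4
    elif n == 127:
        (n,), pos = struct.unpack("!Q", frame[2:10]), 10
    key = b"\x00" * 4                           # unmasked frames XOR with zeros
    if masked:
        key, pos = frame[pos:pos + 4], pos + 4
    body = frame[pos:pos + n]
    if len(body) != n:
        raise ValueError("truncated frame")
    return bytes(b ^ key[i % 4] for i, b in enumerate(body))

# Constructed placeholder standing in for the NPDU + APDU bytes (not real BACnet encoding).
SAMPLE_BACNET_MESSAGE = b"NPDU|APDU-placeholder"
```

WebSocket masking is not encryption; confidentiality and peer authentication on this path come from the TLS session underneath the frame.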

While BACnet/SC is not yet available, the addendum from the SSPC 135 BACnet Committee has completed a second public review and should have a third sometime this spring, with a goal to publish in 2019.

The BMS community is abuzz with excitement for this new IT-friendly twist on an already solid and established Standard. Given the continued growth trend of connected lighting systems, the lighting industry should be just as excited.

Want to follow the progress? Visit and look for the “secure connect addendum.”
