BACnet Insight

          How to Protect Building Automation –


          Today and Tomorrow


          Wie sich Gebäudeautomation schützen

          lässt – heute und in Zukunft







                                                                               Cybersecurity threats are increasing.
                                                                               Cybersicherheitsbedrohungen nehmen zu.























          Building automation increasingly faces unprecedented security challenges – especially in critical infrastructure.   of respective manufacturers. In addition,  BACnet/SC
          Fortunately, the BACnet Secure Connect standard (BACnet/SC) addresses both current and future cybersecurity   requires a single Certificate Authority (CA) in order to sign
          needs. Dr. Alina Matyukhina, CSO and Global Head of Cybersecurity at Siemens Smart Infrastructure Buildings,   and validate certificates across all devices. All of these
          explains how.                                                        features significantly increase security while maintaining
          Gebäudeautomation ist mehr denn je mit völlig neuen Sicherheitsherausforderungen konfrontiert – vor allem in kriti-  compatibility with existing BACnet systems.
          schen Infrastrukturen. Der BACnet-Secure-Connect-Standard (BACnet/SC) erfüllt sowohl aktuelle als auch zukünftige
          Anforderungen an die Cybersicherheit. Dr. Alina Matyukhina, CSO und Global Head Cybersecurity bei Siemens Smart   Compliant and certified solution for cyberthreats
          Infrastructure Buildings, erklärt wie.
                                                                               Another important asset, BACnet/SC, aligns with the new
          With the increasing digitalization of building systems,   maintains the solution’s open, flexible nature while adding   Network and Information Security 2 (NIS-2) EU standard
          cybersecurity  has  become  a  pressing  issue  for  facility   crucial security features.   that came into effect in October 2024, aimed at critical
          management as operational technology (OT) systems face               sectors such as healthcare, energy, transportation,
          a growing number of incidents. According to projections,   As an additional data link layer,  BACnet/SC can   banking, and digital infrastructure. The directive requires
          cyberattacks on businesses, consumers, governments,   be seamlessly integrated through  BACnet routers,   organizations to implement encrypted communications,
          and devices will occur every two seconds by 2031.   allowing  existing  systems  to  be  upgraded  without  any   device  authentication,  cybersecurity  policies,  and  other
                                            extensive infrastructure changes. The protocol supports   cybersecurity measures. BACnet/SC allows organizations
          This threat is compounded by the rapid growth of Internet   communication with earlier versions of BACnet, ensuring   to set up a building automation system that meets the
          of  Things (IoT) devices in smart buildings, which are   backward  compatibility  as  well  as  providing  enhanced   NIS-2 requirements.
          expected to reach more than three billion by 2028. Robust   security features for newer installations.
          security  measures  are  required, especially for  critical          To proof that the necessary cybersecurity measures
          infrastructure, such as hospitals, airports or laboratories.   The protocol uses  WebSocket Secure (WSS) with  TLS   are in place, Siemens products have received IEC
          However,  traditional  building  automation  protocols  were   1.3 to allow for encrypted, bug and tamper-proof   62443 certification through verification by TÜV Süd. The
          not designed to address today’s cybersecurity challenges.  communication  of devices. It also  implements a hub-  independent label not only covers the products but also
                                            and-node  architecture  to ensure  high  availability  in   the entire development process.
          Adding critical security features to the standard   critical environments. Certificates for authentication
          protocol                          provide multiple protection layers:  The first one is an   BACnet/SC application in critical infrastructure
                                            individual so-called Operational Certificate (OC), which
          BACnet, which is used in more than 70 percent of the   is unique to the device and used for authentication   An excellent example of the capabilities of BACnet/SC in
          world’s  building  automation  systems, has  adapted  to   processes as well as for encryption and decryption of   critical infrastructure is the Oberwart Hospital in Austria.
          these challenges with its Secure Connect (SC) upgrade.   traffic. The second, so-called Root Certificate, is project-  Healthcare  facilities  naturally  require  exceptionally  high
          Launched in late 2019, the  BACnet/SC enhancement   based and identical across all project devices, regardless   standards.  Patient  safety  and  operational  continuity


          16  BACnet Europe Journal 42 03/25