BACnet Europe Journal 41 (09/24), page 25, BACnet Insight

The aim of this article is to explain the additional tasks involved in handling security in heterogeneous environments with devices and software from different manufacturers.

Hub and spoke

Communication in BACnet/SC is based on the hub and spoke concept: a device or software acting as a hub (server) is at the center, and other BACnet/SC participants connect to it as so-called nodes (clients). In many diagrams, such connections are shown like the spokes of a wheel, with the nodes at the ends and the hub in the center. In contrast to BACnet/IP, communication is then based on permanent WebSocket Secure connections (TCP) with the hub and no longer on loose messages (UDP) between the nodes themselves. The term 'WebSocket Secure' deserves special attention here. What does this mean and how is security achieved?

WSS (WebSocket Secure) is a protocol for secure bidirectional connections and currently uses the TLS 1.3 encryption standard, which is also used for communication via https on the web. Security is achieved with certificates, i.e. digital passports, which are used for two tasks:
- unique identification of the communication partners,
- encryption of the communication so that only the endpoints involved can read it.

To fulfil these tasks, there is a trio of related files on each participant in the BACnet/SC network: the root certificate of a so-called Certification Authority (CA), the public operational certificate of the device or software, and the corresponding secret private key. As the name suggests, the private key must never leave the device or be handed to a third party.

Manual work

The generation and handling of TLS certificates is not trivial and requires additional effort when implementing BACnet/SC projects. Many larger manufacturers of control technology systems that offer both hardware and software for management tasks, for example, have recognized the challenge. Here, the software takes over the task of creating certificates and distributing them to the devices in use. However, the mechanisms behind this are usually proprietary; to put it another way, every manufacturer does its own thing. Simplicity is therefore sometimes bought at the price of being tied to a single vendor.

The question arises as to how to provide BACnet/SC hubs and nodes from different manufacturers with valid certificates. Fortunately, there is a helpful and freely available open-source software tool for this task, XCA by Christian Hohnstädt [1]. It is used in many BACnet/SC projects as follows:
1. one-time creation of a self-signed root certificate that identifies the so-called Certification Authority (CA),
2. generation of signature requests, so-called Certificate Signing Requests (CSR), on all participating endpoints (hubs and nodes),
3. downloading the CSR and importing it into XCA,
4. signing of the CSR with the root certificate from step 1, resulting in the device certificates, called Operational Certificates in BACnet/SC,
5. export of the CA certificate from step 1 and the device certificates from step 4, and upload of them in pairs to the respective participants.

Thankfully, Christian Hohnstädt himself explains many of the above steps in a video tutorial on his website. He also goes into XCA convenience features, such as the creation of templates to make it easier to issue similar certificates in series. Further instructions on using XCA specifically for BACnet/SC can be found on the web [2].

Unfortunately, issuing certificates only once is not enough. To increase security, for example, it is recommended that their validity be given a sensible expiry date, i.e. no more than one year in the future. The procedure must then be repeated before the year expires.

Conclusion

It is easy to see that setting up a functioning BACnet/SC environment involves a considerable amount of extra work, and the certificate issues described here are only part of it. It is not without reason that 'security has its price'! However, there are signs that generally binding mechanisms for certificate management could be standardized in future BACnet protocol revisions, which would further simplify the task even in mixed environments. In any case, BACnet Secure Connect has closed a serious gap and ensured the future viability of the protocol.

Footnotes
[1] www.hohnstaedt.de/xca/
[2] www.mbs-support.de/bacnet/sc-zertifikate-erstellen

Hans-Jürgen Philippi
Software developer, ICONAG-Leittechnik GmbH
hans.philippi@iconag.com
www.iconag.com

BACtwin Symposium in Mainz

Building owners, planners and operators meet on 24.09.2024 to exchange experiences on the digitalization of technical building management using BACtwin. This standardization, published in April 2024 as AMEV Recommendation No. 174 as a digital data model for BACnet-based BA systems, promises, among other things, true manufacturer neutrality and machine readability of BACnet projects. The first operators of large real estate portfolios are already prescribing BACtwin, including for federal construction. The event is organized by ICONAG-Leittechnik in cooperation with the AMEV AK BACtwin and other industry partners. Information and registration at https://lp.iconag.com/bactwin2024
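The five-step XCA procedure and the one-year validity rule from the article above, carried out with Go's standard crypto/x509 package as an added example (it is neither XCA's code nor the article's). The CA name, the node name, and the ten-year CA lifetime are constructed assumptions; any failure (RNG error, CSR with a bad signature) aborts via must.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // any failure (RNG error, bad CSR) aborts the example
	if err != nil {
		panic(err)
	}
	return v
}

// Step 1 (done once): self-signed root certificate that identifies the CA; the 10-year lifetime is a constructed choice.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "BACnet/SC Root CA (constructed)"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}
// Step 2: each hub or node generates its own key pair and a CSR; only the CSR leaves the device.
func NewCSR(name string) ([]byte, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: name}}
	return must(x509.CreateCertificateRequest(rand.Reader, req, key)), key
}
// Steps 3 and 4: import and check the CSR, then sign it with the root for one year (the article's recommended maximum);
// the EKUs cover hubs (server) and nodes (client), which both authenticate under TLS.
func SignCSR(ca *x509.Certificate, caKey *ecdsa.PrivateKey, csrDER []byte) *x509.Certificate {
	csr := must(x509.ParseCertificateRequest(csrDER))
	csr = must(csr, csr.CheckSignature()) // proof that the requester holds the matching private key
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: csr.Subject, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, csr.PublicKey, caKey))
	return must(x509.ParseCertificate(der))
}
// Step 5, on the device: the uploaded CA/operational pair must chain and be in date; daysLeft says when to repeat the procedure.
func VerifyPair(ca, cert *x509.Certificate, now time.Time) (daysLeft int, err error) {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	_, err = cert.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: now})
	return int(cert.NotAfter.Sub(now).Hours() / 24), err
}
```

A certificate signed by a different root, an expired certificate, or a CSR whose signature does not check all fail, which is what the pair-wise upload in step 5 and the yearly repetition guard against.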