Page 32 - BACnet_Europe-Journal_43

BACnet Insight


Secure HTTPS Provides Enhanced Security in a Building Management System







Network security is more critical than ever in today's building management system (BMS) networks to ensure authentication, integrity, and confidentiality of data transferred over the Internet. This article describes how BACnet-compliant devices that incorporate HTTPS deliver encrypted communication and protect the integrity of client data. It also describes the HTTPS authentication and encryption method, which uses keys and digital certificates, compares certificates issued by a Certificate Authority (CA) with self-signed certificates, and provides a resource for creating your own self-signed certificate.
Figure: BACnet-compliant devices that incorporate HTTPS provide encrypted webpage communication and protect the integrity of client data. © Contemporary Controls

BACnet remains the most popular protocol utilized in HVACR control systems, and there is a robust ecosystem of devices that comprise these systems, including gateways that integrate other protocols, such as Modbus and EnOcean, into BACnet. As more and more devices are deployed to meet the demands of today's building management system (BMS) and smart building infrastructures, network security is more critical than ever to ensure authentication, integrity, and confidentiality of data transferred over the Internet.

BACnet-compliant devices that incorporate HTTPS (HTTP Secure) deliver encrypted communication and protect the integrity of client data. Resident HTTPS web servers allow commissioning, status reporting, and troubleshooting in a secure manner using any standard web browser, and they protect the login credentials that control access to the devices.

HTTPS uses encryption for secure communication over an IP network. HTTPS traffic is encrypted using Transport Layer Security (TLS), the successor of Secure Sockets Layer (SSL). The protocol is still commonly referred to as HTTP over SSL, and it is shown as https:// in the browser address bar.

Digital Certificates

SSL/TLS relies on the use of keys and digital certificates for data encryption, device authentication, and data integrity. Keys occur in pairs (public/private): what is encrypted with the public key can only be decrypted with the private key, and what is signed with the private key can be verified by anyone holding the public key. In a TLS handshake the device's key pair serves to authenticate the device; the symmetric session keys that encrypt the traffic itself are negotiated during the handshake and discarded afterwards.

Digital certificates are used for authentication and encryption. A certificate binds a public key to an owner, such as a host name or IP address, so that clients can verify they are talking to the genuine device and only authorized devices communicate with each other. The public key is part of the certificate, while the private key is secret to the device and never leaves it.

Mechanisms exist to generate certificates and keys for a device and to scale the architecture to multiple devices.

Digital Certificates – Certificate Authority

Certificates are typically issued and managed by a trusted third party, called a Certificate Authority (CA). Getting a certificate for a website from a well-known CA that is trusted by all devices and browsers, such as DigiCert, Comodo, GoDaddy, or Let's Encrypt, provides seamless access to the website over the public Internet. The device can obtain the certificate directly from the CA or send a Certificate Signing Request (CSR), which carries only the device's public key and the requested names, to the CA to receive the corresponding certificate. These publicly trusted CAs only issue certificates for names they can validate over the public Internet, that is, publicly resolvable domain names or public IP addresses. They will not issue certificates for devices on an internal network with private IP addresses or internal-only host names.

Digital Certificates – Public Key Infrastructure

For an internal BMS network, getting a certificate from a public CA is not necessary and can be expensive given the considerable number of devices in a building. The
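The following Go program is an added example, not code from the journal article or from Contemporary Controls. It walks through the steps described in the Digital Certificates, Certificate Authority and Public Key Infrastructure sections above for a device on a private address that no public CA would serve: the device generates its own key pair and hands out only a CSR, an internal CA signs the CSR into a server certificate, and a client then checks the result the way a browser does. Everything is generated in memory with the Go standard library; the CA name, the device name bacnet-gateway-01 and the address 192.168.1.50 are assumptions. In practice the same steps are usually scripted with openssl.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// BMSPKI is a minimal internal PKI: one self-signed root CA and one device certificate it issued.
type BMSPKI struct {
	CACert     *x509.Certificate
	CAKey      *ecdsa.PrivateKey // only this key can issue device certificates
	DeviceCert *x509.Certificate
	DeviceKey  *ecdsa.PrivateKey // never leaves the device; the CA only ever sees a CSR
}

// issue signs tmpl with signer's key; passing tmpl as its own parent self-signs it.
func issue(tmpl, parent *x509.Certificate, pub interface{}, signer *ecdsa.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// BuildInternalPKI creates a self-signed root CA and issues, via a CSR, a server certificate for a device on a private IP.
func BuildInternalPKI(deviceIP string) (*BMSPKI, error) {
	ip := net.ParseIP(deviceIP)
	if ip == nil {
		return nil, fmt.Errorf("invalid device IP %q", deviceIP)
	}
	now := time.Now()
	// CA side: key pair plus self-signed root certificate (assumed name).
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "BMS Internal Root CA"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	caCert, err := issue(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	// Device side: generate the pair on the device; send only a CSR (public key + names, signed as proof of possession).
	devKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	csrDER, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{
		Subject:     pkix.Name{CommonName: "bacnet-gateway-01"}, // assumed device name
		IPAddresses: []net.IP{ip},
	}, devKey)
	if err != nil {
		return nil, err
	}
	// CA side: verify the CSR was signed by the key it carries, then sign that public key into a server certificate.
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR not signed by the key it carries: %w", err)
	}
	devTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      csr.Subject,
		IPAddresses:  csr.IPAddresses,
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.AddDate(2, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	devCert, err := issue(devTmpl, caCert, csr.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return &BMSPKI{CACert: caCert, CAKey: caKey, DeviceCert: devCert, DeviceKey: devKey}, nil
}

// VerifyDevice does what a browser does at connect time: chain the device certificate to a trusted
// root (an empty pool models a browser without the internal root) and match the address in the URL.
func VerifyDevice(cert *x509.Certificate, roots *x509.CertPool, addr string) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: addr}) // an IP literal is matched against the SAN IPs
	return err
}
```

Calling BuildInternalPKI and then VerifyDevice with a pool that contains the internal root succeeds, while the same certificate fails against an empty pool (the browser's default view of an unknown CA) and also fails when the address in the URL differs from the one in the certificate. Installing that single internal root on each operator workstation is the one-time step that makes every certificate the CA issues trusted at once; a purely self-signed device certificate has to be accepted on every client for every device, which is workable for one gateway but not for the number of devices in a building.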


          32  BACnet Europe Journal 43 09/25