BACnet Europe Journal 43, page 32
BACnet Insight
Secure HTTPS Provides Enhanced Security
in a Building Management System
Network security is more critical than ever in today's building management system (BMS) networks to ensure authentication, integrity, and confidentiality of data transferred over the Internet. This article describes how BACnet-compliant devices that incorporate HTTPS deliver encrypted communication and protect the integrity of client data. It also describes the HTTPS authentication and encryption method, which utilizes keys and digital certificates. It compares certificates generated by a Certificate Authority (CA) with self-signed certificates and provides a resource to create your own self-signed certificate.
BACnet-compliant devices that incorporate HTTPS provide encrypted webpage communication and protect the integrity of client data. © Contemporary Controls
BACnet remains the most popular protocol utilized in HVACR control systems, and there is a robust ecosystem of devices that comprise these systems, including gateways that integrate other protocols, such as Modbus and EnOcean, into BACnet. As more and more devices are utilized to meet the demands of today's building management system (BMS) and smart building infrastructures, network security is more critical than ever to ensure authentication, integrity, and confidentiality of data transferred over the Internet.

BACnet-compliant devices that incorporate HTTPS (Secure HTTP) deliver encrypted communication and protect the integrity of client data. Resident HTTPS web servers allow commissioning, status reporting, and troubleshooting in a secure manner using any standard web browser, thereby improving access control to the devices.

HTTPS (Secure HTTP) uses encryption for secure communication over an IP network. HTTPS traffic is encrypted using Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL). The protocol is still referred to as HTTP over SSL, commonly shown as https:// in the browser address bar.

Digital Certificates

SSL/TLS relies on the use of keys and digital certificates for data encryption, device authentication, and data integrity. Keys occur in pairs (public/private) and are used for encryption/decryption. A public key is used for encryption, while the private key is used for decryption.

Digital certificates are used for authentication and encryption, verifying ownership and authenticity to ensure that only authorized devices communicate with each other. The public key is part of the certificate, while the private key is secret to the device.

Mechanisms exist to generate certificates and keys for a device and to scale the architecture to multiple devices.

Digital Certificates – Certificate Authority

Certificates are typically issued and managed by a trusted third-party company, called a Certificate Authority (CA). Getting an SSL certificate installed for a website by a well-known CA that is trusted by all devices and browsers, such as DigiCert, Comodo, GoDaddy, or Let's Encrypt, can provide access to the website seamlessly over the public Internet. The device can get the certificate directly from the CA or send a Certificate Signing Request (CSR) to the CA to get the corresponding certificate. These trusted CAs only provide certificates to websites or devices that have a public IP address. They won't provide certificates for devices on an internal network with private IP addresses.

Digital Certificates – Public Key Infrastructure

For an internal BMS network, getting a certificate from a public CA is not necessary and can be expensive given the considerable number of devices in a building. The
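The key-pair, CSR and CA workflow described above, and the contrast between a CA-issued and a self-signed device certificate from the abstract, can be exercised end to end with OpenSSL. The following script is an added example for this page, not code from the article or from Contemporary Controls; the organisation name, the hostname bms-controller-01 and the private address 192.168.10.25 are constructed placeholders, and the "private CA" is simply a self-signed root created on the spot to stand in for the in-house PKI the article goes on to discuss.

```shell
#!/bin/sh
# Added example (not from the article): a minimal private PKI for an internal
# BMS network. The device keeps its private key; only the CSR (public key plus
# identity) goes to the CA, which returns a certificate with the device's
# private IP address in the subjectAltName. A browser that trusts ca.crt
# will then accept https://192.168.10.25 without a warning.
set -eu

WORK="${WORK:-$(mktemp -d)}"
ORG="Example Building Ops"        # constructed
DEVICE_CN="bms-controller-01"     # constructed hostname of a BACnet/IP controller
DEVICE_IP="192.168.10.25"         # constructed private (RFC 1918) address

# 1. Private root CA: key and self-signed root certificate (10 years).
#    'req -x509' marks it CA:TRUE by default, which 'openssl verify' requires.
make_ca() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/ca.key"
  openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 3650 \
    -subj "/O=$ORG/CN=BMS Private Root CA" -out "$WORK/ca.crt"
}

# 2. Device key pair and CSR. The private key never leaves the device.
make_device_csr() {
  openssl ecparam -name prime256v1 -genkey -noout -out "$WORK/device.key"
  openssl req -new -key "$WORK/device.key" -sha256 \
    -subj "/O=$ORG/CN=$DEVICE_CN" \
    -addext "subjectAltName=DNS:$DEVICE_CN,IP:$DEVICE_IP" \
    -out "$WORK/device.csr"
}

# 3. CA signs the CSR. Server extensions are supplied in an extfile because
#    'x509 -req' does not carry CSR extensions over by default.
sign_device_csr() {
  cat > "$WORK/device.ext" <<EOF
basicConstraints=CA:FALSE
keyUsage=critical,digitalSignature,keyEncipherment
extendedKeyUsage=serverAuth
subjectAltName=DNS:$DEVICE_CN,IP:$DEVICE_IP
EOF
  openssl x509 -req -in "$WORK/device.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 825 -sha256 -extfile "$WORK/device.ext" \
    -out "$WORK/device.crt"
}

# 4. Contrast case: the device signs its own certificate instead of using a CA.
make_self_signed() {
  openssl req -x509 -new -key "$WORK/device.key" -sha256 -days 825 \
    -subj "/O=$ORG/CN=$DEVICE_CN" \
    -addext "subjectAltName=DNS:$DEVICE_CN,IP:$DEVICE_IP" \
    -out "$WORK/device-selfsigned.crt"
}

# What a client does at connection time: chain-validate a certificate ($2)
# against a trust anchor ($1). Prints OK or FAIL.
verify_against() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
verify_device_cert()            { verify_against "$WORK/ca.crt" "$WORK/device.crt"; }
verify_self_signed_against_ca() { verify_against "$WORK/ca.crt" "$WORK/device-selfsigned.crt"; }
verify_self_signed_pinned()     { verify_against "$WORK/device-selfsigned.crt" "$WORK/device-selfsigned.crt"; }

# Clients match the address they dialled against the SAN, so check it is there.
cert_has_ip_san() {
  if openssl x509 -in "$WORK/device.crt" -noout -text | grep -q "IP Address:$DEVICE_IP"; then
    echo yes
  else
    echo no
  fi
}

build_pki() { make_ca; make_device_csr; sign_device_csr; make_self_signed; }
build_pki
```

Running the script builds the files under a temporary directory; verify_device_cert reports OK because the CA that signed the device certificate is the trust anchor, verify_self_signed_against_ca reports FAIL because the self-signed certificate chains to nothing the client trusts, and verify_self_signed_pinned reports OK only because the self-signed certificate itself has been installed as the trust anchor, which is exactly the per-device trust decision a self-signed deployment pushes onto every browser and client.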
32 BACnet Europe Journal 43 09/25