BACnet Insight
Secure HTTPS Provides Enhanced Security
in a Building Management System
Network Security is more critical than ever in today’s
building management system (BMS) networks to ensure
authentication, integrity, and confidentiality of data
transferred over the Internet. This article describes
how BACnet-compliant devices that incorporate
HTTPS deliver encrypted communication and protect
the integrity of client data. This article also describes
the HTTPS authentication and encryption method
which utilizes keys and digital certificates. It compares
certificates generated by a Certificate Authority (CA) vs.
self-signed certificates and provides a resource to create
your own self-signed certificate.
BACnet remains the most popular protocol utilized
in HVACR control systems and there is a robust
ecosystem of devices that comprise these systems,
including Gateways to integrate other protocols, such as
Modbus and EnOcean, to BACnet. As more and more
devices are utilized to meet the demands of today’s
building management system (BMS) and smart building
infrastructures, network security is more critical than ever
to ensure authentication, integrity, and confidentiality of
data transferred over the Internet.

BACnet-compliant devices that incorporate HTTPS provide encrypted webpage communication and protect the integrity of client data.
BACnet-compliant devices that incorporate HTTPS (Secure HTTP) deliver encrypted communication and protect the integrity of client data. Resident HTTPS webservers allow commissioning, status reporting, and troubleshooting in a secure manner using any standard web browser, thereby improving access control to the devices.

HTTPS (Secure HTTP) uses encryption for secure communication over an IP network. HTTPS traffic is encrypted using Transport Layer Security (TLS), formerly Secure Sockets Layer (SSL). The protocol is still referred to as HTTP over SSL, commonly shown as https:// in the browser address bar.

Digital Certificates

SSL/TLS relies on the use of keys and digital certificates for data encryption, device authentication, and data integrity. Keys occur in pairs (public/private) and are used for encryption/decryption. A public key is used for encryption, while the private key is used for decryption.

Digital certificates are used for authentication and encryption, verifying ownership and authenticity to ensure that only authorized devices communicate with each other. The public key is part of the certificate, while the private key is secret to the device. Mechanisms exist to generate certificates and keys for a device and to scale the architecture to multiple devices.

Digital Certificates – Certificate Authority

Certificates are typically issued and managed by a trusted third-party company, called a Certificate Authority (CA). Getting an SSL certificate installed for a website by a well-known CA that is trusted by all devices and browsers, such as DigiCert, Comodo, GoDaddy, or Let's Encrypt, can provide access to the website seamlessly over the public Internet. The device can get the certificate directly from the CA or send a Certificate Signing Request (CSR) to the CA to get the corresponding certificate. These trusted CAs only provide certificates to websites or devices which have a public IP address. They won't provide certificates for devices on an internal network with private IP addresses.

Digital Certificates – Public Key Infrastructure

For an internal BMS network, getting a certificate from a public CA is not necessary and can be expensive given the considerable number of devices in a building. The IT department can implement their own infrastructure to generate these keys and certificates. The term PKI (Public Key Infrastructure) is used to define this setup. The building automation product vendors may also have specific software tools to implement the PKI, but the certificates and keys for all devices at a site, irrespective of their brand, must be generated from the same tool to ensure interoperability. The certificates on devices also expire and need to be renewed.

Devices used on internal networks can also employ a self-signed digital certificate to make a web browser trust your internal devices. A self-signed certificate is a type of SSL/TLS credential you sign yourself rather than having it signed by a trusted third-party CA. If you don't have an IT department, you can generate the self-signed certificate yourself. In addition, generating a self-signed certificate for internal network devices eliminates the associated cost of getting a certificate from a trusted third-party CA.

Digital Certificates – Self-Signed

Self-signed digital certificates are created by signing the certificate with the owner's private key. They are created, issued, and signed by the company or developer who is responsible for the website/software being signed. Unlike certificates issued by a trusted CA, no external party verifies a self-signed certificate. Self-signed certificates
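The following Go program is an added example, not part of the article and not any vendor's PKI tool. It models the two arrangements the Digital Certificates, Certificate Authority, PKI and Self-Signed sections describe, using only Go's standard crypto/x509 library: a site-local root CA (playing the role of the IT department's PKI) issues a certificate to one controller, a second controller uses a self-signed certificate, and the same checks a browser performs on opening https://<ip>/ show which certificate is trusted, why a self-signed certificate must be installed as a trusted root before a browser accepts it, and what happens once a device certificate passes its expiry date. Device names, serial numbers and the private IP address 192.168.10.25 are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must aborts on error; acceptable for a demonstration, not for production code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// identity pairs a parsed certificate with the private key that belongs to it.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue generates a P-256 key pair for the template and has issuer sign the certificate.
// With issuer == nil the template is signed by its own key, which is what "self-signed" means.
func issue(template *x509.Certificate, issuer *identity) *identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	parentCert, parentKey := template, key
	if issuer != nil {
		parentCert, parentKey = issuer.cert, issuer.key
	}
	der := must(x509.CreateCertificate(rand.Reader, template, parentCert, &key.PublicKey, parentKey))
	return &identity{cert: must(x509.ParseCertificate(der)), key: key}
}

// newSiteCA builds the site's own root CA: the one tool from which every device
// certificate on the site is issued, whatever the device vendor.
func newSiteCA(name string, now time.Time) *identity {
	return issue(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: name},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// deviceTemplate describes one controller's HTTPS server certificate: the private IP goes in the
// Subject Alternative Name so the browser's address matches, and validity is kept short so renewal is planned.
func deviceTemplate(serial int64, name string, ip net.IP, now time.Time, valid time.Duration) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		IPAddresses: []net.IP{ip}, NotBefore: now, NotAfter: now.Add(valid),
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
}

// verify does what a browser does for https://<ip>/: chain to a trusted root,
// address matches an IP SAN, and the certificate is valid at time `at`.
func verify(cert *x509.Certificate, roots *x509.CertPool, ip string, at time.Time) error {
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: ip, CurrentTime: at,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

// DemoResult records the four outcomes the scenario demonstrates.
type DemoResult struct {
	CAIssuedTrusted    bool // CA-issued device cert chains to the site root
	SelfSignedRejected bool // self-signed cert fails against a pool holding only the site root
	SelfSignedPinned   bool // the same cert passes once it is installed as a trusted root itself
	ExpiredRejected    bool // the CA-issued cert fails with reason Expired after NotAfter
}

// SiteDemo runs the scenario at a fixed clock so the results are reproducible.
func SiteDemo(now time.Time) DemoResult {
	const addr = "192.168.10.25" // constructed private address of a controller
	year := 365 * 24 * time.Hour
	ca := newSiteCA("Site BMS Root CA (constructed)", now)
	fromCA := issue(deviceTemplate(1001, "ahu-controller-01", net.ParseIP(addr), now, year), ca)
	selfSigned := issue(deviceTemplate(2, "chiller-gateway", net.ParseIP(addr), now, year), nil)
	siteRoots, pinned := x509.NewCertPool(), x509.NewCertPool()
	siteRoots.AddCert(ca.cert)        // what every operator browser on the site trusts
	pinned.AddCert(selfSigned.cert)   // manual trust of one device's self-signed cert
	check := now.Add(time.Hour)
	var unknown x509.UnknownAuthorityError
	var invalid x509.CertificateInvalidError
	return DemoResult{
		CAIssuedTrusted:    verify(fromCA.cert, siteRoots, addr, check) == nil,
		SelfSignedRejected: errors.As(verify(selfSigned.cert, siteRoots, addr, check), &unknown),
		SelfSignedPinned:   verify(selfSigned.cert, pinned, addr, check) == nil,
		ExpiredRejected: errors.As(verify(fromCA.cert, siteRoots, addr, now.Add(2*year)), &invalid) &&
			invalid.Reason == x509.Expired,
	}
}

func main() {
	fmt.Printf("%+v\n", SiteDemo(time.Now()))
}
```

Run with `go run .`; all four fields print true. The design point is the trust anchor: with a site CA, operators import one root into their browsers and every device from every vendor is trusted as long as it was issued from that root, while a self-signed certificate must be trusted device by device. The expiry check is the one to schedule: the CA-issued certificate that verifies today is rejected outright once NotAfter has passed, so renewal has to happen before that date. In a real deployment the device certificate and private key would be exported with encoding/pem and loaded onto the controller, and the root certificate distributed to the operator workstations.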
BACnet Middle East Journal 14, 11/25, page 20

