BACnet Middle East Journal 13, 11/24, page 24
Technology

Secure Remote Access to BACnet Systems

The Internet makes it possible for systems integrators to easily manage buildings from the comfort of their home or office. Initial commissioning, remote diagnostics and troubleshooting of the building provide additional savings over the building's lifetime.

Remote access can be achieved using various methods – some are more secure than others. Fortunately, the Building Automation industry is dominated by the BACnet protocol, and its IP version, BACnet/IP, lends itself well to the enhancements and techniques deployed in the Information Technology (IT) world. Common techniques for remote access involve the use of Port Forwarding through a firewall, setting up BBMDs, and the use of VPNs. But the security provided and their ease of setup for BACnet systems varies. IP routing with Firewalls and VPNs adds to the security of BMS systems. The IP Protocol and TLS form the basis for the new BACnet Secure Connect, allowing secure communication.

[Figure: Typical setup connecting 2 buildings using Port Forwarding and BBMDs. © Contemporary Controls]

Remote Access with BACnet/IP

BACnet/IP uses broadcast messages to initially discover other devices. BACnet communication across subnets needs additional configuration since IP Routers do not route broadcast messages. BACnet resolves this issue by utilizing a BACnet/IP Broadcast Management Device (BBMD). The BBMD sends received BACnet broadcast messages as directed messages through the IP router to its partner BBMD devices. The receiving BBMD device retransmits it as a broadcast message to its local network. You can configure each BBMD with the IP addresses of all other BBMDs, or have all BBMDs send their broadcast messages to one central BBMD; in that case, however, all client devices must utilize the central BBMD. These entries go into the BBMD's Broadcast Distribution Table (BDT). It is possible to have more than one BBMD device on a single subnet, and care must be taken while configuring BDT entries. A duplicate entry in all BBMD devices will result in broadcast loops.

Many BACnet/IP devices or applications also support a feature called Foreign Device Registration (FDR). FDR allows the BACnet/IP device or application to send its messages to a BBMD, which then forwards broadcast messages to all other BBMDs and all other FDR devices. If a subnet has only FDR-capable devices, then it does not need a local BBMD. These devices can register with a BBMD on another subnet. BBMD and FDR allow BACnet devices and application PCs to communicate across subnets, i.e., the Internet. This setup is used to connect buildings or to gather data at a central location from multiple buildings.

Adding Security to BACnet/IP Communications

There are tools that can detect BACnet communication over the Internet by checking for the standard BACnet UDP Port 47808. It is good practice to change this port to a non-standard port if communicating over the Internet. The IP routers/firewalls also provide additional features that should be utilized. A list of IP addresses that can communicate through the firewall can be specified on the Internet-facing firewall. Some BACnet routers also provide this Allowlist feature. BACnet/IP communication occurs over UDP and is unencrypted. Using VPNs can provide additional security by encrypting the traffic over the Internet and restricting communication to only authorized VPN endpoints. There is no need to use non-standard BACnet UDP Ports with VPNs. Setting up firewall rules or VPNs requires help from the IT department, while the BMS professional can configure the non-standard BACnet UDP port on their own.

Security with BACnet/SC Datalink

The open nature of BACnet/IP and broadcast traffic created some pushback from IT departments. BACnet Secure Connect (BACnet/SC) was released to address these concerns by incorporating the widely used IT security practices. BACnet/SC uses connection-oriented TCP instead of UDP and TLS 1.3 for security with encrypted communications. Each device must be authorized to be on the network and assigned a certificate and key. The broadcast discovery protocol and BBMD have been eliminated. BACnet/SC uses a hub-and-node model. Devices/nodes primarily communicate via the BACnet/SC hub with standard provisions for
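As an added example (not from the article or from Contemporary Controls), the following Python script applies the allowlist advice above to captured BACnet/IP datagrams: it parses the BVLC header that every BACnet/IP packet on UDP port 47808 carries, checks the source address against a firewall allowlist, and flags BBMD/FDR management messages arriving from hosts outside it. The helper names, addresses and datagrams are constructed for this example.

```python
"""Audit captured BACnet/IP datagrams against a firewall/BBMD allowlist (example only)."""
import struct
from ipaddress import ip_address, ip_network

BACNET_PORT = 47808  # standard BACnet/IP UDP port (0xBAC0) that scanners look for
BVLC_TYPE = 0x81     # every BACnet/IP datagram starts with this BVLC type octet
# BVLC function codes defined for BACnet/IP (Annex J of the BACnet standard).
BVLC_FUNCTIONS = {
    0x00: "BVLC-Result", 0x01: "Write-BDT", 0x02: "Read-BDT", 0x03: "Read-BDT-Ack",
    0x04: "Forwarded-NPDU", 0x05: "Register-Foreign-Device", 0x06: "Read-FDT",
    0x07: "Read-FDT-Ack", 0x08: "Delete-FDT-Entry", 0x09: "Distribute-Broadcast-To-Network",
    0x0A: "Original-Unicast-NPDU", 0x0B: "Original-Broadcast-NPDU",
}
# Functions that rewrite a BBMD's tables or enrol a foreign device: only partner
# BBMDs and known FDR clients (i.e. allowlisted hosts) should ever send them.
BBMD_MANAGEMENT = {0x01, 0x05, 0x08}

def parse_bvlc(payload: bytes):
    """Return (function_code, length) for a well-formed BVLC header, else None."""
    if len(payload) < 4 or payload[0] != BVLC_TYPE:
        return None
    function, length = payload[1], struct.unpack("!H", payload[2:4])[0]
    if length != len(payload) or function not in BVLC_FUNCTIONS:
        return None  # length field disagrees with the datagram, or unknown function
    return function, length

def audit_datagrams(datagrams, allowlist):
    """datagrams: iterable of (src_ip, dst_port, payload). Returns (src, severity, detail) findings."""
    allowed = [ip_network(n) for n in allowlist]
    findings = []
    for src_ip, dst_port, payload in datagrams:
        if dst_port != BACNET_PORT:
            continue  # not BACnet/IP on the standard port; out of scope here
        parsed = parse_bvlc(payload)
        if parsed is None:
            findings.append((src_ip, "malformed", "not a valid BVLC datagram"))
            continue
        if any(ip_address(src_ip) in net for net in allowed):
            continue  # partner BBMD, FDR client or VPN endpoint permitted by policy
        name = BVLC_FUNCTIONS[parsed[0]]
        severity = "high" if parsed[0] in BBMD_MANAGEMENT else "medium"
        findings.append((src_ip, severity, f"{name} from source outside allowlist"))
    return findings

# Constructed sample capture: one allowlisted FDR client, one unknown Internet host.
SAMPLE = [
    ("10.1.0.5", 47808, bytes.fromhex("81050006003c")),                # Register-Foreign-Device, TTL 60 s
    ("203.0.113.9", 47808, bytes.fromhex("81050006003c")),             # same request from unknown host
    ("203.0.113.9", 47808, bytes.fromhex("810b000c0120ffff00ff1008")),  # Original-Broadcast-NPDU (Who-Is)
    ("203.0.113.9", 47808, bytes.fromhex("8105000a003c")),             # BVLC length field does not match
    ("198.51.100.2", 51000, bytes.fromhex("81050006003c")),            # not on the BACnet port
]
ALLOWLIST = ["10.1.0.0/24"]  # constructed: the partner building's subnet
```

Running `audit_datagrams(SAMPLE, ALLOWLIST)` yields three findings: a high-severity foreign-device registration and a medium-severity broadcast from the unknown host, plus one malformed datagram.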