H. Michael Newman, the father of BACnet, points out that broadcasting is a standard in many different protocols (Figure 9) and that extreme traffic known as a “broadcast storm” almost always happens “because of erroneous device configuration.” If broadcasting is implemented and configured correctly, it does not cause network issues, because traffic is not broadcast unnecessarily.
There are three different kinds of broadcast messages: local, remote, and global. As the names suggest, a local broadcast reaches every device on the sender's own BACnet network (one LAN segment); a remote broadcast is routed to every device on one specific other BACnet network; a global broadcast reaches every device on every BACnet network in the system. By using the correct broadcast at the correct time, the system should not be clogged or overloaded at all. If only it were so easy.
Besides global Who-Is messages that are set to broadcast too frequently and COV (change-of-value) notifications that fire on the smallest changes, simple mix-ups such as duplicate device IDs can devastate a network. A duplicate device ID, for example, results in multiple devices answering a request meant for just one device. Because a workstation or router can bind only one device to that ID, the other one appears to be offline.
An unbounded global Who-Is makes every device on every network respond with an I-Am to identify itself, and I-Am is normally sent as a broadcast in turn, causing huge spikes in traffic and potential broadcast storms. The larger the network, the greater the danger.
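As an added example (not from the article, ASHRAE, or any vendor), the following Python decodes enough of BACnet/IP to classify each frame's broadcast scope from the NPDU (a local broadcast carries no DNET; a remote broadcast names a DNET with DLEN 0; a global broadcast uses DNET 0xFFFF) and then runs two checks over a capture that a building-network operator would want: a sender issuing too many unbounded global Who-Is requests, and a device instance announced in I-Am by more than one host. It serves both the three-kinds-of-broadcast passage and the Who-Is/duplicate-ID passages above. The capture, the IP addresses, the rate threshold, the vendor ID and the small frame builders are all constructed for this example.

```python
"""Decode BACnet/IP frames: classify broadcast scope, flag Who-Is storms and duplicate device IDs."""
from collections import defaultdict

BVLC_UNICAST, BVLC_BROADCAST = 0x0A, 0x0B          # BVLC Original-Unicast / Original-Broadcast-NPDU
GLOBAL_DNET = 0xFFFF                                # NPDU DNET meaning "every BACnet network"
WHO_IS, I_AM, DEVICE_OBJECT_TYPE = 0x08, 0x00, 8    # unconfirmed service choices; device object type

def tagged(tag, value, context=False):
    """Encode an unsigned value under an application tag (or a context tag)."""
    length = max(1, (value.bit_length() + 7) // 8)
    return bytes([(tag << 4) | (0x08 if context else 0) | length]) + value.to_bytes(length, "big")

def read_unsigned(data, pos):
    """Decode one tagged unsigned value at pos; return (value, position after it)."""
    length = data[pos] & 0x07
    return int.from_bytes(data[pos + 1:pos + 1 + length], "big"), pos + 1 + length

def build(apdu, dnet=None):
    """Wrap an APDU in an NPDU (local broadcast, or broadcast routed to dnet) and a BVLC header."""
    npdu = bytes([1, 0]) if dnet is None else bytes([1, 0x20]) + dnet.to_bytes(2, "big") + b"\x00\xff"
    body = npdu + apdu
    return bytes([0x81, BVLC_BROADCAST]) + (4 + len(body)).to_bytes(2, "big") + body

def who_is(low=None, high=None, dnet=None):
    """Who-Is request; omit low/high for the unbounded form that every device answers."""
    apdu = bytes([0x10, WHO_IS])
    if low is not None:
        apdu += tagged(0, low, context=True) + tagged(1, high, context=True)
    return build(apdu, dnet)

def i_am(instance):
    """I-Am for a device object (max APDU 1476, no segmentation, vendor id 15 as a placeholder)."""
    obj = bytes([0xC4]) + ((DEVICE_OBJECT_TYPE << 22) | instance).to_bytes(4, "big")
    return build(bytes([0x10, I_AM]) + obj + tagged(2, 1476) + bytes([0x91, 0x03]) + tagged(2, 15))

def decode(frame):
    """Return scope (unicast/local/remote/global) and service details of one BACnet/IP frame."""
    if frame[0] != 0x81 or frame[1] not in (BVLC_UNICAST, BVLC_BROADCAST) or int.from_bytes(frame[2:4], "big") != len(frame):
        raise ValueError("not a well-formed Original-Unicast/Broadcast-NPDU")
    control, pos = frame[5], 6                    # NPDU version byte at 4, control octet at 5
    info = {"scope": "local" if frame[1] == BVLC_BROADCAST else "unicast", "dnet": None}
    if control & 0x20:                            # DNET/DLEN/DADR present
        info["dnet"], dlen = int.from_bytes(frame[pos:pos + 2], "big"), frame[pos + 2]
        pos += 3 + dlen
        if dlen == 0:                             # DLEN 0 means broadcast on that network
            info["scope"] = "global" if info["dnet"] == GLOBAL_DNET else "remote"
    if control & 0x08:                            # SNET/SLEN/SADR present
        pos += 3 + frame[pos + 2]
    pos += 1 if control & 0x20 else 0             # hop count follows whenever DNET is present
    if control & 0x80 or frame[pos] >> 4 != 0x1:  # network-layer message, or not an unconfirmed request
        info["service"] = "other"
        return info
    service, pos = frame[pos + 1], pos + 2
    if service == WHO_IS:
        info.update(service="Who-Is", low=None, high=None)
        if pos < len(frame):                      # limits come as a pair, or not at all
            info["low"], pos = read_unsigned(frame, pos)
            info["high"], pos = read_unsigned(frame, pos)
    elif service == I_AM:
        obj = int.from_bytes(frame[pos + 1:pos + 5], "big")   # skip the 0xC4 object-identifier tag
        info.update(service="I-Am", object_type=obj >> 22, instance=obj & 0x3FFFFF)
    else:
        info["service"] = "unconfirmed-%d" % service
    return info

def storm_sources(capture, window_s=60.0, limit=2):
    """Senders with more than `limit` unbounded global Who-Is in any window_s seconds (threshold assumed)."""
    recent, flagged = defaultdict(list), set()
    for t, src, frame in capture:
        d = decode(frame)
        if d.get("service") == "Who-Is" and d["scope"] == "global" and d["low"] is None:
            recent[src] = [x for x in recent[src] if t - x <= window_s] + [t]
            if len(recent[src]) > limit:
                flagged.add(src)
    return flagged

def duplicate_device_ids(capture):
    """Device instances announced via I-Am from more than one source address."""
    claims = defaultdict(set)
    for _, src, frame in capture:
        d = decode(frame)
        if d.get("service") == "I-Am" and d["object_type"] == DEVICE_OBJECT_TYPE:
            claims[d["instance"]].add(src)
    return {inst: sorted(srcs) for inst, srcs in claims.items() if len(srcs) > 1}

# Constructed capture: (seconds, source IP, frame). Hosts and timings are made up for the example.
CAPTURE = [
    (0.0, "10.0.1.20", who_is(dnet=GLOBAL_DNET)),      # unbounded Who-Is to every network
    (10.0, "10.0.1.20", who_is(dnet=GLOBAL_DNET)),
    (20.0, "10.0.1.20", who_is(dnet=GLOBAL_DNET)),     # third within 60 s: flagged
    (31.0, "10.0.1.21", who_is(100, 199, dnet=5)),     # range-limited, one remote network: fine
    (32.0, "10.0.1.22", who_is()),                      # local broadcast only: fine
    (33.0, "10.0.2.7", i_am(1001)),
    (34.0, "10.0.2.8", i_am(1001)),                     # same device instance from a second host
]

if __name__ == "__main__":
    print("storm sources:", storm_sources(CAPTURE))
    print("duplicate device IDs:", duplicate_device_ids(CAPTURE))
```

The storm check keys on scope plus the absence of a device-instance range, because a range-limited or remote-only Who-Is is exactly the "correct broadcast at the correct time" the text asks for; feed `decode` the UDP payloads from a port 47808 capture to run it against real traffic.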
In response to these issues, the ASHRAE SSPC-135 IT Working Group (IT-WG) is updating the protocol to be more secure in this new world of absolute connectivity.
The new BACnet/SC update uses IT best practices to keep information secure without endangering the network infrastructure.

FIGURE 9: While there are many protocols that can be used on a building network, BACnet's growing dominance means that it is a focus for cybersecurity efforts. Image source: Siemens. (The figure lays out BACnet, KNX, KNX PL-Link, LonWorks, M-Bus, Modbus, DALI, EnOcean and Web across the field level of sensors and actuators, the automation level of room automation (secondary) and control (primary), and the management level of operation and monitoring, evaluation and management.)

46 | ICT TODAY

According to the whitepaper BACnet Secure Connect: A Secure Infrastructure for Building Automation, co-written by David Fisher, Bernhard Isler, and Michael Osborne, the update will:
• Employ widely accepted IP and security standards from the IT community, with changes that include removing the need for static IP addresses and broadcast messaging, eliminating BACnet/IP Broadcast Management Devices (BBMDs) and their configuration, and adding compatibility with IT firewall devices.
• Use a “hub-and-spoke topology” allowing one device to manage the traffic between several node devices, with a failover mechanism should the hub device go offline.
• Support shared IP networks with no virtual private network (VPN) setup required.
• Provide backward compatibility with existing BACnet deployments, so that all BACnet systems, no matter how old, can benefit from these security updates.
These measures will help to improve network security and compatibility with IT security standards without requiring additional input or network restructuring from the IT department. Moreover, they will provide the means to create secure communications connections between BAS