BACnet wide area network security threat assessment

OCLC Number: 54102080

Excerpt: ...

4.2 BACnet networks

4.2.1 Current network configurations

Most building control systems (BCS) today are not connected to the internet - they are secure due to isolation. However, some networks may have "back doors" via modem connections to controllers, or perhaps Internet access, also likely via modem in many facilities, to the operator work station (OWS). Physical security remains the biggest concern. However, in many multi-building installations where a central control capability is desired, or where there is some outlying equipment to monitor, it is more and more common to connect the separate BCS networks using existing cables and IP protocol. This connection may be entirely confined behind a corporate firewall, but more likely includes the public Internet.

How are such network connections secured? If they are secured, it is most commonly done by using virtual private networking (VPN) technology from building firewall to building firewall across the Internet. A router implementing this technology takes BCS traffic at one end-node, encrypts it (using IPsec), and sends it to a router at the far end that decrypts the traffic and delivers it to the destination BCS network.

While BACnet provides a means for device communication over an IP network using BACnet/IP, there is still no available implementation of the BACnet standard's Clause 24 security features (guidelines on implementing authentication and encryption).

4.2.2 Future secure network configurations

Work is proceeding on implementing security into the BACnet protocol (see section 6.1). With secure services built into the BACnet protocol, new kinds of network configurations are likely. Figure 1 presents a conceptual secure configuration. There are secure devices (SD) and some of these are secure routers (SR). There is an untrusted network across which building control communication must flow - this could be the corporate LAN or some WAN or the I...