Building Automation: BAS Use of Ethernet / IP Infrastructure, Part 2
Last month, we discussed some of the challenges of using a converged network as the main transport for a BAS, covering both the advantages and some of the challenges of sharing the network infrastructure. This month, we focus on the special challenge of data security. It is a topic that often gets little attention, yet it carries high risk if it is not properly addressed on any shared network installation.
Data Security

Information about, and control of, building systems needs to be restricted to qualified users. An unauthorized user who gains access to these systems could not only view information but also change system parameters, with consequences ranging from minor discomfort to equipment damage or worse. Traditionally, these systems have been protected by user security at the application level: a valid user name and password are required to reach the system through its PC or Web-based interface tool. That control applies only to the operator interface, not to the network traffic between the interface and the controllers.
Shared Network Risks

When we place systems on a common network, however, there is a new risk: the potential for a breach at the network level. All data on an IP network travels in packets with a standard, published structure, and tools called sniffers are readily available for viewing their contents. BAS traffic is highly repetitive and, when it uses an open standard such as BACnet®, its contents are fully documented and sent in the clear, with nothing in the packet to prove who sent it. It is a fairly easy task for an unauthorized user (i.e., a hacker) with access to the network to capture these packets and then attempt to take control, either with a tool or simply by forming their own "spoofed" packets that replay or modify what was observed.
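To make that risk concrete, here is an added example (not code from the article, ASHRAE or any vendor) that decodes captured BACnet/IP frames and flags any state-changing request from a host that is not on an allowlist. The three frames, the 10.20.30.x addresses and the allowlist are constructed for illustration. It shows two things a practitioner should take from this section: every field needed to forge a WriteProperty is visible in the clear, and nothing in the frame authenticates the sender, so the only thing standing between a sniffer and a changed setpoint is who can reach the controller's UDP port.

```python
"""BACnet/IP request decoder with an allowlist check on state-changing requests. Added example for
this article, not code from the article, ASHRAE or any vendor. Field layout follows ASHRAE 135 (BVLC,
NPDU, APDU); the sample frames, IP addresses and allowlist below are constructed for illustration."""
import struct
from typing import Optional

CONFIRMED = {12: "readProperty", 15: "writeProperty", 16: "writePropertyMultiple", 20: "reinitializeDevice"}
UNCONFIRMED = {0: "i-Am", 8: "who-Is"}
OBJECT_TYPES = {0: "analog-input", 1: "analog-output", 2: "analog-value", 4: "binary-output", 8: "device"}
PROPERTIES = {77: "object-name", 85: "present-value"}
# Confirmed services that change controller state. Nothing in a BACnet/IP frame authenticates
# the sender, so any host that can reach UDP/47808 on the controller may issue them.
STATE_CHANGING = {15, 16, 20}

def _tag(buf: bytes, off: int):
    """Parse one tag header -> (tag number, is context tag, length/value/type, next offset).
    Extended tag numbers (15) are not needed by the services decoded here and are not handled."""
    b = buf[off]
    tag, ctx, lvt, off = b >> 4, bool(b & 0x08), b & 0x07, off + 1
    if lvt == 5:                                   # extended length, one-byte form (254/255 forms not handled)
        lvt, off = buf[off], off + 1
    return tag, ctx, lvt, off

def _app_value(tag: int, data: bytes):
    """Decode the application-tagged primitives a present-value write usually carries."""
    if tag == 4 and len(data) == 4:                # REAL
        return struct.unpack(">f", data)[0]
    if tag in (2, 9):                              # Unsigned, Enumerated
        return int.from_bytes(data, "big")
    return None

def _decode_object_property(buf: bytes, req: dict) -> None:
    """Fill object, property and (WriteProperty only) value from a Read/WriteProperty request."""
    tag, ctx, lvt, off = _tag(buf, 0)
    if not (ctx and tag == 0 and lvt == 4):
        raise ValueError("expected context tag 0 (object identifier)")
    oid, off = struct.unpack(">I", buf[off:off + 4])[0], off + 4
    req["object"] = (OBJECT_TYPES.get(oid >> 22, str(oid >> 22)), oid & 0x3FFFFF)
    tag, ctx, lvt, off = _tag(buf, off)
    if not (ctx and tag == 1):
        raise ValueError("expected context tag 1 (property identifier)")
    prop, off = int.from_bytes(buf[off:off + lvt], "big"), off + lvt
    req["property"] = PROPERTIES.get(prop, str(prop))
    if off >= len(buf):                            # ReadProperty ends here
        return
    tag, ctx, lvt, off = _tag(buf, off)
    if ctx and tag == 2:                           # optional array index
        tag, ctx, lvt, off = _tag(buf, off + lvt)
    if ctx and tag == 3 and lvt == 6:              # opening tag 3 wraps the property value
        tag, ctx, lvt, off = _tag(buf, off)
        if not ctx:
            req["value"] = _app_value(tag, buf[off:off + lvt])

def decode_frame(frame: bytes) -> dict:
    """Walk BVLC -> NPDU -> APDU and return the request the frame carries."""
    if len(frame) < 4 or frame[0] != 0x81 or struct.unpack(">H", frame[2:4])[0] != len(frame):
        raise ValueError("not a well-formed BACnet/IP (BVLC) frame")
    off = 4 + (6 if frame[1] == 0x04 else 0)       # Forwarded-NPDU carries the original B/IP address
    if frame[off] != 0x01:
        raise ValueError("unsupported NPDU version")
    control, off = frame[off + 1], off + 2
    if control & 0x80:
        raise ValueError("network-layer message, carries no APDU")
    if control & 0x20:                             # DNET, DLEN, DADR
        off += 3 + frame[off + 2]
    if control & 0x08:                             # SNET, SLEN, SADR
        off += 3 + frame[off + 2]
    if control & 0x20:                             # hop count follows the address fields
        off += 1
    apdu, pdu_type = frame[off:], frame[off] >> 4
    if pdu_type == 0:                              # Confirmed-Request
        svc_off = 3 + (2 if apdu[0] & 0x08 else 0) # segmented requests add two header bytes
        svc = apdu[svc_off]
        req = {"pdu": "confirmed-request", "service_choice": svc, "service": CONFIRMED.get(svc, str(svc)), "invoke_id": apdu[2]}
        if svc in (12, 15):
            _decode_object_property(apdu[svc_off + 1:], req)
        return req
    if pdu_type == 1:                              # Unconfirmed-Request
        return {"pdu": "unconfirmed-request", "service_choice": apdu[1], "service": UNCONFIRMED.get(apdu[1], str(apdu[1]))}
    return {"pdu": f"pdu-type-{pdu_type}", "service_choice": -1, "service": ""}

def check_frame(src_ip: str, frame: bytes, authorized_writers: set) -> Optional[str]:
    """Alert on a state-changing request from a host that is not on the allowlist."""
    req = decode_frame(frame)
    if req["pdu"] == "confirmed-request" and req["service_choice"] in STATE_CHANGING and src_ip not in authorized_writers:
        return f"ALERT {src_ip} {req['service']} {req.get('object')} {req.get('property')}={req.get('value')}"
    return None

def audit(capture, authorized_writers: set) -> list:
    """Run check_frame over (source IP, UDP payload) pairs and return the alerts raised."""
    return [a for src, payload in capture if (a := check_frame(src, payload, authorized_writers))]

# Constructed sample capture (not from a real site): the operator workstation 10.20.30.5 reads and
# discovers; an unknown host writes present-value of analog-value,1 to 72.0 (REAL 0x42900000).
SAMPLE_CAPTURE = [
    ("10.20.30.5", bytes.fromhex("810a0011" "0104" "0005020c" "0c00800001" "1955")),
    ("10.20.30.77", bytes.fromhex("810a0018" "0104" "0005010f" "0c00800001" "1955" "3e" "4442900000" "3f")),
    ("10.20.30.5", bytes.fromhex("810b000c" "0120ffff00ff" "1008")),
]
AUTHORIZED_WRITERS = {"10.20.30.5"}               # hypothetical allowlist of hosts allowed to write
```

Running `audit(SAMPLE_CAPTURE, AUTHORIZED_WRITERS)` returns a single alert for the WriteProperty from 10.20.30.77; the read and the Who-Is broadcast pass. Pointed at a mirror port for the BAS segment, the same logic is the cheapest monitoring a site can add, but note that it is detection after the fact: the decoder can tell that a write came from an unexpected address, not whether that address was spoofed.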
VLAN

There are several readily available ways to prevent this. The most common is to have the network administrator implement a virtual local area network, or VLAN. A VLAN segments the switched network so that BAS traffic is carried only on the switch ports assigned to it and is kept apart from general-purpose traffic: a PC on the office VLAN cannot sniff or inject BAS packets, and any traffic between VLANs has to pass through a router or firewall where it can be filtered. Many installations protect this further with port security or 802.1X, which allow only a designated device (PC, controller, etc.) to connect to a particular network port; that is a separate switch feature from the VLAN itself. VLANs provide a necessary level of protection for any BAS on a converged network, but they are only as good as their configuration and management: an unused BAS-VLAN port left active, or a misconfigured trunk, reopens the path.
Encryption

The other alternative for protecting systems on a shared or converged network is the technology used on the Internet to carry sensitive information such as financial transactions: encryption. The contents of each packet are encoded so that only the two devices sharing the information can decode them, and when authentication is added, each device can also verify which device it is talking to, which defeats the spoofed packets described above rather than merely hiding their contents. At the time of writing, work is under way to add encryption and authentication to the BACnet standard as a future addition.
In the meantime, the use of a converged network remains a good solution, but you need to be sure that the BAS traffic is properly segregated with a VLAN and that its configuration is reviewed and maintained. ES