BACnet does not emphasize on secure communication?

Question

When I look into BACnet communication protocol, I found so little about secure communication, almost non-existence. BACnet is so commonly used in building automation controls. However, without mandatory authentication or encryption, wouldn't it be easy to hack by just walking into a building and tap on the building network? Am I missing something?

Answer 1

To be fair, it's not necessarily that easy to rock-up to a building, and plug-in to the building controls network; that's the unsaid part - that a lot of BACnet real-world security relies upon physical security/access (- where explicitly/actively so or implicitly).

But to be fair, BACnet did introduce a section # 24 that covered "Network Security" (which was present in the 2012 rendition) but was later "DELETED", and even with it present at the time, companies (/a fair amount of the community) didn't seem to show much active/delivered interest.

But even with the advent of BACnet/SC, BACnet/SC is a lot to take-on (in terms of complexity & time / overall investment) for a technical personal, never a mind a less technical Building Manager and/or Supervisors; there needs to be more support from the Committee.

Answer 2

Your assumptions are correct - for the older standard. The BACnet ASHRAE SSPC 135 committee has addressed the security issue with the new BACnet/SC datalink. It has not been officially released yet, but you can get a sneek peek: http://www.bacnet.org/Bibliography/B-SC-Whitepaper-v10_Final_20180710.pdf