I have a customer who is looking into open BACnet routing of all their BACnet/MSTP and BACnet/IP information across a large portfolio of sites. Are there significant security risks associated with this? Do you know of any ways this could be exploited?
Any traffic that's not secure will be at risk. A VPN or BACnet/SC should solve those issues.
BACnet/IP is sent in clear text. BACnet/SC uses TLS 1.3 encryption.
Some related news stories below. I personally know a high-rise that got their BMS ransomed in 2019. I would be very careful if your customer is a biopharma, tech, manufacturing, or healthcare customer.
Shodan is able to do a search for BACnet devices on the internet. There’s a ton of exposed sites out there.
Unfortunately, any exposed vulnerabilities will likely end up causing you trouble. People suck.
As others have mentioned, using a VLAN, VPN, or BACnet/SC will be your best bet.
Secure from what? What is the misuse case you’re trying to avoid?
What kind of exploits are you worried about? Someone gaining access to a BACnet device and using it to get into a business network or someone gaining control of your mechanical equipment and wreaking havoc and potentially destroying the equipment/property?
The former is possible but the latter is highly likely.
This is inherently insecure. That being said, it is one thing to leave the car unlocked and another to have someone pop in and steal something.
Will your site and IP address show up on Shodan marked as having BACnet hanging out on the internet? Yes. Could someone map your stuff and then command whatever they want? Yes. Could that result in property damage? Yes.
Will it happen? Eh, probably not. There is no monetary incentive to blow up your RTUs by running the compressor with no fan.
It is bad practice and exposes your site. Use the VPN option mentioned here. If the site is this large, then they will have an IT staff. Have them do it for you.
BACnet/SC is not fully baked. Not yet.
Let's put it this way: if you use BACnet to connect sites, one rogue vendor employee can discover every BACnet device in every connected site near instantly. Once discovered, that rogue tech could shut down chilled water pumps and condenser water pumps on a chilled water system while the chiller is running. That in and of itself would not ruin the chiller, but it would make a hell of a lot of noise and the chiller would not like it. Depending on what depends on that chilled water, business operations could be affected and your building operators will have a bad day.
BACnet/SC is your new friend.
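To make the "discover everything, then command whatever you want" point of the posts above concrete (BACnet/IP is clear text, Shodan finds exposed devices, and a rogue tech can enumerate every device and write to it), here is an added example; it is not code from any poster in this thread or from a BACnet vendor. It decodes three hand-constructed BACnet/IP frames (a global Who-Is broadcast, an I-Am answer, and a WriteProperty that forces a binary output) and then forges the same WriteProperty from scratch. The device instance 1234, vendor id 260 and binary-output 1 are made-up values, not a real site. Nothing in the exchange asks for a key or a credential, which is the whole reason the VLAN/VPN/BACnet/SC advice in the thread exists.

```python
"""Decode and forge BACnet/IP (ASHRAE 135 Annex J) frames. Added example, not code from
any poster in the thread or from a BACnet vendor. Frames are built by hand from the
standard's encoding rules; device 1234, vendor 260 and binary-output 1 are made-up values."""
import struct

OBJECT_TYPES = {0: "analog-input", 1: "analog-output", 4: "binary-output", 8: "device"}
UNCONFIRMED = {0x00: "I-Am", 0x08: "Who-Is"}
CONFIRMED = {0x0C: "ReadProperty", 0x0F: "WriteProperty"}
PRESENT_VALUE = 85

# Constructed sample frames, exactly as they would cross the wire on UDP/47808.
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")                  # global broadcast, no range
I_AM = bytes.fromhex("810b001501001000c4020004d22205c49103220104")  # device 1234 answering
WRITE_PROP = bytes.fromhex("810a001701040005010f0c010000011955"
                           "3e91003f4908")                           # BO:1 present-value := 0, prio 8

def read_tag(buf, pos):
    """One tag header -> (tag_number, is_context, kind, length, next_pos); kind is data/open/close."""
    b = buf[pos]
    tag, ctx, lvt, pos = b >> 4, bool(b & 0x08), b & 0x07, pos + 1
    if tag == 0x0F:                          # extended tag number in the next byte
        tag, pos = buf[pos], pos + 1
    if lvt in (6, 7):
        return tag, ctx, ("open" if lvt == 6 else "close"), 0, pos
    if lvt == 5:                             # extended length; only the 1-byte form is handled
        lvt, pos = buf[pos], pos + 1
    return tag, ctx, "data", lvt, pos

def decode_object_id(raw):
    val = struct.unpack("!I", raw)[0]        # 10-bit object type, 22-bit instance number
    return OBJECT_TYPES.get(val >> 22, str(val >> 22)), val & 0x3FFFFF

def unsigned(raw):
    return int.from_bytes(raw, "big")

def parse_bacnet_ip(pkt):
    """Walk BVLC -> NPDU -> APDU. Every field is plaintext and nothing is authenticated."""
    if pkt[0] != 0x81 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("not a well-formed BACnet/IP frame")
    pos = 4 + (6 if pkt[1] == 0x04 else 0)   # Forwarded-NPDU carries the originator's B/IP address
    control, pos = pkt[pos + 1], pos + 2     # skip the NPDU version byte
    info = {"bvlc_function": pkt[1], "expecting_reply": bool(control & 0x04),
            "global_broadcast": False, "service": "network-layer"}
    if control & 0x80:                       # network-layer message: no APDU follows
        return info
    if control & 0x20:                       # DNET / DLEN / DADR present
        info["global_broadcast"] = struct.unpack("!H", pkt[pos:pos + 2])[0] == 0xFFFF
        pos += 3 + pkt[pos + 2]
    if control & 0x08:                       # SNET / SLEN / SADR present
        pos += 3 + pkt[pos + 2]
    pos += 1 if control & 0x20 else 0        # hop count
    apdu, pdu_type = pkt[pos:], pkt[pos] >> 4
    info["service"] = f"pdu-type-{pdu_type}"
    if pdu_type == 1:                        # Unconfirmed-Request
        svc, body = apdu[1], apdu[2:]
        info["service"] = UNCONFIRMED.get(svc, f"unconfirmed-{svc}")
        if svc == 0x00:                      # I-Am: object-id, max-apdu, segmentation, vendor-id
            fields, p = [], 0
            while p < len(body):
                _, _, _, ln, p = read_tag(body, p)
                fields.append(body[p:p + ln])
                p += ln
            info["device"] = decode_object_id(fields[0])[1]
            info["max_apdu"], info["vendor_id"] = unsigned(fields[1]), unsigned(fields[3])
        elif svc == 0x08:                    # Who-Is with no range: "every device, answer me"
            info["range"] = "all devices" if not body else "limited"
    elif pdu_type == 0:                      # Confirmed-Request
        hdr = 6 if apdu[0] & 0x08 else 4     # segmented requests carry two extra header bytes
        info["invoke_id"], svc, body = apdu[2], apdu[hdr - 1], apdu[hdr:]
        info["service"] = CONFIRMED.get(svc, f"confirmed-{svc}")
        if svc == 0x0F:                      # WriteProperty: [0]object [1]property [3]value [4]priority
            p = 0
            while p < len(body):
                tag, _, kind, ln, p = read_tag(body, p)
                if kind == "open":           # value sits inside context tag 3 (unsigned/enum only)
                    _, _, _, ln, p = read_tag(body, p)
                    info["value"] = unsigned(body[p:p + ln])
                elif kind == "data" and tag == 0:
                    info["object"] = decode_object_id(body[p:p + ln])
                elif kind == "data" and tag == 1:
                    pid = unsigned(body[p:p + ln])
                    info["property"] = "present-value" if pid == PRESENT_VALUE else pid
                elif kind == "data" and tag == 4:
                    info["priority"] = unsigned(body[p:p + ln])
                p += ln
    return info

def build_write_property(obj_type, instance, value, priority, invoke_id=1):
    """Forge a WriteProperty(present-value). No key, no session: any host that can reach
    UDP/47808 on the device, or a BBMD that forwards to it, can send this."""
    obj = struct.pack("!I", (obj_type << 22) | instance)
    apdu = (bytes([0x00, 0x05, invoke_id, 0x0F]) + b"\x0c" + obj + bytes([0x19, PRESENT_VALUE])
            + b"\x3e" + bytes([0x91, value]) + b"\x3f" + bytes([0x49, priority]))
    npdu = b"\x01\x04"                       # expecting reply, local network
    return b"\x81\x0a" + struct.pack("!H", 4 + len(npdu) + len(apdu)) + npdu + apdu

if __name__ == "__main__":
    print(*(parse_bacnet_ip(f) for f in (WHO_IS, I_AM, WRITE_PROP)), sep="\n")
    print(build_write_property(4, 1, 0, 8) == WRITE_PROP)   # True: the forged frame is byte-identical
```

Running it prints the three decoded frames and confirms that the forged WriteProperty is byte-for-byte the constructed one. The decoder needs no secret to read the traffic and the builder needs none to produce a request a plain BACnet/IP device will act on; that is the exposure the thread is arguing about. The same decoder pointed at a SPAN port or a pcap is also the cheap check an IT team can run while the isolation work is being done: a WriteProperty arriving from a source that is not one of the known BMS hosts should not be happening.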
I do network security/IT and, for some strange reason, am also a building engineer and have programmed some Delta automation stuff. I'd strongly suggest having a proper VPN set up and then riding BACnet/SC over that link. Exposing a network endpoint directly to the internet is not a great idea even if the comms are encrypted. Protect the things you never want exploited by using industry-standard network devices to set up VPN links between the sites. It would take one unpatched BACnet device to give someone an entry into your entire network. Years ago I put a freshly installed Linux box online to install security updates. The system was hacked in 5 minutes.
BACnet is an open protocol meant for interoperability. Therefore, it was meant to be insecure. Only BACnet/SC uses encrypted data transport. IMO, BACnet/SC is counter to the original purpose of BACnet.
However, even on multi-site systems the entire network should reside on an isolated, secured VLAN, exactly the same way that a company's computers are able to be on the same company network regardless of which building they are in anywhere in the world. Therefore, the BAS or vendor VLAN should be no less secure for an owner than their own secure business network is. So, the impetus for security is typically on the owner's IT department rather than the BAS vendor.
While it may be, I've never heard anyone call the network a VPN. It's always referred to as a VLAN, and a VPN is how you securely connect to it remotely. At least, that's how the terms are used in my area.
If the customer is using firewalls at source and destination, then the firewall's IPsec will wrap the BACnet traffic in encryption when moving from site to site or to an enterprise server or cloud server.
The packet is encrypted before leaving the site and then decrypted at the destination firewall before progressing.
BACnet/SC does the exact same thing, but on port 443: it wraps the BACnet traffic.
BACnet does not contain credentials or PII at all, and OT data is useless without context for the most part. Why hack an OT BACnet network? If you have that skill, you're going after real targets.
There is no risk at all if their IT department knows what they are doing, you are trying to scare them over nothing.
Not remotely, unless they're able to hack through the firewall. The VLAN firewall should protect the network from outside attacks. Besides, BACnet is not the method through which companies get hacked. They hack operator credentials to access secure networks.
Cloud only connects to the BACnet/SC routers. The routers then serve the cloud an encrypted data stream with the BACnet data.
A VPN or whitelisted IP is the typical remote connection mechanism, while the interconnections can be facilitated via a VLAN that incorporates firewalls, or via BBMD connections, which can also be behind a firewall with the appropriate ports opened for incoming traffic. Using Tridium JACE(s) would add the ability to encrypt the Niagara connections, or, depending on the controls brand, a REST connection could be used.
Just about all manufacturers have BACnet/SC options. This would be the simplest approach.
Is there a BACnet/MSTP router that has VPN or BACnet/SC that you’re aware of?
Great reading. Thank you for sharing.
Any misuse. I don’t believe in their solution, and I want them to not do it. Every worst case scenario is great.
I am in the “against” camp, and I want as many scenarios to scare them out of doing it as possible.