Even a network not connected to the Internet is vulnerable to a malicious attacker who has physical access to the facility.

Without BACnet/SC, a BACnet network requires a VPN (Virtual Private Network) to protect its traffic from hackers.

The BACnet/SC link layer is compatible with other link layer types and supports all BACnet application and network layer messages. BACnet/SC does not change message content. Messages sent over a BACnet/SC network are encrypted and travel in a secure channel using a hub. This contrasts with messages sent over BACnet MS/TP (Multidrop Serial Bus/Token Passing) or BACnet/IP using UDP (User Datagram Protocol), which are not encrypted and could be sniffed and tampered with.

Messages that have multiple recipients are very common in building automation. With BACnet/SC, all devices join the network by connecting to the hub. The hub then broadcasts the ‘who-is’ and ‘who-has’ requests to all participants. This eliminates IP-level broadcast or multicast transmissions across IP subnet boundaries, so these broadcast messages do not require special firewall configuration. Since messages pass through without special configuration and a BACnet network maintains its communications pattern at the link level, the network uses whatever IP infrastructure is available. The IP infrastructure itself is not important. Only HTTPS needs to be open.

BACnet/SC provides a different kind of wrapper around the same message (orange boxes) than other link layers such as BACnet/IP.

BACnet/SC supports both traditional IP and secure connections (blue box).
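
The contrast above between unencrypted BACnet/IP over UDP and hub-based BACnet/SC can be checked on a live network by auditing flow records. The following is an added example, not code from the original page. The flow records, addresses, and the hub listening on TCP 443 are constructed assumptions; UDP 47808 is the default BACnet/IP port.

```python
import ipaddress

BACNET_IP_UDP_PORT = 47808  # 0xBAC0, default BACnet/IP port (unencrypted)

def classify_flow(flow, hub, nets):
    """Label one flow record (dict with proto, src, dst, dport)."""
    dst = ipaddress.ip_address(flow["dst"])
    if flow["proto"] == "udp" and flow["dport"] == BACNET_IP_UDP_PORT:
        # BACnet/IP traffic: readable and modifiable on the wire.
        is_bcast = dst == ipaddress.ip_address("255.255.255.255") or any(
            dst == net.broadcast_address for net in nets)
        return "cleartext-broadcast" if is_bcast else "cleartext-unicast"
    if flow["proto"] == "tcp" and (flow["dst"], flow["dport"]) == hub:
        # BACnet/SC node connecting to the hub over the HTTPS port.
        return "sc-hub"
    return "unexpected"

def audit(flows, hub, subnets):
    """Group source addresses by classification label."""
    nets = [ipaddress.ip_network(s) for s in subnets]
    report = {}
    for flow in flows:
        report.setdefault(classify_flow(flow, hub, nets), []).append(flow["src"])
    return report

def legacy_devices(report):
    """Devices still sending unencrypted BACnet/IP (candidates for migration)."""
    srcs = report.get("cleartext-broadcast", []) + report.get("cleartext-unicast", [])
    return sorted(set(srcs))

# Constructed sample data (hypothetical addresses, not from the page).
HUB = ("10.1.0.5", 443)  # assumption: hub reachable on the default HTTPS port
SUBNETS = ["10.1.10.0/24", "10.1.20.0/24"]
SAMPLE_FLOWS = [
    {"proto": "tcp", "src": "10.1.10.21", "dst": "10.1.0.5", "dport": 443},
    {"proto": "tcp", "src": "10.1.20.33", "dst": "10.1.0.5", "dport": 443},
    {"proto": "udp", "src": "10.1.10.40", "dst": "10.1.10.255", "dport": 47808},
    {"proto": "udp", "src": "10.1.10.40", "dst": "10.1.20.7", "dport": 47808},
    {"proto": "tcp", "src": "10.1.20.33", "dst": "10.1.0.9", "dport": 23},
]

if __name__ == "__main__":
    result = audit(SAMPLE_FLOWS, HUB, SUBNETS)
    for label, sources in sorted(result.items()):
        print(f"{label:20} {sources}")
    print("still on cleartext BACnet/IP:", legacy_devices(result))
```

On a segment that has fully moved to BACnet/SC, every flow should land in `sc-hub`; anything in the cleartext or `unexpected` groups points to a device or firewall rule that still needs attention.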