IT Friendliness

Increasingly, the IT systems and the BAS systems are sharing all or part of the network transport fabric. This brings up various issues related to coexistence:

  • BAS devices must not interfere with the IT system; for example:
    • Don't introduce a rogue DHCP server
    • Avoid broadcast storms
    • Conform to local policies for network address and name space management
  • IT management needs to be made aware of the BAS network. Increasingly, a tightly-managed corporate network will:
    • Block access to equipment they don't recognize/approve
    • Block traffic they don't understand (e.g. unfamiliar protocols)
  • Tightly managed networks will want BAS devices to report status & be controlled by their network management tools
  • Don't introduce security vulnerabilities on either the BAS or the IT network. E.g.:
    • MIT doesn't want (unauthorized) students experimenting with the building controls
    • The Pentagon doesn't want anyone seeing their occupancy sensor data

There are really two paths that one can take to achieving the required co-existence with IT networks:

  • Educate IT personnel about BAS and extend their management tools to understand BAS protocols.
    • It seems unlikely that a significant fraction of corporate IT administrators are going to take time out for BACnet training
    • Even if the IT administrators were to understand BACnet as it exists today, it is not clear that they would be much happier about accepting BAS devices on their networks
  • Have BAS protocols and products do things that are more similar/familiar to IT personnel and that work with their management tools
    • This seems to be a better direction for the future.

What BACnet products that use IT-friendly protocols might look like:

  • Use standard IT protocols at layers 1-6
    • E.g. ARP, IPv4/IPv6, ICMP, UDP, TCP, DHCP, TLS/SSL
  • Support standard IT management protocols
    • E.g. SNMP (create MIBs for the transport-related functions of BAS products)
  • Compatibility with IT security infrastructure
    • Network Access Control
    • Encrypted traffic (e.g. use TLS)
    • Authentication (e.g. Kerberos/Active Directory/LDAP)
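Two of the coexistence problems above (equipment IT has not approved, and broadcast storms) can be audited from an ordinary packet capture because BACnet/IP rides on plain UDP. The following is an added example, not code from this page or from any BACnet project; it assumes the standard BACnet/IP framing (BVLC type byte 0x81, function byte, 2-byte length; 0x0B = Original-Broadcast-NPDU, 0x0A = Original-Unicast-NPDU) and uses constructed sample traffic, an assumed approved-device inventory and an assumed broadcast budget per time window.

```python
from collections import Counter

BVLC_TYPE = 0x81           # BACnet/IP Virtual Link Control type byte
ORIGINAL_UNICAST = 0x0A    # BVLC function: Original-Unicast-NPDU
ORIGINAL_BROADCAST = 0x0B  # BVLC function: Original-Broadcast-NPDU

def parse_bvlc(datagram: bytes):
    """Return (function, length) from the BVLC header, or None if the
    datagram is not well-formed BACnet/IP (wrong type or length field)."""
    if len(datagram) < 4 or datagram[0] != BVLC_TYPE:
        return None
    length = int.from_bytes(datagram[2:4], "big")
    if length != len(datagram):
        return None  # the length field must cover the whole frame
    return datagram[1], length

def audit(packets, approved, window_s=1.0, max_broadcasts=2):
    """packets: iterable of (timestamp_s, src_ip, udp_payload) as a capture
    tool would hand them over. Reports BACnet/IP sources that are not in the
    approved inventory, and sources whose Original-Broadcast-NPDU count in
    any window exceeds max_broadcasts (a crude broadcast-storm indicator)."""
    unapproved, per_window = set(), Counter()
    for ts, src, payload in packets:
        hdr = parse_bvlc(payload)
        if hdr is None:
            continue  # not BACnet/IP; other protocols are out of scope here
        if src not in approved:
            unapproved.add(src)
        if hdr[0] == ORIGINAL_BROADCAST:
            per_window[(src, int(ts // window_s))] += 1
    storms = {src for (src, _), n in per_window.items() if n > max_broadcasts}
    return {"unapproved": sorted(unapproved), "storms": sorted(storms)}

def frame(function: int, npdu: bytes) -> bytes:
    """Wrap an NPDU in a BVLC header (used to build constructed test traffic)."""
    return bytes([BVLC_TYPE, function]) + (4 + len(npdu)).to_bytes(2, "big") + npdu

# Constructed sample: a Who-Is NPDU (global broadcast, APDU 0x10 0x08).
WHO_IS = bytes.fromhex("0120ffff00ff1008")
APPROVED = {"10.0.1.5", "10.0.1.6"}  # assumed inventory maintained by IT
SAMPLE = [
    (0.00, "10.0.1.5", frame(ORIGINAL_BROADCAST, WHO_IS)),
    (0.10, "10.0.1.5", frame(ORIGINAL_BROADCAST, WHO_IS)),
    (0.20, "10.0.1.5", frame(ORIGINAL_BROADCAST, WHO_IS)),  # 3 in one window
    (0.30, "10.0.1.6", frame(ORIGINAL_UNICAST, WHO_IS)),
    (0.40, "10.0.9.9", frame(ORIGINAL_BROADCAST, WHO_IS)),  # not in inventory
    (0.50, "10.0.1.7", b"not bacnet"),                      # ignored
]

if __name__ == "__main__":
    print(audit(SAMPLE, APPROVED))  # {'unapproved': ['10.0.9.9'], 'storms': ['10.0.1.5']}
```

The same two checks are what an SNMP MIB for the transport side of a BAS device would expose to IT's management tools, so the device reports them itself instead of relying on a passive capture.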

-- JimButler - 2010-05-07

Mike Newman: Cornell is moving to segregated VLANs and using temporary VPN servers to isolate commissioned BACnet devices from those being installed and not yet commissioned. This was because some BACnet equipment was interfering with other (properly configured!) BACnet devices. Cornell's procedure for checking out new BACnet devices prior to connecting them to the campus backbone is detailed here.

At MIT, packets from the building control systems are transported across the university network, but only within VPNs between segments (otherwise, it is expected students would hack the building control equipment!).

Further discussion at 11 May 2010 Germantown meeting:

Would small networks (a typical "7-11", or maybe a mom & pop store) need to be "secure"? Dave asserts that this is too much for the mom & pop store. CBF counter argument -- a few years ago your typical WiFi network wasn't secure, but now nearly everyone accepts that these networks must all be secure. The design of BACnet IT should make security easy enough that the HVAC/networking contractor at the mom & pop store could (should) enable security by default.

Topic revision: r5 - 2010-05-12 - 21:03:30 - JimButler