This document was developed by participants in a Cimetrics-led BAS industry consensus-building activity on interoperable cybersecurity and network management functionality for Building Automation Systems, focusing on those systems that use BACnet as their primary communication protocol. To accelerate the adoption of cybersecurity technology, Cimetrics convened a group of like-minded individuals and companies to engage in the Secured by Cimetrics Consensus-Building Process that began early in 2020 and concluded in early 2022. The charter was to develop guidelines and marketing collateral to help standardize BACnet cybersecurity implementations in products and systems through an open, consensus-based process. Two years of work from some of the top cybersecurity experts in the BAS industry resulted in creating several documents, including this one.
While the original version of the BACnet standard (ANSI/ASHRAE Standard 135) was being drafted in the late 1980s and early 1990s, cybersecurity of building automation systems was not considered to be a significant issue. But over the 25+ years since the first commercial use of BACnet in buildings, cybersecurity of IT systems has become a major concern, and this is impacting the building automation industry. Building automation products are increasingly being connected to TCP/IP networks, but as a result, those products are being exposed to new cyber threats. IT network administrators and information security personnel have certain expectations about the functionality of devices that are connected to networks that they manage, and that includes operational technology (OT) devices such as the networked controllers used in building automation systems.
This guide is primarily written for people who are creating products that are designed to communicate using the BACnet protocol on TCP/IP networks. The guide makes numerous recommendations that are intended to improve interoperable cybersecurity and compliance with relevant IT industry standards and practices.
Why is this guide needed? Although the BACnet standard and commercial product compliance testing have enabled BACnet-based interoperability between different vendors' products, cybersecurity is a topic whose scope is much broader than BACnet, and advances in cybersecurity are primarily coming from the IT community. Furthermore, ASHRAE's standards development process is intentionally deliberate, whereas information technology is continuing to evolve at a rapid pace. This guide is intended to provide information about some good practices that, when implemented, are intended to make products more secure and easier to manage.
Although this guide is primarily about product and system functionality, it should be emphasized that system cybersecurity is achieved through the successful application of an effective, ongoing process by the organization that is managing the system. The NIST Cybersecurity Framework can help organizations develop an appropriate process to manage their cybersecurity risk. Well-designed products and systems make it easier for the people in the managing organization to do their job well, but applying a risk mitigation process is ultimately the responsibility of the managing organization and its service providers.
Take a look at the sample
Please complete the form to gain access to the guide.