BACnet Secure Connect (BACnet/SC) adds TLS encryption and certificate-based authentication to BACnet communications. It runs over standard IT infrastructure (WebSockets over TCP) instead of UDP broadcasts, making it firewall-friendly and suitable for modern network architectures.
Traditional BACnet/IP has no built-in security:
| Feature | BACnet/IP | BACnet/SC |
|---|---|---|
| Encryption | None | TLS 1.3 |
| Authentication | None | X.509 certificates |
| Transport | UDP broadcast | WebSocket over TCP |
| Firewall-friendly | No (requires BBMD) | Yes (standard HTTPS ports) |
| IT approval | Difficult | Easier |
| Specification | ASHRAE 135 Annex J | ASHRAE 135 Addendum BJ |
```text
            ┌─────────────┐
            │ Primary Hub │
            │  (TLS 1.3)  │
            └──────┬──────┘
                   │
      ┌────────────┼───────────┐
      │            │           │
┌─────┴──────┐ ┌───┴───┐ ┌─────┴──────┐
│   Node A   │ │Node B │ │   Node C   │
│(Controller)│ │(JACE) │ │(Controller)│
└────────────┘ └───────┘ └────────────┘
```
| Role | Function | Typical Device |
|---|---|---|
| Hub | Central message broker, accepts node connections | Supervisor, server |
| Failover Hub | Backup hub for redundancy | Second supervisor |
| Node | Connects to hub, sends/receives BACnet messages | Controller, JACE |
| Direct Connect | Node-to-node without hub (limited use) | Point-to-point |
BACnet/SC uses X.509 certificates for mutual TLS authentication:
Certificate Chain:
```text
Root CA Certificate
└── Operational Certificate (per device)
    ├── Device UUID
    ├── BACnet Device Instance
    └── Key Usage: TLS Client + Server
```
| Parameter | Requirement |
|---|---|
| Key type | ECC P-256 or P-384 |
| Signature | ECDSA with SHA-256 or SHA-384 |
| Validity | 1-5 years recommended |
| Subject | Device UUID and BACnet device instance |
| Key usage | Digital Signature, Key Agreement |
| Extended key usage | TLS Web Server + Client Authentication |
Decide on a certificate authority strategy. For a deployment that runs its own self-signed root CA:
Generate Root CA:
```shell
# Root CA: P-256 private key and a self-signed certificate valid for 10 years
openssl ecparam -genkey -name prime256v1 -out ca-key.pem
openssl req -new -x509 -sha256 -key ca-key.pem -out ca-cert.pem -days 3650
```
Generate Device Certificate:
```shell
# Device key (P-256) and CSR; the CSR subject should carry the device UUID and BACnet device instance
openssl ecparam -genkey -name prime256v1 -out device-key.pem
openssl req -new -sha256 -key device-key.pem -out device.csr
# Sign with the root CA for one year. -CAcreateserial creates ca-cert.srl on first use
# (older OpenSSL releases fail without it); the key usage and extended key usage values
# from the requirements table are supplied through an extensions file with -extfile.
openssl x509 -req -sha256 -in device.csr -CA ca-cert.pem -CAkey ca-key.pem -CAcreateserial -out device-cert.pem -days 365
```
On the designated hub device (e.g., Niagara Supervisor):
```text
Hub Configuration:
Enabled: true
Listen Port: 443 (or custom)
Hub Certificate: device-cert.pem
Hub Private Key: device-key.pem
Trusted CA Certificates: ca-cert.pem
Max Connections: 100
Connection Timeout: 30 seconds
```
On each node device:
```text
Node Configuration:
Enabled: true
Primary Hub URI: wss://supervisor.building.local:443/bacnet-sc
Failover Hub URI: wss://supervisor2.building.local:443/bacnet-sc
Node Certificate: device-cert.pem
Node Private Key: device-key.pem
Trusted CA Certificates: ca-cert.pem
Reconnect Interval: 10 seconds
```
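The hub and node settings above are easy to get subtly wrong (a `ws://` URI instead of `wss://`, an empty trust store, a failover URI that points at the primary). The following Python is an added example, not code from the page or from any BACnet/SC product: it checks a node configuration dictionary whose keys mirror the Node Configuration block for those weak settings, and builds the standard-library `ssl` contexts a node (client side) and a hub (server side) would use to enforce TLS 1.3 with mutual certificate authentication. The two sample configurations are constructed for illustration; the file names are placeholders taken from the page.

```python
"""Validate BACnet/SC node settings and build mutual-TLS contexts (added example)."""
import ssl
from urllib.parse import urlparse

# Constructed sample: a node configuration with several weak settings.
WEAK_NODE_CONFIG = {
    "enabled": True,
    "primary_hub_uri": "ws://supervisor.building.local:80/bacnet-sc",   # plaintext WebSocket
    "failover_hub_uri": "ws://supervisor.building.local:80/bacnet-sc",  # same as primary
    "node_certificate": "device-cert.pem",
    "node_private_key": "",                                             # key not configured
    "trusted_ca_certificates": [],                                      # nothing trusted
    "reconnect_interval_s": 0,
}

# Constructed sample: the same node configured as the Node Configuration block recommends.
GOOD_NODE_CONFIG = {
    "enabled": True,
    "primary_hub_uri": "wss://supervisor.building.local:443/bacnet-sc",
    "failover_hub_uri": "wss://supervisor2.building.local:443/bacnet-sc",
    "node_certificate": "device-cert.pem",
    "node_private_key": "device-key.pem",
    "trusted_ca_certificates": ["ca-cert.pem"],
    "reconnect_interval_s": 10,
}


def check_hub_uri(uri, label):
    """Findings for one hub URI: the scheme must be wss, and host and path must be present."""
    findings = []
    parsed = urlparse(uri)
    if parsed.scheme != "wss":
        findings.append(f"{label}: scheme is '{parsed.scheme or '(none)'}', must be wss (TLS)")
    if not parsed.hostname:
        findings.append(f"{label}: missing host name")
    if not parsed.path:
        findings.append(f"{label}: missing path (e.g. /bacnet-sc)")
    return findings


def validate_node_config(cfg):
    """Return human-readable findings; an empty list means the configuration is acceptable."""
    findings = check_hub_uri(cfg.get("primary_hub_uri", ""), "Primary Hub URI")
    failover = cfg.get("failover_hub_uri")
    if failover:
        findings += check_hub_uri(failover, "Failover Hub URI")
        if failover == cfg.get("primary_hub_uri"):
            findings.append("Failover Hub URI equals Primary Hub URI: no redundancy")
    if not cfg.get("node_certificate"):
        findings.append("Node Certificate not set: hub cannot authenticate this node")
    if not cfg.get("node_private_key"):
        findings.append("Node Private Key not set: node cannot complete the TLS handshake")
    if not cfg.get("trusted_ca_certificates"):
        findings.append("Trusted CA Certificates empty: node cannot authenticate the hub")
    if cfg.get("reconnect_interval_s", 0) <= 0:
        findings.append("Reconnect Interval must be positive")
    return findings


def node_tls_context(cafile=None, certfile=None, keyfile=None):
    """Client-side context for a node: TLS 1.3 only, hub name checked, node certificate presented.
    With cafile=None the system trust store is used; a real deployment passes ca-cert.pem."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def hub_tls_context(cafile=None, certfile=None, keyfile=None):
    """Server-side context for a hub: TLS 1.3 only, and a trusted client certificate is mandatory."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.verify_mode = ssl.CERT_REQUIRED   # mutual TLS: nodes without a trusted certificate are refused
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_NODE_CONFIG), ("good", GOOD_NODE_CONFIG)):
        print(name, validate_node_config(cfg) or "OK")
```

Run against the weak sample the checker reports six findings and against the good sample none; the contexts are the place to pin `minimum_version` to TLS 1.3 and `verify_mode` to `CERT_REQUIRED`, since the defaults of `create_default_context` accept older TLS versions and, on the server side, do not ask for a client certificate at all.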
For failover protection:
```text
Primary Hub: supervisor1 (Active)
Failover Hub: supervisor2 (Standby)
```
Failover Behavior:
1. Node connects to Primary Hub
2. If Primary Hub is unreachable → connect to Failover Hub
3. Periodically retry Primary Hub
4. When Primary Hub returns → reconnect to Primary
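The four failover steps above, implemented as a small hub-selection state machine, as an added example that is not code from the page or from any BACnet/SC stack. The `connect` callable is an assumed hook standing in for the TLS/WebSocket connection attempt (it returns True on success); the two hub URIs and the outage timeline in `run_scenario` are constructed for the demonstration. One `tick()` corresponds to one pass of the node's reconnect timer.

```python
"""Primary/failover hub selection for a BACnet/SC node (added example)."""

PRIMARY = "wss://supervisor1.building.local:443/bacnet-sc"   # constructed URIs
FAILOVER = "wss://supervisor2.building.local:443/bacnet-sc"


class HubSelector:
    def __init__(self, primary, failover, connect, retry_primary_every=6):
        self.primary = primary
        self.failover = failover
        self.connect = connect                      # assumed hook: connect(uri) -> bool
        self.retry_primary_every = retry_primary_every  # ticks between primary probes while on failover
        self.current = None                         # URI currently connected, or None
        self.ticks_on_failover = 0
        self.log = []                               # audit trail of (event, uri) pairs

    def tick(self):
        """One pass of the reconnect timer. Returns the active hub URI, or None if neither hub answers."""
        if self.current == self.primary:
            return self.current                     # step 1: on the primary, nothing to do
        if self.current == self.failover:
            self.ticks_on_failover += 1
            # steps 3 and 4: probe the primary periodically and switch back once it answers
            if self.ticks_on_failover % self.retry_primary_every == 0 and self.connect(self.primary):
                self.current = self.primary
                self.ticks_on_failover = 0
                self.log.append(("failback", self.primary))
            return self.current
        # not connected: step 1 try the primary, step 2 fall back to the failover hub
        if self.connect(self.primary):
            self.current = self.primary
            self.log.append(("connected", self.primary))
        elif self.failover and self.connect(self.failover):
            self.current = self.failover
            self.ticks_on_failover = 0
            self.log.append(("failover", self.failover))
        else:
            self.log.append(("unreachable", None))
        return self.current

    def connection_lost(self):
        """Called by the transport when the active WebSocket drops; the next tick starts from the primary."""
        self.log.append(("lost", self.current))
        self.current = None
        self.ticks_on_failover = 0


def run_scenario(primary_back_at_tick=7, ticks=12):
    """Constructed outage: the primary hub is unreachable until the given tick, the failover hub always answers."""
    clock = {"t": 0}

    def connect(uri):
        if uri == PRIMARY:
            return clock["t"] >= primary_back_at_tick
        return True

    node = HubSelector(PRIMARY, FAILOVER, connect, retry_primary_every=3)
    history = []
    for t in range(ticks):
        clock["t"] = t
        history.append(node.tick())
    return history, node.log


if __name__ == "__main__":
    history, log = run_scenario()
    for t, uri in enumerate(history):
        print(t, uri)
    print(log)
```

In the default scenario the node sits on the failover hub for nine ticks, probing the primary every third tick, and fails back at tick 9, the first probe after the primary returns at tick 7. The audit log is what a defender would forward to the SIEM: an unexpected `failover` or `lost` event on a node is an early indicator of hub outage or of interference with the hub link.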
During migration, devices can run both protocols at the same time:
```text
Dual-Stack Configuration:
BACnet/IP: Enabled (for legacy devices)
BACnet/SC: Enabled (for SC-capable devices)
```
Traffic Flow:
```text
SC Node ←→ Hub ←→ SC Node (encrypted)
SC Node ←→ Router ←→ IP Device (mixed: encrypted only on the SC leg)
IP Device ←→ IP Device (unencrypted)
```
| Phase | Action | Timeline |
|---|---|---|
| 1 | Deploy hub infrastructure | Month 1 |
| 2 | Enable SC on new controllers | Ongoing |
| 3 | Upgrade existing controllers to SC | 6-12 months |
| 4 | Disable legacy BACnet/IP | When all devices support SC |
| Factor | Impact |
|---|---|
| TLS handshake | ~100ms initial connection |
| Encryption overhead | <5% CPU increase |
| WebSocket framing | Minimal bandwidth increase |
| Hub bandwidth | Scales with connected nodes |
| Issue | Cause | Resolution |
|---|---|---|
| Node cannot connect to hub | Certificate not trusted | Import CA certificate on both sides |
| TLS handshake failure | Expired certificate | Renew device certificate |
| Intermittent disconnects | Network instability | Check TCP keepalive settings |
| Slow discovery | Too many nodes on one hub | Consider multiple hubs |
| Mixed traffic issues | Routing misconfiguration | Verify dual-stack settings |
BACnet/SC is the future of secure building automation communications. Starting with new installations and gradually migrating existing infrastructure provides a practical path to encrypted, authenticated BAS networks.