Avelon Systems Certified by TÜV SÜD for BACnet
BACnet Secure Connect (BACnet/SC) adds encryption and authentication to BACnet, the leading open standard in building automation that gives building owners openness, interoperability and vendor independence. A technology that has long been standard in online banking has now arrived in building automation: encryption using TLS.
Why a new transport model?
BACnet (Building Automation and Control Networks) has been the dominant open standard for building automation since 1995, standardized as ANSI/ASHRAE 135 and ISO 16484-5. The classic transport variants BACnet/IP and BACnet MS/TP were designed at a time when security was not a primary design goal: communication is unencrypted and unauthenticated, and it often relies on flat Layer 2 broadcast segments. Reaching devices on other IP subnets requires BACnet Broadcast Management Devices (BBMDs) to forward the broadcasts, which is often no trivial task to set up and keep working.
In modern IT/OT converged networks, this is a structural problem. Attacks on building management systems are no longer the exception: they are well documented, on the rise, and in some cases easy to carry out when devices are exposed on the network. The shift from isolated automation networks to integration into enterprise infrastructures significantly increases this attack surface.
The recommended minimum protocol revision for BACnet/SC is 24. Starting with this revision, a vendor-independent procedure for deploying and replacing certificates is defined.
BACnet Addendum 135-2020cc, page 40
We recommend specifying at least BACnet Protocol Revision 24 in tenders.
How BACnet/SC Works
BACnet/SC replaces the UDP-based transport with WebSocket connections over TLS 1.3, with both ends authenticating each other using X.509 certificates. The result is an encrypted, mutually authenticated, connection-oriented network. Because every device opens a single outbound TCP connection and no broadcasts are needed, it fits standard IT firewall and NAT concepts and can be routed across network boundaries.
What changes is the communication pattern. Instead of broadcasting on a shared segment, BACnet/SC uses a hub-and-spoke topology: the devices are "nodes", and each node maintains one TLS-protected WebSocket connection to a "hub", which forwards messages between the nodes. Encryption and mutual authentication take place on every node-to-hub connection; direct node-to-node connections are an optional addition.
Because the hub relays all traffic between nodes, it is also a single point of failure. To keep a hub outage from taking down the network, the standard defines a second hub, the failover hub (often called the secondary hub). Every node is configured with the URIs of both hubs and switches to the failover hub when the primary hub is unreachable.
Certificates and Onboarding
A node needs two valid certificates before it can talk to the hubs: the Issuer Certificate (the CA certificate it uses to validate the hub's certificate) and its own Operational Certificate together with the matching private key, which the hub in turn validates against the same issuer. With Avelon, you create a new controller in the graphical front end, download the certificates, and install them on the controller (usually via its web interface). Once both are in place, communication is encrypted and mutually authenticated. Note that the private key belonging to the Operational Certificate is the controller's identity: if it is generated off the device and downloaded with the certificates, the download and the file on the engineering workstation need the same care as a password.
Cyclical Certificate Renewal
One of the most significant changes introduced in Revision 24 is the open, vendor-neutral procedure for deploying and replacing certificates. In proprietary systems based on lower revisions, certificate management is tied to the manufacturer's own tools, which creates vendor lock-in and makes multi-vendor deployments unnecessarily complex.
Avelon Systems rotates certificates cyclically, well before their expiry dates, so that a control cabinet that was switched off for a while does not come back online with an expired certificate, which would otherwise mean delays and the cost of a manual re-onboarding.
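The following Go program is an added example for the two sections above (onboarding with an Issuer and an Operational Certificate, and renewal before expiry); it is not Avelon's code and not a BACnet/SC stack, and it uses only the Go standard library. It builds a throwaway issuer certificate, operational certificates for a hub and a node, the TLS 1.3 mutual-authentication configuration a BACnet/SC endpoint needs, and runs one node-to-hub handshake over loopback TCP; the WebSocket and BVLC/SC layers above TLS are left out. The names hub.example and node-1.example, the one-year validity and the 30-day renewal window are constructed assumptions, and the lab certificates omit key-usage extensions for brevity.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issueCert makes constructed lab material (it panics on failure): a self-signed issuer (CA)
// certificate when parent is nil, otherwise an operational certificate for name signed by parent.
func issueCert(name string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey, notAfter time.Time) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // crypto/rand does not fail in practice
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // a node checks the hub's name against its configured hub URI
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // cannot fail on DER we just produced
	return cert, key
}

// scTLSConfig is what a BACnet/SC endpoint builds from its certificate files: its operational certificate
// plus private key, and the issuer certificate(s) used to validate peers. TLS 1.3 is the minimum and both sides must present a certificate.
func scTLSConfig(op *x509.Certificate, key *ecdsa.PrivateKey, issuers *x509.CertPool, hubName string) *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS13,
		Certificates: []tls.Certificate{{Certificate: [][]byte{op.Raw}, PrivateKey: key, Leaf: op}},
		RootCAs:      issuers, // validates the hub when this endpoint acts as a node
		ClientCAs:    issuers, // validates connecting nodes when this endpoint acts as the hub
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ServerName:   hubName, // host name from the hub URI the node is configured with
	}
}

// connectToHub runs one node-to-hub TLS handshake over loopback TCP and returns the negotiated TLS version
// and the hub identity the node verified, or an error if either side rejected the other's certificate.
func connectToHub(node, hub *tls.Config) (uint16, string, error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return 0, "", err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() { // hub side: accept one node and require a valid node certificate
		raw, err := ln.Accept()
		if err == nil {
			defer raw.Close()
			err = tls.Server(raw, hub).Handshake()
		}
		verdict <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), node) // node side: dials and verifies the hub
	if err != nil {
		return 0, "", err
	}
	defer cli.Close()
	if err := <-verdict; err != nil { // in TLS 1.3 the hub's verdict on our certificate arrives after our handshake returns
		return 0, "", err
	}
	return cli.ConnectionState().Version, cli.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// needsRenewal reports whether an operational certificate should be replaced now, given a renewal window.
// Rotating well before NotAfter keeps a controller that was switched off for a while from coming back with an expired certificate.
func needsRenewal(cert *x509.Certificate, now time.Time, window time.Duration) bool {
	return !now.Add(window).Before(cert.NotAfter)
}

func main() {
	year := time.Now().Add(365 * 24 * time.Hour)
	ca, caKey := issueCert("Issuer CA (constructed)", nil, nil, year)
	hubCert, hubKey := issueCert("hub.example", ca, caKey, year)
	nodeCert, nodeKey := issueCert("node-1.example", ca, caKey, year)
	issuers := x509.NewCertPool()
	issuers.AddCert(ca)
	ver, hubCN, err := connectToHub(scTLSConfig(nodeCert, nodeKey, issuers, "hub.example"), scTLSConfig(hubCert, hubKey, issuers, "hub.example"))
	fmt.Printf("node-1 -> %q: tls=%#x err=%v renewNow=%v\n", hubCN, ver, err, needsRenewal(nodeCert, time.Now(), 30*24*time.Hour))
}
```

A node whose operational certificate was signed by a different issuer is refused by the hub with a TLS bad-certificate alert, and a node refuses a hub in the same way; that is the whole point of installing the issuer certificate on every device rather than trusting whatever certificate a peer presents. The renewal check is deliberately based on a window before NotAfter rather than on expiry itself, which is the behaviour described for Avelon's cyclic rotation.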
Summary
🔒 BACnet Secure Connect (BACnet/SC) – encrypted, mutually authenticated TLS 1.3 communication for strong cybersecurity in networked systems
🔑 Vendor-neutral certificate deployment and renewal – open interoperability across system boundaries, without reliance on proprietary tools, starting with Protocol Revision 24
