BACnet - building automation protocol and its security
BACnet (Building Automation and Control Networks) - protocol architecture, BACnet/IP vs BACnet/SC, security vulnerabilities and BMS network segmentation principles. OT Protocol Encyclopedia.
Jozef Sulwinski
BACnet (Building Automation and Control Networks) is an open communication protocol defined in the ASHRAE 135 standard and ISO 16484-5, used for controlling and monitoring building automation systems - HVAC, lighting, access control, fire protection systems, and energy management. Developed in 1995, it became the de facto standard in smart buildings, corporate campuses, hospitals, and data centers worldwide.
For decades, building automation operated in isolation from IT networks. Today, BMS (Building Management Systems) connect to the cloud, feed data to analytics platforms, and integrate with energy management systems. This convergence makes BACnet protocol security a real operational challenge.
Architecture and protocol variants
BACnet defines an object model - each device (DDC controller, sensor, actuator) exposes objects (Analog Input, Binary Output, Schedule) with properties that can be read and written. The protocol supports several transport layers:
| Parameter | BACnet/IP | BACnet/SC | BACnet MS/TP |
|---|---|---|---|
| Transport layer | UDP/IP | TLS 1.3 over WebSocket | RS-485 (master-slave) |
| Port | UDP 47808 (0xBAC0) | TCP 443 (configurable) | None - physical layer |
| Authentication | No native | X.509 certificates | None |
| Encryption | None | AES-256-GCM (TLS 1.3) | None |
| Typical range | Campus / WAN | WAN / cloud | Local segment (up to 1200 m) |
| Standard since | 1995 (Addendum A) | 2020 (Addendum bj) | 1995 |
BACnet/SC (Secure Connect), introduced as Addendum bj in 2020, is the response to the lack of security in classic BACnet/IP. Instead of broadcast UDP, BACnet/SC uses point-to-point connections via WebSocket with mandatory TLS 1.3 and X.509 certificate authentication. This is a fundamental change - from an open protocol to one with a cryptographic core.
BACnet/IP frame structure
Each BACnet/IP packet consists of a BVLC (BACnet Virtual Link Control) header and an NPDU/APDU data unit:
BVLC Function - message type at the transport level:
| BVLC Function | Value | Description |
|---|---|---|
| Original-Unicast-NPDU | 0x0A | Point-to-point - standard communication |
| Original-Broadcast-NPDU | 0x0B | Broadcast - discovery (Who-Is) |
| Forwarded-NPDU | 0x04 | Forwarded by BBMD (BACnet Broadcast Management Device) |
| Register-Foreign-Device | 0x05 | Remote device registration |
| Distribute-Broadcast | 0x09 | Broadcast distribution by BBMD |
APDU Service Choice - application services (most important from a security perspective):
| Service | Type | Risk | Description |
|---|---|---|---|
| Who-Is / I-Am | Unconfirmed | Low (reconnaissance) | Discovery - mapping the BMS network |
| ReadProperty | Confirmed | Low | Reading object values (temperature, status) |
| ReadPropertyMultiple | Confirmed | Low | Bulk reading of multiple properties |
| WriteProperty | Confirmed | High | Changing setpoint values, schedules |
| WritePropertyMultiple | Confirmed | High | Bulk changing of multiple values |
| SubscribeCOV | Confirmed | Low | Subscribing to value changes (Change of Value) |
| ReinitializeDevice | Confirmed | Critical | Device restart - potential DoS |
| DeviceCommunicationControl | Confirmed | Critical | Disabling device communication |
| CreateObject / DeleteObject | Confirmed | High | Creating/deleting objects in configuration |
WARNING
The WriteProperty, ReinitializeDevice, and DeviceCommunicationControl services in BACnet/IP require no authentication. An attack consists of sending a single UDP packet to port 47808. A firewall with DPI should block these services from unauthorized sources and allow them only from the BMS operator workstation.
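The decoder below is an added example, not code from the original article: it walks the BVLC, NPDU and APDU layers described above far enough to name the service and its risk class, then applies the zone-boundary rule the warning calls for. The operator workstation address and the two sample packets are constructed for illustration, and only Original-Unicast/Broadcast BVLC functions are decoded.

```python
import struct

# Service-choice numbers from ASHRAE 135; risk ratings mirror the table above.
CONFIRMED = {5: "SubscribeCOV", 10: "CreateObject", 11: "DeleteObject", 12: "ReadProperty",
             14: "ReadPropertyMultiple", 15: "WriteProperty", 16: "WritePropertyMultiple",
             17: "DeviceCommunicationControl", 20: "ReinitializeDevice"}
UNCONFIRMED = {0: "I-Am", 7: "Who-Has", 8: "Who-Is"}
RISK = {"Who-Is": "recon", "CreateObject": "high", "DeleteObject": "high",
        "WriteProperty": "high", "WritePropertyMultiple": "high",
        "ReinitializeDevice": "critical", "DeviceCommunicationControl": "critical"}
ALLOWED_WRITERS = {"10.10.0.5"}   # constructed: the sole BMS operator workstation

def parse_bacnet_ip(pkt: bytes) -> dict:
    """Walk BVLC -> NPDU -> APDU just far enough to name the service and rate it."""
    if len(pkt) < 4 or pkt[0] != 0x81 or struct.unpack("!H", pkt[2:4])[0] != len(pkt):
        raise ValueError("malformed BACnet/IP packet: need BVLC type 0x81 and a matching length")
    func, out = pkt[1], {"service": None, "risk": "low"}
    if func not in (0x0A, 0x0B):           # only Original-Unicast/Broadcast-NPDU handled here
        return out
    ctrl, i = pkt[5], 6                    # pkt[4] is the NPDU version (always 0x01)
    if ctrl & 0x20:                        # DNET(2) DLEN(1) DADR(DLEN)
        i += 3 + pkt[i + 2]
    if ctrl & 0x08:                        # SNET(2) SLEN(1) SADR(SLEN)
        i += 3 + pkt[i + 2]
    if ctrl & 0x20:                        # hop count follows the address fields
        i += 1
    if ctrl & 0x80:                        # network-layer message: no APDU at all
        return out
    pdu_type = pkt[i] >> 4
    name = f"pdu-type-{pdu_type}"          # ACK / Error / Reject / Abort unless a request below
    if pdu_type == 0:                      # Confirmed-Request: flags, max-APDU, invoke ID [, seq, window]
        i += 5 if pkt[i] & 0x08 else 3
        name = CONFIRMED.get(pkt[i], f"confirmed-{pkt[i]}")
    elif pdu_type == 1:                    # Unconfirmed-Request: flags, service choice
        name = UNCONFIRMED.get(pkt[i + 1], f"unconfirmed-{pkt[i + 1]}")
    out["service"], out["risk"] = name, RISK.get(name, "low")
    return out

def dpi_verdict(src_ip: str, pkt: bytes) -> str:
    # Zone-boundary rule: reads/COV from anyone; writes and device control only from the workstation.
    info = parse_bacnet_ip(pkt)
    if info["risk"] in ("high", "critical") and src_ip not in ALLOWED_WRITERS:
        return f"DROP {info['service']} from {src_ip}"
    return f"ALLOW {info['service']}"

# Constructed samples: a Who-Is global broadcast and a WriteProperty setting analog-value 1
# present-value to 22.0 at priority 8. Bytes follow the BVLC/NPDU/APDU layout described above.
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")
WRITE_PV = bytes.fromhex("810a001a01040005010f0c0080000119553e4441b000003f4908")
```

Feeding the same decoder with captured UDP/47808 payloads from a SPAN port gives a quick inventory of which hosts issue write and device-control services, which is the input a DPI rule set needs.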
Practical applications
A typical BACnet installation includes:
- DDC controllers (Direct Digital Control) - managing HVAC, lighting, blinds
- BMS operator workstations - visualization and control from a GUI
- Integration gateways - BACnet/IP to Modbus, KNX, LonWorks
- Supervisory systems - integration with IoT platforms, EMS, CAFM
In hospitals, BACnet controls operating room HVAC with precise pressure and temperature control. In data centers, it manages server room cooling, where HVAC failure can lead to IT infrastructure shutdown within minutes.
TIP
If your BACnet/IP installation is accessible from the corporate network or - worse - from the internet, treat this as a critical vulnerability. Shodan scanners regularly identify thousands of BACnet devices responding to Who-Is queries without any authorization.
Security assessment
BACnet/IP and MS/TP offer no native security mechanisms:
- No authentication - any host on the network can send WriteProperty commands to DDC controllers
- No encryption - all communication is transmitted in plaintext, including setpoint values and schedules
- Broadcast discovery - the Who-Is/I-Am service operates via broadcast, enabling mapping of the entire BMS infrastructure
- No integrity - packets can be modified in transit (man-in-the-middle)
An attacker who gains access to a network segment with BACnet/IP can change temperature setpoints in a server room, shut down ventilation in a building, or manipulate fire protection system schedules - without any authentication.
BACnet/SC eliminates most of these problems through TLS 1.3 and X.509 certificates. However, adoption is still low - it requires replacing or updating controller firmware, deploying PKI infrastructure, and reconfiguring the entire installation.
Segmentation and protection
Since most existing installations run on BACnet/IP without migration to BACnet/SC in the near future, network segmentation remains the primary protection mechanism.
Segmentation principles for BACnet:
- Isolate the BMS network from IT - a dedicated VLAN or physically separate network for building automation, with a firewall at the boundary
- Internal segmentation - separate subnets for HVAC, lighting, access control, and fire protection systems
- BACnet/IP traffic control - a firewall with BACnet protocol inspection (DPI) at zone boundaries, allowing only necessary services (ReadProperty, SubscribeCOV) and blocking WriteProperty from unauthorized sources
- Broadcast restriction - filtering Who-Is packets at segment boundaries to prevent infrastructure mapping from the IT network
- Remote access through a jump host - never a direct VPN to the BMS segment
Detailed guidelines for designing zones and conduits for OT and BMS networks are described in our article on OT network segmentation.
TIP
When planning migration to BACnet/SC, remember that the protocol supports a hybrid mode - a BACnet/SC hub can communicate with both SC devices and legacy BACnet/IP devices in the same segment. This allows gradual migration without replacing all infrastructure at once.
More about cybersecurity of building automation systems can be found in our article on smart building security.
Open source tools
| Tool | Language | Description | Link |
|---|---|---|---|
| BACpypes3 | Python | Complete BACnet/IP implementation in Python - scripting discovery and control | GitHub |
| bacnet-stack | C | C library with CLI tools: bacwi (Who-Is), bacrp (ReadProperty), bacwp (WriteProperty) | GitHub |
| YABE | C# | Graphical BACnet client - browsing objects, reading/writing properties | GitHub |
TIP
bacnet-stack provides ready-made CLI tools for testing segmentation: bacwi sends a broadcast Who-Is (does the firewall block discovery?), bacrp reads object properties, and bacwp attempts a write - allowing you to quickly verify whether DPI rules block WriteProperty from unauthorized sources.
Sources
- ASHRAE 135-2020 - BACnet Standard - official protocol specification
- BACnet/SC - Addendum bj - BACnet Secure Connect specification
- CISA ICS Advisory - BACnet vulnerabilities - security advisories for BACnet devices
- NIST SP 800-82 Rev. 3 - Guide to OT Security, including BMS network segmentation
- IEC 62443-3-3 - security requirements for industrial and building systems