BMS: Intelligent buildings – are they secure?

Posted on 01/26/2016, by INCIBE

Since they first appeared in the late 70’s, Building Management Systems (BMS) have developed enormously, just like all control systems.

A modern BMS essentially integrates a series of subsystems, which generally share a common infrastructure, such as a database, an alarm centre or specific subsystems such as lighting or cooling. The figure below conceptually describes the topology of a complex BMS, with independent systems dedicated to lighting, air conditioning and access control sharing an integration infrastructure. It also shows the corresponding protocols that operate in the different management areas, such as lighting (DALI), air conditioning (BACnet), etc.

- BMS system topology (Source: Instruction leaflet for the Installation of BMS Control; Ministry of Economy and Competitiveness and CNIO) -

When considering a BMS system’s design, knowledge of the functionalities to be covered in the application environment is essential. In this context, BMS systems designed for commercial buildings (industrial side) must not be confused with ones designed for family homes (home automation side). Similar systems can be found in both areas, but the differences between them can turn a successful case into a complete failure.

In the past, PLCs without many inputs/outputs were placed in smaller systems, such as private buildings and homes, to offer support in air conditioning, lighting and other controlled areas. Nowadays, this idea has evolved, and independent elements based on control sensors are implemented, sending messages via Ethernet to be displayed on a tablet or similar device, i.e. a subset of the IoT (Internet of Things) paradigm.

The core technology of BMS control systems is similar to the systems found in more traditional PLC equipment, like technologies in the electrical sector. What really differentiates this environment from others is that its control systems adapt to the protocols used, so that devices can communicate with one another and with the servers.

Protocols used for building management

A BMS contains a multitude of protocols, some specific to this field of application and others more generalized. Among the specialized communication protocols, we could look at DALI, used to manage lighting, or BACnet, used to manage air conditioning systems. KNX, LonWorks and ModBUS are, in turn, all examples of more generalized protocols. Perhaps owing to its simplicity, ModBUS is used by a great number of BMS manufacturers, and has actually become one of the most common models.

Many of these protocols are very old, and security was not one of the design priorities when they were created. These days, all protocols used must include interoperable security measures, such as encryption or authentication.

In recent years, a large family of new generation wireless protocols has joined those listed above. These include ZigBee, Wi-Fi, EnOcean, etc., and they are now all struggling for dominance in this environment. Wireless protocols allow for greater levels of security, which reduces the risk of external attacks, but they lack the reliability of their wired counterparts (in terms of availability, latency, etc.).

Security of typical BMS protocols


The BACnet protocol security architecture is optional when deploying BACnet. BACnet’s security provides parity across entities, source data association, authentication, confidentiality and integrity.

Security is based on the use of key pairs. There are six types of key pairs: those which allow access to the general network, those which authenticate users, those which are specific to the application, those used for installation, those used for distribution, and master keys.

In addition, BACnet provides an extensive specification for:

  • Providing security for sent messages: it adds a security header to the BACnet APDU message.
  • Implementing network security policies: there are two types of networks, trusted ones (which are secured either physically or through encryption) and untrusted ones. On this basis, BACnet has four network security policy types:
    • Trusted, plain text: this requires physical security for the network but not for the protocol itself.
    • Trusted, signed: physical protection is not required; security is guaranteed by the signing provided by the protocol.
    • Trusted, encrypted: no physical protection, secured using encryption.
    • Not trusted, plain text: without any security.
  • Providing a security threshold from the BACnet device: it guarantees security levels in line with the BACnet policy, regardless of whether the device is located in a secure or an insecure network.
  • Providing user authentication: with username and password.


The DALI protocol (Digital Addressable Lighting Interface) is used extensively in BMS to manage lighting. It is a very simple protocol. The following chart shows the protocol data frame. Note that it only makes use of two fields, which identify the destination (address) and the instruction (data).

- DALI datagram -

DALI does not have any security measures; it transmits unencrypted data over a communications bus. This is characteristic of BMS protocols, and it must be taken into account at deployment by incorporating additional mechanisms to counter the risk posed by access to this information.
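The following decoder is an added example, not code from the original article. It reads the two fields of a forward frame the way any node attached to the bus could, since nothing in the frame is encrypted or authenticated. The bit layout of the address byte and the command codes come from the DALI standard rather than from this page, and the capture is constructed.

```python
# Added example: decode the two fields of a DALI forward frame (address, data).
from dataclasses import dataclass
from typing import Optional

# A few standard DALI command codes (used when the selector bit S is 1).
COMMANDS = {0x00: "OFF", 0x05: "RECALL MAX LEVEL", 0x06: "RECALL MIN LEVEL"}

@dataclass
class DaliFrame:
    target: str             # "short", "group", "broadcast" or "special"
    address: Optional[int]  # short (0-63) or group (0-15) address, else None
    kind: str               # "arc_power" (S=0) or "command" (S=1)
    data: int               # raw data byte

def decode_forward_frame(frame: bytes) -> DaliFrame:
    if len(frame) != 2:
        raise ValueError("a forward frame carries exactly two bytes")
    addr, data = frame
    kind = "command" if addr & 0x01 else "arc_power"
    if addr & 0x80 == 0x00:            # 0AAAAAAS: short address
        return DaliFrame("short", (addr >> 1) & 0x3F, kind, data)
    if addr & 0xE0 == 0x80:            # 100AAAAS: group address
        return DaliFrame("group", (addr >> 1) & 0x0F, kind, data)
    if addr & 0xFE == 0xFE:            # 1111111S: broadcast
        return DaliFrame("broadcast", None, kind, data)
    return DaliFrame("special", None, "command", data)

def describe(frame: bytes) -> str:
    f = decode_forward_frame(frame)
    who = f.target if f.address is None else f"{f.target} {f.address}"
    if f.kind == "arc_power":
        return f"{who}: set arc power {f.data}"
    return f"{who}: {COMMANDS.get(f.data, f'command 0x{f.data:02X}')}"

def broadcast_commands(capture):
    """Frames a bus monitor would alert on: commands addressed to every device."""
    decoded = [(fr, decode_forward_frame(fr)) for fr in capture]
    return [describe(fr) for fr, d in decoded
            if d.target == "broadcast" and d.kind == "command"]

# Constructed capture, as seen by any node attached to the bus.
CAPTURE = [b"\x0a\x80", b"\x0b\x00", b"\x83\x05", b"\xff\x00", b"\xfe\xfe"]

if __name__ == "__main__":
    for fr in CAPTURE:
        print(fr.hex(), "->", describe(fr))
```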


KNX’s EIBsec extension provides security mechanisms at application level for KNXnet frames. The security layer is used over the TCP and UDP protocols. For a device to communicate securely with this protocol, it must:

- Unicast distribution of the key set -

  • Create certificates: using a certification authority with ETS (Engineering Tool Software), signing the public keys of devices communicating with KNX.
  • Distribute key pairs: KNX devices can authenticate one another in both a unicast and a multicast manner.
  • Establish secure communication using symmetric-key cryptography (also for multicast cases, owing to flexibility).


LonWorks is a protocol produced by air conditioning manufacturers to control the systems they create.

This protocol is designed to be used with very limited capacity devices (8-bit CPUs using 200 bits for data processing), and it is therefore important to choose cipher algorithms appropriate for this type of resource-constrained device. Processing asymmetric algorithms can take a long time: up to 83 seconds for an RSA decryption, for example. It is therefore essential to use symmetric algorithms, such as 3DES or AES with 128 bits, which have a lower computational cost and are therefore quicker; these have both strengths and weaknesses.

The services defined in the protocol are available for both unicast and multicast communication.


EnOcean is a proprietary protocol used extensively in BMS for energy harvesting applications. The equipment (sensors and devices) is designed to transmit control and status information using radio.

In 2012, the first security mechanisms were introduced in the EnOcean API. The protocol uses encryption for authentication at MAC level. It supports a dynamic function that changes the key using a counter (vulnerable if the counter or its differential is weak).

- Signed authentication at MAC level -
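The receiver-side check below is an added example, not EnOcean's wire format or code from the original article. It shows how a counter bound into the authentication tag rejects replayed and altered telegrams, and why the counter and the accepted gap must be chosen carefully. HMAC-SHA-256 truncated to 4 bytes stands in for the protocol's own MAC; the key, tag length and window size are assumed values.

```python
# Added example: counter-based message authentication, receiver side.
import hashlib
import hmac
import struct

TAG_LEN = 4   # truncated tag length in bytes (assumed value)
WINDOW = 16   # how far ahead of the last counter a telegram may be (assumed)

def make_tag(key: bytes, counter: int, payload: bytes) -> bytes:
    # The counter is authenticated together with the payload, so a captured
    # tag is only valid for the counter value it was computed with.
    msg = struct.pack(">I", counter) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:TAG_LEN]

def make_telegram(key: bytes, counter: int, payload: bytes):
    return payload, counter, make_tag(key, counter, payload)

class Receiver:
    def __init__(self, key: bytes, last_counter: int = 0, window: int = WINDOW):
        self.key, self.last, self.window = key, last_counter, window

    def accept(self, payload: bytes, counter: int, tag: bytes) -> bool:
        # Reject replayed or stale counters and jumps beyond the window.
        # A counter that wraps quickly or a very wide window weakens this check.
        if not self.last < counter <= self.last + self.window:
            return False
        if not hmac.compare_digest(tag, make_tag(self.key, counter, payload)):
            return False
        self.last = counter   # advance only after a valid tag
        return True

def demo():
    key = bytes(range(16))                            # constructed test key
    rx = Receiver(key)
    first = make_telegram(key, 1, b"\x01")            # constructed payload
    altered = (b"\x00", 2, make_tag(key, 2, b"\x01")) # payload changed after tagging
    return {
        "fresh": rx.accept(*first),
        "replayed": rx.accept(*first),
        "altered": rx.accept(*altered),
        "far_ahead": rx.accept(*make_telegram(key, 500, b"\x01")),
        "next": rx.accept(*make_telegram(key, 2, b"\x01")),
    }

if __name__ == "__main__":
    print(demo())
```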

Other security aspects

In systems used in intelligent buildings, in addition to carefully choosing and configuring a suitable control protocol, the usual security measures should be considered, such as user control, the use of firewalls, VPN remote access, etc. As far as network topology is concerned, a segmented network may be chosen, as shown in the following figure:

- Secured BMS network diagram -

The security mechanisms that specific control protocols can provide are sometimes invalidated by a failure to observe other generic measures for computerized systems.

In this sense, the reality is that many existing BMS systems do not yet apply global security recommendations, and it is common, for example, to find exposed connections open and accessible from the Internet.
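One way to check a rule set against the segmentation described above, as an added example that is not part of the original article: it flags allow rules that let BMS protocol traffic into the BMS segment from anywhere other than a management network. The port numbers are the protocols' well-known defaults; the networks, the rule format and the rules themselves are constructed, and rule ordering (first match) is not modelled.

```python
# Added example: audit a constructed firewall rule set for exposed BMS services.
import ipaddress

# Well-known default ports of BMS protocols carried over IP.
BMS_PORTS = {("udp", 47808): "BACnet/IP", ("tcp", 502): "Modbus/TCP",
             ("udp", 3671): "KNXnet/IP"}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
BMS_NET = ipaddress.ip_network("10.20.0.0/16")    # assumed BMS segment
MGMT_NET = ipaddress.ip_network("10.10.5.0/24")   # assumed management VLAN

# Constructed rules: (action, protocol, source, destination, port)
RULES = [
    ("allow", "tcp", "10.10.5.0/24", "10.20.1.10/32", 502),
    ("allow", "udp", "0.0.0.0/0", "10.20.0.0/16", 47808),
    ("allow", "tcp", "203.0.113.0/24", "10.20.1.10/32", 502),
    ("deny", "udp", "0.0.0.0/0", "10.20.0.0/16", 3671),
    ("allow", "udp", "192.168.50.0/24", "10.20.2.0/24", 3671),
    ("allow", "tcp", "0.0.0.0/0", "10.30.0.5/32", 443),
]

def audit(rules, bms_net=BMS_NET, mgmt_net=MGMT_NET):
    """Return (rule index, protocol, finding) for allow rules that break segmentation."""
    findings = []
    for i, (action, proto, src, dst, port) in enumerate(rules):
        name = BMS_PORTS.get((proto, port))
        if action != "allow" or name is None:
            continue
        src_net, dst_net = ipaddress.ip_network(src), ipaddress.ip_network(dst)
        if not dst_net.overlaps(bms_net):
            continue                      # rule does not reach the BMS segment
        if src_net.subnet_of(mgmt_net):
            continue                      # expected path: management VLAN only
        internal = any(src_net.subnet_of(n) for n in RFC1918)
        findings.append((i, name, "cross-segment" if internal else "internet-exposed"))
    return findings

if __name__ == "__main__":
    for idx, name, finding in audit(RULES):
        print(f"rule {idx}: {name} is {finding}: {RULES[idx]}")
```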


Therefore, we must not forget that, in addition to implementing security at protocol level, it is important to apply generic system protection measures: password policies, network segmentation, hardening, and control of the information provided by the system. With this, the industry-wide effort surrounding the implementation and development of BMS can result in a secure approach to all the available technology.