What is BACnet?

What exactly is BACnet?

Simply put, BACnet is a communication protocol that has become very popular in the Building Controls industry. It is a protocol that building control equipment uses to communicate with each other in order to encode real-world measurement values (i.e., temperature, pressure, humidity) and relay commands. It is a method of encoding and sharing information, which I suppose you could say about all communication protocols.

I’ve always enjoyed working with BACnet since I was first introduced to it in 2004-ish in my previous career as a controls technician. At that time I was coming from a world of proprietary technology and found it refreshing to be exposed to an open and license-free communication standard. I also found BACnet very readable and understandable with some basic understanding of electronics and some standard tools. We’ll get more into that later.

What do I mean by the standard being open and public? Well, the BACnet specification is openly published and anyone can buy a copy and read it for themselves. It’s a very readable document, and with it anyone can write some software or build some hardware to use the BACnet protocol without having to pay licenses or royalties.

This is my copy of the BACnet standard I got in 2004 or so. It’s well used, dog-eared and missing a cover. Long story.

BACnet is maintained by the American Society of Heating, Refrigerating and Air-Conditioning Engineers, and I will leave it to ASHRAE to explain their history and development of the BACnet Protocol.

There are two main flavours of BACnet I focus on: BACnet IP and BACnet MSTP.

BACnet IP, as its name implies, uses an IP network to communicate and UDP as the transport layer. Why UDP? Well, UDP (analogous to mailing a letter) has very little overhead and can be implemented on pretty simple hardware. TCP (analogous to making a phone call), on the other hand, has more overhead to maintain connections and could be taxing on older, smaller devices. Keep in mind we’re talking about small 8-bit or 16-bit microcontrollers implementing these stacks back in the day before 32-bit micros became cheap and plentiful.
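To make the "letter in the mail" idea concrete, here is an added example (not code from this post or from Daedalus/Icarus) that decodes the small header every BACnet IP datagram carries at the start of its UDP payload, the kind of check a passive monitor uses to recognise BACnet traffic. The field layout and function codes are taken from Annex J of the standard rather than from this post; the function name `parse_bvll` and the sample Who-Is payload are constructed for illustration.

```python
import struct

BACNET_IP_PORT = 47808          # 0xBAC0, the registered BACnet/IP UDP port
BVLL_TYPE_BACNET_IP = 0x81      # first byte of every BACnet/IP datagram

# Subset of BVLL function codes (from Annex J of the standard).
BVLL_FUNCTIONS = {
    0x00: "BVLC-Result",
    0x04: "Forwarded-NPDU",
    0x05: "Register-Foreign-Device",
    0x09: "Distribute-Broadcast-To-Network",
    0x0A: "Original-Unicast-NPDU",
    0x0B: "Original-Broadcast-NPDU",
}
CARRIES_NPDU = {0x04, 0x09, 0x0A, 0x0B}


def parse_bvll(payload: bytes) -> dict:
    """Decode the BVLL header of one UDP payload; ValueError if malformed."""
    if len(payload) < 4:
        raise ValueError("too short for a BVLL header")
    bvll_type, function, length = struct.unpack("!BBH", payload[:4])
    if bvll_type != BVLL_TYPE_BACNET_IP:
        raise ValueError(f"not BACnet/IP (type 0x{bvll_type:02x})")
    if length != len(payload):
        # The length field counts the whole datagram, header included.
        raise ValueError(f"length field {length} != datagram size {len(payload)}")
    body = payload[4:]
    info = {"function": BVLL_FUNCTIONS.get(function, f"unknown 0x{function:02x}"),
            "length": length, "origin": None, "npdu_control": None}
    if function == 0x04:
        # Forwarded-NPDU prepends the original sender: 4-byte IP + 2-byte port.
        if len(body) < 6:
            raise ValueError("Forwarded-NPDU missing origin address")
        ip, port = body[:4], struct.unpack("!H", body[4:6])[0]
        info["origin"] = (".".join(str(b) for b in ip), port)
        body = body[6:]
    if function in CARRIES_NPDU:
        if len(body) < 2 or body[0] != 0x01:
            raise ValueError("NPDU missing or wrong protocol version")
        info["npdu_control"] = body[1]
    return info


# Constructed sample: a Who-Is broadcast as it appears in a UDP payload.
WHO_IS = bytes.fromhex("810b000c0120ffff00ff1008")

if __name__ == "__main__":
    print(parse_bvll(WHO_IS))
```

Each datagram is self-describing: type, function and length, then the network-layer message, with no connection setup before it.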

BACnet MSTP (Master-Slave/Token-Passing) uses RS-485 and is limited to smaller network sizes. This is still popular on smaller devices or in applications with smaller network runs. It’s very easy to develop and troubleshoot.

The first time I got really under the hood with BACnet was in university when I built a piece of BACnet MSTP diagnostic equipment. This was a really interesting project involving hardware design and writing a preemptive multitasking kernel on a 32-bit microprocessor. This was Project Daedalus, and also involved writing my own (limited) BACnet MSTP stack. I’ll write up more about Daedalus at a later date.

Working on Daedalus really gave me an appreciation for what I could do with BACnet and how easy it was to develop. Since working on Daedalus, I’ve started a new project, Icarus, which is the direct descendant of Daedalus but for BACnet IP. More on that later.

This work has also opened my eyes to the security ramifications of BACnet, and just how easy it is to exploit and possibly cause significant damage. We all remember how Mr. Robot was able to bring down Steel Mountain using a Raspberry Pi and access to a thermostat.

I’ll discuss the feasibility of this attack in a later instalment. Spoiler alert, it’s pretty realistic.

So that’s my quick and dirty rundown of BACnet. In upcoming posts, I’ll go into further detail on my own work exploring BACnet and various projects that I hope will shed more light on this protocol and its ubiquitous use in the industry. Enjoy.