BACnet Security and Operational Issues with Self-Signed Certificates

BACnet Self-Signed Certificates

Self-signed certificates can be a quick way to get a BACnet/SC node talking, but they carry security and operational costs that grow with the size of the deployment. BACnet/SC authenticates every node with an X.509 certificate during a mutually authenticated TLS handshake. A certificate issued by a trusted Certificate Authority (CA) lets a peer check one signature against one installed trust anchor; a self-signed certificate vouches only for itself, so a peer has nothing independent to check it against. The issues below all follow from that difference and are specific to BACnet/SC ecosystems:

Lack of Third-Party Verification

One of the primary security challenges with self-signed certificates is the absence of third-party verification. Unlike a certificate issued by a trusted CA, a self-signed certificate has not been validated by any external entity, so a peer can only trust it by having that exact certificate installed in advance. A device that instead accepts unrecognized certificates, for example to make commissioning easier, will accept an attacker's fraudulent certificate just as readily as a legitimate one.

No Root of Trust

A self-signed certificate has no root of trust above it, which leaves devices open to impersonation. Certificate chains establish a hierarchy of trust: a root CA vouches for the authenticity of intermediate CAs, and intermediate CAs in turn vouch for end-entity certificates, so a node only needs the root installed to validate any certificate below it. A self-signed certificate breaks this chain because no higher authority vouches for it; each node must either hold every peer's certificate individually or stop validating altogether. In the latter case an attacker can present their own self-signed certificate and spoof a legitimate HVAC controller or sensor.

Increased Risk of Man-in-the-Middle Attacks

Without a trust anchor that both sides can verify against, man-in-the-middle (MitM) attacks become easier. An attacker positioned between a building controller and the devices it talks to could present their own self-signed certificate to each side of a BACnet/SC connection; if either side accepts it, the attacker can read and alter the traffic, compromising its confidentiality and integrity, or inject malicious commands.

Challenges with Certificate Management

Certificate Generation

  • Manual Complexity: Creating a separate self-signed certificate for every device with tools such as KeyStore Explorer is repetitive manual work, and each repetition is another chance for human error.
  • Inconsistent Standards: Hand-made self-signed certificates often omit extensions that a peer's TLS stack may require, such as key usage or a subject alternative name, which can cause devices from different manufacturers to reject each other's certificates.

Certificate Distribution

  • Logistical Challenge: Distributing self-signed certificates is a logistical challenge, especially in large-scale deployments. With a CA, installing one CA certificate on a device is enough for it to trust every device the CA has signed; with self-signed certificates, each device's certificate must be installed on every peer that needs to trust it, typically by hand (e.g. from a USB memory stick) or through per-device configuration, which multiplies the opportunities for misconfiguration.
  • Scalability Issues: Distributing certificates manually to hundreds of devices is labor-intensive. One project reported 3-4 days of labor for 300 devices, and compensated with insecure 10-year certificates so the job would not have to be repeated soon.
  • No Centralized Provisioning: Unlike certificates issued under a CA, self-signed certificates have no common issuer that devices can be pointed at, so each one must be installed individually, delaying deployments.

Certificate Renewal

  • System Downtime Risk: BACnet/SC devices stop communicating when their certificates expire. Self-signed certificates must be renewed by hand, which creates operational gaps. For example:
    • Operators must track expiration dates across thousands of devices.
    • Renewal means regenerating each certificate and redistributing it to every peer, device by device.
  • CA Replacement Complexity: Migrating to a new CA (e.g., after a compromise) requires:
    • Installing the new CA certificate on every device.
    • Reissuing or replacing the operational certificates of all devices.
    • Removing the old CA certificate, and only after all devices have been updated[4].
    This process risks missteps that can disrupt building operations.
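The chain-of-trust, extension and renewal points made under "No Root of Trust", "Certificate Generation" and "Certificate Renewal" can be seen concretely with the openssl command line. The script below is an added example written for this post; it is not code from the original article, from Veridify, or from the BACnet standard. It builds a private site CA, issues two operational certificates carrying the extensions a peer's TLS stack expects, creates the kind of bare self-signed certificate described above, and then runs the checks a peer or an audit script would run: chain validation against the site CA, self-signed and subject-alternative-name detection, and an expiry-window check. It assumes openssl 1.1.1 or newer is on PATH; the node names, the `.bms.example` domain and the certificate lifetimes are illustrative assumptions.

```shell
#!/bin/sh
# Added example, not from the original post or the BACnet standard: a site-CA
# workflow for BACnet/SC-style operational certificates with the openssl CLI,
# beside the self-signed shortcut it replaces. Assumes openssl 1.1.1+ on PATH.
# Node names, the .bms.example domain and all lifetimes are illustrative.
set -eu

WORK=$(mktemp -d)
CA_CERT="$WORK/site-ca.pem"
CA_KEY="$WORK/site-ca.key"

# Write a minimal openssl request config for a given common name (no prompting).
write_req_cnf() {  # $1 = output file, $2 = CN
  printf '%s\n' '[ req ]' 'distinguished_name = dn' 'prompt = no' \
    '[ dn ]' "CN = $2" > "$1"
}

# One private site CA. Its certificate is the single trust anchor every node
# installs once; the private key stays with whoever issues operational certs.
make_site_ca() {
  write_req_cnf "$WORK/ca.cnf" "Example Building Site CA"
  printf '%s\n' '[ ca_ext ]' 'basicConstraints = critical,CA:TRUE' \
    'keyUsage = critical,keyCertSign,cRLSign' 'subjectKeyIdentifier = hash' \
    >> "$WORK/ca.cnf"
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$WORK/ca.cnf" -extensions ca_ext -days 3650 \
    -keyout "$CA_KEY" -out "$CA_CERT" 2>/dev/null
}

# Operational certificate for one node, signed by the site CA and carrying the
# extensions a peer's TLS stack looks for (key usage, EKU, subject alt name).
issue_operational_cert() {  # $1 = node name, $2 = validity in days
  write_req_cnf "$WORK/$1.cnf" "$1"
  printf '%s\n' 'basicConstraints = CA:FALSE' \
    'keyUsage = critical,digitalSignature' \
    'extendedKeyUsage = serverAuth,clientAuth' \
    "subjectAltName = DNS:$1.bms.example" > "$WORK/$1.ext"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
    -CAcreateserial -days "$2" -extfile "$WORK/$1.ext" -out "$WORK/$1.pem" 2>/dev/null
}

# The shortcut the post describes: the node signs its own certificate, so there
# is no issuer behind it and none of the extensions above.
make_self_signed() {  # $1 = node name, $2 = validity in days
  write_req_cnf "$WORK/$1-selfsigned.cnf" "$1"
  openssl req -x509 -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -config "$WORK/$1-selfsigned.cnf" -days "$2" \
    -keyout "$WORK/$1-selfsigned.key" -out "$WORK/$1-selfsigned.pem" 2>/dev/null
}

# What a peer does during the TLS handshake: chain the presented certificate to
# its installed trust anchor. Prints "trusted" or "rejected".
verify_against_site_ca() {  # $1 = certificate file
  if openssl verify -CAfile "$CA_CERT" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo rejected
  fi
}

# Audit helper: a certificate whose issuer equals its subject is self-signed.
is_self_signed() {  # $1 = certificate file; prints "yes" or "no"
  subj=$(openssl x509 -noout -subject -in "$1")
  iss=$(openssl x509 -noout -issuer -in "$1")
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then echo yes; else echo no; fi
}

# Audit helper: does the certificate carry a subject alternative name at all?
has_subject_alt_name() {  # $1 = certificate file; prints "yes" or "no"
  if openssl x509 -noout -text -in "$1" | grep -q 'Subject Alternative Name'; then
    echo yes
  else
    echo no
  fi
}

# Renewal tracking: -checkend succeeds only if the certificate stays valid for
# the whole window. Prints "ok" or "renew".
expiry_status() {  # $1 = certificate file, $2 = window in days
  if openssl x509 -noout -checkend $(( $2 * 86400 )) -in "$1" >/dev/null; then
    echo ok
  else
    echo renew
  fi
}

main() {
  make_site_ca
  issue_operational_cert hvac-ctrl-01 825
  issue_operational_cert vav-box-17 1          # expires tomorrow: the renewal gap
  make_self_signed hvac-ctrl-01 3650           # same CN as the real controller
  for f in hvac-ctrl-01 vav-box-17 hvac-ctrl-01-selfsigned; do
    c="$WORK/$f.pem"
    printf '%-24s %-8s self_signed=%s san=%s expiry_90d=%s\n' "$f" \
      "$(verify_against_site_ca "$c")" "$(is_self_signed "$c")" \
      "$(has_subject_alt_name "$c")" "$(expiry_status "$c" 90)"
  done
}

main
```

Two things in the output are worth noticing. The self-signed certificate carries the same common name as the real controller, yet a peer holding only the site CA rejects it, which is the chain-of-trust property that self-signed deployments give up; and the 90-day expiry check flags the short-lived operational certificate while the 10-year self-signed one sails through, which is exactly why over-long lifetimes become the tempting workaround described above. The same loop over a directory of exported device certificates is a reasonable starting point for a fleet audit.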


Limited Revocation Mechanisms

Revoking a self-signed certificate is harder than revoking one issued by a trusted CA. A CA can publish a certificate revocation list or answer online status queries, and peers that check them will reject the revoked certificate; a self-signed certificate has no issuer to publish anything, so "revoking" it means finding and removing it from the trust configuration of every device that ever accepted it. Dealing with compromised or outdated self-signed certificates is therefore slow and easy to get wrong.

Potential for Certificate Spoofing

Self-signed certificates are also more susceptible to certificate spoofing. Because a peer cannot tell a legitimate self-signed certificate from a forged one by checking a signature, an attacker who manages to replace a legitimate self-signed certificate with a malicious one, or to get a device to accept it, gains whatever access that certificate grants and can conduct other malicious activities from there.

Difficulty in Auditing and Compliance

Organizations that must adhere to specific security standards or compliance regulations may run into trouble when using self-signed certificates, since many standards require certificates from a trusted CA as a baseline for authentication.

While self-signed certificates may be suitable for certain use cases, such as testing environments or small-scale deployments, they are generally not recommended for production systems, especially those where strong security and trust are paramount. In production environments, obtaining digital certificates from a reputable CA is the preferred approach to establish a secure and trusted communication infrastructure.

Automated BACnet Certificate Management with DOME

Recognizing the above challenges and security risks, Veridify has developed the DOME platform with capabilities to automate certificate management for DOME-enabled and BACnet/SC devices. The DOME platform enables overlay security for existing BACnet devices – there is no need to replace existing building controls or change the network. The benefits of DOME security management of building controls include:

  • A system-driven approach that improves the speed of implementation and eliminates the opportunity for errors.
  • Device registration with a simple “point-and-click” process using the DOME Mobile App™.
  • No IT/Cyber expertise is needed and installation of secure devices can be completed by existing building automation technicians.
  • Certificates can be renewed automatically by DOME which eliminates the upfront and on-going labor expense of certificate management.

Conclusion

Self-signed certificates in BACnet/SC networks compromise security through weak authentication and expose operations to costly manual processes. For building automation systems, where device integrity is critical, leveraging trusted CAs or automated certificate management is essential to maintain both security and operational continuity.

