KNX Secure Header

KNX Secure in the ETS - Simple planning and configuration

ETS monitors parameters, generates security keys and safeguards projects

Whether it is an office building, industrial facility or a smart home – the Engineering Tool Software ETS is always a guarantee of an expert KNX installation implemented using compatible products from different manufacturers. Planners, installers and system integrators all over the world rely on this tool for professional automation of building technology. In light of an increase in cyber criminality and a growing need for data security, you can always count on ETS. With continual further development, the software is now also fit for the new security architecture KNX Secure. As a result, ETS users can in future also ensure that their customers have maximum protection against hackers.   The current ETS version 5.6 fully supports KNX Secure. Its main tasks include the project design, parameterisation and commissioning of the devices as well as the project security. Intelligent functions make the configuration of KNX Secure devices easy. Once an ETS project has been opened and the topology has been configured, the corresponding KNX Secure devices can be imported as usual. They are easy to recognise by a blue “protective shield”.  

Selection in the Secure cataloguezoom
Topology with KNX Secure deviceszoom
 

Monitoring of the status

KNX Secure device – Secure commissioning activated / deactivatedzoom

ETS makes parameters available to carry out device security settings for KNX IP Secure: “on”, “off” or “automatic”. ETS processes the group address security for KNX Data Secure in the same way. An automatic procedure ensures that devices or group addresses which are related to each other always have the same status. If a conventional IP router was inserted for example in a KNX IP Secure medium, it would be rejected by ETS. It behaves in the same way with group addresses for KNX Data Secure. ETS indicates if secured and unsecured data points should be linked to a group address and suggests solutions for this scenario. A mixed operation is possible if secure and unsecure functions are kept separate. For example, with multi-gang actuators, the group addresses of the channel functions can be set as “secure” and “unsecure” but then the device itself is “secure”.

 

Certification of devices

When the device security and group address security is activated, a password must of course be set for the project. This protects the program against unauthorised access. It must also be possible to authenticate each device in the telegram traffic.

When KNX security is activated, ETS requests the factory key.zoom
 

ETS thus requires an individual device certificate for each KNX Secure device as well as KNX IP Secure and KNX Data Secure. This consists of a device-specific factory key and a serial number. The factory key is located either on the device or is available for example as a code. It can be entered during the project design or at the latest at the commissioning stage if ETS requests it automatically. The factory key is not sent via the bus but entered externally in ETS or scanned for security reasons. After the initial registration, the ETS automatically generates a new device key which is valid immediately. The original factory key is archived. It can only be activated by resetting the device. A safety principle is thus applied which corresponds to the handling of a home router or the written registration of online banking access.

Management of the security keys

For secure archiving, ETS makes documents available with all the device keys.zoom

The management of the security key is an integral part of the ETS functionality. During the parameterisation of the project, ETS generates as many runtime keys as required for the group communication that is being protected. The runtime key is stored and can be exported for other applications, for example for visualisation. Finally, all the security keys are stored in the ETS project. They are required for the commissioning phase.

 

They are the last resort if a project is lost as a KNX project cannot be reconstructed without a security key. This process therefore requires reliable archiving of the project software. The list of security keys should be printed out just in case and kept somewhere safe.