KNX Secure in the ETS - Simple planning and configuration
ETS monitors parameters, generates security keys and safeguards projects
Whether it is an office building, an industrial facility or a smart home, the Engineering Tool Software ETS is always a guarantee of an expert KNX installation implemented using compatible products from different manufacturers. Planners, installers and system integrators all over the world rely on this tool for professional automation of building technology. In light of an increase in cybercrime and a growing need for data security, you can always count on ETS. With continual further development, the software is now also fit for the new security architecture KNX Secure. As a result, ETS users will also be able to ensure that their customers have maximum protection against hackers. The current ETS version 5.6 fully supports KNX Secure. Its main tasks include the project design, parameterisation and commissioning of the devices as well as the project security. Intelligent functions make the configuration of KNX Secure devices easy. Once an ETS project has been opened and the topology has been configured, the corresponding KNX Secure devices can be imported as usual. They are easy to recognise by a blue “protective shield”.
Monitoring of the status
ETS provides parameters for the device security settings of KNX IP Secure: “on”, “off” or “automatic”. ETS handles the group address security for KNX Data Secure in the same way. An automatic procedure ensures that devices or group addresses which are related to each other always have the same status. If, for example, a conventional IP router were inserted in a KNX IP Secure medium, ETS would reject it. It behaves in the same way with group addresses for KNX Data Secure: ETS indicates when secured and unsecured data points are to be linked to the same group address and suggests solutions for this scenario. Mixed operation is possible if secure and unsecure functions are kept separate. For example, with multi-gang actuators, the group addresses of the channel functions can be set as “secure” and “unsecure”, but the device itself is then “secure”.
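The status rules described above, as a simplified model added here for illustration (it is not ETS code or a KNX API). The function names, the data layout and the choice to report an “automatic” group address with mixed data points as a conflict are assumptions of this example; the sample project is constructed.

```python
VALID = ("on", "off", "automatic")

def resolve(links, settings=None):
    """links: {group_address: [(device, data_point, secure_capable), ...]}
    settings: {group_address: "on" | "off" | "automatic"}, default "automatic".
    Returns (status, conflicts). conflicts lists, per group address, the data
    points without security support that prevent the address being secured."""
    settings = settings or {}
    status, conflicts = {}, {}
    for ga, points in links.items():
        mode = settings.get(ga, "automatic")
        if mode not in VALID:
            raise ValueError(f"{ga}: unknown setting {mode!r}")
        plain = [(dev, dp) for dev, dp, capable in points if not capable]
        if mode == "off":
            status[ga] = "unsecure"      # explicitly kept separate from secure traffic
        elif not plain:
            status[ga] = "secure"        # every linked data point supports security
        elif mode == "automatic" and len(plain) == len(points):
            status[ga] = "unsecure"      # nothing on this address supports security
        else:
            conflicts[ga] = plain        # secured and unsecured data points mixed
    return status, conflicts

def device_status(links, status):
    """A device counts as secure once any of its group addresses is secure."""
    result = {}
    for ga, points in links.items():
        for dev, _dp, _capable in points:
            if status.get(ga) == "secure":
                result[dev] = "secure"
            else:
                result.setdefault(dev, "unsecure")
    return result

# Constructed sample: a two-gang actuator (ACT), a secure-capable switch (SW1)
# and a conventional switch without security support (SW2).
LINKS = {
    "1/1/1": [("ACT", "channel A switch", True), ("SW1", "rocker 1", True)],
    "1/1/2": [("ACT", "channel B switch", True), ("SW2", "rocker 1", False)],
}

if __name__ == "__main__":
    print(resolve(LINKS))                        # 1/1/2 is reported as a conflict
    status, _ = resolve(LINKS, {"1/1/2": "off"}) # keep channel B unsecured
    print(status, device_status(LINKS, status))
```

Setting group address 1/1/2 to “off” resolves the conflict and reproduces the multi-gang case from the text: one channel is secured, the other is not, and the actuator itself counts as secure.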
Certification of devices
When the device security and group address security are activated, a password must of course be set for the project. This protects the program against unauthorised access. It must also be possible to authenticate each device in the telegram. ETS thus requires an individual device certificate for each KNX Secure device, for KNX IP Secure as well as KNX Data Secure. This consists of a device-specific factory key and a serial number. The factory key is located either on the device or is available, for example, as a code. It can be entered during the project design or, at the latest, at the commissioning stage, when ETS requests it automatically. For security reasons, the factory key is not sent via the bus but is entered in ETS externally or scanned. After the initial registration, ETS automatically generates a new device key which is valid immediately. The original factory key is archived. It can only be activated again by resetting the device. The safety principle applied here corresponds to the handling of a home router or the written registration for online banking access.
Management of the security keys
The management of the security keys is an integral part of the ETS functionality. During the parameterisation of the project, ETS generates as many runtime keys as required for the group communication that is being protected. The runtime keys are stored and can be exported for other applications, for example for visualisation. Finally, all the security keys are stored in the ETS project. They are required for the commissioning phase. They are also the last resort if a project is lost, as a KNX project cannot be reconstructed without a security key. This process therefore requires reliable archiving of the project software. The list of security keys should be printed out just in case and kept somewhere safe.