KNX Secure Introduction
Extended KNX security with the first devices for KNX IP Secure and KNX Data Secure
Cyber security has become a controversial topic: some already see intruders as hackers while others skirt around the topic. Professionally installed KNX installations are fundamentally secure. It is also a fact that KNX applications in buildings are becoming more versatile and are therefore more sensitive to attacks. The need for security increases with the threat. The first KNX Secure devices have now come onto the market to provide increased KNX security.
The popularity of the smart home has awakened the interest of hackers. It’s small wonder as smart home technology is often brought quickly and cheaply to the market and data security often misses out. There is also frequently a lack of competence with regard to the careful and reliable implementation of the system. KNX is different: KNX is installed by specialists. Protective measures against unauthorised access to the building network belong to the regulations governing installations. They are also proficiently maintained in operating KNX systems. Hackers therefore have poor chances of success with KNX.
Risks and hazards
Warnings from IT security experts about attacks on building networks should however not be trivialised. The threat level changes depending on whether it is a smart home or smart building. Intelligent applications in buildings are becoming more versatile. KNX systems also integrate safety-related functions in line with synergy effects. Access management, gate control systems and alarm systems can be possible targets. If a crafty criminal finds a security breach, they can copy telegrams, open doors remotely or even deactivate the alarm system.
Hackers could view unprotected data from presence detectors, energy consumers and administration programs and make use of them for malicious intent. The manipulation of lighting control systems, heating control systems and other processes in building technology is also a risk. There is more to it than that: building networks offer increasingly greater targets with new applications using internet routers, WLAN, IP protocol, servers, tablets, smartphones and IoT components.
KNX is Secure
In principle, building automation with KNX is secure. A professionally implemented installation follows safety regulations. This is helped via a safety checklist provided by KNX. Physical media should for example be closed off against direct access both internally and externally. Couplers prevent unwanted telegram traffic via a line and set limits on direct access. The parameters are protected against unauthorised changes via a password which must be entered prior to accessing them.
If IP is used as a communication medium, the usual safety
mechanisms should be applied for IP networks. A VPN connection for example
prevents unauthorised reading during the configuration with ETS.
Highest standard of protection
To adapt to the current and future developments of building automation in the field of data security, KNX has increased the safety requirements for KNX technology and developed the safety architecture KNX Secure. The new KNX Secure devices are the consistent implementation of an early development of additional protective measures. KNX Secure was already created in 2015 as a safety concept and adopted in ETS5.5 in 2016. The specified protective mechanisms are based on international safety algorithms standardised according to ISO 18033-3 and use the recognised encryption in accordance with AES 128 CCM. This means the highest level of data protection through authentication and encryption of the data communication. The following methods are applied:
- Telegrams are authenticated so that recipients can recognise them as real or false.
- A possible additional encryption makes telegrams illegible to a third party.
- A sequential number prevents the unwanted repetition of telegrams.
Telegrams can thus be authenticated so that the content for example remains visible for visualisation software. They cannot however be manipulated or resent. Communication with the devices is also secured during the project design and commissioning with ETS. KNX Secure consists of two types of security:
- KNX IP Secure for the protection of KNX IP communication
- KNX Data Secure for the protection of the runtime communication of group telegrams for example
Both safety mechanisms can be combined together and used in parallel. With KNX Secure, KNX installations can have application-oriented or complete security.
KNX IP Secure is flexible
In addition to new installations, the market for building
automation will in future demand the safety-related upgrade of existing systems.
Customers rely on compliance with regulations and standards. KNX Secure meets
this requirement through standardisation in accordance with EN 50090-4-3. There are two possibilities to effectively prevent
attacks by hackers:
- With KNX IP Secure, the IP
communication of a KNX installation can be secured both simply and
cost-effectively. It is sufficient to replace the customary KNX IP routers for
the new KNX IP Secure routers. These routers extend the KNX IP protocol with
additional authentication and encryption. With this process, the IP
communication is secured on the telegram level.
- KNX Data Secure encrypts and
authenticates telegrams between terminal devices via all transmission paths. All
the components involved must be KNX Data Secure devices. In addition to the
complete protection of entire KNX areas and KNX lines, it is also possible to
safeguard individual KNX applications which are at particular risk. Both secure
and unsecure functions are possible in parallel – also within a KNX Data Secure
KNX Secure devices can generally be operated as both secure and unsecure. It is therefore possible to remain flexible for changes and extensions of an existing KNX installation, if for example not all the KNX devices are available as KNX Secure in the future or if old devices need to be replaced.
Key role of ETS
When implementing the extended KNX security, the ETS project design software plays a key role in the truest sense of the word. The tool for expert KNX installation has already been made fit for KNX Secure with version 5.5. Intelligent functions support project design and commissioning with KNX Secure devices. During the configuration, control mechanisms protect ETS against incorrect settings. ETS ensures that the project password and device certificate are activated in secure mode. In the dialog box, it automatically generates the assignment of security keys for KNX Secure devices and runtime keys of group address telegrams and stores the security keys in the project.
KNX Secure protects KNX installations beyond the usual safety standard of building automation. It is up to the planners, installers, system integrators and building users to use the appropriate safety measures and possible extensions with KNX Secure. The yardstick for the implementation are possible threats and risks as well as the consideration of additional costs in relation to benefit. Prerequisites are the professional project design and installation of the KNX system. All parties involved are required so that a KNX project with KNX Secure applications remains protected for the maximum period against attacks from hackers. When the project is handed over to the building users, service engineers and in-house technicians, it is necessary for the project support, the safekeeping of the security keys and the responsibility for them to be regulated.
KNX News Flyer
KNX Secure Checklist
KNX Secure Position Paper
KNX News Presentation
Available in 2 Languages