Is BACnet/SC the Key to Securing OT Networks?


With the increasing integration of cloud-based systems, IoT devices, and external network connections, operational technology (OT) networks have become more vulnerable to cyber threats. For many organizations using building automation systems (BAS), focusing on operational efficiency and connectivity has historically outpaced the emphasis on security. 

Older OT technologies, like MS/TP, often lack basic encryption and authentication features, making them attractive targets for cybercriminals. These networks are typically difficult to patch and upgrade due to the critical nature of the infrastructure they support, which leaves them exposed to potential threats.

Many OT networks still aren’t covered by the robust cybersecurity perimeters established for IT networks. 

As a result, securing these systems is a complex task requiring solutions specifically tailored to OT environments. One emerging solution to these security challenges is BACnet Secure Connect (BACnet/SC), an evolution of the widely used BACnet protocol that promises secure communications in OT networks without compromising the interoperability and openness that have made BACnet a popular choice.

But is it a viable solution to securing OT networks, or does it just present yet another set of challenges?

What is BACnet/SC?

BACnet/SC (Secure Connect) is the latest iteration of the BACnet protocol, which has been the go-to standard for building automation since the 1980s. While the standard BACnet/IP protocol has served well in connecting devices from different vendors, it was not built with cybersecurity in mind.

BACnet/SC was developed to address this gap. In our article "Your Introduction to BACnet Secure Connect," two of the architects behind BACnet/SC, David Fisher and Bernhard Isler, explain that the key difference lies in its focus on secure communications. Using Transport Layer Security (TLS), the same encryption protocol used for secure browsing on the internet, BACnet/SC encrypts data transmitted between devices, ensuring that sensitive information cannot be intercepted or tampered with by unauthorized actors.

In addition to encryption, BACnet/SC incorporates stronger authentication mechanisms, making it harder for attackers to gain access to the network. Importantly, these security enhancements come without sacrificing the ease of integration and interoperability that BACnet is known for.


BACnet/SC Is a Big Step Up for Security

  • Introduces encryption. As mentioned, BACnet/SC’s greatest advantage over the standard BACnet protocol is its ability to provide secure communications. By leveraging TLS, it ensures everything on your OT network is encrypted, making attacks such as man-in-the-middle interception nearly impossible for cybercriminals to carry out.
  • Adds user authentication. BACnet/SC also introduces authentication measures that can verify the identities of devices attempting to join the network, adding an extra layer of zero trust protection against unauthorized access. 
  • Achieves scalability. BACnet/SC can be implemented in both small and large OT networks, providing flexibility for organizations looking to secure a variety of environments, from single-building systems to sprawling multi-campus facilities.
  • Provides legacy device support. While BACnet/SC is designed with modern security standards in mind, it also maintains backward compatibility with older BACnet devices. This allows organizations to gradually migrate to BACnet/SC while continuing to support legacy systems, ensuring that security is improved without disrupting operations.
  • It’s more IT-friendly. BACnet/SC introduces some much-needed features that make integration into IP systems easier, like a “BACnet/SC hub” feature that can eliminate BBMDs and the need to broadcast BACnet messages, introduce failover redundancy and support for dynamic addressing, and make everything generally more firewall compatible.

Siemens has created this extensive feature comparison for a detailed look at the differences between the two protocols. 


BACnet/SC Cons

  • Increased Complexity. Encryption, certificate management, and other security features make it more complex to configure. Managing Public Key Infrastructure (PKI), secure tunnels, and certificate distribution can increase administrative overhead for OT network managers who are not accustomed to dealing with cybersecurity protocols.
  • Potential for Higher Costs. Deploying and managing BACnet/SC, which involves procuring certificates, upgrading hardware, and training staff, could lead to higher operational costs. Organizations with extensive legacy infrastructures may face significant costs in fully transitioning to BACnet/SC.
  • Performance Overhead. Security features, such as encryption and tunneling, can introduce latency, which could affect the performance of real-time OT systems.
  • Integration for legacy equipment. Integrating older equipment into a BACnet/SC network may lead to compatibility issues, particularly if those devices don’t support secure communications. BACnet/SC is not an upgrade path for MS/TP devices. 
  • Unfamiliarity and Adoption Lag. As BACnet/SC is still relatively new, widespread industry adoption may take time. This lag could result in a limited pool of experienced integrators, potential bugs in early implementations, and uneven support from vendors.

Is BACnet/SC a Comprehensive Security Solution?

As promising as BACnet/SC is, it’s not a silver bullet. While it addresses critical gaps, like the lack of encryption and authentication, securing an OT network requires a more holistic, multi-layered approach.

Just like their IT counterparts, OT networks require additional layers of security such as segmentation, firewalls, intrusion detection systems, and continuous monitoring to provide comprehensive protection. These layered defenses help organizations mitigate risks and respond quickly to potential threats. As IT/OT convergence continues to bring the two networks under one umbrella, any weak point in the security of one network provides a breach point into the whole network.
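One monitoring check that fits this layered approach during a gradual migration, shown as an added example that is not from the original article or any vendor: it sorts flow records into BACnet/SC traffic and unencrypted BACnet/IP traffic that is broadcast, crosses segments, or enters from outside the OT network. The segment names, addresses, hub location and flow records are constructed assumptions. UDP 47808 is the default BACnet/IP port, and because BACnet/SC is recognised here only by the assumed hub address and port, this is a port-based heuristic, not packet inspection.

```python
import ipaddress

BACNET_IP_PORT = 47808  # 0xBAC0, the default (configurable) BACnet/IP UDP port

# Assumed site layout (hypothetical): two OT segments and one BACnet/SC hub.
SEGMENTS = {
    "ahu-floor1": ipaddress.ip_network("10.20.1.0/24"),
    "chiller-plant": ipaddress.ip_network("10.20.2.0/24"),
}
SC_HUB = (ipaddress.ip_address("10.20.0.10"), 443)  # assumed hub address and TLS port

# Constructed flow records: (source, destination, protocol, destination port).
FLOWS = [
    ("10.20.1.15", "10.20.1.255", "udp", 47808),  # broadcast inside one segment
    ("10.20.1.15", "10.20.2.40", "udp", 47808),   # cleartext across segments
    ("10.20.1.22", "10.20.1.30", "udp", 47808),   # cleartext inside one segment
    ("10.20.2.40", "10.20.0.10", "tcp", 443),     # node connecting to the hub
    ("192.0.2.77", "10.20.2.40", "udp", 47808),   # cleartext from outside OT
]

def segment_of(ip):
    """Return the name of the OT segment containing ip, or None."""
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None

def classify(flow):
    """Label one flow record by how exposed its BACnet traffic is."""
    src, dst, proto, port = flow
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if proto == "tcp" and (dst, port) == SC_HUB:
        return "bacnet-sc"
    if proto != "udp" or port != BACNET_IP_PORT:
        return "other"
    src_seg, dst_seg = segment_of(src), segment_of(dst)
    if src_seg is None or dst_seg is None:
        return "cleartext-external"       # one end is outside every OT segment
    if src_seg != dst_seg:
        return "cleartext-cross-segment"  # segmentation is not containing it
    if dst == SEGMENTS[dst_seg].broadcast_address:
        return "cleartext-broadcast"
    return "cleartext-local"

def audit(flows):
    """Group flows by class so unencrypted BACnet/IP paths can be reviewed."""
    report = {}
    for flow in flows:
        report.setdefault(classify(flow), []).append(flow)
    return report
```

Flows in the external and cross-segment classes are the ones to check against firewall rules first; the local and broadcast classes show which devices are still waiting to be migrated.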

It’s a significant step in the right direction, but BACnet/SC should be seen as a key tool in the OT security toolbox, not a standalone solution. For organizations using BACnet protocols, adopting BACnet/SC is a logical step toward improving network security without sacrificing the open, interoperable nature that BACnet is known for.

Looking ahead, the success of BACnet/SC will depend on how widely it is adopted and how well it integrates with other security technologies. That said, with the right implementation strategies, and a focus on maintaining flexibility and interoperability, BACnet/SC has the potential to play a central role in securing OT networks against future threats.

Just Another Form of Vendor Lock-in?

While BACnet/SC offers clear security benefits, there are concerns that it could lead to vendor lock-in. Historically, BACnet has been praised for its open protocol design, which allows devices from different manufacturers to communicate seamlessly within the same network. However, with BACnet/SC, some industry experts have raised concerns that certain implementations could lead to vendor-specific features or dependencies. For example, some vendors might create proprietary enhancements or custom configurations for BACnet/SC that only work within their ecosystem, potentially limiting a customer’s ability to mix and match devices from different manufacturers.

The risk of vendor lock-in depends largely on how individual manufacturers implement the protocol. Some vendors, such as Delta Controls and Siemens, embrace open-source solutions that maintain the protocol’s spirit of interoperability, but others may choose proprietary approaches that restrict flexibility. The key, going forward, will be to carefully vet vendors and Systems Integrators that work with certain hardware brands. Choosing those that remain committed to open standards and interoperability will be the best option to help maintain flexibility across devices and vendors, preventing long-term lock-in.


BACnet/SC offers a promising solution to enhance OT network security by addressing long-standing gaps like the lack of encryption and authentication. However, it’s not a complete solution on its own. Organizations should adopt a layered security approach, combining BACnet/SC with other protective measures to ensure comprehensive OT network security.

While concerns about vendor lock-in remain valid, organizations can avoid this by selecting vendors committed to open standards and interoperability. In the end, BACnet/SC represents a critical step forward in OT security, but it should be part of a broader, multi-faceted defense strategy.
