Simon Buddle explains why any building control system which can be physically or electronically tampered with must be made secure, and why KNX Secure is the answer.
KNX Secure is the most important system update that we will ever see. The global data network is fraught with danger, as it is open to any would-be hackers. Every router connected to the Internet is a front door into the data network within a building; be it a home, commercial premises, educational facility, or even military establishment. If you are connected, you are at risk. This is an inescapable truth.
KNX Secure complies with the European Standard EN50090-3-4. EN50090 is the standard for Home and Building Electronic Systems (HBES) communications issued by CENELEC. It covers any combination of electronic devices linked via a digital transmission network to provide automated, decentralised and distributed process control for domestic and commercial building applications; for example, the control of lighting, heating, food preparation, washing, energy management, water, fire alarms, blinds, security, etc.
Since the release of KNX Secure, we have seen many new products come to market that meet the standard, meaning that we can now deploy a fully-secure KNX system from end to end. It is worth taking a deeper look at KNX Secure so that we can better understand the different elements that make up a fully KNX Secure system.
A KNX Secure Device, as the name suggests, is a KNX device that can encrypt or decrypt KNX telegrams. Such devices are marked on the product and its box as ‘KNX Secure’. Additionally, and crucially, the ETS product file displays the blue secure shield.
The first batch of KNX Secure products were all IP routers. Now, however, we can buy dimmers, switch actuators, blind controllers, etc – in fact almost any type of actuator we might need for a typical installation. So, the physical hardware is secure, but what about the communications?
KNX Secure telegrams are broken into two types: KNX IP Secure and KNX Data Secure.
KNX IP Secure relates to any telegrams that are passed between devices over the data network. The concern here is that messages might be snooped on by hackers, so the communication is fully encrypted. During product setup in ETS, each secure device is loaded with a security key, along with a number of other security measures. Only devices with this key can transmit and receive KNX IP Secure telegrams.
KNX Data Secure relates to telegrams that are not sent out onto data networks, but which may pass within a KNX installation over any line type: TP, RF, or PL. KNX Data Secure is where the actuators themselves play a critical part in the whole system security.
KNX installation security
For an installation to be fully secure, all devices in it must be compatible. As I write this, it is easy to find lots of IP communications modules that are IP Secure and lots and lots of actuators that are also fully secure-enabled. However, there are very few keypads or user interface devices in the current ETS5 and ETS6 that are secure. I suspect that this problem may be a direct result of the global semiconductor shortage that is preventing many manufacturers bringing new products to market. This is the final piece of the jigsaw needed to complete a fully secure system.
Securing cable routes
Whilst access to KNX via the local area network is the most obvious route into a system, this is now impossible with KNX IP Secure. However, the twisted-pair KNX bus is still a weak link if all of the devices are not secure. It is therefore reasonable to consider cable routing during the design and installation process, so that cables do not run through public or communal areas where they might be prone to attack.
For a more detailed set of safety checks and design considerations, see KNX Association’s handy KNX Secure Checklist and KNX Secure Guide.
KNX is a world leader in terms of its open protocol and the quantity and diversity of products and solutions available. It has taken a huge leap forward with KNX Secure, preparing it for the next 20 years of smart home and building integration. No other protocol has the scale of products or the wealth of associated standards to back it in the marketplace.
Feeling safe at home should be a given. When our front door is closed, and we are holed up in our little fortress, we should feel completely safe and secure. It’s now time for all installers to create a fortress around our KNX installations too.
Simon Buddle CEng MIET is a consultant for Future Ready Homes, a specialist in BMS and ELV services system design.