16. Nov 2021
With the threat of hacking ever-present, KNX Association has developed KNX Secure - a robust security solution for wired-, wireless- and IP-based installations. In this exclusive interview with KNXtoday, KNX Association CFO import_contentamp; CTO, Joost Demarest, talks strategy and implementation.
KNXtoday: Why is security a priority for KNX Association?
JD: In the past, there was limited awareness of security in the KNX community. For a start, many KNX installations are based on twisted pair (TP) wire, so if physical access to the installation is restricted, e.g. devices are in locked distribution boards, then the risk of someone hacking an installation is low. And as KNX Association spelled out in the KNX Secure Checklist available from the KNX website, many measures can be taken in KNX Classic installations to protect them against unwanted access and tampering. More recently, awareness of security has grown and KNX is now being used increasingly in wireless setups, so the KNX Secure extension has become essential.
KNXtoday: What typical scenarios do you see KNX Secure being applied to?
JD: KNX Association sees three areas in which we expect KNX Secure to be used. Firstly, in KNX installations that include radio frequency (RF) communication. Secondly, in buildings where it is difficult to prevent physical access to the installation (e.g. in public areas of public buildings). And last but not least, in protecting against unwanted access to an installation via IP.
KNXtoday: Developing a robust and workable solution such as this is clearly a landmark for KNX. What was required to get manufacturer Members on board?
JD: As KNX is an open protocol, it was imperative for KNX Association to thoroughly coordinate the solution amongst manufacturers and deliver the corresponding extension to ETS in a timely manner. Selecting an encryption algorithm is one thing; it is quite another to create a solution based on that algorithm that is also watertight and manageable by all involved. The specifications were completed in 2019, after which also the first certifications based on the uniform test specifications and with an update of the EITT test tool started. Already ETS5 supported KNX Data Secure (for TP and RF) and KNX IP Secure (for IP). Many KNX manufacturers have launched implementations of KNX Secure, KNX Data Secure became an international standard as EN 50090-3-4 and KNX IP Secure as EN ISO 22510!
KNXtoday: What has KNX Association been doing to get the KNX Secure message across?
JD: KNX has created the KNX Security Checklist, has written the KNX Secure Position Paper, and elaborated extensions to the KNX training documentation. The Help Center contain many tips and tricks on the use of KNX Secure and KNX Association has given numerous presentations at conferences and fairs, some of which can also be found online. With all of this, the community has all the tools (including the devices) it needs to use KNX Secure in practice.
KNXtoday: Another hot topic for KNX is the IoT. How will KNX Secure fit in with this?
JD: KNX Secure is clearly a security solution for KNX Classic installations, whereby KNX IoT is a completely IP-based communication extension to KNX Classic. For KNX IoT, of course security mechanisms will also be selected, but these will be largely based on mechanisms that are defined by the Internet Engineering Task Force for IP devices.
KNXtoday: How would you summarise the availability of KNX Secure until now?
JD: KNX Association regards KNX Secure as a milestone in building automation, as KNX was the first building automation system that came with a vendor-independent security concept for its field-level devices. This brings many opportunities for KNX and for KNX manufacturers. We are convinced that, thanks to the availability of KNX Secure, adoption of KNX by building owners will increase further still.
However, it is paramount that installers stay vigilant for any possible cyber attack against installations they equip with KNX. The use of the KNX Security Checklist stays extremely important, loopholes can be easily created (e.g. if connecting a KNX installation directly to internet without the use of a VPN connection): the KNX Security Checklist prevents such avoidable mistakes.