Secure KNX projects

How do you protect KNX projects against criminal access via the Internet?

For a long time, the issue of security in home and building automation was not taken seriously enough, probably because KNX technology was already considered well protected against unauthorized access, at least where the system integrator works closely with the person responsible for the network. KNX devices are usually permanently installed in the wall or in distribution boards in the technical room. It therefore takes criminal intent and suitable tools to get to the devices, i.e. the hardware. If the perpetrator wants to change something in the functionality or configuration, he must gain access to the building, manipulate KNX devices with tools and have the appropriate commissioning software.

A lot has been achieved with KNX Secure in recent years, and a significant step has been taken to prevent "digital intrusions", i.e. so-called "cyber attacks". Due to the rapidly spreading "cloud technology", more and more buildings are connected to the Internet.
If you observe all current regulations for a KNX project installation and safe commissioning, you are on the safe side. However, if you are careless and overlook the relevant security gaps, hacking or cyber attacks are possible. Unlike the "hardware manipulation" situation described above, the perpetrator or hacker does not have to be in the building to change the configuration of the KNX project. With the appropriate software tools and programs, he can spy on an unprotected building anonymously from anywhere in the world, purely over an Internet connection, and then possibly manipulate it.
This kind of cybercrime has increased significantly in recent years. Numerous servers of companies, schools, universities, hospitals and even energy supply companies were hacked. The data was then encrypted with the goal of extorting money (usually in the form of bitcoins) for the decryption.

How did the perpetrators act in the last few cases? More and more buildings became reachable from the network via open ports on Internet routers, either to facilitate maintenance and service, or to give the customer external access for visualization. This method is no longer up-to-date because such port forwarding is vulnerable to cyber attacks. Protected by anonymity, criminals were able to gain access and either unload the KNX devices (erase their application programs) and make them inoperable, or overwrite them and even protect them with a password of their own. This was extremely critical for the affected building owners and operators and can mean a high administrative and financial effort for the complete recommissioning of the system.

How do you protect KNX projects against criminal access via the Internet? There are various mechanisms that must be coordinated with each other. It should be noted that external attackers must be warded off as well as internal attackers, i.e. persons in the building. Of course, the open port must be closed first. It is best to close all ports on the Internet router, because there are more modern means of providing external and secure access. In correspondingly insecure private projects, all port forwardings entered in the Internet router can be deleted, either by the knowledgeable building owner or by a network specialist. In commercial projects, the network administrator is responsible.

For remote maintenance and external visualization of the projects, you can either use a hardware firewall or an Internet router that contains firewall functionality. This firewall functionality then provides a VPN (Virtual Private Network) connection. There are also KNX products that offer a firewall function with an integrated VPN. With these VPN devices, the "handshake" takes place in a secure cloud application, which establishes a direct, encrypted tunnel connection after a successful "handshake".

Even more security is available to the project engineer or operator who relies on KNX devices with KNX Secure functionality. The result of years of development is a comprehensive KNX Secure security architecture, which uses internationally standardized security algorithms based on ISO 18033-3, such as AES-128 in CCM mode, to effectively prevent attacks on the digital infrastructure of buildings.

KNX Secure essentially consists of two mechanisms: KNX IP Secure protects the IP communication between the individual lines and areas within the KNX installations. For this purpose, KNX IP Secure extends the IP protocol in such a way that all transmitted telegrams and data are fully encrypted. At the same time, KNX Data Secure effectively protects the user data, including the data exchanged with the various end devices, against unauthorized access and manipulation through encryption and authentication. Both mechanisms can be combined and used in parallel to achieve maximum security.

In existing KNX projects it is easy to increase the security level: replace the existing KNX IP routers with KNX Secure variants and activate the KNX Secure function. This encrypts all KNX telegrams on the IP network/Ethernet; you are then using KNX IP Secure. "Reading along" is still possible, but the bits and bytes of the encrypted communication can no longer be interpreted by third parties, e.g. hackers. Interpreting them requires the Secure Key, which these strangers do not have.

If you want to further increase the security level of the KNX installation and also prevent unauthorized access to data communication at the sensor and actuator level, you can use KNX sensors and actuators with KNX Secure. More and more KNX manufacturers offer suitable products. If this security mechanism is activated on the basis of telegram transmission, it is called "KNX Data Secure".

Conclusion: In modern building automation systems, operational reliability is an extremely important point. Regardless of whether it is a private or commercial project, you should be aware of the risks of unwanted access to data traffic at an early stage and take appropriate measures. To minimise the risk of unauthorised access, there are already proven products and corresponding mechanisms that can be used depending on the security requirements and offer the necessary protection. VPN solutions in combination with KNX Secure devices offer optimal protection.
