The e-magazine for KNX home & building control

Security: configuring KNX Secure systems in ETS

Mark Warburton explains the basics of KNX Secure and gives a step-by-step explanation of how to configure KNX Secure systems in ETS.

There are a lot of things that make KNX stand out against other systems – the key one being the standardisation of the system which is represented by over 30 years of backwards compatibility. That the KNX Association has been able to maintain this deserves a lot of credit; particularly when you consider how much the system has evolved and expanded despite this key principle. Nowhere is this more relevant than in the implementation of KNX Secure. Now a mature part of the system, KNX Secure allows for both the communication between devices and IP communication with the system, to be encoded, locking the system down to authorised users only.

KNX offers an unmatched level of backwards compatibility along with the highest levels of system security.

With countless KNX Secure products now released, let’s take a look at how to configure these products in ETS. But first, here’s a quick catch up on what KNX Secure is.

KNX Secure basics

KNX Secure is an extension to the KNX standard which allows for IP communication or telegrams on the bus to be encoded using AES128 encryption. The need for this has arisen as consumers demand secure solutions. Although it has always been possible to create secure remote access to a KNX installation using standard IP approaches such as VPNs (Virtual Private Networks), there are still numerous KNX installations around the world that have been configured for open access from the Internet, either inadvertently or deliberately to make remote access easier. As this presents an inherent security risk to individual projects as well as the wider reputation of KNX as a robust system, both manufacturers and the KNX Association designed and implemented an embedded security layer to allow projects to be made secure from the ground up. KNX Secure has two aspects, namely IP Secure and Data Secure.

(Left) KNX IP Secure is for secure KNX transmission between buildings (highlighted in green), whilst (right) KNX Data Secure is for secure KNX transmission within the building (highlighted in green).

KNX IP Secure

KNX IP Secure encodes all KNX IP traffic in a security wrapper ensuring only authorised devices and applications can read the messages. This is true for multicast or tunnelling connections and can also apply to ETS commissioning connections so that all downloads to devices are protected.

KNX Data Secure

KNX Data Secure works at the individual object level, allowing the data in individual telegrams to be encoded across all communication media. This could be used to protect sensitive data or to restrict access to central-system-wide functions, leaving the rest of the KNX system communicating in the standard way.

In both cases, there are various security mechanisms that ensure telegrams can’t be manipulated or repeated, and the KNX Association has worked hard to ensure the configuration is as straightforward as possible whilst maintaining the highest level of protection.

To work with KNX Secure products, it is essential to be working with the latest version of ETS, either ETS 5.7.6 or, ideally, the newly-released ETS6.

Configuring KNX Secure

In this example, we will look at how to create a secure IP backbone line with the IP router also supporting tunnelling connections. We will also see how to create a Data Secure Group Address.

Before you can even add KNX Secure devices to ETS, you will need to add a project password on the main details tab. As ETS is effectively the administrator in a secure installation, it’s critical that access isn’t possible without permission.

ETS Project settings with Project Password.

Adding the FDSK

The next step is to add the Factory Default Shared Key (FDSK) from secure products into ETS. This is the default key that is printed on a device, and/or supplied on a separate card, and is used to initially authorise a device. After this first use, ETS uses device keys which are known only to the secure devices and ETS.

The FDSK can be added to ETS either on the main security tab or as you add individual secure devices. Either way, you can use a USB camera or handheld scanner to read the QR codes to save typing the 32-digit code.

Adding FDSK from device card to main project settings.

Adding products

If you have already added the keys, when you add the products from the Catalog, it will still prompt for the FDSK as this is only linked when addressing the device. However, it is possible to hide this prompt. You will notice that when searching for KNX Secure devices in the Catalog, they will be displayed with a padlock.

Enabling KNX IP Secure functions

Once the products are in the project you can enable secure functions on the main line or backbone line by selecting it in the topology view and then changing the setting on the detail tab. By setting it to automatic, ETS will use security when possible, i.e. when all of the devices support it.

Enabling KNX IP Secure on the Backbone line.

The remaining settings are made on the individual devices. You can choose to use secure commissioning on the main setting tab and then add a password on the IP tab.

IP setting for IP router including commissioning and authentication passwords.

You can also separately enable security on individual tunnelling connections, either for commissioning or for third-party systems to connect. In this case, you will need to add an authentication code on the main device IP tab (see image above) as well as a password for each tunnelling connection (see image below).

Password setting for individual tunnelling connections.

Being able to enable these individually is key, as it means the system can still operate with external systems that are yet to support KNX Secure. As this is outside of the scope of the KNX Association, it will take pressure from the market for third-party solution providers to update to the KNX Secure standard.

Enabling KNX Data Secure functions

KNX Data Secure is even easier to work with. In the settings tab of a Group Address, you can set security to Automatic. Then, as long as all objects are from secure devices, security will automatically be used on that specific Group Address.

Enabling KNX Data Secure in the settings tab will automatically apply it to that specific Group Address.

Diagnostics

Because ETS, and the project, hold the security details, any diagnostics have to be done from within the project environment in order to ensure that the keys can be used.

Conclusion

With all new KNX products supporting KNX Data Secure, and an extensive range of IP Secure devices available, it is now entirely possible for a KNX system to be made inaccessible by those with nefarious intent. When planned into a project, it is incredibly easy to implement and will quickly become second nature to those working regularly with KNX.

KNX Secure presents a great opportunity to show how KNX is leading the way for building automation solutions, even with the added complexity of being an open-protocol, standardised solution.

Mark Warburton is a Director of Ivory Egg (UK) Ltd, a supplier of leading KNX products and provider of KNX training courses.

www.ivoryegg.co.uk

Share on facebook
Share
Share on twitter
Tweet
Share on linkedin
Share

SPONSORS

LUXA 103 KNX presence detectors


LUXA 103 KNX presence detectors
LUXA 103 presence detectors with a round detection area for individual and open-plan offices, meeting and storage rooms, cellars ...