What is KNX Data Secure?
By: Gabriel Li/Technical Service Center
gabriel@meanwell.com
By advancing smart control technology, many incredible technologies only shown in movies in the past have now been realized, such as opening a door via mobile phone or turning on the light with voice control. Nowadays these intelligent control applications in buildings are becoming more versatile in daily life. However, unsecured or vulnerable systems can be attacked by an unauthorized third party, and leads to data breaches and invasion of privacy. User’s personal and property safety is therefore at risk. To fulfil the demand of transmitting data in a secure way, KNX Secure has been developed to respond to current and future challenges regarding cyber security in building automation.
3 key features of KNX Secure:
■Data Integrity
Preventing attackers from gaining control by injecting manipulated frames. In KNX this is ensured by appending an authentication code to every message: this appended code verifies that the message has not been modified and that it effectively originates from the trusted communication partner.
■Freshness
Preventing attackers from recording frames and playing them back at a later time without manipulating the content. In KNX Data Secure this is ensured with a sequence number and in KNX IP Secure with a sequence identifier.
■Confidentiality
Encrypting network traffic to ensure that an attacker has the lowest possible insight into the data actually transmitted. When allowing encrypting KNX network traffic, the KNX devices ensure at least encryption according to the AES-128 CCM algorithms together with the asymmetrical keys.
KNX Secure includes KNX IP Secure(IP media) and KNX Data Secure(TP/RF media). KNX IP Secure shall be used for KNX installation (typically its backbone line) exposed to an external IP network, like the internet. And KNX Data Secure shall be used for KNX installation not exposed to an external IP network.
This article focuses on KNX Data Secure. Every KNX Data Secure product is shipped with a unique FDSK (Factory Device Setup Key) as shown in Figure 1. After the FDSK of the KNX secure device has been added to an ETS project, ETS automatically sets its Tool Key in the project, i.e., ETS user cannot define/modify the Tool Key manually, and the Tool Key is never visible for ETS user. The device from then onwards only accepts the Tool Key for further configuration with ETS. The FDSK is no longer used during subsequent communication unless the device is reset to the factory state, after which all the secure data in the device will be erased.
Figure 1. FDSK location of PWM-200-24KN
KNX Data Secure device can only be used in alliance with other devices with Data Secure when data secure is activated. However, when secure communication is not needed, KNX Data Secure devices can also be used in alliance with non-secure KNX devices. There are two ways for a secure device to work with a non-secure device. The first way is to deactivate the secure commissioning of the secure device (Figure 2). In this case, the behaviour of the secure device is the same as a non-secure device. The second way is to set individual Group addresses to “Off” or “Automatic” (Figure 3), then it can be linked to group objects of devices with activated or deactivated secure commissioning. All functional objects in a KNX Data Secure device can be set to different security levels according to different requirements. For example: for a control object from a touch panel, it can be set as secure transmission, and for a report object from an actuator it can be set as non-secure transmission.
Figure 2. Activated/Deactivated secure commissioning
Figure 3. Security setting of Group Address
Take Figure 4 for example, setting buttons of KNX Data Secure switch to non-secure mode (Plain) while linked with non-secure KNX device, and leaving the rest of the buttons in Data Secure mode to communicate with secure devices. If an application involves personal or property safety, such as the one for doors or windows, then Data Secure communication is suggested. If an application is not related to personal or property safety, for example, the one for TV or coffee machine, then users may choose whether secure communication is necessary. Please note: Once an object is set to non-secure mode, further communication will be no longer under the protection of Data Secure.
Figure 4. KNX system configuration
MEAN WELL will announce more new KNX Data Secure products, and will upgrade existing products with Data Secure. Recently we have launched PWM-200KN with Data Secure. Furthermore, KAA-8R-S and KAA-4R4V-S, which are the secured version of KAA-8R and KAA-4R4V, will come soon. We believe that they will give users a better experience with a completely secure environment while maintaining high quality and good reliability.
If you have any questions related to KNX products, welcome to contact MEAN WELL sales. Please feel free to check MEAN WELL Online Exhibition Hall and Building Power Solution to get technical videos, articles, FAQs and more supports from us.
Technical Service Hall
https://expo.meanwell.com/exhibition_12.html
KNX Building Power Solution
https://building.meanwell.com/
Reference links:
KNX official website
https://www.knx.org/
Mean Well Online Exhibition Hall
https://expo.meanwell.com/
Building Power Solution
https://building.meanwell.com/