Zennio KNX Secure Guide

User Manual Edition: b

1 Introduction

Previously, data transmitted in a KNX automation installation was open, allowing manipulation by anyone with access to the KNX medium. KNX Secure protocols enhance security by preventing unauthorized access to the KNX bus or devices, thus preventing attacks.

Secure KNX devices can communicate securely with ETS and other secure devices through built-in authentication and encryption systems.

Two types of KNX security can be implemented simultaneously:

  • KNX Data Secure: Secures communication within a KNX installation.
  • KNX IP Secure: For KNX installations with IP communication, secures communication via the IP network.

A secure KNX device has the capability to enable secure communication, though it's not always mandatory. Unsecured communication on secured devices is equivalent to communication between devices without KNX security.

The use of security depends on two key settings in the ETS project:

  • Commissioning security: Determines if communication with ETS during commissioning is secure and enables runtime security activation.
  • Runtime security: Determines if communication between devices during runtime is secure, specifying which group addresses are to be secure. Commissioning security must be activated to enable runtime security.

Activating security on KNX Secure devices is optional. When activated, it's set individually for group addresses, allowing some objects to be secured while others function normally. Devices with and without KNX Secure can coexist.

2 Configuration

From ETS version 5.7 onwards, KNX security and its functionalities are available for secure devices. This section describes how to configure KNX Secure in ETS projects.

2.1 KNX Data Secure

This implementation ensures secure communication between end devices. Secure KNX devices transmit encrypted telegrams to other secure KNX devices. Communication security can be chosen for each group address.

Diagram Description: Figure 1, "KNX data secure scheme," illustrates a KNX network topology. It shows a "Main Line" connecting "Area Couplers" and "Line Couplers." Devices are connected via "TP Line" and "TP Area." A "USB Interface" is also shown. A red line indicates "Data secure" paths, typically between devices or through couplers.

2.1.1 Secure Commissioning

When a device has secure commissioning enabled, communication between ETS and the device takes place in secure mode. Secure commissioning is a prerequisite for runtime security, i.e. for objects associated with a secure group address (see section 2.1.2). Note: the presence of a secure device in an ETS project implies that the project itself is protected by a password.

ETS Parameterisation: Secure commissioning is set in the "Configuration" tab within the "Properties" window of the device.

Screenshot Description: Figure 2 shows the ETS "Properties" window for a device. Under the "Settings" tab, the "Secure Commissioning" option is visible with a dropdown menu. The "Activated" option is selected, and an "Add Device Certificate" button is present. The "Status" is shown as "Unknown."

Secure Commissioning [Activated / Deactivated]: This setting determines whether ETS communicates with the device in secure mode, i.e. whether KNX Secure is enabled on the device. If "Activated" is chosen, a project password becomes mandatory.

Screenshot Description: Figure 3, "Project – Set Password," displays a dialog box prompting the user to set a project password for secure communication. It outlines password requirements (at least eight characters, one number, one uppercase, one lowercase, one special character) and fields for "New Password" and "Confirm Password."

Screenshot Description: Figure 4, "ETS - Device password," shows the ETS "Project with security" window. Under the "Details" tab, fields like "Name," "Project Number," "Contract Number," "Start Date," "End Date," "Status," "Comment," and "Password" are displayed. The "Password" field is shown with asterisks, and options to "Change Password" and "Set Key" are available.

Add Device Certificate: When secure commissioning is "Activated," ETS requires a unique certificate for the device in addition to the password. The certificate, a 36-character alphanumeric string printed as six groups of six characters (e.g., [XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX-XXXXXX]), is generated from the device's serial number and FDSK (Factory Default Setup Key). It is supplied with the device and includes a QR code for easy scanning.

Screenshot Description: Figure 5, "Project – Add Device Certificate," shows a dialog box for adding a device certificate. It indicates that the device supports secure commissioning and allows scanning a QR code or entering the certificate manually. The example certificate is displayed as six groups of six characters (ABYREN, CWPA6W, IDZCID, T2FDBV, BNJNXE, 7RO3RQ), together with "Serial Number" and "Factory Key" fields.

Screenshot Description: Figure 6, "ETS – Add device certificate," illustrates the ETS "Project with security" window, specifically the "Security" tab. It shows a section for "Device Certificates" with options to "Add" or "Delete" certificates, listing "Serial Number," "Factory Key (FDSK)," and "Device."
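As an added example that is not part of the Zennio manual, the following Python code parses a printed device certificate into its serial number and FDSK. It assumes the encoding defined by the KNX Secure specification, which the manual does not spell out: unpadded RFC 4648 Base32 (letters A-Z and digits 2-7) of the 6-byte serial number followed by the 16-byte FDSK; the six groups from Figure 5 serve as the sample input.

```python
import base64
import re

# Constructed sample: the six groups ETS displays in Figure 5, joined by dashes.
FIGURE5_CERTIFICATE = "ABYREN-CWPA6W-IDZCID-T2FDBV-BNJNXE-7RO3RQ"

# Assumption (KNX Secure specification, not stated in the manual): the 36
# characters are unpadded RFC 4648 Base32 (A-Z, 2-7) of 22 bytes, namely the
# 6-byte KNX serial number followed by the 16-byte FDSK.
_CERT_BODY = re.compile(r"^[A-Z2-7]{36}$")


def normalize_certificate(cert: str) -> str:
    """Accept the printed form (dashes, spaces, lower case); return 36 chars."""
    body = re.sub(r"[\s-]", "", cert).upper()
    if not _CERT_BODY.match(body):
        # Catches typing errors such as 0/O or 1/I, which are not Base32 digits.
        raise ValueError("certificate must be 36 Base32 characters (A-Z, 2-7)")
    return body


def parse_device_certificate(cert: str) -> dict[str, str]:
    """Return the serial number and FDSK as upper-case hex strings."""
    body = normalize_certificate(cert)
    raw = base64.b32decode(body + "====")        # 36 chars + padding -> 22 bytes
    return {
        "serial_number": raw[:6].hex().upper(),  # 12 hex digits
        "fdsk": raw[6:].hex().upper(),           # 32 hex digits
    }


def build_device_certificate(serial_hex: str, fdsk_hex: str) -> str:
    """Inverse of parse: encode serial + FDSK and print it in six groups of six."""
    raw = bytes.fromhex(serial_hex) + bytes.fromhex(fdsk_hex)
    if len(raw) != 22:
        raise ValueError("need a 6-byte serial number and a 16-byte FDSK")
    body = base64.b32encode(raw).decode().rstrip("=")
    return "-".join(body[i:i + 6] for i in range(0, 36, 6))


if __name__ == "__main__":
    print(parse_device_certificate(FIGURE5_CERTIFICATE))
```

Comparing the decoded serial number with the one printed on the device label is a quick way to catch a mistyped certificate before commissioning.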

During the initial secure commissioning, ETS replaces the device's FDSK with a unique "Tool Key." If the project is lost, all tool keys are lost, preventing device reprogramming. To recover, the FDSK must be reset. The FDSK can be restored by unloading the application (if done from the original commissioning project) or via a manual factory reset (see section 3).

2.1.2 Secure Group Communication

Each object of a secure device can transmit its information in encrypted form, securing the communication or the operation it controls. Whether an object uses KNX security is not configured on the object itself but on the group address it is linked to.

ETS Parameterisation: Communication security settings are configured in the "Configuration" sub-tab of the "Properties" window for the group address.

Screenshot Description: Figure 7, "KNX Data Secure – Group Address Security," shows the ETS "Properties" window for a group address. Under the "Settings" tab, the "Security" option is set to "Automatic." The "Data Type" is shown as "16.* character string."

Security [Automatic / On / Off]: In the "Automatic" setting, ETS determines if encryption is activated based on whether the two linked objects can communicate securely.

Notes:

  • All objects linked to a secure group address must be secure objects.
  • A single device can have both secure and non-secure group addresses.

Secure Objects are identifiable by a "blue shield" icon.

Table Description: Figure 8, "Secure Object," presents a table listing secure objects. Columns include "Number," "Name," "Object Function," "Description," "Group Address," "Length," the communication flags ("C R W T U"), "Data Type," and "Priority." Example entries show object functions like "[Access] Open Door" and "[Access] Lock Serial Channel" associated with group addresses like 0/0/4.
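An added example (not from the manual) that models the rules of this section as a small project-consistency check in Python: the "Automatic" setting encrypts only when every linked object is a secure object, "On" flags any non-secure object linked to the address, and a secure object on a device without secure commissioning is reported. Device names, object numbers and group addresses are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Device:
    name: str
    secure_commissioning: bool  # "Secure Commissioning" in the device properties

@dataclass
class CommObject:
    device: Device
    number: int
    secure: bool                # a secure object carries the blue shield in ETS

@dataclass
class GroupAddress:
    address: str
    security: str               # "Automatic", "On" or "Off"
    objects: list = field(default_factory=list)


def resolve_security(ga: GroupAddress) -> tuple[bool, list[str]]:
    """Return (telegrams on this address encrypted?, list of findings)."""
    findings = []
    for obj in ga.objects:
        # Runtime security requires commissioning security on the device (section 1).
        if obj.secure and not obj.device.secure_commissioning:
            findings.append(f"{ga.address}: object {obj.number} of {obj.device.name} "
                            "is secure but the device has secure commissioning deactivated")
    all_secure = bool(ga.objects) and all(o.secure for o in ga.objects)
    if ga.security == "Off":
        return False, findings
    if ga.security == "Automatic":
        # ETS encrypts only when every linked object can communicate securely.
        return all_secure, findings
    if ga.security == "On":
        if not all_secure:
            findings.append(f"{ga.address}: Security=On but a linked object is not secure")
        return all_secure, findings
    raise ValueError(f"unknown security setting {ga.security!r}")


def sample_project() -> list[GroupAddress]:
    """Constructed three-device project; names and addresses are made up."""
    relay = Device("Encrypted relay", secure_commissioning=True)
    panel = Device("Touch panel", secure_commissioning=True)
    legacy = Device("Non-secure actuator", secure_commissioning=False)
    return [
        GroupAddress("0/0/4", "Automatic", [CommObject(panel, 1, True), CommObject(relay, 0, True)]),
        GroupAddress("0/0/5", "Automatic", [CommObject(panel, 2, True), CommObject(legacy, 0, False)]),
        GroupAddress("0/0/6", "On", [CommObject(panel, 3, True), CommObject(legacy, 1, False)]),
    ]
```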

2.2 KNX IP Secure

KNX IP security is designed for KNX installations utilizing IP communication. It ensures the secure exchange of KNX data between systems via secure KNX devices with IP connections. This security applies to bus interfaces and the IP medium, meaning secure telegrams are transmitted between secure KNX IP couplers, devices, and interfaces. For secure transmission on main or sub-lines, security must also be activated on the KNX bus (see section 2.1).

Diagram Description: Figure 9, "KNX IP Secure scheme," depicts a network with an "IP Interface" connected to a "Backbone IP." This backbone connects to "Area Couplers" within "TP Area" segments. "Line Couplers" connect these segments to "TP Line" segments where devices are located. A red line indicates "Data secure" paths, primarily within the IP backbone and between IP-enabled components.

2.2.1 Secure Commissioning

In addition to secure commissioning (covered in section 2.1.1), "Secure Tunneling" can also be activated for KNX IP Secure. This parameter is found in the "Settings" tab of the device properties window in ETS.

ETS Parameterisation: Commissioning and tunneling security settings are configured in the "Configuration" tab of the device's "Properties" window.

Screenshot Description: Figure 10, "KNX IP Secure - Secure Commissioning and Tunneling," shows the ETS "Properties" window for a device. Under the "Settings" tab, "Secure Commissioning" is set to "Activated," and "Add Device Certificate" is available. "Secure Tunneling" is also shown as "Activated."

Secure Tunneling [Enabled / Disabled]: This parameter is available only if secure commissioning is enabled. When "Enabled," data transmitted through tunnel connections is secure, meaning it's encrypted via the IP medium. Each tunnel address has its own password.

Screenshot Description: Figure 11, "Tunneling Address Password," displays the ETS "Properties" window for a tunnel. Under the "Settings" tab, a "Password" field is shown, with an example password "GxF"w!9w."

The IP tab of the product also includes the "Commissioning Password" and "Authentication Code," which are necessary for establishing any secure connection to the device.

Screenshot Description: Figure 12, "Commissioning Password and Authentication Code," shows the ETS "Properties" window, specifically the "IP" tab. It displays fields for "MAC Address," "Multicast Address," "Commissioning Password" (with example "005P#Zu$"), and "Authentication Code" (with example "8&-6c.gK").

Note: It is recommended that the authentication code for each device be individual, preferably using the default set in ETS.

The commissioning password will be requested when the IP Interface is selected in ETS to connect to it; the authentication code is optional.

Screenshot Description: Figure 13, "Request for Commissioning Password when selecting a secure IP Interface," shows a dialog box prompting for login data: "Commissioning Password" and "Authentication Code (optional)."

3 Factory Reset

To prevent a device from becoming unusable due to loss of the project or Tool Key, it can be returned to its factory state, restoring the FDSK, by following these steps:

  1. Put the device in safe mode: Power it up with the programming button pressed until the programming LED flashes.
  2. Release the programming button. The LED continues flashing.
  3. Press the programming button for 10 seconds. The LED lights red while pressed. The reset occurs when the LED momentarily turns off.

This process deletes the Tool Key, the BCU password, and resets the individual address to 15.15.255.

An unload of the application program also deletes the Tool Key and BCU password. However, in this case, the ETS project used for programming is required.

4 Observations

Some considerations for the use of KNX security:

  • Individual address change: In a project with multiple secure devices sharing group addresses, changing the individual address of one device requires reprogramming the other devices that share group addresses with it.
  • Programming a reset device: When attempting to program a factory reset device, ETS detects the use of the FDSK and asks for confirmation to generate a new Tool Key for reprogramming.
  • Device programmed in another project: If you attempt to download a device (securely or not) that has already been securely programmed in a different project, the download will fail. You will need to recover the original project or perform a factory reset.
  • BCU key: This password is lost either by manual factory reset or by unloading the application.

Contact Information

Join and send us your inquiries about Zennio devices:

https://support.zennio.com

Zennio Avance y Tecnología S.L.
C/ Río Jarama, 132. Nave P-8.11
45007 Toledo. Spain
Tel. +34 925 232 002
www.zennio.com
info@zennio.com
