BACnet/SC Decryption feature - Metasys - LIT-12013959 - 13.0

BACnet/SC Workflow Technical Bulletin

Brand: Metasys
Document type: Technical Bulletin
Document number: LIT-12013959
Version: 13.0
Revision date: 2023-09-29
Product status: Active
Language: English
You can use the BACnet/SC Decryption feature to capture encrypted messages on the BACnet/SC network with the Wireshark tool. You can configure a Server so that it writes a file of TLS session keys, which you can use to decrypt the messages exchanged between the device the feature is running on and the other devices it has TLS sessions with. The feature is intended for diagnostic purposes only: while it is enabled, the encrypted messages can be decrypted and are no longer confidential.
Note: This feature is available for Metasys Servers only.

Enabling the decryption

To enable the capture of the TLS session keys between the Server and other devices that communicate over BACnet/SC, complete the following steps.
  1. In SCT, upload the archive and then set the Enable BACnet/SC Decryption Feature attribute of the Server device object to True.
  2. Download the archive with the changes to the device object.
  3. Set the Debug Mode attribute of the SC Network Port object to True. The session keys are captured in this location: C:\ProgramData\Johnson Controls\MetasysIII\bacnetsc-keys.txt
Note:
  • The system creates an audit when you set the Debug Mode to True.
  • The status attribute of the SC Network Port object changes to In Test when you set the Debug Mode to True.
  • To capture the keys when the hub connection is being established, enable the Debug Mode before you switch the communication mode to Secure Connect Only Mode or Dual SC and IP Mode. If the communication mode was switched before you enabled the Debug Mode, you can use the Restart Port command value in the Command property of the SC Network Port to trigger a restart of the WebSocket Server task. The WebSocket connections are then re-established and the keys are captured.
  • For security purposes, a timer automatically sets back the Debug Mode attribute to False after 30 minutes. You can track the time in the Debug Time Remaining attribute of the SC Network Port object. After 30 minutes, the software stops any logging of future key sessions and automatically sets the Command attribute of the SC Network Port object to Restart Port. The BACnet/SC datalink then restarts and all WebSocket connections are terminated and then re-established. This renders the session keys captured in the file worthless for decrypting future communication.
  • To cancel the decryption before the 30 minutes expire, set the Debug Mode attribute of the SC Network Port object to False.

Importing the session keys into Wireshark

To import the bacnetsc-keys.txt file into the Wireshark tool, complete the following steps:
  1. Open Wireshark and click Edit > Preferences.
  2. In the left pane, expand Protocols and select TLS.
  3. In the (Pre)-Master-Secret log filename field, enter C:\ProgramData\Johnson Controls\MetasysIII\bacnetsc-keys.txt and click OK.
  4. If successful, the Decrypted TLS tab opens in Wireshark.
  5. The decrypted packets are displayed on the Decrypted TLS tab in Wireshark.
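Before pointing Wireshark at bacnetsc-keys.txt, it is useful to confirm that the file actually contains usable entries, for example when the Debug Mode timer expired before any connection was re-established. The following added example (not part of this bulletin or the Metasys product) assumes the key file is in the NSS key log format that Wireshark's (Pre)-Master-Secret log filename preference reads, and summarises how many TLS sessions it covers and which lines are malformed; the sample key log is constructed, not captured.

```python
"""Sanity-check a TLS key log (NSS key log format) before Wireshark reads it."""
import re
from collections import Counter

# Wireshark's "(Pre)-Master-Secret log filename" preference reads the NSS key
# log format: "<LABEL> <client random, 64 hex> <secret, hex>", one line per entry.
# Expected secret sizes in bytes, per label.
SECRET_LENGTHS = {
    "CLIENT_RANDOM": (48,),                    # TLS 1.2 master secret
    "CLIENT_EARLY_TRAFFIC_SECRET": (32, 48),   # TLS 1.3 secrets: hash length of the suite
    "EARLY_EXPORTER_SECRET": (32, 48),
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET": (32, 48),
    "SERVER_HANDSHAKE_TRAFFIC_SECRET": (32, 48),
    "CLIENT_TRAFFIC_SECRET_0": (32, 48),
    "SERVER_TRAFFIC_SECRET_0": (32, 48),
    "EXPORTER_SECRET": (32, 48),
}
LINE_RE = re.compile(r"^([A-Z_0-9]+) ([0-9a-fA-F]{64}) ([0-9a-fA-F]+)$")

def parse_keylog(text):
    """Return distinct sessions (by client random), entries per label and malformed line numbers."""
    sessions, labels, malformed = set(), Counter(), []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):   # blank lines and comments are allowed
            continue
        m = LINE_RE.match(line)
        if not m or len(m.group(3)) % 2:
            malformed.append(lineno)
            continue
        label, client_random, secret = m.groups()
        if len(secret) // 2 not in SECRET_LENGTHS.get(label, ()):
            malformed.append(lineno)            # unknown label or wrong secret size
            continue
        sessions.add(client_random.lower())
        labels[label] += 1
    return {"sessions": len(sessions), "labels": dict(labels), "malformed": malformed}

# Constructed sample, not a real capture: one TLS 1.2 session, one TLS 1.3 session, one truncated line.
SAMPLE_KEYLOG = "\n".join([
    "# bacnetsc-keys.txt (constructed sample)",
    "CLIENT_RANDOM " + "11" * 32 + " " + "aa" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "bb" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "22" * 32 + " " + "cc" * 32,
    "CLIENT_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "dd" * 32,
    "SERVER_TRAFFIC_SECRET_0 " + "22" * 32 + " " + "ee" * 32,
    "CLIENT_RANDOM " + "33" * 32 + " " + "ff" * 20,   # 20-byte secret: rejected
])

if __name__ == "__main__":
    print(parse_keylog(SAMPLE_KEYLOG))
```

To check a real file, pass its contents to parse_keylog, for example `parse_keylog(open(r"C:\ProgramData\Johnson Controls\MetasysIII\bacnetsc-keys.txt").read())`; a result with zero sessions means Wireshark will have nothing to decrypt.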