
Customer Needs

Isolate BACnet from unauthorized systems

Fast and non-disruptive deployment

Segment remote access for contractors

Simple and fast network provisioning

Span communication across any network

Constraints

Flat L2 Network owned by IT

Unable to modify underlying network

Small staff supporting 640 buildings

Avoid building downtime

Onboard dozens of new buildings

Finish before fall semester

Results

Team isolated and segmented 50 buildings in first week

Eliminated all BACnet broadcast storms

Simple to add, move, and revoke network communication instantly

Contractor remote access isolated to specific systems only

Completed on time and under budget

Excellence and Innovation

Listed among the top 100 universities in the world and cited as one of the “Top 50 Best Universities” in America, Penn State University (PSU) is a large and highly competitive research institution. Its commitment to excellence and innovation is held not only by students and faculty, but by all personnel at Penn State.

With over 640 buildings spread across dozens of state-wide campuses, the Facilities Automation team was tasked with reducing the security risk and downtime of their Building Automation and Control networks (BACnet). The small team of four network administrators and four installation technicians had to define and deploy a solution before the start of the fall semester.

Overcome Network Chaos

PSU was dealing with a significant attack surface across their shared Layer 2 and Layer 3 network. Every building had several hundred or thousands of open data ports that gave direct access to the campus network, along with many rogue access switches and wireless access points that vendors had installed without permission. To make things more difficult, the network transport that carried BACnet traffic was a spider web of managed and unmanaged Ethernet, Wi-Fi and cellular networks that the team did not control.

Eliminate Broadcast Storms

Downtime caused by broadcast storms was too frequent and its impact was wide-ranging, from elevator outages to temperature-control failures that, for example, caused the loss of valuable lab research. As systems were brought online by staff or contractors, nearly 3,000 gateway routers would broadcast BACnet messages, flooding the network.
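Illustrative Python added here, not Penn State's or Tempered Networks' code: it parses constructed BACnet/IP frames, separates Original-Broadcast-NPDUs from unicast traffic, and flags any source whose broadcast rate exceeds a per-second threshold, the kind of check a facilities team could run over a capture to spot a storm before it causes an outage. The frames, source addresses, timestamps and threshold are all constructed for the example.

```python
"""Classify constructed BACnet/IP frames and flag broadcast-storm sources."""
from collections import defaultdict
from typing import Optional

BVLC_TYPE = 0x81            # every BACnet/IP frame starts with this BVLC type byte
ORIGINAL_UNICAST = 0x0A     # BVLC function: Original-Unicast-NPDU
ORIGINAL_BROADCAST = 0x0B   # BVLC function: Original-Broadcast-NPDU
WHO_IS = 0x08               # Unconfirmed-Request service choice for Who-Is


def parse_bvlc(frame: bytes) -> Optional[dict]:
    """Return BVLC function, declared length and a Who-Is flag, or None if not BACnet/IP."""
    if len(frame) < 4 or frame[0] != BVLC_TYPE:
        return None
    func = frame[1]
    length = int.from_bytes(frame[2:4], "big")
    if length != len(frame):
        return None  # truncated or padded frame: do not trust it
    who_is = False
    if func in (ORIGINAL_UNICAST, ORIGINAL_BROADCAST) and len(frame) >= 8:
        control = frame[5]
        # NPDU version 0x01; with the network-message (0x80), DNET (0x20) and
        # SNET (0x08) bits clear the APDU begins at offset 6: high nibble 0x1 is
        # Unconfirmed-Request, the next byte is the service choice.
        if frame[4] == 0x01 and control & 0xA8 == 0:
            apdu = frame[6:]
            who_is = (apdu[0] >> 4) == 0x1 and apdu[1] == WHO_IS
    return {"function": func, "length": length, "who_is": who_is}


def storm_sources(events, window_s: float = 1.0, threshold: int = 100):
    """events: (timestamp, src_ip, frame). Return sources that sent more than
    `threshold` Original-Broadcast-NPDUs inside any single time window."""
    counts = defaultdict(int)
    for ts, src, frame in events:
        info = parse_bvlc(frame)
        if info and info["function"] == ORIGINAL_BROADCAST:
            counts[(src, int(ts // window_s))] += 1
    return sorted({src for (src, _), n in counts.items() if n > threshold})


# Constructed frames: BVLC(4) + NPDU(2) + APDU(2) = 8 bytes each.
WHO_IS_BCAST = bytes([0x81, 0x0B, 0x00, 0x08, 0x01, 0x00, 0x10, 0x08])
I_AM_UNICAST = bytes([0x81, 0x0A, 0x00, 0x08, 0x01, 0x00, 0x10, 0x00])

# Constructed capture: one device re-broadcasting Who-Is 150 times in 0.75 s,
# a few benign unicast I-Am replies, and one legitimate discovery probe.
SAMPLE_EVENTS = (
    [(i * 0.005, "10.1.1.5", WHO_IS_BCAST) for i in range(150)]
    + [(0.2 + i * 0.1, "10.1.2.7", I_AM_UNICAST) for i in range(5)]
    + [(3.0, "10.1.3.9", WHO_IS_BCAST)]
)

if __name__ == "__main__":
    print("storm sources:", storm_sources(SAMPLE_EVENTS))
```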

“Everyone who has deployed BACnet has experienced its disruptive broadcast storms that impact performance and can create outages in other parts of the network.”

Tom Walker, Facilities Automation Network
Penn State University


Alternatives Considered

PSU considered firewalls, VPNs, and NAC for each building; however, the time, cost, and personnel estimates to deploy and manage them were prohibitive. They estimated that it would take 2,500 FTE-days just to deploy these technologies across 640 sites, and that 8 additional staff would be needed to manage them after deployment. PSU quickly concluded that no combination of these technologies could meet their requirements for network simplicity, isolation, and rapid provisioning.


Simple, Non-Disruptive Deployment

PSU chose Tempered Networks after an initial pilot in which they installed a physical HIPswitch in two separate buildings, a virtual HIPswitch in the data center in front of the BACnet control servers, and a HIPrelay for identity-defined routing. With no training, the team deployed the pilot in 20 minutes without modifying the underlying network or involving IT.


Make BACnet Invisible and WAN Communication Simple

Specific building controls, such as lighting systems, were grouped into their own encrypted overlay network so that only authenticated network communication was allowed between the building controls and their specific servers in the data center. No unauthenticated system anywhere on the campus network could find, discover, or access the building controls. All BACnet communication was encrypted and ran completely isolated and unimpeded. The environment was effectively made invisible to all other machines and users.

PSU now had the recipe for rapid deployment and the creation of peer-to-peer WAN overlay segments for simple, fast, and secure end-to-end connectivity without barriers.

“Only authorized BACnet systems can establish communication with each other via ID network segments in our overlay network. Even though we share the same campus network with 80,000 students, faculty and staff and tens of thousands of other machines, BACnet is segmented, unreachable and invisible to all other systems and users.”

Tom Walker, Facilities Automation Networking
Penn State University


Rapid Deployment While Eliminating Broadcast Storms

Within the first week of their production deployment, the small team had installed HIPswitches at 50 buildings, eliminating the network attack surface and allowing network communication only between authorized endpoints. Because of ID network access and segmentation, those systems’ broadcast messages are isolated and forwarded only to their specific, trusted control servers, which eliminated the broadcast storms.


A Simpler and More Secure Network at a Fraction of the Cost

The small team completed the project on time and under budget, while exceeding their requirements to easily connect and segment their BACnet systems. They estimated that Tempered Networks cost a quarter as much as firewalls, VPNs, or NAC and deployed ten times faster, while requiring no additional headcount. They have now secured BACnet in a way that was impossible with the alternatives.
