BACnet.

A building-automation and HVAC protocol standardized as ASHRAE 135 / ISO 16484-5 — widely deployed in HVAC, lighting, fire-alarm, and access-control systems in commercial buildings, historically with very weak authentication. It belongs to the OT / ICS / IoT category of cybersecurity.

A building-automation and HVAC protocol standardized as ASHRAE 135 / ISO 16484-5 — widely deployed in HVAC, lighting, fire-alarm, and access-control systems in commercial buildings, historically with very weak authentication.

BACnet (Building Automation and Control networks) is the dominant communications protocol in commercial building automation. It is standardized as ANSI/ASHRAE 135 and ISO 16484-5 and underlies HVAC, lighting, fire-alarm, energy-management, and access-control systems in office buildings, hospitals, schools, data centers, and large industrial campuses. BACnet defines a layered protocol with multiple data-link options (BACnet/IP over UDP/47808, BACnet MS/TP over RS-485, BACnet/SC over TLS, plus older Ethernet, ARCNET, and LonTalk variants) and an object-oriented model of services and objects (Analog Input/Output, Binary Input/Output, Schedule, Trend Log, etc.). Legacy BACnet/IP has essentially no authentication: any host on the BACnet network can issue Write Property requests, broadcast Who-Is and I-Am, or inject device-control messages. The newer BACnet Secure Connect (BACnet/SC, 2020) runs BACnet over TLS-secured WebSockets and is the recommended path forward. Real-world incidents (including a 2017 ransomware attack on a Finnish heating control system and the 2024 Lviv FrostyGoop case, conceptually similar) routinely abuse weak BACnet posture. Defensive practices include strict VLAN isolation of building-automation networks from IT and OT-NDR coverage tuned for BACnet anomalies.

Defences for BACnet typically combine technical controls and operational practices, as detailed in the full definition above.

Common alternative names include: ASHRAE 135, Building Automation Network.