On December 31, 2024, ASHRAE officially published ANSI/ASHRAE 135-2024, the latest revision of the BACnet standard. Coleman Brumley, Chair of SSPC 135, announced the release, which rolls up 17 addenda to the previous 2020 edition into a single updated document. For anyone managing a building automation system or planning a controls upgrade, this is worth understanding. The changes are not cosmetic. They address cybersecurity, interoperability, and data modeling in ways that will affect how BAS systems are specified, installed, and maintained going forward.
BACnet by the Numbers
BACnet is now specified in more than 60 percent of building automation projects globally, according to industry analysis from Memoori Research. More than 25 million BACnet devices have been deployed worldwide. The BACnet Building Management System market was projected to reach $17.01 billion in 2025, with a compound annual growth rate of 3.3 percent. These are not niche numbers. BACnet is the dominant open protocol in commercial building automation, and changes to the standard ripple through the entire industry.
The standard itself is substantial: ANSI/ASHRAE 135-2024 is approximately 1,400 pages defining every aspect of how BACnet devices communicate. It is published by the American Society of Heating, Refrigerating and Air-Conditioning Engineers and recognized as an ISO standard (EN ISO 16484-5), a European standard, and a national standard in numerous countries.
What Changed in 135-2024
The 17 addenda in this revision cover a range of updates. The most significant for building owners and integrators fall into three categories.
BACnet/SC certificate management. BACnet Secure Connect (BACnet/SC) was first introduced in the 2020 edition as a new data link layer designed to address the longstanding cybersecurity gap in traditional BACnet/IP. The 2024 edition significantly expands the BACnet/SC specification with new capabilities for certificate management, including a Certificate Authority Requirements Interchange File Format. This matters because BACnet/SC uses TLS 1.3 encryption and WebSocket connections, which require proper certificate infrastructure. The 2024 edition provides standardized methods for configuring and managing those certificates, which was a practical barrier to BACnet/SC adoption in the field.
Device proxying and authorization. New provisions for device proxying allow one BACnet device to act on behalf of another, which has implications for cloud-connected systems and edge computing architectures. Updated authentication and authorization capabilities strengthen the framework for controlling which devices and users can access which data and commands on a BACnet network.
Color object concepts and MS/TP modernization. New Color Object types support advanced lighting control applications where BACnet manages tunable white and color-changing LED fixtures. The standard also modernizes the language defining BACnet MS/TP, the two-wire serial protocol still widely used for field-level device communication.
BACnet/SC: Why Cybersecurity Matters Now
Traditional BACnet/IP transmits data without encryption. On a properly segmented building network, this was considered acceptable for decades. That calculation has changed as BAS systems connect to enterprise IT networks, cloud platforms, and remote access services.
BACnet/SC addresses this by running BACnet communication over encrypted WebSocket connections using TLS 1.3. The topology is hub-and-spoke: a centralized hub (with an optional failover hub) connects to multiple BACnet/SC nodes. Nodes can also establish direct peer connections within the same network.
The practical challenge with BACnet/SC has been implementation complexity. BACnet/SC requires credential configuration and relies on third-party libraries for WebSocket, TLS, and cipher suite support. The 2024 standard's expanded certificate management provisions are a direct response to this challenge, giving manufacturers and integrators standardized tools for handling the certificate lifecycle.
For building owners, the takeaway is this: BACnet/SC is no longer a future concept. It is a defined, published standard with growing manufacturer support. If you are planning a controls upgrade or new installation, ask your integrator about BACnet/SC readiness. The transition will not happen overnight, but the direction is clear.
ASHRAE 223P: The Next Piece of the Puzzle
While 135-2024 addresses how devices communicate, a parallel ASHRAE effort called Standard 223P addresses what the data means. ASHRAE has been working alongside Project Haystack and The Brick Initiative since 2018 to develop a unified semantic tagging standard for building data.
The goal of 223P is to create machine-readable semantic models that allow software applications to automatically understand the meaning and context of building data. Instead of a human manually mapping point names to functions (this analog input is the supply air temperature for AHU-1), a 223P-compliant system would include that semantic context as metadata.
The practical applications include automated fault detection and diagnostics, digital twin modeling, automated commissioning verification, and better analytics. The U.S. Department of Energy has funded research at NIST, NREL, and LBNL to support the standard's development, with a project term running through September 2025.
223P is not yet finalized, but it is worth tracking. When it reaches publication, it will change how BAS data is structured and shared, particularly for buildings that want to use advanced analytics or participate in grid-interactive building programs.
What This Means for Your Next Controls Project
If you are specifying a new BAS installation or planning a major upgrade, the 135-2024 publication has several practical implications.
Specify BACnet/SC capability. Even if your current network does not require encrypted communication, specifying controllers and supervisory platforms that support BACnet/SC protects your investment. Retrofitting cybersecurity onto a system that does not support it is significantly more expensive than building it in from the start.
Ask about BTL certification. The BACnet Testing Laboratories (BTL) certification program verifies that devices conform to the standard. However, even BTL-certified devices may not support all optional services and objects. Ask specifically which BACnet services your devices support, particularly if you are integrating equipment from multiple manufacturers.
Plan for semantic data. If you are building a new system, consider adopting a tagging convention now, even before 223P is finalized. Project Haystack tagging is widely supported in Niagara N4 and other platforms. Investing in consistent, meaningful point naming and tagging today will make it significantly easier to take advantage of 223P-compliant tools when they arrive.
Verify interoperability before installation. BACnet is an open standard, but interoperability is not automatic. The standard supports multiple protocol variants (BACnet/IP, BACnet MS/TP, BACnet/SC), and devices on different variants require routers to communicate. Device instance conflicts, point mapping discrepancies, and missing sequences of operations are common integration problems that a pre-installation coordination meeting between the controls contractor and equipment manufacturers can prevent entirely.
The BACnet standard continues to evolve to meet the demands of modern building operations: cybersecurity, data interoperability, and integration with IT infrastructure. ANSI/ASHRAE 135-2024 is a meaningful step in that evolution, and building owners who understand what it contains will make better decisions when it is time to invest in their controls infrastructure.