Scott Ziegenfus, CEM, CLEP, CDSM, GGP, GPCP, LEED AP
Manager, Government and Industry Relations
Hubbell Lighting, Inc.
It is easy to understand that you are under corporate IT management when the building owner/developer talks about the vision of putting all the environmental and building systems on the same IT backbone so that all environmental systems can share data.

Needs IT coordination and buy-in in every phase: design phase, construction phase, startup.
Documentation: IT specifications, network diagrams.

[Diagram: a shared Ethernet backbone connecting Access, Telephone, HVAC, Elevator, Security, Life Safety, Lighting, Water and Internet.]
Corporate IT department / institutional IT department / property management IT department / etc.

What I have seen:
The bigger the networked lighting project, the more involved IT becomes.
IT does not get praised for keeping the network running. "Great job, we all were able to log on today" never happens.
IT gets in trouble when the network is not running, so anything that is unfamiliar or that IT can't control is BAD.
A home Wi-Fi wireless router is not corporate IT.

How corporate IT thinks about this device: the term "Wi-Fi router" is kind of a misnomer. It is actually:
1. Wireless access point (WAP)
2. Layer 2 bridge between IEEE 802.3 (Ethernet) and IEEE 802.11 (Wi-Fi)
3. Layer 2 unmanaged switch
4. Layer 3 router between your ISP and your home LAN
5. DHCP server

Corporate IT handles each part individually.
(Image: South Park Studios)
OSI Model
Networking is made up of 7 operating layers which work together at the same time. Hardware and software are separate, so layers can be mixed and matched, like a dinner menu where you select an appetizer from column A, an entree from column B and a dessert from column C. The OSI model is the basis for every IT department.

7 Application    HTTP, FTP, Telnet
6 Presentation
5 Session
4 Transport      TCP/UDP
3 Network        IP
2 Data (link)    Wi-Fi, Ethernet
1 Physical

Upper layers: software and software addresses. Lower layers: connections and hardware addresses.

Layers 1 to 4: network communications. The medium sending the message, the packaging of the message, and the identification of the message.

Layer          Address       Protocol          Hardware
4 Transport    Ports         TCP/UDP
3 Network      IP address    IP                Router
2 Data (link)  MAC address   Wi-Fi, Ethernet   Switch
1 Physical                                     Cables

Layers 5 to 7: application layers. Message format and message structure (FTP, Telnet, HTTP).

JUST FOR FUN: The True Story of Network Layering, https://www.cs.purdue.edu/homes/dec/essay.network.layers.html
Triggers that CAN put a system under corporate IT management when you did not think it was

The obvious one is using the existing corporate IT equipment like network switches, routers, servers, fiber or copper runs. BUT using ANY part of the existing IT infrastructure may put you under IT, like:
- Using the fiber between buildings: don't think you will be digging your own trench.
- Needing remote access: unless you are setting up your own cellular hotspot, don't assume you can bring in a separate line with your own ISP.
- Wi-Fi for an app: don't assume you can put in your own wireless as a competing network.
- Interconnecting different building systems: connecting to the BMS or Pro AV network already on the corporate intranet puts you on the corporate intranet.
- Cloud access over the internet: SEE REMOTE ACCESS, IT'S THE SAME THING.
Do not assume networked lighting is not under the corporate IT policies.

Example: You were told by the manufacturer to use a server with two Network Interface Cards (NICs) to isolate the lighting network from the corporate intranet, so the only thing corporate IT needs to worry about is the server.

YOU: We only need a Windows server with 2 NICs.
IT: What equipment will be on the corporate network? What are the 2 NICs for?
YOU: They separate the lighting network from your network.
IT: NO THEY DON'T! That would basically bridge the networks! Let's start at the beginning and tell me all about your lighting network!!!
YOU: They don't???? Oh? HUMM?????
Do not assume networked lighting that is not IP is not under the corporate IT policies.

Example: You were told that since it is Zigbee or Bluetooth wireless, or something else that is not IP, it is not under IT policy.

IT: I hear you are using wireless at 2.4 GHz?
YOU: Yes, but it is not Wi-Fi.
IT: What type of wireless protocol is it?
YOU: It follows IEEE 802.15.4 and is AES 128 encrypted.
IT: Is it connected to our intranet?
YOU: Yes, but through a gateway, so you don't have to worry about it.
IT: Now I am more worried than ever!!!!

JUST FOR FUN: A Stick Figure Guide to the Advanced Encryption Standard (AES), http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html
Who are you talking to in the IT department?
Never the same org chart; not all IT departments are created equal. IT departments are like snowflakes, every one is different.
Do you need to talk to multiple people? Are they the right people? Security?
Topics that may each belong to a different person: server needs, cloud and remote access, buying the equipment, physical network.
Design questions for the architect, electrical engineer and lighting designer:
- Do you need to use the corporate Ethernet or Wi-Fi?
- Who provides standard network hardware/cables?
- Meet with IT management if possible; any special policies (security/equipment) should be put in the spec.
- The design group might hold a charrette and invite IT.
- What environmental systems will be operating on the shared network: lighting, BMS, A/V, etc.?
- Placed in Division 23 or 26 or 27 or 25, or all of them?
- Is internet access required?
- Is the system dependent on the network, or on distributed intelligence?
Does the network have to be in place prior to system commissioning?
Is the IT authority on site yet?
Is the system network infrastructure staying separate until the end?
Any network pre-testing requirement?

Does system startup need secure room access?
Installers should meet with IT groups pre-installation: services/applications/network services/security? Active Directory? Admin access for installation of software?

Startup: meet with IT groups during installation: services/applications/network services/security? Remote access for maintenance procedures? Server setup, cloud or local?
A network diagram
Is not a reflected ceiling plan or a one-line. It only shows items relevant to the corporate network: if it has an IP address, it belongs on the diagram.
Should show at least:
- What devices in the lighting system are on the network
- Physical wired or wireless structure (Ethernet, cable type, etc.)
- Hardware types and placement (switch, router, ...)
- Network addressing schema (IPv4, IPv6, Class A, etc.)
- Server types and placement (web server, data, cloud, edge, ...)
- Basic methodology (unicast, multicast, broadcast)
- Protocols used (Ethernet, UDP, PIM, IGMP, CoAP, etc.)
- UI connectivity and placement
- Any additional notes
IT specification or guide
Not installation instructions or product specs. You are not telling IT what you need; you are seeing whether your requirements are allowed by the corporate IT guidelines. Reference only items on the network and the requirements of the connection. They don't care that you have an open or closed loop daylight sensor.
Example: Johnson Controls LIT-1201578

IT specification or guide to hand to IT
Basic network information such as:
- Network architecture overview (multicast, VLAN, etc.)
- Hardware and wiring configuration (physical and data link layers)
- Address configuration (network layer)
- Ports (transport layer)
- PC and/or server requirements
- Protocols used (HTTPS, PIM, Ethernet, etc.)
- Server architecture (N-tier, remote, OS, etc.)
- Access requirements
Security by obscurity is gone for our industry. Products with a microcontroller are not thought to be immune anymore! The Department of Homeland Security puts out weekly lists of found vulnerabilities in software and operating systems (https://www.us-cert.gov). Products from our industry, including PLCs, have made the cut!
All layers are vulnerable

IT: Tell me about your security.
YOU: We use AES 128!
IT: And?
YOU: And what?
IT: That tells me about layers 1 and 2, but what about the other layers or your application? Like, are the passwords just text, hashed, salted?
YOU: Applications? HUMM????

https://www.us-cert.gov/securitypublications/ddos-quick-guide
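The three possible answers to IT's password question, shown side by side as an added example (not from the slides): a record in a lighting server's user table can be the password itself, an unsalted hash, or a salted slow hash. The record format, the iteration count and the classify() heuristic are assumptions for this example.

```python
# Added example, not from the slides: the three answers to IT's question
# "are the passwords just text, hashed, salted?" for a lighting server's
# user table, side by side. The record format is an assumption.
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 200_000  # work factor; raise as hardware gets faster


def store_plaintext(password: str) -> str:
    """Just text: whoever reads the database reads every password."""
    return password


def store_unsalted_hash(password: str) -> str:
    """Hashed: equal passwords give equal records, and one precomputed
    table of common passwords breaks every account at once."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted: per-user random salt plus a slow KDF.
    Assumed record format: pbkdf2$<iterations>$<salt hex>$<digest hex>."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    _, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def classify(record: str) -> str:
    """Rough triage of a record pulled from an existing user table."""
    if record.startswith("pbkdf2$") and record.count("$") == 3:
        return "salted"
    if len(record) == 64 and all(c in "0123456789abcdef" for c in record):
        return "hashed (unsalted)"
    return "plaintext"
```

Two users with the same password get two different salted records, which is the property the unsalted form lacks.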
Ports are the gateway between applications and the transport of data, and the basic mechanism firewalls rely on for allowing or denying network traffic. Make sure ports are in your documentation.
Telnet: port 23
HTTP: port 80
HTTPS: port 443

IT: For your web server, what port do you need open?
YOU: 443 and 80.
IT: We don't allow HTTP, only HTTPS on our network, requiring TLS version 1.1 or later for security.
YOU: OK! 443 it is!
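The exchange above as a repeatable check, added here as an example (not from the slides or any vendor): a lighting server's declared port list is reviewed against a corporate policy that forbids cleartext HTTP and Telnet, requires TLS 1.1 or newer on HTTPS services, and only permits approved UDP ports. The port listing, the policy and the service names are all constructed for this example.

```python
# Added example, not from the slides: checking a lighting server's declared
# ports against the corporate policy from the exchange above (no HTTP, HTTPS
# only, TLS 1.1 or newer). The port listing and the policy are constructed.
from typing import Dict, List

# Constructed: what the lighting vendor's documentation declares.
LIGHTING_SERVER_PORTS: List[dict] = [
    {"service": "Web UI", "port": 80, "proto": "TCP", "app": "HTTP", "tls_min": None},
    {"service": "Web UI", "port": 443, "proto": "TCP", "app": "HTTPS", "tls_min": (1, 2)},
    {"service": "Maintenance shell", "port": 23, "proto": "TCP", "app": "Telnet", "tls_min": None},
    {"service": "Commissioning API", "port": 8443, "proto": "TCP", "app": "HTTPS", "tls_min": (1, 0)},
    {"service": "Fixture control", "port": 5683, "proto": "UDP", "app": "CoAP", "tls_min": None},
]

# Constructed corporate IT policy.
POLICY = {
    "forbidden_apps": {"HTTP", "Telnet"},   # cleartext protocols
    "tls_min": (1, 1),                      # "TLS at least version 1.1"
    "allowed_udp": {5683},                  # IT approved CoAP on the lighting VLAN
}


def check_port(entry: dict, policy: dict) -> List[str]:
    """Findings for one declared port; an empty list means it passes."""
    findings = []
    if entry["app"] in policy["forbidden_apps"]:
        findings.append(f"{entry['app']}/{entry['port']} not allowed; use an encrypted alternative")
    if entry["app"] == "HTTPS":
        tls = entry["tls_min"] or (0, 0)   # no stated minimum counts as failing
        if tls < policy["tls_min"]:
            want = ".".join(map(str, policy["tls_min"]))
            findings.append(f"{entry['service']} on {entry['port']} must require TLS {want} or newer")
    if entry["proto"] == "UDP" and entry["port"] not in policy["allowed_udp"]:
        findings.append(f"UDP/{entry['port']} is not on the approved list")
    return findings


def review(entries: List[dict], policy: dict) -> Dict[int, List[str]]:
    """Port number -> findings, for the whole declared listing."""
    return {e["port"]: check_port(e, policy) for e in entries}


def firewall_request(entries: List[dict], policy: dict) -> List[str]:
    """One documentation line per port to hand to IT: only ports with no findings."""
    ok = [e for e in entries if not check_port(e, policy)]
    return [f"{e['port']}/{e['proto']} {e['app']} ({e['service']})" for e in ok]
```

Ports that fail the review stay out of the firewall request until the vendor documentation, or the product, changes.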
More about IT security procedures than protocols and specifics, meaning they are difficult to add to specifications.
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
- NIST SP 800 Computer Security Publications: computer/cyber/information security guidelines, recommendations and reference materials. http://csrc.nist.gov/publications/pubssps.html
- NIST SP 1800 Cybersecurity Practice Guides: practical, user-friendly guides for the SP 800s. http://csrc.nist.gov/publications/pubssps.html
De facto IT security policy for many sensitive installations. Example: the proposed C137.2 Cybersecurity Requirements for Lighting Systems for Parking Facilities references NIST cybersecurity extensively.
You might be required to have items like:
- Vulnerability assessment: a non-intrusive search for weaknesses/exposures in order to apply a patch or fix to prevent a compromise. GSA requires a vulnerability test for devices connecting to/using their network.
- Penetration testing (pen testing): an authorized simulated attack on hardware connected to a network, with the results reported.
- Hardening document: a document on removing all non-essential programs and utilities and closing all non-essential ports on the device.
UL Cybersecurity Assistance Program (CAP), using the UL 2900 standards. The initial standard was just published in summer 2017.
- 2900-1 General standard (out)
- 2900-2-1 Industrial (coming)
- 2900-2-2 Healthcare (coming)
- 2900-2-3 Life Safety (coming)
Has the potential for easier specification.
1. The earlier you talk to the IT department the better.
2. Don't assume that because you talked to one IT admin you talked to the correct person in IT.
3. Don't dictate, collaborate.
4. The IT department does not care about items not on their network.
5. Don't assume that because you have been told the system, or a part of your system, is separate from the network, IT will agree with you.
6. If they understand the system architecture they can fill the security gaps.
7. Keep the IT department informed along the way.