The Panoptix Building Efficiency Solution: Ensuring a Secure Delivery of Building Efficiency


Understanding the Multiple Levels of Security Built Into the Panoptix Solution

Published: October 2011

Abstract: The Panoptix building efficiency solution leverages the latest technologies to integrate building management systems and building operating systems with security in mind. With guidance from industry-leading security experts, the design and development teams implemented the latest security techniques in developing the Panoptix software and infrastructure to meet the highest security standards. Users can be confident they are receiving a comprehensive view of building performance through a secure delivery mechanism.

Executive Summary

Johnson Controls understands that Panoptix building efficiency solution customers have invested significant time and resources to secure and optimize their own infrastructures. Therefore, the Panoptix solution by Johnson Controls was designed to be secure at every level. This way, when Panoptix customers implement the Panoptix solution, they can be assured that their infrastructure will remain secure and their building data will stay confidential. The platform has been designed to eliminate intruder and virus access points, in addition to other types of attacks. Further, the implementation has been optimized and can be tuned to ensure it has no impact on existing systems.

To enforce these security mandates, numerous levels of quality assurance have been incorporated into the Panoptix platform, infrastructure and applications. The Panoptix solution was built with security in mind from initial design, to software development, to each level of implementation. The design and development teams were trained in the latest security techniques by industry security experts. To ensure that these techniques were successfully implemented, the product has gone through multiple layers of rigorous testing. As an additional precaution, the Panoptix software and infrastructure were externally audited to certify they met the highest security standards.

By eliminating security or performance concerns, the Panoptix solution can be evaluated on its own merits. The Panoptix solution empowers its customers by providing information to make better business decisions that deliver results including:

- Energy consumption reduction
- Operating cost reduction
- Tenant comfort and productivity improvement
- Anywhere building control (future functionality)
- Maintenance cost reduction
- Asset management and tracking improvement
- Equipment running at consistent peak efficiency
- Single, network or worldwide building management

Introduction

The purpose of network security is to protect the network and its component parts from unauthorized access and misuse. Networks are vulnerable because of their inherent characteristic of facilitating remote access, especially when that access is over the Internet. For example, if a hacker desired access to a computer that is not on a network, physical access to the computer itself would be required. However, because networks enable remote access, physical access is no longer required.

Journalists today frequently report accounts involving major corporations whose networks and data have been compromised by security attacks. Therefore, it is vital for any network administrator, regardless of the size and type of network, to implement stringent security policies to prevent potential losses resulting from unauthorized access and misuse.

At Johnson Controls, we take network security very seriously. We understand that opening up communication channels between your facilities and Panoptix data centers creates the potential for risks that require mitigation. Although capturing streaming building data might not offer the immediate benefit to hackers of capturing other data like Social Security or credit card numbers, there is a credibility issue if unauthorized personnel are able to access any information. From the perspective of a company's reputation, a secure network is critical. Johnson Controls leverages its considerable resources and vast experience to mitigate all Panoptix platform security risks.

Panoptix Security

Panoptix security was implemented in all development stages and is embedded in all infrastructure layers to ensure that the network, building automation system (BAS), data transmission and storage are all secure. The implementation techniques are described in the following sections.

Developing Secure Software

The Panoptix solution software includes the platform software in addition to each of the Panoptix applications. To ensure secure software development, two additional steps were added to the process. In the conceptual stage, the architects and lead developer followed industry best practices to ensure that these new security standards were met, and the code also was subjected to an independent third-party vulnerability assessment during the quality assurance process.

Threat Modeling Security

To develop a solid security foundation, the Panoptix architects and developers applied a threat modeling process; this process included:

- Utilizing a Threat Analysis and Modeling Tool from Microsoft.
- Incorporating threat modeling as a security activity in the phases of the Panoptix software development lifecycle.

Vulnerability Assessment

Microsoft was hired to perform a security assessment of the Panoptix software code including both the Panoptix platform and applications. The assessment entailed auditing several million lines of code to identify security vulnerabilities and issues. The experts from the Microsoft InfoSec-ACE team:

- Conducted a line-by-line code review of critical application components to find insecure coding practices, insecure system configurations, insecure cryptography use and insecure platform feature use.
- Utilized tools co-developed at Microsoft InfoSec and Microsoft Research, such as the Code Analysis Tool for .NET, to optimize the search for vulnerabilities such as SQL Injection, unnecessary information disclosure and Cross Site Scripting.
- Analyzed and interpreted the code review process results and provided comprehensive mitigation information.

The expert feedback was successfully implemented. In addition, the findings were explored to develop further training and security strategies. These strategies have been implemented into the Panoptix application development.

Collecting Building Data Securely

Before customers can connect to the Panoptix solution, an adaptor is installed at each site to consolidate and normalize the data coming from each piece of building equipment. It is our intent to mitigate security risks during and after installation with no security impact to the existing network or BASs.

Installation

The installation of the adaptor is quick and easy at each site, requiring a minimal footprint. The adaptor is a small server-class PC located in a secure office or server room and is connected to the network or, if desired, connected as a virtual machine installed on a customer's existing server. Once plugged into the network, the adaptor is configured to collect data from the existing equipment. There is typically no need for additional site access by the installer. The goal is to securely and simply transfer the data out of the building into the Panoptix data center.

Site Security

Implementing adequate security measures for network access is the first step to successfully protect customer data and their network. The Panoptix site security strategy also includes additional security protection against physical access and remote access, including:

- Physical Access Security: The adaptor is as secure as the office or server room that it is located in. However, even if the adaptor PC was stolen, the only impact on the customer is the inconvenience of replacing the adaptor. The adaptor provides limited customer information, with a default 48-hour data cache held in the event of connectivity loss or data corruption. Furthermore, the cache is pre-normalized data, meaning that the information has little context to the casual observer.
- Remote Access Security: To mitigate the risk of remote access, the adaptor has been created to be read-only with one-way outbound communication. There are no command and control capabilities at this time that could provide unauthorized access. To provide future customizations, configuration changes, diagnostics or access to cache data within the adaptor, the Panoptix team would access the adaptor through a Windows secure remote connection. This would require an administrator to physically access the box to grant limited remote access to the Panoptix team on a per-device basis.

Existing System Impact

The Panoptix product was developed to minimize any impact on a client's network or BAS. It was developed with an understanding of the importance of the customers' networks, their data and the primary functions of their BASs. Therefore, its network and BAS interaction is efficient, secure, reliable and tunable to meet the various demands and conditions that are unique to each customer site. Some key considerations include:

- Network impact: Although the amount of the data transferred is dependent on the size and complexity of each site, the data collection interval is defaulted to only occur every 30 minutes. The impact on the internal network and external bandwidth is minimal as long as the network is not running under an extreme load. If necessary, this 30-minute collection interval can be tuned to the needs of the client in order to further minimize the impact.
- BAS impact: The Panoptix system installation should not affect the BAS performance in any way. However, if the software version of the BAS is not supported or the BAS devices are already stressed to capacity, an upgrade might be necessary.

Virus Considerations

Although virus protection within the network is the customer's responsibility, each adaptor box or virtual machine image will be thoroughly screened for existing viruses before it is installed at the site. The boxes can be further locked down to limit access to BASs within the network in order to eliminate unforeseen possibilities.

Connecting to the Panoptix Data Center Securely

Once the adaptors are installed at each site, a connection is made to the Panoptix data center. Once the connection is established between the Panoptix data center and each site, the system can be configured to receive data. The client's account is customized with the Panoptix application modules of choice, and access is granted through the use of a secure browser connection.

Encrypted Data Transport

The adaptor is connected to the Panoptix data center through an encrypted data transport using Secure Sockets Layer (SSL) security certificates. SSL encrypts the segments of network connections above the Transport Layer, using asymmetric cryptography for privacy and a keyed message authentication code for message reliability. This is the same encrypted data transport method used for secure online banking.

Firewall Considerations

Johnson Controls recommends that the adaptor is placed within the firewall for maximum protection. However, for more complex firewall environments, Johnson Controls recommends that the adaptor be placed at an outside edge or DMZ. This ensures that outside access is limited to a single port and that the adaptor has limited access to the internal network.

Open Ports

The Panoptix adaptor implementation only requires standard outbound Web browser-based ports to be open. It uses Port 80 (HTTP) for its initial communication to the Panoptix data center and the secure port 443 (HTTPS/SSL) for all other communications including the data transfer to the Panoptix data center. As standard protocol ports, these two ports are typically already open for other HTTP and HTTPS/SSL implementations. Therefore, for standard Panoptix adaptor operations, no additional external ports are required. Since the Panoptix adaptor only uses outbound communication over these standard ports, external threats to the network are minimized.

Proxy Server Connection Authentication

The Panoptix development team has tested the adaptor to ensure that it works well with all major proxy server implementations. To simplify the setup process, the team developed instructions for the installer to configure the adaptor to enable it to communicate to the Panoptix data center through typical corporate proxy servers.

Connectivity Loss Considerations

In the event of connectivity loss, outage notifications are delivered to the clients. The default cache size for each site is 48 hours, so no data will be lost as long as the connectivity is restored within that time frame or other provisions are made.

Accessing the Panoptix System Securely

Customers access their information through a secure Hypertext Transfer Protocol Secure (HTTPS) browser connection. They are required to authenticate to the Panoptix system by providing their user identification and password. Once authenticated as a valid customer, users gain access to the Panoptix platform and are granted authorization rights based on their user group.

Secured Browser Connection

The client connects to the Panoptix product through a secure browser using the standard HTTPS protocol and a password. HTTPS is a combination of the Hypertext Transfer Protocol (HTTP) with Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocol to provide encrypted communication and secure identification of a network Web server. HTTPS connections are often used for Web payment transactions and for sensitive transactions in corporate information systems. For simplicity, the password protection requirements are set to meet standard levels of protection. However, the requirements can be customized to meet the needs of more secure environments.
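
An added example, not part of the Johnson Controls paper: one way a site administrator could check the Open Ports description above (outbound only, port 80 for initial contact, port 443 for everything else) against perimeter firewall flow records. The addresses, the CSV layout and the 64 KiB limit on port-80 traffic are assumptions made for illustration.

```python
"""Audit perimeter flow records for an adaptor host against the documented
profile: outbound-only, TCP 80 for initial contact, TCP 443 for all else."""
import csv
import io

ADAPTOR_IP = "10.20.30.40"      # constructed address for the adaptor
ALLOWED_PORTS = {80, 443}       # the only ports the paper says are required
HTTP_BYTES_LIMIT = 64 * 1024    # assumption: port 80 carries only a small initial exchange

# Constructed sample: one row per connection, src is the initiating side.
SAMPLE_FLOWS = """\
ts,src,dst,proto,dport,bytes
2011-10-03T08:00:01,10.20.30.40,198.51.100.10,tcp,80,1840
2011-10-03T08:00:02,10.20.30.40,198.51.100.10,tcp,443,52311
2011-10-03T08:15:44,10.20.30.99,198.51.100.10,tcp,443,7100
2011-10-03T08:30:02,10.20.30.40,198.51.100.10,tcp,443,49870
2011-10-03T08:41:17,203.0.113.77,10.20.30.40,tcp,3389,620
2011-10-03T09:00:02,10.20.30.40,198.51.100.10,tcp,80,91022
2011-10-03T09:12:40,10.20.30.40,203.0.113.5,udp,53,120
"""


def load_flows(text):
    """Parse CSV flow records into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(flows, adaptor=ADAPTOR_IP, http_limit=HTTP_BYTES_LIMIT):
    """Return (rule, timestamp, detail) for each deviation from the profile."""
    findings = []
    http_bytes = 0
    bulk_flagged = False
    for f in flows:
        dport, nbytes = int(f["dport"]), int(f["bytes"])
        peer = f"{f['src']} -> {f['dst']}:{dport}/{f['proto']}"
        if f["dst"] == adaptor:
            # The adaptor is described as one-way outbound; nothing from
            # outside should be opening connections to it.
            findings.append(("inbound-connection", f["ts"], peer))
        elif f["src"] != adaptor:
            continue  # another host's traffic, out of scope
        elif f["proto"] != "tcp" or dport not in ALLOWED_PORTS:
            findings.append(("unexpected-egress-port", f["ts"], peer))
        elif dport == 80:
            # Data transfer belongs on 443; sustained volume on 80 means
            # building data may be leaving the site unencrypted.
            http_bytes += nbytes
            if http_bytes > http_limit and not bulk_flagged:
                bulk_flagged = True
                findings.append(("bulk-data-over-http", f["ts"],
                                 f"{http_bytes} bytes cumulative on port 80"))
    return findings


if __name__ == "__main__":
    for rule, ts, detail in audit(load_flows(SAMPLE_FLOWS)):
        print(f"{ts}  {rule:24s} {detail}")
```
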

Granular User Permissions

Once connected, users can access their assigned functionality based on their associated user group. For example, administrators have access to complete functionality and the ability to modify the configuration. A base user might be limited to read-only access and a limited application subset that they are given permission to see. The user groups can be built as desired by the customer to provide the required granularity. However, each user has the ability to create their own dashboard to customize how the data is presented to them.

Federated Security Model

To simplify identity management, the Panoptix solution will provide a federated security model in future versions to remove Johnson Controls from the authentication process. This will enable companies that support identity management systems to eliminate another layer of risk and simplify access management. Through the federated model, the customer's existing identity management system, such as Active Directory, would handle access management through its authentication processes. This will provide access to pre-existing user groups and their associated security levels. The customer authentication process will provide the Panoptix product with the appropriate security token. This enables user access with the correct associated privileges.

Performance

Johnson Controls has built the Panoptix solution to provide a quick and responsive user experience. The adaptor has default upload timing in 30-minute intervals to provide useful and timely data. This data interval can be tuned for customers to optimize their needs for timely data while addressing their concerns for internal network impact.

Maintaining Data Center Security

To ensure maximum security, Johnson Controls is partnering with an established hosting company with a proven track record and a state-of-the-art facility. Within this facility, Johnson Controls has a private network with its own hardware that makes up the Panoptix data centers. The partner manages the hardware per a service agreement with Johnson Controls. In order to maintain maximum security, Johnson Controls conducts an ongoing third-party security assessment to track its security effectiveness.

Ongoing Panoptix Data Center Security Assessment

To ensure that our data center hosting partner's security meets the highest standards, a well-known security analysis firm performed a third-party SAS-70, Level 2 assessment. While a Level 1 assessment confirms that the proper security controls are in place, the Level 2 assessment consistently monitors the data center to ensure that the policies are enforced. The SAS-70 assessment was defined on the SAS-70 website as:

Statement on Auditing Standards (SAS) No. 70, Service Organizations, is a widely recognized auditing standard developed by the American Institute of Certified Public Accountants (AICPA). A service auditor's examination performed in accordance with SAS No. 70 (also commonly referred to as a "SAS 70 Audit") is widely recognized, because it represents that a service organization has been through an in-depth audit of their control objectives and control activities, which often include controls over information technology and related processes. In today's global economy, service organizations or service providers must demonstrate that they have adequate controls and safeguards when they host or process data belonging to their customers. In addition, the requirements of Section 404 of the Sarbanes-Oxley Act of 2002 make SAS 70 audit reports even more important to the process of reporting on the effectiveness of internal control over financial reporting.

To summarize the auditor's findings, the hosting partner's controls were designed to provide reasonable assurance that the security objectives would be achieved. The auditor will continue to monitor to ensure ongoing enforcement.

Multi-tenant Environment

The Panoptix data center equipment is segregated from Johnson Controls' hosting partner's other customers. While the Panoptix system collects data from all customers, each customer only has access to his or her own data. Standard data security mechanisms are used to isolate the data of one customer from another.

Software as a Service

As a hosted service, the Panoptix system reduces the economic and infrastructure impact to the customer. This type of service is often referred to as a cloud solution. The Panoptix system is similar to a cloud service because it is:

- Hosted remotely: It is located outside of a customer's data center.
- Managed independently: Server instances are managed behind the scenes without requiring customer involvement.
- Changed transparently: Upgrades and changes are made transparently and require no work from the customer.

However, to maximize security, the Panoptix solution is:

- Non-dynamic: Servers are not spun up dynamically to manage the load, providing controlled separation between tenants.
- Private hardware: Johnson Controls owns the hardware at the data center in order to isolate customers from the host.

Securing Customer Data

With the Panoptix infrastructure secure, securing customer data is dependent on the Panoptix internal policy and the customer service level agreement. The three most important considerations for customer data security are:

- Internal access to customer data at Johnson Controls.
- External third-party access to customer data.
- Johnson Controls customer data usage policies.

Panoptix Staff Access

As a matter of policy, unless otherwise defined in a service-level agreement, access to Panoptix customer data is limited to a few system administrators. This access is required by the administrators to manage the system.

Third-party Access

As an open platform, Johnson Controls will encourage third parties to create software that uses the data collected by the Panoptix platform. This will open up the data to the third party. However, no third party will ever be given access to customer data without that customer's permission.

Johnson Controls Customer Data Usage Policies

Given the level of detail that the Panoptix product provides on individual customer equipment status, performance statistics and equipment needs, the potential for misuse is addressed in the following ways:

- Sharing customer data: It is Johnson Controls' policy to never share customer data with partners. No third party will be given access to customer data without customer permission.
- Selling customer data: It is Johnson Controls' policy to never sell customer data. No third party will be given access to customer data without customer permission.

Conclusion

The Panoptix solution unlocks possibilities for building efficiency management by providing customers with access to the big picture through multiple site data consolidation and normalization. By applying analytics to this normalized information, predictive events for the whole portfolio can be prioritized into reports. These reports help customers simplify budget planning, optimize equipment maintenance and prioritize efficiency projects for optimal return on investment. Expert and community guidance ensures that customers get the maximum value out of their smart building investment. With the resources that Johnson Controls has invested into securing the Panoptix solution, customers can be assured that the Panoptix platform remains a secure environment for their data.

Additional Information

To get started today, or for more information, contact Johnson Controls at (414) 524-1200 or panoptix@jci.com. Alternatively, please visit us online at: www.johnsoncontrols.com/panoptix

Active Directory, Microsoft and Windows are registered trademarks of Microsoft Corporation.