AutomatedBuildings.com Column - New Cybersecurity Standards for the Internet of Things

As I write this, the Oasis Open Command and Control (OPENC2) specification is going through its final vote. OpenC2 is a communication standard for coordinating responses to cybersecurity attacks without regard to the technology of the device that is responding. In effect, OpenC2 defines Service Oriented Security. The target use of OpenC2 is in the Internet of Things (IoT)

Service Oriented Architectures receive requests to provide a service, rather than the detailed control instructions that typify communications with building systems. OpenADR is a good example, whereby a utility or other energy supplier can request that a building reduce energy usage during a particular window for a price. OpenADR is a profile of OASIS Energy Interoperation that defines the services for coordinating energy supply and consumption. A request for a commercial building to switch to its open hours operating posture might be another service. In OpenC2, the services requested are tied to cybersecurity.

OpenC2 defines a Message that may contain one or more Commands. Each Command is described using an Actuator Profile. Standard Actuator Profiles are defined in the Standard. Custom Actuator Profiles are submitted by users, or by device makers to describe what their system or device can do, and how it will reply. The initial messages are in structured JSON sent over HTTPS—there are already other formats being standardized. The system will be expected to share their Cybersecurity capabilities almost as device drivers are shared today, by exposing Actuator Profiles to those they trust.

The initial Standard Profiles look like firewall commands. The commands are brand agnostic—a stateless packet filter request is the same no matter what brand of firewall router it is sent to. But OpenC2 is intended for the Internet of Things. Already ATT, a committee member, is planning to send OpenC2 commands to hundreds of thousands of devices at one time. A building management system or even a small device can be the target of command as well. The aquarium thermometer that was famously hacked in a Casino a couple of years ago could potentially receive an OpenC2 request as well.

Already there is talk of OpenC2 profiles for Electric Power. Microgrids, storage systems, and generators could all respond to commands using the same Profile. These profiles don’t look like traditional cybersecurity requests but may include protecting systems from hacks on the power itself. (See http://www.newdaedalus.com/articles/2019/6/27/cybersecurity-of-powerresources.html). The network interfaces of these power devices could also respond to firewall requests as well, dropping packets from known dangerous sources.
Future work is adding new message types to OpenC2; they may be requests for polling, or to extend situation awareness from the distributed node back to the center. The one thing that is certain is that some of your biggest customers will require OpenC2 in their purchasing decisions. It is already time to begin watching this standard.

For now, the easiest way to participate is by submitting your own custom profiles to the OpenC2 Repositories. The Custom Actuator Profile library is at https://github.com/oasis-open/openc2-custom-aps. How can your building system participate in cybersecurity?

[an error occurred while processing this directive]
[Click Banner To Learn More]

Events	Want Ads
Our Sponsors	Resources