Lighting & IT Collaboration: “when lighting is living on or connected to the corporate intranet”

May 10th, 2017 2:00PM – 3:00PM

Scott Ziegenfus, CEM, CLEP, CDSM, GGP, GPCP, LEED AP

Code: L17IT04

Lighting & IT Collaborationresources.hubbelllighting.com/newsroom/wp-content/uploads/2017/05/LFI... · Lighting & IT Collaboration ... software are separate •Mix and match Layers


GOALS

Learning how to ease IT concerns when networked lighting wants to use existing infrastructure, remote access, servers, real estate and equipment under IT governance.

1. Provide a background and understanding of IT responsibilities and the segmentation of those responsibilities within IT departments, along with the varying levels of capabilities.

2. Introduce clear and general guidelines of when and what parts of network lighting could be under the administration, management and policies of the institution's IT department.

3. Present rules of thumb for scheduling IT engagement with different IT sectors (infrastructure, security, servers, etc.), aligning to the network lighting specification and installation timeline.

4. Gain an understanding of the possible cybersecurity repercussions of adding network lighting, and pointers on how to make that conversation upfront and easier.


Agenda

• Difference between your home IT and corporate IT.

• Some very basic background you need to know, and why IT is so confusing: THE OSI MODEL.

• When might you be under Corporate IT policy?

• When should you think about IT on a project?

• What documentation should you have?

• What about Cybersecurity?


Why IT Coordination?

It is easy to understand you are under corporate IT management when the building owner/developer talks about the vision of putting all the environmental and building systems on the same IT backbone so all environmental systems can share the data.

• Needs IT coordination and buy-in

– Design phase

– Construction phase

– Startup

• Documentation

– IT specifications

– Network Diagrams

[Figure: building systems (Internet, telephone, security, life safety, access, elevator, water, lighting, HVAC) connected to a shared Ethernet backbone]


IT Motivation

• Corporate IT Department

• Institutional IT Department

• Property Management IT Department

• “What I have seen”

– The bigger the networked lighting project the more involved IT becomes.

– IT does not get praised for keeping the network running. “Great job, we all were able to log on today.” Never happens.

– IT gets in trouble when it is not running, so anything that is unfamiliar or that they can’t control is BAD


Not your Home Wi-Fi Router

• Home Wi-Fi wireless router is not corporate IT.

• How Corporate IT thinks about this device

– “The term Wi-Fi router is kind of a misnomer; actually it's”:

1. Wireless access point (WAP)

2. Layer 2 bridge between IEEE 802.3 (Ethernet) and IEEE 802.11 (Wi-Fi)

3. Layer 2 unmanaged switch

4. Layer 3 router between your ISP and Home LAN

5. DHCP server

• Corporate IT handles each part individually

[Image: South Park Studios]


How Corporate IT thinks

• OSI Model

– Networking is made up of 7 operating layers which work together and at the same time

– Hardware and software are separate

• Mix and match Layers

– The OSI model is the basis for every IT department

[Figure: the OSI layers, 7 to 1 (7 Application, 6 Presentation, 5 Session, 4 Transport, 3 Network, 2 Data, 1 Physical), labelled "Software and Software Addresses" and "Connections and Hardware Addresses", with example protocols Telnet, FTP, HTTP, TCP/UDP, IP, Ethernet and Wi-Fi]

Like a dinner menu where you can select Appetizer from column A, Entree from column B, Dessert from column C


How Corporate IT thinks

• Layers 1 to 4 – network communications

– Medium sending the message

– Packaging of the message

– Identifying the message

• Layers 5 to 7 – application layers

– Message format

– Message structure

[Figure: OSI layers 1 Physical to 7 Application with example protocols (Telnet, FTP, HTTP, TCP/UDP, IP, Ethernet, Wi-Fi) alongside the labels MAC Address, IP Address, Ports, switch, cables and router]

JUST FOR FUN “The True Story Of Network layering” https://www.cs.purdue.edu/homes/dec/essay.network.layers.html


When is Your Network Under IT?

• Triggers that CAN put YOU under corporate IT management when you did not think you were

1. The obvious is when using the existing corporate IT equipment like network switches, routers, servers, fiber or copper runs, BUT using ANY part of the existing IT infrastructure may put you under IT, like:

a) Using the fiber between buildings

i. Don’t think you will be digging your own trench

b) Needing Remote Access.

i. Unless you are setting up your own cellular hotspot

ii. Don’t assume you can bring in a separate line with your own ISP

c) WiFi for app.

i. Don’t assume you can put in your own wireless as a competing network

d) Interconnecting different building systems

i. Connecting to the BMS or ProAV network already on the corporate intranet puts you on the corporate intranet.

e) Cloud access over the internet

i. SEE REMOTE ACCESS, IT’S THE SAME THING


Don’t assume with IT Management

• Do not assume network lighting is not under the corporate IT policies.

• Example: You were told by the manufacturer to use a server with two Network Interface Cards (NICs) to isolate the lighting network from the corporate intranet. The only thing corporate IT needs to worry about is the server.

IT: What equipment will be on the corporate network? What are the 2 NICs for? NO THEY DON’T! That would basically bridge the networks! Let's start at the beginning and tell me all about your lighting network!!!

YOU: We only need a Windows server with 2 NICs. They separate the lighting network from your network. They don’t???? Oh? HUMM?????


Don’t assume with IT Management

• Do not assume network lighting that is not IP is not under the corporate IT policies.

• Example: You were told that since it is Thread or Zigbee or Bluetooth or other, it is not under IT policy.

IT: I hear you are using wireless at 2.4 GHz? What type of wireless protocol is it? Is it connected to our intranet? Now I am more worried than ever!!!!

YOU: Yes, but it is _______ and not Wi-Fi. It follows IEEE 802.15.4 and is AES 128 encrypted. Yes, but through a gateway so you don't have to worry about it.

JUST FOR FUN “A Stick Figure Guide to the Advanced Encryption Standard (AES)” http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html


Meeting with IT

• Who are you talking to in the IT department?

• Never the same org chart, Not all IT departments are created equal.

• Do you need to talk to multiple people?

• Is it the right people?

[Figure: people in the IT department, labelled: server needs; cloud and remote access; physical network; buying your equipment; security?]

IT departments are like snowflakes: every one is different


Design Phase

• Do you need to use the corporate Ethernet or Wi-Fi?

• Who provides standard network Hardware/cables?

• Meet with IT management if possible: should any special policies (security/equipment) be put in the spec?

[Figure: lighting designer, architect, electrical engineer]


Design Phase

• Who else will be operating on the shared network, Environmental Systems, A/V, etc?

• Placed in Division 26 or 27 or 25 or all?

• Is outside Internet access required?

• Is the lighting system dependent on the network?

[Figure: lighting designer, architect, electrical engineer]


Pre Installation phase

• Does the network have to be in place prior to system commission?

• Is the IT authority on site yet?

• Is the Lighting network infrastructure staying separate until the end?

• Any Network pre-testing requirement?


Pre Installation phase

• Do you need secure room access?

• Meet with IT groups pre-installation: Services/Applications/Network Services/Security?

• Active Directory?

• Admin access?


Post Installation phase

• Meet with IT groups during installation: Services/Applications/Network Services/Security?

• Remote access for maintenance procedure?

• Server setup, cloud or local?


Documentation

• A Network Diagram

– Is not a reflected ceiling plan, or one-line

– Only showing Items relevant to the Corporate network

– If it has an IP address

– Should show at least:

• What devices in the lighting system are on the network

• Physical wired or wireless structure (Ethernet, Cable type, etc.)

• Hardware types and placement (switch, router, …)

• Network addressing schema (IPv4, IPv6, Class A, etc…)

• Server types and placement (webserver, data, cloud, edge..)

• Basic methodology (unicast, multicast, broadcast)

• Protocols used (Ethernet, UDP, PIM, IGMP, CoAP, etc.)

• UI connectivity and placement

• Any additional notes


Network Diagram Example


Documentation

• IT specification or Guide

– Not installation instructions or product specs

– You are not telling IT what you need but seeing if your requirements are allowed by the corporate IT guidelines.

– Only referencing items on the network and the requirements of the connection.

• They don’t care that you have an open or closed loop daylight sensor.

Johnson Controls LIT-1201578


Documentation

• IT Specification or Guide to hand to IT

– Basic network information such as:

• Network Architecture overview (multicast, VLAN, etc.)

• Hardware and wiring configuration (physical and datalink layer)

• Address Configuration (network layer)

• Ports (Transport layer)

• PC and/or server requirements

• Protocols used (HTTPS, PIM, Ethernet, etc.)

• Server Architecture (N-Tier, Remote, OS, etc.)

• Access Requirements


Security

• “Security by Obscurity” is gone for our industry.

• Products with a microcontroller are not thought to be immune anymore!

• The Department of Homeland Security publishes weekly the vulnerabilities found in software and operating systems: https://www.us-cert.gov

• Products from our industry including PLCs have made the cut!


Ports

• Ports are the Gateway between Applications and transport of Data.

• Basic mechanism firewalls rely on for allowing or denying network traffic.

• Make sure ports are on your documentation

[Figure: protocol stack showing Telnet on port 23, HTTPS on port 443 and HTTP on port 80, over TCP/UDP, IP, and Ethernet/Wi-Fi]

IT: For your web server, what port do you need open? We don’t allow HTTP, only HTTPS, on our network, requiring TLS at least Version 1.1 security. OK!

YOU: 443 or 80. 443 it is!
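
The Documentation and Ports slides describe handing IT a specification and finding out whether it fits their policy. As an added example (not part of the original presentation), this Python check reviews a constructed specification against a constructed policy; the device names, addresses and the Telnet rule are assumptions, while the HTTPS-only and TLS 1.1 minimum rules are the ones IT states in the dialogue above.

```python
import ipaddress

# Constructed policy. "HTTPS only, TLS 1.1 or later" is the rule IT states on the
# Ports slide; the Telnet ban and the corporate address range are assumptions.
POLICY = {
    "corporate_net": ipaddress.ip_network("10.20.0.0/16"),
    "cleartext_ports": {80: "HTTP", 23: "Telnet"},
    "min_tls": (1, 1),
}

# Constructed IT-specification entries for a hypothetical lighting system.
SPEC = [
    {"device": "lighting-server",
     "interfaces": ["10.20.5.10/24", "192.168.50.1/24"],  # the "2 NICs" case
     "listen": [{"port": 443, "tls": "1.2"}, {"port": 80}]},
    {"device": "wireless-gateway",
     "interfaces": ["10.20.5.11/24"],
     "listen": [{"port": 443, "tls": "1.0"}, {"port": 23}]},
    {"device": "area-controller",
     "interfaces": ["192.168.50.20/24"],
     "listen": [{"port": 80}]},
]

def review_spec(spec, policy):
    """Return (device, finding) pairs IT would raise before allowing the connection."""
    findings = []
    for dev in spec:
        addrs = [ipaddress.ip_interface(i).ip for i in dev["interfaces"]]
        on_corp = [a in policy["corporate_net"] for a in addrs]
        if not any(on_corp):
            continue  # not on the corporate network, so outside this review
        if not all(on_corp):
            # One leg on each network: the host can forward between them.
            findings.append((dev["device"], "dual-homed"))
        for svc in dev["listen"]:
            port = svc["port"]
            if port in policy["cleartext_ports"]:
                findings.append((dev["device"], f"cleartext:{port}"))
            elif "tls" not in svc:
                findings.append((dev["device"], f"tls-undocumented:{port}"))
            elif tuple(int(p) for p in svc["tls"].split(".")) < policy["min_tls"]:
                findings.append((dev["device"], f"tls-too-old:{port}"))
    return findings

if __name__ == "__main__":
    for device, finding in review_spec(SPEC, POLICY):
        print(f"{device}: {finding}")
```

The area controller produces no finding of its own because it has no corporate address; it is reachable only through the dual-homed server, which is the finding IT would want explained first.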


NIST Cyber Security Framework

– More about IT security procedures than protocols and specifics

• Meaning difficult to add to specifications

• https://www.nist.gov/cyberframework

– NIST 800 Computer Security Publications

• computer/cyber/information security guidelines, recommendations and reference materials

• http://csrc.nist.gov/publications/PubsSPs.html

– NIST 1800 NIST Cybersecurity Practice Guides

• practical, user-friendly guides for SP 800s

• http://csrc.nist.gov/publications/PubsSPs.html

– De facto IT security policy for many sensitive installations

• Example: C137.2 proposed Cybersecurity Requirements for Lighting Systems for Parking Facilities references NIST Cybersecurity extensively


Other Security Items

• Penetration Testing

– An authorized simulated attack on hardware connected to a network, with the results reported

– GSA

• Highly Adaptive Cybersecurity Service (HACS) offers Special Item Numbers (SINs) for this testing

• Hardening Document

– Document on removing all non-essential programs and utilities and closing all non-essential ports from the device


Other Security Items

• UL Cybersecurity Assistance Program (CAP)

– Using UL 2900 standards

– Is in development NOW

– Has the potential for easier specification


Conclusion

• It is not for IT to work within your requirements but for you to work within theirs!

• Meet with IT in all phases of Design, Installation, and Commissioning!

• Documentation needs to be direct, complete, and concise, addressing IT policy needs and not the lighting!

• Cyber Security is never perfect but the more information IT has the more they can plan to fill the gaps!


Questions

Scott Ziegenfus CEM, CLEP, CDSM, GGP, GPCP, LEED AP

Manager, Government and Industry Relations

Hubbell Lighting, Inc.

701 Millennium Blvd.

Greenville, SC 29607

m: 484.225.6345



Please remember to complete the course evaluations.

Thank you.