Subject: RE: [energyinterop] RE: Initial Port of OpenADR to EnergyInterop
Hi Toby, from a security perspective, I totally agree with you. But, then again, words like “firewall off” have specific connotations relating to IP firewalls. The main questions are: are we getting that deep in the protocol stack? Are you simply suggesting that each building should have a firewall? If so, then we will also have to address DMZ, Green Zone, and LAN, i.e. not all firewall solutions comprise one [logical] box or one boundary. Personally, if ESI is essentially a firewall, then it should be called a firewall or even a Security Zone where only specific access is granted to specific interfaces based on specific actors.

With kind regards,

********************************
Michel Kohanim, C.E.O
Universal Devices, Inc.
(p) 818.631.0333
(f) 818.708.0755
http://www.universal-devices.com
********************************

From: Considine, Toby (Campus Services IT) [mailto:Toby.Considine@unc.edu]

I’m not sure I lump them onto one box. They are a penetration of the firewall around building systems.
They can be used to induce changes in energy using systems or corporate purchasing behavior, so they all have a specific set of security requirements. These requirements all apply to energyinterop. Now whether the ESI is for an entire neighborhood as in some HAN implementations or for one per floor of a commercial building is something else. My personal preference is that we firewall off the home/office/industry from direct access/control by third parties in general, utilities in specific:

- Utilities do not know enough about building systems.
- I do not assume that the equipment manufacturers will make the [refrigerator] secure enough to be placed on the grid.
- There should always be the opportunity for the enterprise (or home) in the middle.
- Even the Home-based PEV should be able to check the little league schedule before responding to DR…

Especially when most things will be legacy for some time, I have to assume that the EMS will be unsecured, preferably kept on a private network, and instructed by the ESI… Now if in some future new-installation world, it makes sense to bolt an ESI on the outside of the EMS, that also is fine.

tc

"A man should never be ashamed to own that he has been in the wrong, which is but saying ... that he is wiser today than yesterday." -- Jonathan Swift
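The two messages above describe the ESI as a security zone between third parties and the EMS: specific actors are granted access only to specific interfaces, no outside party gets direct control, the enterprise in the middle decides what the facility actually does, and the EMS sits on a private network taking instructions only from the ESI. The following Python sketch is added here to illustrate that model; it is not code from any participant in this thread, from OpenADR, or from the energyinterop draft. The interface names follow Toby's list later in the thread (Market Operations, Curtailment, Verification, Proxy for Direct Control); the actor roles, message fields, the "verified" flag standing in for a real credential check, and the local policy values are assumptions made for the example.

```python
"""ESI as a security zone between third parties and the EMS (added example).

The gateway authenticates the external actor, allows only specific actors on
specific interfaces (default deny), never exposes direct control, and turns
an accepted curtailment request into an internal EMS instruction under the
facility's own policy.  Roles, message fields and policy values are assumed
for this illustration; they are not from OpenADR or the energyinterop draft.
"""
import json
from dataclasses import dataclass, field
from enum import Enum
from typing import List, Optional


class Interface(Enum):
    MARKET_OPERATIONS = "market_operations"
    CURTAILMENT = "curtailment"
    VERIFICATION = "verification"
    DIRECT_CONTROL = "direct_control"   # exists internally, never offered outside


# Assumed access policy: which verified external role may use which interface.
# DIRECT_CONTROL is deliberately absent, so no third party can reach it.
ACCESS_POLICY = {
    Interface.MARKET_OPERATIONS: {"market_operations_service"},
    Interface.CURTAILMENT: {"utility_dr_service"},
    Interface.VERIFICATION: {"verification_service"},
}

# Assumed facility-side constraints: the "enterprise in the middle" decides
# how much of a curtailment request actually reaches the EMS.
LOCAL_POLICY = {"max_shed_kw": 200, "blackout_hours": [(17, 20)]}


@dataclass
class Decision:
    allowed: bool
    reason: str
    ems_instruction: Optional[dict] = None   # sent on the private EMS network
    audit: List[str] = field(default_factory=list)


def authenticate(msg: dict) -> Optional[str]:
    """Stand-in for a real credential check (e.g. a mutual-TLS client identity
    mapped to a role).  The sample messages carry a pre-verified flag; a real
    gateway would verify the credential itself.  Assumption for the example."""
    ident = msg.get("actor")
    if not isinstance(ident, dict) or not ident.get("verified") or not ident.get("role"):
        return None
    return ident["role"]


def esi_handle(raw: str, hour: int) -> Decision:
    """Parse, authenticate, authorize per interface, then translate into an
    internal instruction.  The external protocol never reaches the EMS."""
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return Decision(False, "malformed message")
    role = authenticate(msg)
    if role is None:
        return Decision(False, "unauthenticated actor")
    try:
        iface = Interface(msg.get("interface"))
    except ValueError:
        return Decision(False, "unknown interface")
    if role not in ACCESS_POLICY.get(iface, set()):
        return Decision(False, f"{role} not permitted on {iface.value}")

    audit = [f"accepted {iface.value} from {role}"]
    if iface is Interface.CURTAILMENT:
        requested = int(msg.get("shed_kw", 0))
        for start, end in LOCAL_POLICY["blackout_hours"]:
            if start <= hour < end:
                audit.append("local policy: blackout window, nothing sent to EMS")
                return Decision(True, "acknowledged, no shed", None, audit)
        granted = min(requested, LOCAL_POLICY["max_shed_kw"])
        if granted < requested:
            audit.append(f"local policy: clamped {requested} kW to {granted} kW")
        return Decision(True, "curtailment scheduled",
                        {"target": "ems", "action": "shed_load", "kw": granted}, audit)
    if iface is Interface.MARKET_OPERATIONS:
        return Decision(True, "price signal accepted",
                        {"target": "ems", "action": "update_price", "price": msg.get("price")}, audit)
    # VERIFICATION is answered from the ESI's own records; the EMS is not touched.
    return Decision(True, "verification request logged", None, audit)


def _sample(interface, role, verified=True, **fields):
    return json.dumps({"interface": interface, "actor": {"role": role, "verified": verified}, **fields})


# Constructed sample messages as they might arrive at the ESI from outside.
SAMPLES = {
    "utility_shed": _sample("curtailment", "utility_dr_service", shed_kw=500),
    "utility_direct": _sample("direct_control", "utility_dr_service", setpoint=72),
    "market_price": _sample("market_operations", "market_operations_service", price=0.31),
    "verify": _sample("verification", "verification_service", event_id="evt-1"),
    "spoofed": _sample("curtailment", "utility_dr_service", verified=False, shed_kw=50),
    "bogus": _sample("telnet", "utility_dr_service"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        d = esi_handle(raw, hour=14)
        print(f"{name:14} allowed={d.allowed!s:5} {d.reason}; to EMS: {d.ems_instruction}")
```

The point of the shape is that the outside vocabulary (interface names, shed requests, price signals) stops at the ESI: the only thing that crosses onto the private network is an instruction the facility itself composed, and a request for direct control fails the default-deny table before any translation happens. In a real deployment the "verified" flag would be replaced by the gateway's own credential check, and the audit list would go to the facility's log rather than a Python list.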
From: Michel Kohanim [mailto:michel@universal-devices.com]

Toby, this is excellent information. Now, my question is: why should we lump the “interfaces” that the facility uses to interact with the outside world all into a BOX called ESI? If they are interfaces, they should be treated as such with appropriate actors … i.e. Market Operations Interface, actors: Market Operations Service, Facility EMS/Manager, etc.

Thank you.

********************************
Michel Kohanim, C.E.O
Universal Devices, Inc.
(p) 818.631.0333
(f) 818.708.0755
http://www.universal-devices.com
********************************

From: Considine, Toby (Campus Services IT) [mailto:Toby.Considine@unc.edu]

I must say that ESI and what is the ESI is a matter in a lot of conflict on the smart grid team. I think we get to define it. As I see it, ESI is the abstraction for all communications, occluding internal technologies, enforcing security policy, etc. There are three external interfaces that I know:

1) Market Operations
2) Curtailment
3) Verification
4) Proxy for Direct Control

I think energy interoperation is concerned with (1) and (2). (4) is something else. (3) is one of the great questions on the draft. What does it mean going forward? I expect we may spend as much time on determining what if any of (3) is involved. I highlighted it in the draft for that reason.

As to using BACnet-ws in energyinterop—I just can’t see it. BACnet-WS was never designed to be in the wild.

tc

"A man should never be ashamed to own that he has been in the wrong, which is but saying ... that he is wiser today than yesterday." -- Jonathan Swift
From: Holmberg, David [mailto:david.holmberg@nist.gov]

Toby, Sharon, I believe Ed’s reference to BACnet was to the use of BACnet web services in the OpenADR spec as one of the options between DRAS and DRAS Client. Thus BACnet WS is in scope, but otherwise I agree. So, what is the ESI? In my mind it is an external gateway for access to the facility network, often owned by the IT dept (if there is one), with the purpose of firewalling and routing to the appropriate box on the inside (like the EMS).

David

From: Dinges, Sharon [mailto:sdinges@trane.com]

Toby, I believe this is a fair assessment. The interactions between the EMS and the external ESI are more appropriately communicated using XML and web services. Then, at the EMS level, the systems would communicate using BACnet, LonWorks, OPC, HAN, DALI, etc.

Regards,
Sharon

From: Considine, Toby (Campus Services IT) [mailto:Toby.Considine@unc.edu]

In terms of the smart grid diagrams, outside communications should be with the Energy Services Interface (ESI), which is something different than the Energy Management System (EMS). Makers of BACnet, LON, HAN, DALI, et al will each figure out what the middle layer is. Oft times, the enterprise will be in between the ESI and any EMS. It certainly will be in any industrial environment… BACNET, LON and friends are out of scope…

"A man should never be ashamed to own that he has been in the wrong, which is but saying ... that he is wiser today than yesterday." -- Jonathan Swift

From: Edward Koch [mailto:ed@akuacom.com]

Enclosed is a pass on the document that Toby sent out. I mostly tried to answer some of his questions and added some comments of my own. Here are some general comments:

- It looked like there is some material missing at the end.
- Clearly there needs to be some verbiage added concerning security requirements.
- There needs to be some meat added for the interaction and data models. Perhaps adding in some of the diagrams from the spec will fulfill this requirement.
- We need to give some thought to what we are going to do with the various interfaces, i.e. BACnet versus REST
versus SOAP, etc.

-ed koch