
obix message



Subject: oBIX and Security


So we touched on Security today in the meeting. In the last oBIX series, we pretty much skipped right over Security. The security sub-committee, after much thought, suggested folks use passwords and that we support HTTPS. This was both good and bad.

 

This week, RSA has been meeting and my news feeds are full of stories like those below.

 

Vint Cerf: 'The internet of things needs to be locked down'
Register
RSA 2013 Device manufacturers who are sticking internet connections into everything from TVs to toasters need to lock down their systems with strong authentication, Google's chief internet evangelist Vint Cerf warned the RSA keynote audience. Cerf said ...

RSA Conference: Age of internet of things is upon us
SC Magazine UK
The challenge of hyper-connected devices and the 'internet of things' will see billions of devices connected by the end of this decade, and all need to be secured. Speaking at the RSA Conference in San Francisco, Philippe Courtot, chairman and CEO of ...

RSA 2013: Vint Cerf Issues Challenge To Secure Internet Of Things
TechWeekEurope UK
Founding father of the Internet Vint Cerf has issued a challenge for security researchers to ensure that the surge of devices hooking up to the Web in the so-called “Internet of Things”. Cerf, who is now an evangelist at Google, said an identity-led ...

 

First, what’s good about what we did with security last time? Well, what’s good is that we didn’t do it. We did not create some absolutely required greatest security of 2005, regularly hacked by script kiddies since 2008, and mandatory on all implementations. Security should be composable, i.e., added into the standard as needed. Some scenarios have large risks, and large sums of money at risk, or have strong implications for privacy, and others do not. Users of the [oBIX] specifications should be able to compose in the appropriate security for their needs. That is the good news, that we did nothing.

 

The bad news is that we did nothing. There is no framework for security in the current oBIX. We do not distinguish between points known only to the integrator, points settable by the tenant, and points visible to the passer-by.

 

And there is no practical way to secure a point. What would it even mean? Secure all points, sure. But if I have 10,000 points, there is no useful way to apply ACLs to each of them. Groups of points, which somehow share something in common, can be secured together. Policy-based security, declarative security, can be applied to groups of points that are somehow similar. oBIX today has no way to declare similar.

 

Security always requires a context. We have no means to set context. Does an oBIX building have 20 tenants? Is each of these tenants able to view their own energy usage, and set their own thermostats? Is it a school, and the various tenants are competing on energy use, and can see all, but only manage their own space? Is the ability to discover that certain systems are in a building a security risk? (Universities and Research Facilities like to keep quiet about their animal care facilities.) We must have a way to segment oBIX. Even as points get relayed through multiple systems to the cloud.

 

Today we discussed the intersection of BIM and oBIX. Once the building is built, BIM is about space. People and business process inhabit space. Building systems are installed in space. Space is the semantic middleware between the oBIX Points and the services they provide. Perhaps BIM, when known, where present, can provide part of a semantic framework for policy-based security. “Tenants can set all thermostats in space that they lease” can lead to automated unraveling of what space does this tenant lease to what spaces are in the oBIX server to what points relate to that space.

 

BIM should be part of the security framework we define in oBIX. Actual security details are to be composed later. BIM can provide the hooks.

 

http://www.newdaedalus.com/articles/bouncer-or-prison-guard.html

 

 

 

tc

 


"If something is not worth doing, it's not worth doing well"    -- Peter Drucker


Toby Considine
TC9, Inc

OASIS TC Chair: oBIX & WS-Calendar

OASIS TC Editor: EMIX, Energy Interoperation

SGIP Smart Grid Architecture Committee

  

Email: Toby.Considine@gmail.com
Phone: (919)619-2104

http://www.tcnine.com
blog: http://www.NewDaedalus.com
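The space-scoped, policy-based model sketched in the message above (tenant, to the spaces that tenant leases, to the points serving those spaces), as an added example that is not part of the original message and not oBIX's own data model: a small Python evaluator over a constructed point list, with two alternative policies (multi-tenant office vs. school) composed over the same points. Point hrefs, spaces, visibility classes and rule fields are all assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Point:
    href: str
    space: str        # the BIM space the point serves (assumed attribute)
    kind: str         # e.g. "thermostat", "energyMeter", "chiller"
    visibility: str   # "integrator", "tenant" or "public" (assumed classes)

@dataclass(frozen=True)
class Principal:
    name: str
    role: str                        # "integrator", "tenant" or "public"
    leased: frozenset = frozenset()  # spaces this principal leases

@dataclass(frozen=True)
class Rule:
    role: str    # role the rule applies to
    action: str  # "read" or "write"
    kind: str    # point kind, or "*" for any kind
    scope: str   # "leased" (only leased spaces) or "building" (any space)

# Constructed sample building: one plant chiller, per-floor thermostats
# and meters, and a lobby temperature anyone may see.
POINTS = [
    Point("/obix/chiller/setpoint", "plant", "chiller", "integrator"),
    Point("/obix/floor3/tstat", "floor3", "thermostat", "tenant"),
    Point("/obix/floor3/kwh", "floor3", "energyMeter", "tenant"),
    Point("/obix/floor4/tstat", "floor4", "thermostat", "tenant"),
    Point("/obix/lobby/temp", "lobby", "temperature", "public"),
]
ACME = Principal("acme", "tenant", frozenset({"floor3"}))
RANK = {"public": 0, "tenant": 1, "integrator": 2}

# Two composable policies over the same points: an office where each tenant
# sees only its own space, and a school where tenants compete on energy use,
# so they may read everything but set only thermostats in their own space.
OFFICE = [Rule("tenant", "read", "*", "leased"), Rule("tenant", "write", "thermostat", "leased"),
          Rule("integrator", "read", "*", "building"), Rule("integrator", "write", "*", "building"),
          Rule("public", "read", "*", "building")]
SCHOOL = [Rule("tenant", "read", "*", "building")] + OFFICE

def allowed(point, who, action, policy):
    """Deny unless the point's visibility class admits the role and some
    rule matches on role, action, kind and space scope (default deny)."""
    if RANK[who.role] < RANK[point.visibility]:
        return False
    return any(r.role == who.role and r.action == action
               and r.kind in ("*", point.kind)
               and (r.scope == "building" or point.space in who.leased)
               for r in policy)

def points_for(who, action, policy, points=POINTS):
    """The principal's view of the server, derived from policy plus space,
    rather than from a hand-written ACL on each of the points."""
    return [p.href for p in points if allowed(p, who, action, policy)]
```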

 


