
Subject: FW: [obix] oBIX and Security (Forwarded for Chris Bogen)

Chris's submission bounced. See below.

-----Original Message-----
From: Bogen, Chris ERDC-RDE-ITL-MS [mailto:Chris.Bogen@erdc.dren.mil] 
Sent: Friday, March 01, 2013 9:02 AM
To: Toby Considine; obix@lists.oasis-open.org
Subject: RE: [obix] oBIX and Security (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: FOUO

What about adding some core contracts that wrap points with some
access-control-oriented attributes?  

Or could we suggest that these issues be addressed through access control of
REST end-points?

This issue could surely take us down a rabbit hole at the expense of other
core issues.

Chris Bogen, Ph.D.
Computer Scientist
US Army Corps of Engineers
Engineer Research Development Center
Vicksburg, MS

-----Original Message-----
From: obix@lists.oasis-open.org [mailto:obix@lists.oasis-open.org] On Behalf
Of Toby Considine
Sent: Thursday, February 28, 2013 3:57 PM
To: obix@lists.oasis-open.org
Subject: [obix] oBIX and Security

So we touched on Security today in the meeting. In the last oBIX series, we
pretty much skipped right over Security. The security sub-committee, after
much thought, suggested folks use passwords and that we support HTTPS. This
was both good and bad.


This week, RSA has been meeting and my news feeds are full of stories like
those below.


Vint Cerf: 'The internet of things needs to be locked down'
RSA 2013 Device manufacturers who are sticking internet connections into
everything from TVs to toasters need to lock down their systems with strong
authentication, Google's chief internet evangelist Vint Cerf warned the RSA
keynote audience. Cerf said ...

RSA Conference: Age of internet of things is upon us
SC Magazine UK
The challenge of hyper-connected devices and the 'internet of things' will
see billions of devices connected by the end of this decade, and all need to
be secured. Speaking at the RSA Conference in San Francisco, Philippe
Courtot, chairman and CEO of ...

RSA 2013: Vint Cerf Issues Challenge To Secure Internet Of Things
TechWeekEurope UK
Founding father of the Internet Vint Cerf has issued a challenge for
security researchers to ensure that the surge of devices hooking up to the
Web in the so-called "Internet of Things". Cerf, who is now an evangelist at
Google, said an identity-led ...


First, what's good about what we did with security last time? Well, what's
good is that we didn't do it. We did not create some absolutely required
greatest security of 2005, regularly hacked by script kiddies since 2008,
and mandatory on all implementations. Security should be composable, i.e.,
added into the standard as needed. Some scenarios have large risks, and
large sums of money at risk, or put strong implications for privacy, and
others do not. Users of the [oBIX] specifications should be able to compose
in the appropriate security for their needs. That is the good news, that we
did nothing.


The bad news is that we did nothing. There is no framework for security in
the current oBIX. We do not distinguish between points known only to the
integrator, points settable by the tenant, and points visible to the


And there is no practical way to secure a point. What would it even mean?
Secure all points, sure. But if I have 10,000 points, there is no useful
way to apply ACLs to each of them. Groups of points, which somehow share
something in common can be secured together. Policy-based security,
declarative security can be applied to groups of points that are somehow
similar. oBIX today has no way to declare similar.


Security always requires a context. We have no means to set context. Does an
oBIX building have 20 tenants? Is each of these tenants able to view their
own energy usage, and set their own thermostats? Is it a school, and the
various tenants are competing on energy use, and can see all, but only
manage their own space? Is the ability to discover that certain systems are
in a building a security risk? (Universities and Research Facilities like to
keep quiet about their animal care facilities.) We must have a way to segment
oBIX. Even as points get relayed through multiple systems to the cloud.


Today we discussed the intersection of BIM and oBIX. Once the building is
built, BIM is about space. People and business process inhabit space.
Building systems are installed in space. Space is the semantic middleware
between the oBIX Points and the services they provide. Perhaps BIM, when
known, where present, can provide part of a semantic framework for
policy-based security. "Tenants can set all thermostats in space that they
lease" can lead to automated unraveling of what space does this tenant lease
to what spaces are in the oBIX server to what points relate to that


BIM should be part of the security framework we define in oBIX. Actual
security details are to be composed later. BIM can provide the hooks.









"If something is not worth doing, it's not worth doing well" -- Peter


Toby Considine
TC9, Inc

OASIS TC Chair: oBIX & WS-Calendar

OASIS TC Editor: EMIX, Energy Interoperation

SGIP Smart Grid Architecture Committee


Email: Toby.Considine@gmail.com <mailto:Toby.Considine@fac.unc.edu> 
Phone: (919)619-2104

blog: http://www.NewDaedalus.com 


Classification: UNCLASSIFIED
Caveats: FOUO
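
The policy-based approach discussed in the thread (rules applied to groups of points, with space as the link between a tenant and the points that tenant may touch) can be sketched as follows. This is an added example, not part of the original messages and not oBIX or BIM code; the point URIs, space names, roles and rule fields are all hypothetical and the data is constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Point:
    href: str   # hypothetical point URI
    kind: str   # what the point controls or measures
    space: str  # space the equipment serves (the BIM-style hook)

@dataclass(frozen=True)
class Rule:
    role: str    # subject role the rule applies to
    action: str  # "read" or "write"
    kind: str    # point kind, or "*" for any kind
    scope: str   # "leased" = only spaces the subject leases, "any" = whole building

# Constructed sample data: leases, points and policy for one building.
LEASES = {"tenant-a": {"floor1/suite100"}, "tenant-b": {"floor2/suite200"}}
POINTS = [
    Point("/points/suite100/thermostat", "thermostat", "floor1/suite100"),
    Point("/points/suite200/thermostat", "thermostat", "floor2/suite200"),
    Point("/points/suite100/meter", "energy-meter", "floor1/suite100"),
    Point("/points/suite200/meter", "energy-meter", "floor2/suite200"),
    Point("/points/vivarium/ahu", "air-handler", "basement/vivarium"),
]
RULES = [
    Rule("tenant", "write", "thermostat", "leased"),  # set thermostats in leased space
    Rule("tenant", "read", "energy-meter", "any"),    # see everyone's energy use
    Rule("integrator", "read", "*", "any"),
    Rule("integrator", "write", "*", "any"),
]

def is_allowed(subject, role, action, point):
    """Deny by default; allow only when a rule matches role, action, kind and scope."""
    for rule in RULES:
        if (rule.role, rule.action) != (role, action):
            continue
        if rule.kind not in ("*", point.kind):
            continue
        if rule.scope == "any" or point.space in LEASES.get(subject, set()):
            return True
    return False

def visible_points(subject, role):
    """Discovery filter: list only points the subject may read or write."""
    return [p.href for p in POINTS
            if any(is_allowed(subject, role, a, p) for a in ("read", "write"))]
```

Four rules cover every point in the building, and the air handler in the vivarium never appears in a tenant's discovery results because no tenant rule matches it.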
