Subject: Avoiding Security Rabbit Hole (was oBIX and Security (Forwarded for Chris Bogen))
I believe it is impossible to secure any large number of things without a security framework, preferably one that supports policy-based assertions. By any definition most building control systems involve a large number of things (points). The simplest framework, all or nothing, is incompatible with enterprise interactivity or internet accessibility.

The problem is it is unclear what *all* the frameworks might be.

- BIM, or perhaps the subset of BIM, Space, as mentioned before
- Role, as in Integrator / Maintenance / Operator / Tenant / Auditor / Guest
- Process, and process segmentation, i.e. ISO 15926 and various manufacturing scenarios

(we might call these the Security Ontologies of the system)

A given system might need any 1, 2, or 3 of the Ontologies above, or it might need one not named. A given system should be able to share which ontologies it uses, although the details of that sharing might themselves be subject to security concerns. (I offer security based on Space and Role.) (What spaces do you support? I am an auditor.) (What spaces can I operate as a tenant?)

Without assigning the Ontologies, can we define a framework for attaching such an ontology to an oBIX system? Can we do this without going down the rabbit hole?

tc

It strikes me that if a single building had multiple oBIX servers, then a single ontology might be shared by multiple servers. Not sure what that means.

-----Original Message-----
From: obix@lists.oasis-open.org [mailto:obix@lists.oasis-open.org] On Behalf Of Toby Considine
Sent: Saturday, March 02, 2013 10:20 AM
To: obix@lists.oasis-open.org
Subject: FW: [obix] oBIX and Security (Forwarded for Chris Bogen)

Chris's submission bounced. See below.
-----Original Message-----
From: Bogen, Chris ERDC-RDE-ITL-MS [mailto:Chris.Bogen@erdc.dren.mil]
Sent: Friday, March 01, 2013 9:02 AM
To: Toby Considine; obix@lists.oasis-open.org
Subject: RE: [obix] oBIX and Security (UNCLASSIFIED)

Classification: UNCLASSIFIED
Caveats: FOUO

What about adding some core contracts that wrap points with some access-control-oriented attributes? Or could we suggest that these issues be addressed through access control of REST end-points? This issue could surely take us down a rabbit hole at the expense of other core issues.

Chris Bogen, Ph.D.
Computer Scientist
US Army Corps of Engineers
Engineer Research Development Center
Vicksburg, MS
601-634-4624

-----Original Message-----
From: obix@lists.oasis-open.org [mailto:obix@lists.oasis-open.org] On Behalf Of Toby Considine
Sent: Thursday, February 28, 2013 3:57 PM
To: obix@lists.oasis-open.org
Subject: [obix] oBIX and Security

So we touched on Security today in the meeting. In the last oBIX series, we pretty much skipped right over Security. The security sub-committee, after much thought, suggested folks use passwords and that we support HTTPS. This was both good and bad.

This week, RSA has been meeting and my news feeds are full of stories like those below.

Vint Cerf: 'The internet of things needs to be locked down'
<http://www.google.com/url?sa=X&q=http://www.theregister.co.uk/2013/02/27/vint_cerf_rsa_keynote/&ct=ga&cad=CAcQAhgAIAAoATAAOABAuI--iQVIAVAAWABiBWVuLVVT&cd=XRrQKx2aV48&usg=AFQjCNFy9-tCpf5-OqpvVF8rLPjTbMCpJQ>
Register RSA 2013 Device manufacturers who are sticking internet connections into everything from TVs to toasters need to lock down their systems with strong authentication, Google's chief internet evangelist Vint Cerf warned the RSA keynote audience. Cerf said ...
RSA Conference: Age of internet of things is upon us
<http://www.google.com/url?sa=X&q=http://www.scmagazineuk.com/rsa-conference-age-of-internet-of-things-is-upon-us/article/282206/&ct=ga&cad=CAcQAhgAIAAoATACOAJAuI--iQVIAVAAWABiBWVuLVVT&cd=XRrQKx2aV48&usg=AFQjCNGHOwc3WD4Gtl_H44ufrTcMVj3--Q>
SC Magazine UK The challenge of hyper-connected devices and the 'internet of things' will see billions of devices connected by the end of this decade, and all need to be secured. Speaking at the RSA Conference in San Francisco, Philippe Courtot, chairman and CEO of ...

RSA 2013: Vint Cerf Issues Challenge To Secure Internet Of Things
<http://www.google.com/url?sa=X&q=http://www.techweekeurope.co.uk/news/rsa-2013-vint-cerf-security-internet-of-things-108947&ct=ga&cad=CAcQAhgAIAAoATAEOARAuI--iQVIAVAAWABiBWVuLVVT&cd=XRrQKx2aV48&usg=AFQjCNFRSNZHTsV45jyhlWM545T3aIdDTw>
TechWeekEurope UK Founding father of the Internet Vint Cerf has issued a challenge for security researchers to ensure that the surge of devices hooking up to the Web in the so-called "Internet of Things". Cerf, who is now an evangelist at Google, said an identity-led ...

First, what's good about what we did with security last time? Well, what's good is that we didn't do it. We did not create some absolutely required greatest security of 2005, regularly hacked by script kiddies since 2008, and mandatory on all implementations. Security should be composable, i.e., added into the standard as needed. Some scenarios have large risks, and large sums of money at risk, or put strong implications for privacy, and others do not. Users of the [oBIX] specifications should be able to compose in the appropriate security for their needs. That is the good news, that we did nothing.

The bad news is that we did nothing. There is no framework for security in the current oBIX. We do not distinguish between points known only to the integrator, points settable by the tenant, and points visible to the passer-by.
And there is no practical way to secure a point. What would it even mean? Secure all points, sure. But if I have 10,000 points, there is no useful way to apply ACLs to each of them. Groups of points, which somehow share something in common, can be secured together. Policy-based security, declarative security, can be applied to groups of points that are somehow similar. oBIX today has no way to declare similar.

Security always requires a context. We have no means to set context. Does an oBIX building have 20 tenants? Is each of these tenants able to view their own energy usage, and set their own thermostats? Is it a school, and the various tenants are competing on energy use, and can see all, but only manage their own space? Is the ability to discover that certain systems are in a building a security risk? (Universities and Research Facilities like to keep quiet about their animal care facilities.) We must have a way to segment oBIX. Even as points get relayed through multiple systems to the cloud.

Today we discussed the intersection of BIM and oBIX. Once the building is built, BIM is about space. People and business process inhabit space. Building systems are installed in space. Space is the semantic middleware between the oBIX Points and the services they provide. Perhaps BIM, when known, where present, can provide part of a semantic framework for policy-based security. "Tenants can set all thermostats in space that they lease" can lead to automated unraveling of what space does this tenant lease, to what spaces are in the oBIX server, to what points relate to that space.

BIM should be part of the security framework we define in oBIX. Actual security details are to be composed later. BIM can provide the hooks.
http://www.newdaedalus.com/articles/bouncer-or-prison-guard.html

tc

________________________________
"If something is not worth doing, it`s not worth doing well " -- Peter Drucker
________________________________
Toby Considine
TC9, Inc
OASIS TC Chair: oBIX & WS-Calendar
OASIS TC Editor: EMIX, Energy Interoperation
SGIP Smart Grid Architecture Committee
Email: Toby.Considine@gmail.com <mailto:Toby.Considine@fac.unc.edu>
Phone: (919)619-2104
http://www.tcnine.com
blog: http://www.NewDaedalus.com

Classification: UNCLASSIFIED
Caveats: FOUO
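The thread proposes policy-based security built on two "ontologies", Space (from BIM) and Role, and sketches the chain "which spaces does this tenant lease, which points sit in those spaces". The following is an added illustration, not code from the oBIX TC or the oBIX specification: a minimal policy model over hypothetical point hrefs, spaces, leases and roles (all constructed names), where authorization and discovery are both derived from space membership rather than from per-point ACLs.

```python
from dataclasses import dataclass

# Constructed sample data (hypothetical): oBIX point href -> BIM space,
# which tenant leases which space, and which spaces are public or hidden.
POINT_SPACE = {
    "/obix/hvac/zone3/setpoint":    "floor3.suiteA",
    "/obix/hvac/zone3/temp":        "floor3.suiteA",
    "/obix/hvac/zone4/setpoint":    "floor3.suiteB",
    "/obix/meter/suiteA/kwh":       "floor3.suiteA",
    "/obix/meter/suiteB/kwh":       "floor3.suiteB",
    "/obix/lobby/temp":             "lobby",
    "/obix/vivarium/hvac/setpoint": "basement.animalcare",
}
LEASES = {"acme": {"floor3.suiteA"}, "globex": {"floor3.suiteB"}}
PUBLIC_SPACES = {"lobby"}
HIDDEN_SPACES = {"basement.animalcare"}   # existence itself is sensitive

@dataclass(frozen=True)
class Principal:
    name: str
    role: str          # integrator | operator | auditor | tenant | guest
    tenant: str = ""   # only meaningful when role == "tenant"

def in_scope(p: Principal, space: str) -> bool:
    """Space ontology: which spaces this principal may know about at all."""
    if p.role in ("integrator", "operator"):
        return True
    if space in HIDDEN_SPACES:
        return False
    if p.role == "auditor":
        return True
    if p.role == "tenant":
        return space in LEASES.get(p.tenant, set())
    return space in PUBLIC_SPACES   # guest / passer-by

def allowed(p: Principal, action: str, href: str) -> bool:
    """Role ontology: read/write rights, applied only inside the principal's scope.
    Unknown points and out-of-scope spaces are denied, never distinguished."""
    space = POINT_SPACE.get(href)
    if space is None or not in_scope(p, space):
        return False
    if action == "read":
        return True
    if action == "write":
        return p.role in ("integrator", "operator", "tenant")
    return False

def discoverable(p: Principal) -> list[str]:
    """Discovery is filtered by the same scope: out-of-scope points are not listed."""
    return sorted(h for h, s in POINT_SPACE.items() if in_scope(p, s))
```

Adding a new space or point only touches the data tables; the policy itself stays declarative, which is the point the thread makes about 10,000 points.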