Honeywell Momentum 2018 Day 2 featured Cybersecurity Expert — Kevin Smith, Tridium’s CTO & Chief Architect. Breakouts continued throughout the day, with sessions including: IP Controller Programming, Niagara 4 Security Updates, Sales Acceleration, and Analytics on the Edge. The evening ended with a Gala Celebration and the 2018 Honeywell Momentum Awards Dinner, which recognized Honeywell’s top Distributor and Contractor Performers. Many attendees commented that, all things considered (location, business updates, product releases, guest speakers, and breakout sessions), this was the best Momentum to date. Congratulations to Mark Schlauderaff and the Honeywell team for a Momentum well done!
Episode 287: ControlTalk NOW — Smart Buildings Videocast and PodCast for week ending October 14, 2018 features our interview on how to get yourself “Edge-You-Cated” with Automated Buildings’ owner and editor, Ken Sinclair. Midway through the interview we are joined by one of the top Master System Integrators in North America, Hepta Systems’ Chief Information Officer, Jason Houck. Make your 2018 ControlTrends Awards Nominations today! Read your October Cybersecurity Month updates; How do I size the correct damper actuator, from Belimo; and Honeywell’s LCBS-T offers Simple, Efficient, and Future-Ready HVAC Control.
Make Your Nominations Now — for the 2018 ControlTrends Awards! It is time to nominate your favorite people, products, solutions and companies for the 2018 ControlTrends Awards. The top 5 to 6 in each category will move on to the ControlTrends Awards finals. If you don’t already see your nominee on the ballot, or don’t already see a nominee in a category, please use the “other” option and write in your choice; we will then add them to the ballot.
This week’s ControlTalk NOW interview begins with Ken Sinclair’s discussion of his October edition of AutomatedBuildings.com and recent travels abroad to Italy. The October edition is nothing short of punderful. Ken’s deliberate play on words delivers yet another deep deliberation on humanized interactions, integrated and deployed with the hatching technologies. Midway through the interview, we are joined by one of the top Master System Integrators in North America, Hepta Systems’ Chief Information Officer, Jason Houck, who shares his most recent experiences and insight. This is a must-watch interview!
Cybersecurity Month Update: California Governor Signs Bills Aimed at Strengthening the Security of IoT Devices. In an effort to keep the ControlTrends Community in the loop during Cybersecurity Month, here is an interesting update on how IoT devices including microwaves, toys, thermostats, and security cameras are to be secured. Of particular interest was the My Friend Cayla Smart Doll.
From the Belimo Support Center: How do I Size a Damper Actuator? The “10 questions” method for sizing and selection found in the attachment is recommended. It takes into consideration the total damper area, blade and seal construction, and air velocity as well as various actuator requirements such as supply voltage and control signal. For a more in-depth explanation of damper actuator sizing and performance you can download our Damper Application Guide.
Honeywell’s LCBS-T — Simple, Efficient, Future-Ready HVAC Control! When it comes to HVAC system control, different customers have different needs. With more than a century of building control experience and the resulting unmatched breadth of product, Honeywell gives our partners the flexibility to deliver the right solution to their customers every time. As a continuation of this product breadth strategy, we are pleased to announce that we will be making our LCBS-T Commercial Economizing Thermostat available as a stand-alone product with tools to help you sell to your customers.
VYKON Edge Controller 10 is a Single-tool Infrastructure with the Ability to Create Smarter, More Efficient Systems, and World-class Security. VYKON Edge Controller 10 is an IP-based field equipment controller powered by the Niagara Framework®. VYKON Edge Controller 10s drive applications such as zone temperature control, and the operation of fan coil units, single-stage air handling units, water-source heat pumps and more. VYKON Edge Controller 10s run the full Niagara stack, with 10 points of on-board IO and IO-R-34 expansion capability. VYKON Edge Controller 10 licensing supports three devices and 50 total points to harness the full power of Niagara at the edge.
In an effort to keep the ControlTrends Community in the loop during Cybersecurity Month, here is an interesting update on how IoT devices including microwaves, toys, thermostats, and security cameras are to be secured. Of particular interest was the My Friend Cayla Smart Doll — a prime target for cyber hackers, who can use the toy’s technology to spy on families and collect private information — because the doll is designed to collect and transmit everything it hears to a voice recognition company. Yikes!
In short, the bills basically direct IoT device manufacturers to equip their devices with reasonable security features, requiring companies to take responsibility for considering the security aspects of their devices as they’re developed and produced.
AUTHOR: THEO DOUGLAS OCT 8, 2018. SOURCE: GOVERNMENT TECHNOLOGY (TRIBUNE NEWS SERVICE).
Gov. Jerry Brown has signed two bills that could make manufacturers of Internet-connected devices more responsible for ensuring the privacy and security of California residents.
The governor’s office announced on September 28 that Brown had signed the legislation, Assembly Bill 1906 and Senate Bill 327. He had until the end of the day on Sept. 30 to do so. Both bills will become law in about 15 months, on Jan. 1, 2020. That delayed effect, one of the lawmakers behind the legislation said, is designed to hold industry accountable but not stifle innovation or unduly burden it with regulation. Senate Bill 327 is the older of the two and was introduced in Feb. 2017 by state Sen. Hannah-Beth Jackson, D-Santa Barbara, but as currently amended, the senator told Government Technology, is “pretty much a mirror” of AB 1906, introduced in January by Assemblywoman Jacqui Irwin, D-Thousand Oaks.
Both require manufacturers of connected devices to equip them with a “reasonable security feature or features” that are appropriate to their nature and function, and the information they may collect, contain or transmit — and are designed to protect the device and its information from “unauthorized access, destruction, use, modification or disclosure.”
The bills also specify that if such a device has a “means for authentication outside a local area network,” that will be considered a reasonable security feature if either the preprogrammed password is unique to each device made; or the device requires a user to create a new “means of authentication” before initial access is granted.
They define “connected device” as a device with an Internet Protocol (IP) or Bluetooth address, and capable of connecting directly or indirectly to the Internet.
Jackson said she’s had “concerns about privacy issues for many, many years,” and was prompted to act last year after hearing from constituents and learning that the My Friend Cayla smart doll, which had been banned in Germany due to concerns about the safety of children, had not been banned in the U.S. She questioned how IoT devices including microwaves, thermostats and security cameras were securitized and was shocked by the lack of security she found.
“This bill basically directs those manufacturers to equip their devices with reasonable security features,” Jackson said, adding she thinks the legislation is “the first of its kind” calling on companies to take responsibility for considering the security aspects of their devices as they’re developed and produced.
However, the question of what defines a “reasonable security feature or features” is one of several that industry groups — among them, the Security Industry Association, the National Electrical Manufacturers Association (NEMA) and the California Manufacturers and Technology Association (CMTA) — cited in their opposition to AB 1906.
In a statement provided to GT, the CMTA said the bills are an attempt to “create a cybersecurity framework by imposing undefined rules on California manufacturers,” but instead create a loophole allowing imported devices to “avoid implementing any security features.” This, it said, makes the state less attractive to manufacturers, less competitive and increases the risk of cyberattacks.
“We recommend an approach that would ensure that all connected devices are compliant and secure, no matter where they are produced. These two innovation-stifling measures not only fail to protect consumers, but will drive away California manufacturing investment,” the CMTA said.
The Entertainment Software Association, one of three industry groups including NEMA that are opposed to SB 327, said existing law already requires manufacturers to set up “reasonable privacy protections appropriate to the nature of the information they collect.”
Jackson said the bills still leave it to industry to use “their best judgment” to determine reasonable security and disagreed with the idea that the bills might create a loophole for imported devices.
“The concern, I think, is misplaced, because when the products are sold in this country, they will have to meet those standards even if they’re manufactured elsewhere,” she said.
State law would have allowed the bills to become law if they were neither signed by Brown nor vetoed — but both pieces of legislation specified they must be signed by the governor and can only become law if the other bill is also signed. A member of Jackson’s staff characterized this as a provision aimed at ensuring both houses remain on the same footing.
Editor’s Note: This story has been updated to indicate that the Governor signed both pieces of legislation. An earlier version was published before this was reported.
Theo Douglas is a staff writer for Government Technology. His reporting experience includes covering municipal, county and state governments, business and breaking news. He has a Bachelor’s degree in Newspaper Journalism and a Master’s in History, both from California State University, Long Beach.
©2018 Government Technology
Visit Government Technology at www.govtech.com
Distributed by Tribune Content Agency, LLC.
October is National Cybersecurity Awareness Month (NCSAM). NCSAM is a collaborative effort between DHS and its public and private partners—including the National Cyber Security Alliance (NCSA)—to raise awareness about the vital role cybersecurity plays in the lives of U.S. citizens. NCCIC will be participating in NCSAM through weekly posts in the Current Activity section of the NCCIC website. Over the course of the month, these will touch on
NCCIC encourages users and administrators to review the Stay Safe Online NCSAM page and the Stay Safe Online NCSAM Events page for additional information and details on NCSA events.
Although a notice titled A Methodology for Determining Forensic Data Requirements for Detecting Hypervisor Attacks may not seem to be of immediate importance to the ControlTrends Community, cybersecurity requires a dutiful and relentless awareness, especially as we become more dependent on Cloud-hosted services. The NIST website is a vital source of critical information available at your fingertips! NIST implements practical cybersecurity and privacy through outreach and effective application of standards and best practices necessary for the U.S. to adopt cybersecurity capabilities.
A Methodology for Determining Forensic Data Requirements for Detecting Hypervisor Attacks: NIST Releases Draft NIST Internal Report 8221. September 21, 2018: Hardware/server virtualization is now integral to the infrastructure of data centers used for cloud computing services and enterprise computing. However, the increasing popularity of cloud services and the complex nature of hypervisors, which are essentially large software modules, have led to malicious attackers exploiting hypervisor vulnerabilities to attack cloud services. One of the key strategies for managing the vulnerabilities of the hypervisor involves devising a methodology for determining the forensic data requirements for detecting attacks.
To better understand trends in hypervisor attacks and prevent future exploitation, NIST is releasing Draft NIST Internal Report (NISTIR) 8221, A Methodology for Determining Forensic Data Requirements for Detecting Hypervisor Attacks. This report analyzes recent vulnerabilities associated with two open-source hypervisors as reported by the NIST National Vulnerability Database, specifically Xen and KVM.
Ten functionalities traditionally provided by hypervisors are considered for the classification of hypervisor vulnerabilities. The document develops a profile of those vulnerabilities in terms of hypervisor functionality, attack type, and attack source. The objective is to determine the evidence coverage for detecting and reconstructing those attacks and subsequently identify the techniques required to gather missing evidence. The methodology outlined in the document can assist cloud providers in enhancing the security of their virtualized infrastructure and take proactive steps toward preventing such attacks on their operating environment in the future.
A public comment period for this draft document is open until October 12, 2018. See the document details for additional information and a copy of the publication.
Publication details: https://csrc.nist.gov/publications/detail/nistir/8221/draft
Cybersecurity advisory affecting Niagara AX- and Niagara 4-based systems.
Dear valued partner,
In June of 2018, Tridium incorporated a number of fixes to security vulnerabilities in Niagara AX and Niagara 4 through security update releases. Click to read the technical bulletin. Two of these vulnerabilities, which are affecting Niagara systems on Microsoft Windows platforms, were reported to the National Cybersecurity and Communications Integration Center (NCCIC). An Industrial Control Systems (ICS) Advisory has been issued.
It is important that all Niagara AX and Niagara 4 customers ensure they have updated their systems to the most current version to mitigate risk. Tridium takes cybersecurity very seriously. We recognize that the security of our products is of critical importance to our customers and the Niagara Community. If you have any questions, please contact your Tridium account manager or firstname.lastname@example.org.
It is important to note that JACE® controllers are not affected by these vulnerabilities, but the vulnerabilities are applicable to Niagara systems running on the Microsoft Windows operating system, including Niagara AX and Niagara 4 Supervisors.
For Niagara 4, the vulnerabilities were resolved in the latest two releases:
Niagara 4.6 (184.108.40.206.4), July 2018
Niagara 4.4u1 (220.127.116.11.1), June 2018
For Niagara AX, the vulnerabilities were resolved in the latest release:
Niagara AX 3.8u4 (3.8.401), June 2018
These fixes will be incorporated into all future releases of Niagara.
With the conference quickly approaching, we wanted to share with you the agenda (see below) for the Commercial and Corporate Real Estate Cybersecurity Forum. Much of the content for this Forum was developed from the ongoing work of the Real Estate Cyber Consortium.
Over the past decade, weaponized code delivered by malicious actors has evolved to be one of the greatest threats to our country’s welfare and economy. Cybercrime affects everyone, including individuals, businesses, organizations and government. It was inevitable that cyber threats would eventually find vulnerable commercial real estate targets, both at the enterprise and infrastructure level.
Cybersecurity as it impacts the built environment remains one of the most requested topics in our industry. This Forum will bring together industry thought leaders to address the most high-impact cyber threats and leverage their experience and knowledge to set benchmarks for cybersecurity strategy.
Real Estate Cyber Consortium (RECC) – An Industry Responds
There is no doubt that building cybersecurity is one of the most important issues facing our industry. The potential for human harm, business disruption, damage to brand and financial loss is high, and is finally getting attention in boardrooms everywhere. While Real Estate cybersecurity has been a discussion for years, it has now reached the point where it requires a more organized, consistent and comprehensive approach. Over the last 18 months, a group of dedicated organizations have been putting together a framework for the Real Estate Cyber Consortium (RECC). Representing some of the top real estate organizations in the world, this group is focusing on creating a consortium that can respond to this growing threat. This segment will provide an executive overview of RECC.
Leveraging Resources and Experience – DOD, ICS-CERT, ISA and the PNNL Weigh In
Keeping pace with the changing nature of cybersecurity is a daunting task. Offense is easy: pick a target and launch an attack. Defense on the other hand is almost impossible, requiring one to prepare for every possible threat from a disgruntled employee to a mischievous nation state. To maintain a reasonable defense strategy, it is critical to leverage as many resources as feasibly possible. In the United States, these are the organizations that focus specifically on the topic of cyber defense for buildings: The Department of Defense (DOD), Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), International Society of Automation (ISA) and Pacific Northwest National Labs (PNNL). They all have dedicated resources managing cybersecurity for the built environment and will participate in this important session.
Cyber Maturity Benchmarking Assessment – Where Does Your Organization Stand?
It has been more than five years since the Commercial and Corporate Real Estate industry began to focus on cybersecurity as it relates to the built environment, with organizations moving at varying speeds on their cyber programs. Given the complexity of threats and the critical nature of this issue, it is important to look to outside resources to assess an organization’s cyber maturity. How comprehensive is the cyber strategy? How does the organization compare to peers? Are the Cyber policies and programs improving over time? These are just a few of the questions that might be addressed in a formal assessment. This segment will be presented by real estate organizations that have experience in working with cyber maturity benchmarking assessments.
Building Automation, Smart Buildings & BIoT – Securing Smart Building Systems & Devices
Over time, building automation has evolved to be more open, integrated and interoperable, resulting in smarter buildings. Most recently, the next generation of building technologies has been referred to as the Internet of Things. This means that equipment other than traditional systems such as HVAC, lighting and access will need to communicate. Parking gates, signage, irrigation, various sensing devices and other systems will be connected to the network. With this expanded interconnectivity, cybersecurity becomes even more of an issue. The more devices, communication methods, software platforms and cloud connections we have, the greater the risk. This segment will address cybersecurity relating to building automation, smart buildings, the IoT and beyond.
Implementing Cyber Risk Assessments for Your Facilities – Real World Approaches
Cyber breach headlines are becoming all too common. We’re now seeing that many real estate organizations have begun the journey into a comprehensive cybersecurity strategy. When it comes to understanding and preparing for threats to the physical infrastructure, there’s a wide range of preparedness options. Organizations at the front of this conversation are better at understanding the framework or methodology required to assess, at a fairly granular level, how well prepared a facility is to identify, defend and respond to Cyber threats. A variety of thought leaders will share their real world approaches and lessons learned, and present a framework for tackling assessments, from single assets to entire portfolios.
Raising the bar around Cybersecurity – Partnering with Manufacturers and Solution Providers
The convergence of traditional IT and building technologies is happening at an ever increasing rate. This convergence is having a very disruptive impact on companies as traditional IT controls are being applied to building technologies that, given the age of most of these technologies, have varying degrees of technical sophistication and ability to address these controls. While heavily regulated industries are beginning to feel the impact from IT convergence now, other industries will soon be impacted as many of these changes are necessary to enhance the security and stability of these platforms. This segment will include leading manufacturers of smart building technologies that are ‘leaning in’ to this issue and are willing to create a more secure architecture for smart buildings. We will dive into those areas that are being most impacted by IT convergence and what the industry is doing to help address these issues.
If you are a registered attendee for Realcomm or IBcon, you are invited to attend the Cybersecurity Forum at no charge. Once you’ve registered for the conference, please RESERVE YOUR SEAT using the link below or by contacting Cheri Parr to let her know you are planning to attend. Space is limited so you must RSVP.
Cheri Parr, Program Manager | Phone: 310.421.4362 | email@example.com
Episode 260: ControlTalk NOW — Smart Buildings Videocast and PodCast for week ending March 25, 2018 features visionary Jim Young, Founder and CEO of Realcomm Conferences. Register now to take advantage of ControlTrends’ discounted rate for Realcomm20, at the Cosmopolitan, June 4-8, Las Vegas. Young Gun Aaron Gorka, Innovations Manager, ANT Technologies, introduces the ControlTrends Community to the CMPX Show and more. Great demo from Mike Glenn, Penn Controls, who is celebrating its 100th Anniversary! Gina Elliott joins EasyIO as VP of the Americas. Belimo releases New Globe Valve Assemblies with a Webinar; and make sure to register for the Iotium/Intelligent Building Cybersecurity Webinar.
ControlTalk NOW interview with Jim Young — founder of Realcomm Conference Group, an education organization that produces Realcomm, IBcon and CoRE Tech, the world’s leading conferences on technology, automated business solutions, intelligent buildings and energy efficiency for the commercial and corporate real estate industry. Stay tuned for more important updates and other conference information as it becomes available. Register now — using our ControlTrends’ discount code.
Young Gun Aaron Gorka, Innovations Manager, ANT Technologies, providers of paperless, cloud-based, operational technology for HVAC & Control Contractors, brings the ControlTrends Community up-to-speed with the CMPX Show (with over 500 exhibitors) that was held at the Metro Toronto Convention Centre, March 21-23, as well as introducing two other prominent Young Guns: Lawrence Beauchamp, Arrow Electronics and Mark Riley, Track GPS Fleet Management. Great question and answer session — and great assessment of our industry. Thanks Aaron, we look forward to your next update!
EasyIO News Update: Gina Elliott Vice President of the Americas. Gina Elliott has joined the EasyIO team as Vice President of the Americas. Throughout her career, Gina has worked to develop GTM strategies for emerging technologies in IT and OT. Gina started her “ITOT” career as a VAR for converged IT solutions and has continued to work with emerging technologies. Transitioning to OT in 2007, Gina has worked in design consulting for multi-system integration and interoperability of smart buildings.
Belimo’s New Globe Valve Assemblies — Greater Force & Flexibility! Webinar on Wed, April 4 at 1:00 PM EDT. Belimo now offers a full range of NPT pressure compensated globe valves. The new G2 and G3 with ANSI Class VI leakage and 100:1 rangeability provide accurate modulation at low flow. Belimo globe valve actuators incorporate Multi-Function Technology™ to allow for easy and flexible field configuration. Register today to learn more about Belimo’s new globe valve assemblies.
ControlTrends and Michael Glenn, Penn Refrigeration Business Development Manager at Johnson Controls review two exciting new controls from Penn Controls, who is celebrating its 100 year anniversary. Eric and Mike review the A525 Series Electronic Refrigeration Controllers with Adaptive Defrost, which manages cooling, defrost, alarms, communications and costs, offering a wide range of options that allow for customized control functions. The Quick Response Expansion Valve (QREV) with Precision Superheat Controller (PSHC) form an electronic solution that will maximize evaporator efficiency and save energy by maintaining target superheat, regardless of outside conditions.
Live Webinar: Building Cybersecurity is a Legacy Building Risk — Thursday, April 12, 2018, 8 am PT/ 11 am ET. It’s not smart buildings, but any commercial building built or renovated in the past 30 years, that you should worry about. Before the smart buildings concept, digital, Internet-connected controls systems, such as HVAC, lighting, and elevators, have been installed and managed by non-IT persons, from architects and engineers to contractors and property managers. Without IT best practices, much less cybersecurity requirements, there is significant exposure to: Life Safety Risks, Equipment Failure, Productivity Loss, Network Hopping, and Brand Damage.
It’s not smart buildings, but any commercial building built or renovated in the past 30 years, that you should worry about.
Before the smart buildings concept, digital, Internet-connected controls systems, such as HVAC, lighting, and elevators, have been installed and managed by non-IT persons, from architects and engineers to contractors and property managers. Without IT best practices, much less cybersecurity requirements, there is significant exposure to:
* Life Safety Risks
* Equipment Failure
* Productivity Loss
* Network Hopping
* Brand Damage
This webinar will address the cybersecurity condition that afflicts nearly all commercial building stock, what you can do about it and how to get started. We will cover:
* Legacy Building Controls Technology and Connectivity
* Risk Areas and Consequences
* Stakeholders Roles and Responsibilities
* Case Study Examples
* Step by Step Plan to Remediate
New Tridium white paper from Tridium chief architect Kevin T. Smith now available. Much has been written about the game-changing IoT. Network-connected devices and their capabilities have become a disruptive force in the business world.
Adding network connectivity to any “thing” adds tremendous value, but also brings potential risks to an organization. Cybersecurity should be a concern for everyone.
Learn about developing a strategy to defend against cyber threats in the new white paper, Cybersecurity and the IoT—Threats, Best Practices and Lessons Learned by Tridium chief architect Kevin T. Smith.
The market for the Internet of Things (IoT) is continuing to grow at a phenomenal pace. According to research from the International Data Corporation released early in 2017, the IoT market will reach $1.29 trillion by 2020. IHS Markit forecasts that the IoT market will grow from what was an installed base of 15.4 billion devices in 2015 to 75.4 billion devices in 2025. Other market research firms are releasing similar staggering statistics, and while estimates vary, all parties agree: network-connected devices and their capabilities are and will continue to be a disruptive force in the way that everyone does business.
But 15 years ago—long before anyone had ever heard of the IoT—Tridium developed the Niagara Framework, a general-purpose, open and extensible software framework built for the purpose of connecting, managing and controlling any device over computer networks.
A general-purpose IoT framework that allows integrators to connect and control devices, regardless of protocol and manufacturer, Niagara has changed the way that organizations do business, putting the “smarts” in smart buildings and data centers, providing significant cost savings and capabilities. Over the years, this experience has given us much insight into the areas of device connectivity and control, automation, analytics and cybersecurity.
Cybersecurity should be a concern for any user or owner of connected devices. In our fast-paced world of ever-changing technology, the cyberthreat landscape continues to evolve at an alarming rate. With recent cybersecurity incidents showing unprecedented growth in the frequency, scale and sophistication of advanced cyberattacks, combined with the number of high-profile data breaches and hacks hitting the front pages of newspapers on an almost weekly basis, it should not be a surprise that most organizations are taking a newfound interest in protecting the systems on their networks.
Regarding the IoT, adding network connectivity to any “thing” can certainly provide great value, but it also brings along with this connectivity potential risks related to network security. In the past few years, we have seen web cameras, baby monitors, smart refrigerators and even cars electronically hacked. We have seen an alarming rise in data breaches costing organizations billions of dollars. We have seen the rise of security and privacy concerns related to smart devices. We have seen an alarming rise in malware threats infecting computers and smart devices. We have seen the increase of hacker-friendly tools and websites that allow bad actors to search for, discover and exploit Internet-connected devices. Specific to the IoT market, we saw the largest distributed denial-of-service attack of its kind in October 2016, when an estimated hundreds of thousands of IoT devices were attacked, infected with a virus and used in a coordinated effort to attack domain name system (DNS) servers, effectively bringing down a significant portion of the Internet.
A successful cybersecurity program encompasses far more than simply an approach that is asset-focused or revolves around only technology. A more holistic, defense-in-depth security approach is needed — one that involves people, processes and technology.
Click here to download the rest of the white paper.