BMS Cybersecurity Products and Solutions

ECLYPSE | EC-Net

By default, ECLYPSE and EC-Net are secure platforms when placed in an appropriate network environment and set up by following the applicable user guide. We recommend always running the latest firmware available from the software center and never placing a controller directly on a public network.



ECLYPSE

ECLYPSE Connected Controller platform for future-ready buildings providing comfort management, efficiency, and unrivalled, proven connectivity open to digital services.


    Physical Security

    Protection of the physical assets that are hosting the data we wish to secure.


    Secure Boot

    ECLYPSE APEX only. Secure boot and cybersecure communication between OT, IT and cloud-based platforms make it the ideal all-in-one solution for local and remote applications.

    Network & System Security

    A network perimeter demarcates the boundary between an organization’s intranet and the external or public-facing internet. Vulnerabilities create the risk that attackers can use the internet to attack resources connected to it. [3]


    [3] https://www.gartner.com/en/topics/cybersecurity

    Authentication

    • Single Sign-On (SSO) with ECY-APEX as an Identity Provider
    • ECLYPSE authentication is either Basic or SSO using OpenID Connect.
    • The SSO service lets a user use one set of login credentials (e.g. username and password) to access multiple ECLYPSE controllers on the same network, giving a centralized, secure login method for authenticating users.
    • The mechanism behind SSO with ECLYPSE controllers is a client-server architecture: one controller is defined as the server dedicated to authentication and authorization for access to the client controllers.
    • SSO authenticates the user for every controller the user has been granted rights to and suppresses further login prompts when the user accesses other controllers within the same session.
    • The session ends when you close the web browser or log out. Close your web browser after logging out so the session cannot be resumed.

    User Authorization

    • RBAC (Role-Based Access Control)

    General Security Requirements

    • All security requirements for ECLYPSE are derived from ISA/IEC 62443 Security Level 4

    Access Control

    Identity infrastructure and PKI integration
    • PKI
    • SSO

    Topology

    • RESTful API

    Data Security

    It comprises the processes and associated tools that protect sensitive information assets, either in transit or at rest. Data security methods include encryption, which renders sensitive data unreadable to anyone without the key, and creating data backups. [4]


    [4] https://www.gartner.com/en/topics/cybersecurity

    Encryption

    Data Encryption

    • ECLYPSE Controllers have encryption that meets the FIPS 140-2 federal standard except for ECY-STAT and APEX.
    • Meets encryption standards for mission-critical industries such as banking and for US government contracts.

    Standards and protocols 

    • TLS minimum protocol version: configurable as TLSv1+, TLSv1.1+ or TLSv1.2. TLS 1.0 and 1.1 are deprecated (RFC 8996); set the minimum to TLSv1.2 unless a legacy client on the same network still requires an older version, and plan to retire that client.

    Digital signatures 

    • SHA256withRSA (2048-bit RSA asymmetric key)

    Application Security

    The tools available to monitor and confirm the state of the system’s security posture.


    Monitoring

    Security Audit Log

    • Basic security audit logs containing information about changes to the users as well as user successful and unsuccessful sign-ins.


    It is the responsibility of the developer to account for intellectual property and security concerns when building and programming a Docker-compatible image. Additionally, follow best practices when deploying the Docker container over IoT Edge. See the Microsoft and Docker documentation for more details and best practices.


    Cybersecurity Best Practice Websites


    Microsoft Azure compliance website


    Amazon compliance website


    Google Cloud compliance website




    EC-Net

    The EC-Net™ web-based building management platform is powered by the Niagara Framework® to provide all the essential functionality required for single buildings up to large, multi-site deployments. EC-Net was developed with an approach to cybersecurity that can be customized to the security policy of any organization. The approach for doing this revolves around making it easier for users to secure an EC-Net system, along with enforcing good “cyber behaviour” through technology controls.


      Physical Security

      Protection of the physical assets that are hosting the data we wish to secure.


      Secure Boot

      EC-BOS-8 boots only digitally signed, trusted software, providing assurance that the software has not been altered.

      Network & System Security

      A network perimeter demarcates the boundary between an organization’s intranet and the external or public-facing internet. Vulnerabilities create the risk that attackers can use the internet to attack resources connected to it. [1]


      [1] https://www.gartner.com/en/topics/cybersecurity

      Authentication

      “Secure by Default”

      • Users are required to choose strong passwords
      • Users are set up with the strongest available authentication mechanism
      • Accounts are locked out after consecutive failed sign-ins
      • The factory default password must be changed at commissioning

      Single Sign-On with EC-Net as an Identity Provider

      • SSO allows users to log in to one station and access all other connected stations via a browser without re-authenticating.
      • Eliminates the need to manually configure and manage an external IdP.

      Multi-Factor Authentication (MFA)

      • Google two-factor authentication (one-time codes from the Google Authenticator app)

      Digital certificate authentication

      • Useful for kiosks connecting through a web browser

      802.1X device network authentication

      Access Control

      Identity infrastructure and PKI integration

      • LDAP
      • Kerberos
      • SAML 2 Identity Providers for Single Sign-On

      Role-Based Access Control

      • Provides access control for users by security role
      • Managed by CategoryService and RoleService and assigned within UserService

      Authorization

      Authorization at API level

      • Controls what individual software components can do

      Standard and protocols

      • SCRAM-SHA-256 / SCRAM-SHA-512 challenge-response (default; the password itself is never sent)
      • EC-BOS-8: WPA-PSK128, WPA2PSK256
      • Google 2 Factor Auth
      • Client Cert Auth (Kiosk Mode)
      • PKI
      • LDAP
      • Kerberos
      • SAML 2 IDP SSO Integration
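The default scheme in the list above, SCRAM-SHA-256, and the PBKDF2-HMAC-SHA256 listed further down under Data Security are two halves of one mechanism: PBKDF2 derives the salted password, and SCRAM turns it into a proof that never puts the password on the wire. The following is an added example written from RFC 5802 and RFC 7677, not EC-Net or Niagara code, showing both sides of the four-message exchange. Nonces, iteration count and salt are assumptions chosen for the demonstration (the `__main__` block reuses the inputs of the RFC 7677 worked example so its printed messages can be compared with the RFC); usernames are assumed not to contain `,` or `=`.

```python
import base64
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional, Tuple

HASH = "sha256"  # "sha512" gives the SCRAM-SHA-512 variant; nothing else changes


def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, HASH).digest()


def _h(data: bytes) -> bytes:
    return hashlib.new(HASH, data).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode()


def _attrs(msg: str) -> dict:
    # "k=v,k=v" attribute list; values (base64 salt, nonces) may themselves contain '='
    return dict(item.split("=", 1) for item in msg.split(","))


@dataclass
class StoredCredential:
    """All the server keeps per user: enough to verify a proof, not to forge one."""
    salt: bytes
    iterations: int
    stored_key: bytes  # H(ClientKey)
    server_key: bytes  # HMAC(SaltedPassword, "Server Key")


def enroll(password: str, salt: bytes = b"", iterations: int = 4096) -> StoredCredential:
    """Server-side password setup: SaltedPassword = PBKDF2-HMAC(password, salt, i)."""
    salt = salt or os.urandom(16)
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), salt, iterations)
    client_key = _hmac(salted, b"Client Key")
    return StoredCredential(salt, iterations, _h(client_key), _hmac(salted, b"Server Key"))


def client_first(user: str, cnonce: str) -> Tuple[str, str]:
    """(client-first-message, client-first-message-bare); 'n,,' = GS2 header, no channel binding."""
    bare = f"n={user},r={cnonce}"
    return "n,," + bare, bare


def server_first(cred: StoredCredential, cnonce: str, snonce: str) -> str:
    return f"r={cnonce}{snonce},s={_b64(cred.salt)},i={cred.iterations}"


def client_final(password: str, cnonce: str, first_bare: str, s_first: str) -> Tuple[str, bytes]:
    """(client-final-message, the ServerSignature the client expects back)."""
    a = _attrs(s_first)
    if not a["r"].startswith(cnonce):
        raise ValueError("server nonce does not extend the client nonce")
    salted = hashlib.pbkdf2_hmac(HASH, password.encode(), base64.b64decode(a["s"]), int(a["i"]))
    client_key = _hmac(salted, b"Client Key")
    without_proof = f"c=biws,r={a['r']}"  # "biws" = base64("n,,")
    auth_message = f"{first_bare},{s_first},{without_proof}".encode()
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage): bound to this exchange's nonces
    proof = _xor(client_key, _hmac(_h(client_key), auth_message))
    expected_server_sig = _hmac(_hmac(salted, b"Server Key"), auth_message)
    return f"{without_proof},p={_b64(proof)}", expected_server_sig


def server_final(cred: StoredCredential, first_bare: str, s_first: str, c_final: str) -> Optional[str]:
    """Verify the proof: 'v=...' on success, None on a wrong password."""
    without_proof, proof_b64 = c_final.rsplit(",p=", 1)
    auth_message = f"{first_bare},{s_first},{without_proof}".encode()
    # Recover ClientKey from the proof and check that it hashes to the StoredKey on file
    client_key = _xor(base64.b64decode(proof_b64), _hmac(cred.stored_key, auth_message))
    if not hmac.compare_digest(_h(client_key), cred.stored_key):
        return None
    return "v=" + _b64(_hmac(cred.server_key, auth_message))


def authenticate(cred: StoredCredential, user: str, password: str, cnonce: str, snonce: str) -> bool:
    """Run all four messages in-process; True only if client and server both verify."""
    _, first_bare = client_first(user, cnonce)
    s_first = server_first(cred, cnonce, snonce)
    c_final, expected_sig = client_final(password, cnonce, first_bare, s_first)
    s_final = server_final(cred, first_bare, s_first, c_final)
    if s_final is None:
        return False  # server rejected the client proof
    return hmac.compare_digest(base64.b64decode(s_final[2:]), expected_sig)  # client checks the server


if __name__ == "__main__":
    # Inputs of the RFC 7677 worked example, so the printed messages can be compared with the RFC
    cred = enroll("pencil", base64.b64decode("W22ZaJ0SNY7soEsUEjb6gQ=="), 4096)
    cn, sn = "rOprNGfwEbeRWgbNEkqO", "%hvYDpWUa2RaTCAfuxFIlj)hNlF$k0"
    full, bare = client_first("user", cn)
    sf = server_first(cred, cn, sn)
    cf, _ = client_final("pencil", cn, bare, sf)
    print("C:", full)
    print("S:", sf)
    print("C:", cf)
    print("S:", server_final(cred, bare, sf, cf))
    print("wrong password accepted?", authenticate(cred, "user", "pen", cn, sn))
```

Two things to notice for a BMS deployment: a dump of the station's user store yields only `StoredKey` and `ServerKey`, which let an attacker impersonate the server but not log in as the user without first brute-forcing PBKDF2; and because the proof covers both nonces, a captured exchange cannot be replayed against a station that issues fresh nonces.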

      Data Security

      It comprises the processes and associated tools that protect sensitive information assets, either in transit or at rest. Data security methods include encryption, which renders sensitive data unreadable to anyone without the key, and creating data backups. [2]


      [2] https://www.gartner.com/en/topics/cybersecurity

      Encryption

      Data Encryption

      • All connections to stations are secured and encrypted, e.g. workbench to station, station to station and web connections
      • Both EC-BOS-8 and EC-Net Supervisor have encryption that meets the FIPS 140-2 federal standard. 
      • Meets encryption standards for mission-critical industries such as banking and for US government contracts.
      • Data is encrypted when sent/received, as well as at rest

      Encrypted Protocols

      • BACnet Secure Connect

      Built in PKI management tools

      • Niagara can integrate with any PKI infrastructure, LDAP directories, Kerberos

      Third-Party Module Signing

      • EC-Net enforces the signing of newly added modules and makes administrators aware of any existing unsigned third-party modules.
      • Signature verification detects modules that have been tampered with and ties each module to the publisher that signed it; whether that publisher is trustworthy remains an administrative decision.

      Standard and protocols

      • TLS 1.3, 1.2, 1.1 and 1.0, with an RSA 2048-bit certificate signed using SHA256withRSA (TLS 1.0 and 1.1 are deprecated by RFC 8996; disable them where no legacy client requires them)
      • AES-256-CBC symmetric-key encryption
      • AES-GCM
      • PBKDF2-HMAC-SHA256 (password-based key derivation)
      • Digital signatures: SHA256withRSA (2048-bit RSA asymmetric key)
      • FIPS 140-2 cryptographic module
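Both TLS entries on this page, the ECLYPSE minimum-protocol-version setting and the EC-Net protocol list above, leave TLS 1.0 and 1.1 selectable. The following added example, not code from Distech, ECLYPSE or EC-Net, is a probe a practitioner can point at a controller to see which versions it still negotiates and whether that meets a TLSv1.2 minimum. The target host and port are assumed from the command line; with no argument the script evaluates a constructed result set offline. The `SECLEVEL=0` cipher string lets this client offer legacy versions that OpenSSL 3 refuses by default, so a refusal it measures is the server's, not the probe's own.

```python
import socket
import ssl
import sys

# Protocol versions the page lists as selectable, oldest first.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}
ACCEPTABLE = ("TLSv1.2", "TLSv1.3")  # TLS 1.0 and 1.1 are deprecated by RFC 8996


def probe_version(host, port, version, timeout=5.0):
    """True if the server completes a handshake restricted to exactly `version`."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # negotiation test only; controllers often carry self-signed certs
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # allow this client to offer legacy versions
    except ssl.SSLError:
        pass  # library without security levels: keep its defaults
    ctx.maximum_version = version
    ctx.minimum_version = version
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except ssl.SSLError:
        return False  # the server (or this client's own policy) refused the version
    except OSError as exc:
        raise RuntimeError(f"cannot reach {host}:{port}: {exc}") from exc


def probe_all(host, port):
    """{version name: accepted?} for every version in VERSIONS."""
    return {name: probe_version(host, port, v) for name, v in VERSIONS.items()}


def assess(results):
    """Policy check over a {version: accepted} map; an empty list means compliant."""
    findings = []
    for name, accepted in results.items():
        if accepted and name not in ACCEPTABLE:
            findings.append(f"{name} accepted: raise the minimum protocol version to TLSv1.2 (RFC 8996)")
    if not any(results.get(n) for n in ACCEPTABLE):
        findings.append("no TLSv1.2 or TLSv1.3 handshake succeeded: clients with a TLSv1.2 minimum will be locked out")
    return findings


if __name__ == "__main__":
    if len(sys.argv) > 1:  # usage: python tls_probe.py controller-host[:port]
        host, _, port = sys.argv[1].partition(":")
        results = probe_all(host, int(port or 443))
    else:  # offline demo: constructed result for a controller still on a TLSv1+ minimum
        results = {"TLSv1.0": True, "TLSv1.1": True, "TLSv1.2": True, "TLSv1.3": False}
    for name, ok in results.items():
        print(f"{name}: {'accepted' if ok else 'refused'}")
    findings = assess(results)
    print("\n".join(findings) or "compliant: minimum protocol version is TLSv1.2 or higher")
    sys.exit(1 if findings else 0)
```

Run it before and after changing the minimum version, and keep the output with the commissioning record; the second check in `assess` catches the opposite mistake, a minimum set so high that no supported version is left for the site's clients.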


      Application Security

      The tools available to monitor and confirm the state of the system’s security posture.


      Monitoring

      Security Audit Log

      • Provides users with a history of who, or what, is logging into or changing security-related settings on an EC-Net station
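The audit log described above records the same events the "Secure by Default" lockout acts on, so it is the natural input for a simple detector. The following is an added example, not EC-Net or ECLYPSE code: it parses a constructed, hypothetical export format (timestamp, event, `user=`, `src=`, optional attributes), and the sample lines and the threshold values are assumptions; adapt `LINE` and the constants to your station's real export and site policy. It flags an account reaching the lockout threshold, a successful sign-in that follows such a burst, failures spread across several accounts from one source, and grants of an admin role.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical line layout for a station's audit export; adapt LINE to the real one.
LINE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LOGIN_OK|LOGIN_FAIL|USER_CHANGE) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: (?P<rest>.*))?$"
)
LOCKOUT_THRESHOLD = 5                 # consecutive failures that trip the lockout (site policy)
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_DISTINCT_USERS = 3              # distinct accounts failing from one source inside the window

# Constructed sample export (not real EC-Net or ECLYPSE output).
SAMPLE_LOG = [
    "2024-03-04T08:00:01 LOGIN_OK user=operator src=10.10.1.20",
    "2024-03-04T08:05:10 LOGIN_FAIL user=admin src=10.10.1.55",
    "2024-03-04T08:05:12 LOGIN_FAIL user=admin src=10.10.1.55",
    "2024-03-04T08:05:14 LOGIN_FAIL user=admin src=10.10.1.55",
    "2024-03-04T08:05:16 LOGIN_FAIL user=admin src=10.10.1.55",
    "2024-03-04T08:05:18 LOGIN_FAIL user=admin src=10.10.1.55",
    "2024-03-04T08:05:40 LOGIN_OK user=admin src=10.10.1.55",
    "2024-03-04T08:07:00 LOGIN_FAIL user=operator src=10.10.1.55",
    "2024-03-04T08:07:05 LOGIN_FAIL user=service src=10.10.1.55",
    "2024-03-04T08:09:00 USER_CHANGE user=operator src=10.10.1.20 target=service role=admin",
    "this line is not an audit record and is skipped",
]


def parse_line(line):
    """One record as a dict, or None for lines that do not match the layout."""
    m = LINE.match(line.strip())
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["attrs"] = dict(kv.split("=", 1) for kv in (e.pop("rest") or "").split() if "=" in kv)
    return e


def analyse(lines):
    """Return human-readable findings in the order they are triggered."""
    findings = []
    consecutive = defaultdict(int)       # user -> failures since the last success
    failures_by_src = defaultdict(list)  # src -> [(ts, user)]
    sprayed = set()                      # sources already reported for spraying
    for raw in lines:
        e = parse_line(raw)
        if e is None:
            continue
        user, src, ts = e["user"], e["src"], e["ts"]
        if e["event"] == "LOGIN_FAIL":
            consecutive[user] += 1
            if consecutive[user] == LOCKOUT_THRESHOLD:
                findings.append(f"{user}: {LOCKOUT_THRESHOLD} consecutive failed sign-ins from {src} (lockout threshold reached)")
            failures_by_src[src].append((ts, user))
            recent = {u for t, u in failures_by_src[src] if ts - t <= SPRAY_WINDOW}
            if len(recent) >= SPRAY_DISTINCT_USERS and src not in sprayed:
                sprayed.add(src)
                findings.append(f"{src}: failed sign-ins for {len(recent)} different accounts within {SPRAY_WINDOW} (password spraying?)")
        elif e["event"] == "LOGIN_OK":
            if consecutive[user] >= LOCKOUT_THRESHOLD:
                findings.append(f"{user}: successful sign-in from {src} after {consecutive[user]} failures (confirm it was the legitimate user)")
            consecutive[user] = 0
        elif e["event"] == "USER_CHANGE" and e["attrs"].get("role") == "admin":
            findings.append(f"{user} granted role=admin to {e['attrs'].get('target', '?')} (from {src})")
    return findings


if __name__ == "__main__":
    for finding in analyse(SAMPLE_LOG):
        print(finding)
```

The lockout itself is enforced by the station; the value of running this over the exported log is the follow-up questions it raises (who succeeded right after a burst, and which source is walking through account names), which the lockout counter alone does not answer.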

      Security Dashboard

      • Provides an actionable view into the security posture of your systems and other connected Niagara systems on your network