20 Questions About WACS Answered: Part 2

Manufacturers and engineers weigh in on an emerging technology: Web-accessible controls systems

This is Part 2 of a 2-part series. Read 20 Questions About WACS Answered: Part 1 here.


Inspired by the tremendous interest in Web-accessible controls systems (WACS) observed during the 2001 International Air-Conditioning, Heating, Refrigerating Exposition (AHR Expo 2001) in Atlanta, HPAC Engineering composed a list of 20 questions about WACS that designers and owner-engineers might have. Those questions then were sent to more than a dozen manufacturers, as well as a few designers and owner-engineers. In April, we published responses to the first 10 of those questions. Following are responses to the other 10.

11. Can Web accessibility be provided by a third-party supplier? Can a WACS “integrate” multiple BAS or controls products?

“Today, Web-access tools come from the BAS manufacturer,” Brady Nations, manager of business development for Johnson Controls Inc., said. “This is not likely to change in the near future because the manufacturer knows the requirements for interfacing with their specific system.”

In theory, a WACS enabling device manufactured by a third party that can connect to any BACnet-compliant system is possible, Nations said; however, “Standards continue to be moving targets that result in different methods of implementation by manufacturers.”

To the extent that they support interoperability, Steve Tom, director of technical information for Automated Logic Corp., said, existing building automation systems and controls products can be integrated by a WACS.

“If the equipment vendor is willing to share data with the WACS, and especially if the data is available through an open protocol such as BACnet, then the integration can be relatively simple,” Tom said.

Larry Haakenstad, director of sales for Alerton Technologies Inc., said a WACS can integrate products from other companies as long as its Web server can communicate with them.

Chief Engineer Mike Donlon and IT Strategist Rehan Kamal of Computrols Inc. said there is BAS software that can integrate equipment from multiple manufacturers independent of the Web product.

“This, in turn, can be placed on the Web,” Donlon and Kamal said. “So, although (the) Web product can be used to integrate multiple vendors, this capability has nothing to do with the Internet access itself.”

Some Internet-ready controllers, “on the other hand, were made to have completely open Internet connectivity right down to the controller level,” Donlon and Kamal continued. “WWW access is available at the controller level for human-to-controller access. But more importantly, XML and other standards are being used for truly open, third-party controller-to-controller connectivity.”

Kevin Osburn, vice president of Apogee product marketing and development for Siemens Building Technologies Inc., said a WACS cannot directly integrate multiple building automation systems or controls products. However, once integration between two such systems or products is established, a WACS should be able to “seamlessly provide” consistent monitoring of them, he continued.

12. Can WACS be hacked by outsiders or unauthorized insiders?

“Security is a relative quantity,” Donlon and Kamal of Computrols said. “Vendors (who) say they provide access to the entire world while providing absolute security are in denial. Is there any bank that cannot be robbed? Extremely secure military facilities have their network security compromised regularly. The question is how easy is it and what damage can be done.”

Unauthorized insiders pose a much greater threat to WACS security than do outsiders, and in this respect, WACS are no more or less vulnerable than are conventional building automation systems, Tom of Automated Logic said.

“If the WACS doesn’t provide multiple levels of access with tighter control of critical building functions,” Tom said, “if the WACS doesn’t provide a way to give each operator a unique login and track that operator’s activities, and if the system administrator doesn’t keep an eye on who does what and isn’t vigilant about deleting logins of ex-employees, then the unauthorized insider poses a threat.”

Osburn of Siemens disagreed: “Given that WACS use sophisticated means to secure access, IT people still will be more concerned with Internet access than (with) intranet access.”

That users are limited in the tasks they can perform provides some protection, Paul Ehrlich, business-development leader for The Trane Company, said.

“Being on a shared network is always riskier than being on a dedicated network,” Ehrlich said, “but these risks are balanced by the potential rewards.”

“Fortunately, the technology being used to develop WACS applications is the same technology used in the most critical data systems,” Nations of Johnson Controls said. An example is Secure Socket Layer encryption, which Tom explained, “is widely used to protect credit-card transactions and other financial communications on the Web.”

Donlon and Kamal of Computrols said protection can be provided by first setting up standard Linux firewalls.

“All BAS components use intranet connections that are behind the firewall and protected from actual Internet connections,” Donlon and Kamal said.

Next, secure connections over the Web and encrypted transmissions between the Web server and the building server are made to further discourage “attacks from within the firewall,” Donlon and Kamal continued.

The third step in providing security for WACS involves limiting functionality from the Web server to what is needed from the Web clients.

“Even if Web access is accomplished by hackers, there is a limit to what they can do,” Donlon and Kamal said.

Finally, incoming IPs are limited to specific addresses or ranges of addresses.

“This offers one of the best defenses available,” Donlon and Kamal said. “It allows only connections from known computers.”
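The last two steps described above (limiting what the Web server can do, and accepting connections only from known addresses), together with the per-operator tracking mentioned earlier in this answer, can be sketched as a single request gate. This is an added example, not code from the article or from any vendor quoted in it; the operation names, roles, and address ranges are hypothetical, and the addresses are constructed from documentation ranges.

```python
import ipaddress

# Constructed sample policy: documentation ranges stand in for the
# "known computers" permitted to reach the WACS web server.
ALLOWED_NETWORKS = [ipaddress.ip_network(n)
                    for n in ("192.0.2.0/28", "198.51.100.7/32")]

# Hypothetical operations the web tier exposes, mapped to the roles that
# may invoke them. Anything not listed here (user administration,
# controller programming, ...) is simply not reachable from the Web.
WEB_OPERATIONS = {
    "read_point": {"viewer", "operator"},
    "ack_alarm": {"operator"},
    "write_setpoint": {"operator"},
}

def source_allowed(addr):
    """Return True only if addr parses and falls inside an allowed range."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False  # malformed source address: fail closed
    # Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them
    # so the IPv4 allowlist still applies.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in ALLOWED_NETWORKS)

def authorize(addr, user, role, operation, audit_log):
    """Apply the source, exposure, and role checks; record every decision."""
    if not source_allowed(addr):
        decision = "deny:source"
    elif operation not in WEB_OPERATIONS:
        decision = "deny:not-exposed"
    elif role not in WEB_OPERATIONS[operation]:
        decision = "deny:role"
    else:
        decision = "allow"
    # Each attempt is tied to a unique login so activity can be reviewed.
    audit_log.append((user, addr, operation, decision))
    return decision == "allow"

if __name__ == "__main__":
    log = []
    print(authorize("192.0.2.5", "alice", "operator", "write_setpoint", log))
    print(authorize("203.0.113.9", "alice", "operator", "read_point", log))
    print(log)
```

Denied attempts are logged alongside allowed ones, so an administrator reviewing the log sees probing from unknown addresses as well as operators reaching for functions outside their role.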

