New Cybersecurity Standards for the Internet of Things
OpenC2 is a communication standard for coordinating responses to cybersecurity attacks without regard to the technology of the device that is responding.
As I write this, the OASIS Open Command and Control (OpenC2) specification is going through its final vote. OpenC2 is a communication standard for coordinating responses to cybersecurity attacks without regard to the technology of the device that is responding. In effect, OpenC2 defines Service Oriented Security. The target use of OpenC2 is in the Internet of Things (IoT).
Service Oriented Architectures receive requests to provide a service, rather than the detailed control instructions that typify communications with building systems. OpenADR is a good example, whereby a utility or other energy supplier can request that a building reduce energy usage during a particular window for a price. OpenADR is a profile of OASIS Energy Interoperation that defines the services for coordinating energy supply and consumption. A request for a commercial building to switch to its open hours operating posture might be another service. In OpenC2, the services requested are tied to cybersecurity.
OpenC2 defines a Message that may contain one or more Commands. Each Command is described using an Actuator Profile. Standard Actuator Profiles are defined in the Standard. Custom Actuator Profiles are submitted by users, or by device makers, to describe what their system or device can do and how it will reply. The initial messages are in structured JSON sent over HTTPS—there are already other formats being standardized. Systems will be expected to share their cybersecurity capabilities almost as device drivers are shared today, by exposing Actuator Profiles to those
The initial Standard Profiles look like firewall commands. The commands are brand agnostic—a stateless packet filter request is the same no matter what brand of firewall router it is sent to. But OpenC2 is intended for the Internet of Things. Already AT&T, a committee member, is planning to send OpenC2 commands to hundreds of thousands of devices at one time. A building management system or even a small device can be the target of a command as well. The aquarium thermometer that was famously hacked in a casino a couple of years ago could potentially receive an OpenC2 request as well.
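To make the brand-agnostic point concrete, here is an added example (not code from the OpenC2 project or from this article) in which one stateless packet filter command is validated and rendered for two different firewalls. The command fields (`action`, `target`, `ipv4_net`, `actuator`, `slpf`) and the response `status` codes follow the published OpenC2 language and packet filter profile, which this page does not show; the renderer table, the `results["rule"]` key and the inbound-source interpretation are assumptions made for illustration.

```python
import ipaddress
import json

# Constructed sample command. Field names follow the published OpenC2 language
# and stateless packet filter (slpf) profile; they are not shown on this page.
SAMPLE_COMMAND = json.dumps({
    "action": "deny",
    "target": {"ipv4_net": "203.0.113.0/24"},  # documentation address range
    "actuator": {"slpf": {}},
})

# Hypothetical renderers: the same request expressed in two device syntaxes.
# Both assume the network is the source of inbound traffic (a simplification).
RENDERERS = {
    "iptables": lambda net, v: f"iptables -A INPUT -s {net} -j {v.upper()}",
    "nftables": lambda net, v: f"nft add rule inet filter input ip saddr {net} {v}",
}
VERDICTS = {"deny": "drop", "allow": "accept"}


def handle_command(raw, backend):
    """Validate one OpenC2 command and return an OpenC2-style response dict."""
    # The rule is returned under results["rule"] (a key invented for this
    # example) rather than applied, so the function has no side effects.
    try:
        cmd = json.loads(raw)
        action, target = cmd["action"], cmd["target"]
        actuator = cmd.get("actuator", {"slpf": {}})
        if not (isinstance(action, str) and isinstance(target, dict)
                and len(target) == 1 and isinstance(actuator, dict)):
            raise ValueError("malformed action, target or actuator")
    except (ValueError, KeyError, TypeError) as exc:
        return {"status": 400, "status_text": f"bad command: {exc}"}

    if "slpf" not in actuator:
        return {"status": 501, "status_text": "actuator profile not supported"}
    if action not in VERDICTS or "ipv4_net" not in target:
        return {"status": 501, "status_text": "action/target pair not implemented"}

    try:
        # Strict parsing rejects host bits and trailing text, so nothing but a
        # normalized CIDR block can reach the rendered rule.
        net = str(ipaddress.IPv4Network(str(target["ipv4_net"]), strict=True))
    except ValueError as exc:
        return {"status": 400, "status_text": f"bad ipv4_net: {exc}"}

    rule = RENDERERS[backend](net, VERDICTS[action])
    return {"status": 200, "results": {"rule": rule}}
```

The controller sends the same JSON to every device; only the consumer on each device knows its local rule syntax, and anything it cannot parse or does not implement is answered with a 400 or 501 status instead of being passed to the firewall.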
Already there is talk of OpenC2 profiles for Electric Power. Microgrids, storage systems, and generators could all respond to commands using the same Profile. These profiles don’t look like traditional cybersecurity requests but may include protecting systems from hacks on the power itself. (See http://www.newdaedalus.com/articles/2019/6/27/cybersecurity-of-powerresources.html). The network interfaces of these power devices could also respond to firewall requests, dropping packets from known dangerous
Future work is adding new message types to OpenC2; they may be requests for polling, or to extend situation awareness from the distributed node back to the center. The one thing that is certain is that some of your biggest customers will require OpenC2 in their purchasing decisions. It is already time to begin watching this standard.
For now, the easiest way to participate is by submitting your own custom profiles to the OpenC2 Repositories. The Custom Actuator Profile library is at https://github.com/oasis-open/openc2-custom-aps. How can your building system participate in cybersecurity?
Or write me if you want to know more…