
The Role of the Distributor in “Cyber Harmony”

Mike Mitchell - CTO for Cochrane Supply

I was talking the other day to Greg Fitzpatrick about that great new concept of “Cyber Harmony” – basically, it’s getting all involved parties for a building controls system on the same page in regard to the processes and requirements where cybersecurity for those systems is concerned. You know, best practices, designing the systems with the Defense-In-Depth concepts in mind, knowing the better vendors for cybersecurity products; the ones that try to make things simple to deploy, but provide robust protection, that sort of thing. In discussing it, I mentioned our role, coming from Cochrane Supply, a Controls Distributor, in the relations between the parties involved.

So, in looking at that, my first observation (besides the fact that it’s a cool concept that illustrates a great point) was… “we’re the glue!”

The Glue

So, maybe glue, maybe we’re the connectors, the wiring – pick your analogy. But in essence, the role of a distributor (and one which fully supports the components and devices we sell, along with our vendors) is to enable and support the communication between all those entities pictured above. The end goal is to make the job go better, and to make sure everyone is on board and is aware of the responsibilities and requirements of each party involved. In the 23 years I’ve worked for Cochrane Supply, we’ve helped each entity with their requirements, even to the point of educating them as to the existence of these requirements!

Here are some examples:

Large Commercial Building’s OT Network

About 22 years ago, when I first came on board Cochrane Supply, I didn’t leave the I.T. world behind, I entered a new dimension of it. Protecting networks and systems on an I.T. network was very similar to protecting them on an O.T. network in basic concept, but it would turn out that some of the practices involved would prove to be quite different. The practice of aggressively scanning an office network of desktop PCs, for example, might not work out so well on an OT network’s system of controllers that rely on timely communication, where any significant interruption could result in… well, let’s just say, bad things happening.

As such, separating the building control system’s devices from the regular office network seemed to be a good idea, and there was a 16-story building in downtown Detroit that was in the process of installing 36 Tridium R2 Jace controllers. Most of the communication trunks back then were serial trunks – Lon or BACnet or what have you. So, protecting and securing this new style network was important! We helped all the parties involved, from Limbach (the controls contractor), Wallbridge-Aldinger (the General), the building-owner-and-end-user Compuware, to the fantastic sales and support teams from Tridium, get involved in deep discussions on the best ways to go about things. Switch selection, technologies required for those switches, best placement in the building per each floor’s controller requirements, whether remote access inbound would be allowed, who would be responsible for each aspect of the job, you name it. It was a great experience, and I met a great many of the people in the industry who I would continue to work with over the next two decades.

Ohio College’s Secure Remote Access to OT Network

Another job involved a large college campus in the Cleveland area.  For that one, there were again many entities involved – Siemens, I believe, was the main contractor involved, but they had also subcontracted others, and used a variety of controls to get the job done.  Some were already pre-existing (and required some new drivers for modern communications to happen), and some were retrofitted with newer controls.  Again, an IP network was to be installed for the building controls devices, with serial trunk gateways at certain points in the system.  Limited remote access needed to be provided to some of the parties involved, so we wound up organizing a few roundtables with the I.T. staff of the college so that they would feel comfortable with our suggestions and that a secure agreed-upon solution could be provided.  The job also required some limited outbound access for the emailing of reports necessary to prove out the worth of the new installation. 

With all those necessary people in the room, they were able to hear out these requirements and to hash out what would and should be allowed for access inbound and outbound from the OT network and the selected controllers in question, and whose responsibilities it would be for those things to happen.  We helped the subcontractor for the controls with a new serial bus driver to an old system, helped them talk the I.T. talk to the college’s staff under the auspices of the General, and helped them write the specific control programming to enable those outbound reports.

Michigan College’s Secure Local Device Access to OT Network

This last example is a more recent one using more advanced technologies. We helped to roll out a trial of a new Augmented Reality device, a HoloLens 2 from Microsoft, that would help the college staff and their building control system’s integrator and service provider to visualize their devices and data in a new way. The HoloLens 2, for those that may not have seen it, is a wearable headset that uses a transparent viewscreen before the eyes of the user, on which three-dimensional models and data are displayed. This data ranges from 3D models of floorplans and buildings and 3D models of layouts of ductwork and device locations to 3D models of the air handler (and chiller and boiler and VAV equipment), including live data from those systems.

In order for this to work, secure wireless communications would need to be provided to the HoloLens 2 from the various building control systems involved. We organized meetings between the integrator, the support staff for the buildings, and the CyberSecurity-related support staff of the college, and after just two meetings, we had a great plan for providing that connectivity in a way that reduced the potential attack vectors to the existing OT network, yet provided just what was needed for the project to move forward. This one is still ongoing today!

So by now, you probably get the gist. With the knowledge we have of best practices in the realm of building control systems, and the connectivity that these require, especially with the advent of Cloud technologies, AR/VR, and AI, it’s even more important that all parties involved in a project are on board and aware of the implementation of the devices involved, and how to best protect those systems from harm. It’s important to always strive for methods that include a “Defense-In-Depth” approach, and keeping all parties involved can and will help with identifying and resolving any holes in the system. Our role, while perhaps a little unconventional, winds up being an important one to the process! I guess I’m just not sure which identifying term I’m happier owning: CyberSecurity Enabler? Well, it’s better than BAS System Glue, I suppose!