oBIX Group Organization
The oBIX group is made up of several working groups in different areas related to the development process.

 

Data and Web Services Working Group

Mission: The mission of the group is to define standard XML data representations and web services for data acquisition and control systems. The core of the standard will be a foundation of common types and services applicable to horizontal issues including discovery, points, historical trends, and alarming. Additional libraries may be defined upon this foundation for vertical domains (HVAC, lighting, security, etc.) and heterogeneous protocols (BACnet, LonWorks, Modbus, etc.).

Task Group Leader:

Aaron Hansen, Senior Software Engineer, Tridium Inc.

Active Participants:

 

Security Working Group

Task Group Mission & Objectives:

- To understand the scope, structure and functions of the oBIX platform
- To research and define security technology appropriate to that platform
- To define general and specific security issues of the platform
- To create a guideline for the application of the technology to address those issues

No new technology will be offered by the group. Rather, the guidelines will help practitioners to identify the appropriate technology to be used and implemented in order to deal with defined vulnerabilities and threats.

The working group recognizes that security imposes financial and performance burdens on systems and the group will strive to identify what constitutes ‘just enough’ security.

Organizations may need to implement specific safeguards which go beyond the proposed guidelines. Consequently the guidelines must be flexible enough to accommodate specific requirements.

Task Group Leader:

Peter Manolescue – Senior Consultant, securityXML Ltd

The target audience for the guidelines includes:

- IT managers
- Network operators
- Network security managers
- Software programmers
- Building control system architects
- Facility managers
- System integrators
- Building system dealers

Security guidelines will be formulated as a function of the output of the other oBIX groups and consist of:

1) Use cases showing specific, real-life scenarios of how building systems could be compromised from inside or outside of the organization. These scenarios will be presented in plain English to highlight vulnerabilities and threats in order to reveal the plausibility and seriousness of potential security breaches. Network security risks fall under five general headings:

- Authentication
- Authorization
- Confidentiality
- Integrity
- Non-Repudiation

2) An overview of appropriate IP, XML and Web Services technologies that have been approved by industry bodies such as W3C, OASIS, WS-I and the Liberty Alliance. Technologies to be considered will include:

- HTTP/S
- XML-Signature
- XML Encryption
- XKMS
- SAML
- WS-Security

3) Examples to show how these technologies address identified risks as presented in the use cases.

Research in IT shows that security should be designed in at the earliest moment rather than added on after the design of a component or a system.

Therefore, in addition, a methodology will be identified or developed to assist the target group to:

- identify the risks present at the level of the work for which they are responsible
- analyze the security technologies that are already present in the components they are working with
- indicate what additional measures and technologies are required to provide the appropriate level of security

All output of the security working group will be submitted to the other oBIX groups for comment and eventual modification.