
ASSIGNMENT 7 (W12)

TERM PAPER CONCEPT DEVELOPMENT (OUTLINE)

Name

Deepak Bhusal

Email

[email protected]

Course Number

CSCI 497.1SW (Commerce) and 497.6SW (RELLIS)

Course Time

Monday: 1700 - 1930h

Semester

Fall 2021

Submission

Assignment 7

Due Date

November 22, 2021

Instructor

Joel Langill

Email

[email protected]

Phone

+1 (920) 594-0321

Office Hours

By Appointment (Moodle Message or Email)

The assignment for this week consists of you completing the following:

· Ensure that you have selected a topic under the “Term Paper Topic Selection” activity under the Term Paper section of the course

· Review the “Term Paper Requirements” activity “Contents and Structure” chapter under the Term Paper section of the course

· Complete the outline as directed in this Assignment Submittal on the following pages

Please be sure to complete the cover page with your name as it appears on your university identification card, your corresponding email address, and whether you are attending the Commerce or RELLIS campus course prior to submission. Do not forget to submit your work when you have completed this assignment.

(Note: problems may occur if using Google Chrome as a browser where it tries to open links in Google Docs. The "Docs PDF/PowerPoint Viewer (by Google)" extension must be disabled or removed.)

The term research paper and associated presentation should be logically divided into sections that follow sound research paper style and address each of the areas defined by the “Term Paper Requirements”. You are free to organize the paper and presentation as appropriate; however, a template has been provided for both the paper and presentation to help start the initial paper structure.

This Assignment requires that you provide the high-level organization and key factual items that will form the basis of the paper. Please supply as indicated below. Information presented should be summarized and demonstrate that the foundation for completion of the paper by the required Due Date has been collected and is understood.

The topics presented in this Assignment are provided to assist in data collection, and do not necessarily need to be covered in the paper in their entirety.

Company Overview

Company Name: Johnson Controls - Metasys (Building Automation)

Company Headquarters: Cork, Ireland

Major Geographical Regions Served: Ireland, Asia, China.

System Name: Metasys

System First Released: 1990

Sales Website URL: https://www.johnsoncontrols.com/buildings/campaign/metasys

Service and Support Website URL: https://www.johnsoncontrols.com/services-and-support

System Overview Brochure URL: https://www.johnsoncontrols.com/building-automation-and-controls/building-management/building-automation-systems-bas

System Overview

Please attach a System Overview graphic (copy/paste from brochure):

Metasys is a building automation system, and the Metasys software functions as a complete family of systems. It operates a building's electrical and mechanical components, which can be configured according to the customer's demands. A Metasys installation supports many servers working together as one cohesive system. It is a highly reliable application for demanding uses; Metasys® software is made up of various components that provide coordinated control over your building’s systems.

A Metasys site consists of one or more Metasys devices that are continuously connected to an IP network. The site's primary network has one or more engines, and these engines provide the Site Management Portal UI. Through the Site Management Portal UI, users can identify the primary network and view all devices on the network and their users. The engine types are SNE Series of Network Engines, which succeed the Network Automation Engines (NAEs); Network Integration Engines (NIEs); SNC Series of Network Control Engines, which succeed the Network Control Engines (NCEs); or LonWorks® Control Servers (LCSs). These engines are described in further detail in this document. (Johnson Controls, 2020)

A site can optionally have one or more Metasys servers—computer-based devices that add long-term data storage and support for larger Metasys networks. Metasys server products include Application and Data Servers (ADS), ADS-Lite (available only in specific markets), Extended Application and Data Servers (ADX), Open Application Server (OAS), and BACnet® Open Data Servers (ODS), which are described in further detail in this document. Metasys servers provide the same Site Management Portal UI as the engines. Additionally, the Metasys UI is installed with the Metasys server software, with the exception of ODS, which does not include the Metasys UI.

Each Metasys site has one device (engine or server) that is designated as the Site Director. Typically, the Site Director is the single point of access for all Site Management Portal UI users because the Site Director includes a view of all Metasys devices on the site. If a server is connected to a site, you must designate the server as the Site Director.

Because the Metasys system uses the standard data formats and communication protocols of the BAS and IT worlds, it is compatible with the networking infrastructure found in most buildings today. The Metasys system integrates building equipment and systems using BACnet/IP, BACnet MS/TP, N2, LonTalk®, MODBUS, M-Bus, KNX, OPC UA (new at Release 11.0) and web services communication technology. The Metasys system supports BACnet Protocol Revision 18. Johnson Controls BACnet devices and third-party BACnet devices can be connected directly to the IP Ethernet network or to the MS/TP Field Bus. BACnet/IP is also used to integrate SIMPLEX Fire Systems and lighting systems from preferred partners into the Metasys system. LonWorks® controllers from Johnson Controls or LonMark® certified devices from other manufacturers can integrate into the Metasys system architecture. In a similar fashion, prior generations of N2-based Metasys components can integrate into the newer architecture, helping to modernize legacy Metasys installations. The Metasys system also communicates to third-party devices using MODBUS, KNX, and M-Bus integrations. Regardless of the protocols used, the data is available for display in the Metasys user interface, for archiving in application servers, and for transmission to other devices on the IP network.

https://docs.johnsoncontrols.com/bas/r/Metasys/en-US/Metasys-System-Configuration-Guide/10.1/Metasys-system

https://cgproducts.johnsoncontrols.com/met_pdf/1201526.pdf

Names and Functions of Key System Components:

ADS/ADX: The Application and Data Server (ADS) and Extended Application and Data Server (ADX) are software packages that you can use to monitor and control the entire Metasys system. The ADS also serves as a long-term storage device for alarm and event messages, trend data, and user transactions.

The ADX is offered in several models to support up to 10, 25, 50, or 100 concurrent users. As Site Director, the ADS/ADX provides secure communication to a network of NAE, NIE, NCE, SNE and SNC series engines. The ADS/ADX supports robust features that continue to position the Metasys system as the leading building automation system in the industry, including: fault detection; fault triage; a Building Network tree that allows faster delivery of the Metasys User Interface (UI) by enabling its deployment before the equipment and spaces configuration process; advanced search and reporting through which Metasys operators can find and report on operational data and issue mass commands to restore order via the Metasys UI; and custom dashboards for the Metasys UI.

https://cgproducts.johnsoncontrols.com/cat_pdf/1900200.pdf

https://cgproducts.johnsoncontrols.com/cat_pdf/1900200.pdf

OAS: OAS was introduced in Metasys Release 10.1. You can use an OAS as the point of access into a building automation system (BAS) and to archive historical and configuration data for a site. You can use an OAS as the supervisory device for 200 or fewer field devices through BACnet/IP or Remote Field Bus protocols.

The OAS combines many of the functions of a Network Engine with a Metasys Server into a single piece of software with optional add-on features that can be hosted on a virtual machine with required specifications or can be purchased as a turnkey offering, where Johnson Controls provides hardware with software already installed on it. Starting at Release 11.0, there are two licensing options available for the OAS, the OAS Minimum (M4-OASMIN-0) and the OAS Standard (M4-OASSTD-0). The OAS Minimum is a variant of the OAS offering whose capabilities are license-limited. The OAS Minimum cannot supervise child network engines unless a migration license (M4-OASSTD-8) is purchased. The OAS Minimum is offered at a lower price point than the OAS Standard. This provides an affordable Server option for smaller or less complex projects.

Network Engine: The network engine is a family of devices that supervise lower-level field controllers over the Metasys BAS. It provides management and system-wide control over one or more networks of equipment controllers. Network engines can be bound together to scale up to a large project.

The network engines can be networked together for scaling up on large projects, and they can be networked with an ADS, ADX, or OAS for additional functionality and site unification. Network engines provide building control scheduling, alarm and event management, energy management, data exchange, historical data storage and management, and custom control logic. Network engines include an embedded user interface called the Site Management Portal (SMP). Users access the SMP for system navigation and operation using web browser connections.

Network engines are secured from unauthorized access using password protection and permission access control as well as IT security best practices. In addition to providing general comprehensive equipment monitoring and control, network engines also offer specialized capabilities by series, model, and software release to meet a variety of application requirements. The network engines are identified by three types:

· Small-capacity engines

  · Network Automation Engines: NAE35 and NAE45

  · SNE Series of Network Engines: SNE1050x and SNE1100x

· Large-capacity engines

  · Network Automation Engine: NAE55

  · SNE Series of Network Engines: SNE2200x

· Software-only engines

  · Network Automation Engine: NAE85

System User Interface: Metasys UI and Site Management Portal (SMP). You can use the System Configuration Tool in all phases of engineering, installing, and commissioning of devices that make up the Metasys system. The Metasys UI provides a simple location-based navigation approach to finding information, including the ability to search for any location by name and to bookmark a location in the browser. All data displayed in the Metasys UI is organized in a dashboard format, presenting to you the complete story of what is happening within a space, equipment, or central plant. You can access the Metasys UI from any type of client device with any screen size. The Metasys UI includes features ideal for efficient building operations.

Features of the Metasys UI:

· Fault Detection

· Fault Triage

· Show Involvement

· Send Announcement

· Add/Delete/Configure objects

The Metasys SMP provides real-time and historical data views, extensive alarm management capabilities, and system configuration functions for system administrators or dedicated building operators. The SMP transforms the raw data from the site and organizes it into a comprehensive set of information management tools and reports. You can access this portal using the Launcher through an Internet or intranet connection to a Metasys server or engine. The SMP has all the features one expects from a traditional workstation:

· pop-up alarm windows

· navigation tree: you can create multiple custom trees to best represent the logical layout of the facility

· dynamic graphics of systems and floor plans that you can zoom in on to show fine details

· multiple display areas you can size and control individually

· global search function and sorting capability that help you find system information within seconds

· the entire user manual available in the Help system

System Configuration Tool (SCT):

The System Configuration Tool (SCT) supports the engineering, installation, and commissioning of your building automation system. The SCT application enables fast offline generation and Metasys UI configuration of the complete site, including point naming; integration of N1, N2, BACnet®, and LonWorks® networks; integration of Modbus, M-Bus, and KNX third-party protocols; integration of local and remote MS/TP devices; definition of tailored summaries and user views; the creation of custom control logic using a graphical user interface; and integration of building systems such as C•CURE 9000 access control, victor video management, Simplex® fire, Zettler® fire, connected lighting systems from preferred vendors, and OPC UA. SCT offers productivity features that include the migration of supervisory devices and the mass creation of equipment, spaces, and serving relationships.

Names of System Communication Networks:

· N2 field bus

· M-Bus

· KNX

· Lon

· BACnet/IP

· Modbus

· BACnet MS/TP

· Ethernet/IP

What vendor-supplied security components are available?

· Monitor the HVAC, lighting, and security systems through a unified user interface.

· Alert the operators of facility problems by detecting problems before they become an issue.

· Perform a pre-defined action during an alarm event.

· Create action interlocks to occur within the Metasys system when granted access to the control system.

· Initiate a door-open command or trigger a security output point from a single seat operation through our improved unified user experience.

· Coordinate control with fire, security, lighting, and other non-HVAC building systems.

· Use available options to achieve UL/cUL 864 UUKL 10th Edition Smoke Control listing.

· Support your remote monitoring services.

· Support of Microsoft® Active Directory Federation Services (ADFS) with the opportunity for a single sign-on (SSO) experience and two-factor authentication (2FA).

Does the vendor offer any other systems as part of their portfolio? If so, please provide system names.

No

Communications and Protocols

Describe the primary protocols and methods used between the key system asset types. This must address communication to/from field-connected controllers, communication to/from human-machine interfaces, and communication to/from historical data repositories as a minimum.

BAC/IP:

BACnet MS/TP:

N2 communication Interface:

The Johnson Controls N2 Technology Option provides a serial data port, allowing VSDs (variable speed drives) to be linked to form a network. Using a Network Control Module, this network can be continuously controlled to provide supervision and monitoring for each VSD in the system. With each unit under local control, the central supervisor performs only periodic setpoint updating, control sequencing and data collection.

LON:

MODBUS / KNX / M-Bus:

H-LINK:

ZigBee wireless:

Are any of these protocols proprietary? If so, please describe.

Yes. N2 is a proprietary protocol.

N2:

Industry Sectors using this System

Please provide the primary markets the system is targeted. You can either use U.S. defined Critical Infrastructure and Key Resources (CIKR), or Standard Industry Classification (SIC) for industry identification.

(hint: https://en.wikipedia.org/wiki/Standard_Industrial_Classification )

Environmental control (HVAC): SIC = 3822

Metasys building automation and energy management system: SIC Code 1711

Metasys safety and fire protection: NAICS = 922160

https://siccode.com/business/digital-media-solutions-2

Vulnerabilities Disclosed for this System

Please provide any vulnerabilities that have been publicly disclosed that target the system under consideration. Include source, year, and disclosure reference identifier.

(hint: useful links are provided under the Week 9 Vulnerability and Exploit References provided on the Moodle LMS)

CVE-2021-27657

allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system.

Published: June 04, 2021; 11:15:07 AM -0400

CVE-2020-9050

allow a remote unauthenticated attacker to access and download arbitrary files from the system.

Published: February 19, 2021; 1:15:11 PM -0500

CVE-2020-9044

XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files.

Published: March 10, 2020; 4:15:22 PM -0400
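As an added, defender-side example (not part of the assignment text and not Johnson Controls' code), the following Python shows the input-side control that addresses the XXE class named for CVE-2020-9044: a web service refuses any request body that declares a DTD before the XML parser ever sees it, which covers both the entity-expansion denial of service and the external-entity file harvesting that the CVE text mentions. The <WriteRequest>/<Point> message shape, the point names, and the function names are constructed for illustration and are not real Metasys web-service traffic.

```python
"""Reject DTD and entity declarations before parsing web-service XML.

Added example; not Johnson Controls code. The message shape is constructed.
"""
import re
import xml.etree.ElementTree as ET

# Any DOCTYPE (internal subset or external) or ENTITY declaration is refused
# outright; a building-automation web service has no legitimate need for them.
_DTD_MARKERS = re.compile(rb"<!(?:DOCTYPE|ENTITY)\b", re.IGNORECASE)


class UnsafeXMLError(ValueError):
    """Raised when a request body carries a DTD or entity declaration."""


def safe_parse(body: bytes) -> ET.Element:
    """Parse an XML request body, refusing documents that declare a DTD.

    Checking the raw bytes first means an entity is never handed to the
    parser at all, so the outcome does not depend on parser defaults.
    """
    if _DTD_MARKERS.search(body):
        raise UnsafeXMLError("DTD or entity declaration in request body")
    return ET.fromstring(body)


def extract_point_commands(body: bytes) -> dict:
    """Return {point name: value} from a constructed <WriteRequest> document."""
    root = safe_parse(body)
    return {p.get("name"): p.text for p in root.iter("Point")}


def classify(body: bytes) -> str:
    """Label a body 'accepted' or 'rejected' so a gateway can log the outcome."""
    try:
        extract_point_commands(body)
        return "accepted"
    except UnsafeXMLError:
        return "rejected"


# Constructed sample bodies (hypothetical message format, not real traffic).
BENIGN_BODY = b"""<?xml version="1.0"?>
<WriteRequest>
  <Point name="AHU-1.SAT-SP">55.0</Point>
  <Point name="AHU-1.OCC-CMD">1</Point>
</WriteRequest>"""

# Same shape, but with an internal DTD that declares an entity. The gateway
# refuses the whole body, so neither expansion nor resolution ever happens.
DTD_BODY = b"""<?xml version="1.0"?>
<!DOCTYPE WriteRequest [
  <!ENTITY val "55.0">
]>
<WriteRequest>
  <Point name="AHU-1.SAT-SP">&val;</Point>
</WriteRequest>"""


if __name__ == "__main__":
    print(extract_point_commands(BENIGN_BODY))
    print(classify(BENIGN_BODY), classify(DTD_BODY))
```

The check is deliberately a byte-level pre-filter rather than a parser option: it gives the same result whatever XML library sits behind the service, and a rejected body is a clean, loggable event for the operations team rather than a parser error buried in a stack trace.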

CVE-2018-10624

allow an attacker to obtain technical information.

Published: August 01, 2018; 5:29:00 PM -0400

CVE-2014-5428

allows remote attackers to execute arbitrary code by uploading a shell script.

Published: March 29, 2015; 6:59:01 AM -0400

CVE-2014-5427

allows remote attackers to read password hashes via a POST request.

Published: March 29, 2015; 6:59:00 AM -0400

Were publicly available exploit packages made available that target the identified vulnerabilities?

(hint: useful links are provided under the Week 9 Vulnerability and Exploit References provided on the Moodle LMS)

No

Impact and Consequences to Industry Sectors Served (Risk Identification)

For the top 2-3 vulnerabilities discussed above, please provide a brief scenario (1-2 sentences) of how the successful exploitation of the vulnerability would impact the operation of the system and how it delivers its essential services to the industry in which it is deployed.

CVE-2018-10624:

The vulnerability results from improper error handling in HTTP-based communication, which allows an attacker to obtain technical information.

CVE-2014-5427:

Successful exploitation allows remote attackers to read password hashes via a POST request. This can give the attacker access to the system, where they might steal valuable data or cause physical damage to the system.

Mitigation (Risk Reduction)

Though NOT required for this Assignment, please be prepared in the term paper to discuss the vendor’s recommendations to mitigate the risk introduced from these vulnerabilities, and AT LEAST one compensating control that could be used to reduce risk in the absence of applying the vendor’s recommended corrective action. Attention should focus on minimizing the severity of the Consequence/Impact and not that of the vulnerability alone in isolation.

Do not forget to submit your work when you have completed this assignment.

CSCI 497 F21 - Assignment 7

Fundamentals of Industrial Control System Cyber Security © 2012-2021 ICSCSI LLC

Fall 2021