ICSIS/SCADA Hacker
ASSIGNMENT 7 (W12)
TERM PAPER CONCEPT DEVELOPMENT (OUTLINE)
Name: Deepak Bhusal
Course Number: CSCI 497.1SW (Commerce) and 497.6SW (RELLIS)
Course Time: Monday, 1700 - 1930h
Semester: Fall 2021
Submission: Assignment 7
Due Date: November 22, 2021
Instructor: Joel Langill
Phone: +1 (920) 594-0321
Office Hours: By Appointment (Moodle Message or Email)
The assignment for this week consists of you completing the following:
· Ensure that you have selected a topic under the “Term Paper Topic Selection” activity under the Term Paper section of the course
· Review the “Term Paper Requirements” activity “Contents and Structure” chapter under the Term Paper section of the course
· Complete the outline as directed in this Assignment Submittal on the following pages
Please be sure to complete the cover page with your name as it appears on your university identification card, your corresponding email address, and whether you are attending the Commerce or RELLIS campus course prior to submission. Do not forget to submit your work when you have completed this assignment.
(Note: problems may occur when using Google Chrome as a browser, where it tries to open links in Google Docs. The "Docs PDF/PowerPoint Viewer (by Google)" extension must be disabled or removed.)
The term research paper and associated presentation should be logically divided into sections that follow sound research paper style and address each of the areas defined by the “Term Paper Requirements”. You are free to organize the paper and presentation as appropriate; however, a template has been provided for both the paper and presentation to help start the initial paper structure.
This Assignment requires that you provide the high-level organization and key factual items that will form the basis of the paper. Please supply as indicated below. Information presented should be summarized and demonstrate that the foundation for completion of the paper by the required Due Date has been collected and is understood.
The topics presented in this Assignment are provided to assist in data collection, and do not necessarily need to be covered in the paper in their entirety.
Company Overview
Company Name: Johnson Controls - Metasys (Building Automation)
Company Headquarters: Cork, Ireland
Major Geographical Regions Served: Ireland, Asia, China.
System Name: Metasys
System First Released: 1990
Sales Website URL: https://www.johnsoncontrols.com/buildings/campaign/metasys
Service and Support Website URL: https://www.johnsoncontrols.com/services-and-support
System Overview Brochure URL: https://www.johnsoncontrols.com/building-automation-and-controls/building-management/building-automation-systems-bas
System Overview
Please attach a System Overview graphic (copy/paste from brochure):
Metasys is a building automation system whose software functions as a complete family of systems. Metasys operates a building's electrical and mechanical components, and these components can be controlled according to customer demands. Metasys supports many servers working together as one cohesive system. It is a highly reliable, in-demand application: Metasys® software is made up of various components that provide coordinated control over your building’s systems.
A Metasys site consists of one or more Metasys devices that are continuously connected to an IP network. The primary network area has one or more network engines, and these engines provide the Site Management Portal UI. Through the Site Management Portal UI you can identify the primary network and monitor the users and all devices on the network. The engine types are the SNE Series of Network Engines, which succeed the Network Automation Engines (NAEs); Network Integration Engines (NIEs); the SNC Series of Network Control Engines, which succeed the Network Control Engines (NCEs); and LonWorks® Control Servers (LCSs). These engines are described in further detail below. (Johnson Controls, 2020)
A site can optionally have one or more Metasys servers—computer-based devices that add long-term data storage and support for larger Metasys networks. Metasys server products include Application and Data Servers (ADS), ADS-Lite (available only in specific markets), Extended Application and Data Servers (ADX), Open Application Server (OAS), and BACnet® Open Data Servers (ODS), which are described in further detail in this document. Metasys servers provide the same Site Management Portal UI as the engines. Additionally, the Metasys UI is installed with the Metasys server software, with the exception of ODS, which does not include the Metasys UI.
Each Metasys site has one device (engine or server) that is designated as the Site Director. Typically, the Site Director is the single point of access for all Site Management Portal UI users because the Site Director includes a view of all Metasys devices on the site. If a server is connected to a site, you must designate the server as the Site Director.
The Metasys system uses the standard data formats and communication protocols of the BAS and IT worlds, so it is compatible with the networking infrastructure found in most buildings today. The Metasys system integrates building equipment and systems using BACnet/IP, BACnet MS/TP, N2, LonTalk®, MODBUS, M-Bus, KNX, OPC UA (new at Release 11.0) and web services communication technology. The Metasys system supports BACnet Protocol Revision 18. Johnson Controls BACnet devices and third-party BACnet devices can be connected directly to the IP Ethernet network or to the MS/TP Field Bus. BACnet/IP is also used to integrate SIMPLEX Fire Systems and lighting systems from preferred partners into the Metasys system. LonWorks® controllers from Johnson Controls or LonMark® certified devices from other manufacturers can integrate into the Metasys system architecture. In a similar fashion, prior generations of N2-based Metasys components can integrate into the newer architecture, helping to modernize legacy Metasys installations. The Metasys system also communicates to third-party devices using MODBUS, KNX, and M-Bus integrations. Regardless of the protocols used, the data is available for display in the Metasys user interface, for archiving in application servers, and for transmission to other devices on the IP network.
https://cgproducts.johnsoncontrols.com/met_pdf/1201526.pdf
Names and Functions of Key System Components:
ADS/ADX: The Application and Data Server (ADS) and Extended Application and Data Server (ADX) are software packages that you can use to monitor and control the entire Metasys system. The ADS also serves as a long-term storage device for alarm and event messages, trend data, and user transactions.
The ADX is offered in several models to support up to 10, 25, 50, or 100 concurrent users. As Site Director, the ADS/ADX provides secure communication to a network of NAE, NIE, NCE, SNE and SNC series engines. The ADS/ADX supports robust features that continue to position the Metasys system as the leading building automation system in the industry, including:
Fault detection and fault triage
A Building Network tree that allows faster delivery of the Metasys user interface (UI) by enabling its deployment before the equipment and spaces configuration process
Advanced search and reporting in the Metasys UI, through which operators can find and report on operational data and issue mass commands to restore order
Custom dashboards for the Metasys UI
https://cgproducts.johnsoncontrols.com/cat_pdf/1900200.pdf
OAS: OAS was introduced in Metasys Release 10.1. You can use an OAS as the point of access into a building automation system (BAS) and to archive historical and configuration data for a site. You can use an OAS as the supervisory device for 200 or fewer field devices through BACnet/IP or Remote Field Bus protocols.
The OAS combines many of the functions of a Network Engine with a Metasys Server into a single piece of software with optional add-on features that can be hosted on a virtual machine with required specifications or can be purchased as a turnkey offering, where Johnson Controls provides hardware with software already installed on it. Starting at Release 11.0, there are two licensing options available for the OAS, the OAS Minimum (M4-OASMIN-0) and the OAS Standard (M4-OASSTD-0). The OAS Minimum is a variant of the OAS offering whose capabilities are license-limited. The OAS Minimum cannot supervise child network engines unless a migration license (M4-OASSTD-8) is purchased. The OAS Minimum is offered at a lower price point than the OAS Standard. This provides an affordable Server option for smaller or less complex projects.
Network Engine: The network engine is a family of devices that supervise lower-level field controllers over the Metasys BAS. It provides management and system-wide control over one or more networks of equipment controllers. Network engines can be bound together to scale up to large projects.
The network engines can be networked together for scaling up on large projects, and they can be networked with an ADS, ADX, or OAS for additional functionality and site unification. Network engines provide building control scheduling, alarm and event management, energy management, data exchange, historical data storage and management, and custom control logic. Network engines include an embedded user interface called the Site Management Portal (SMP). Users access the SMP for system navigation and operation using web browser connections.
Network engines are secured from unauthorized access using password protection and permission access control as well as IT security best practices. In addition to providing general comprehensive equipment monitoring and control, network engines also offer specialized capabilities by series, model, and software release to meet a variety of application requirements. The network engines are identified by three types:
Small-capacity engines.
Network Automation Engines: NAE35 and NAE45
SNE Series of Network Engines: SNE1050x and SNE1100x
Large-capacity engines.
Network Automation Engine: NAE55
SNE Series of Network Engines: SNE2200x
Software-only engines.
Network Automation Engine: NAE85
System user interface: Metasys UI and Site Management Portal (SMP). You can use the System Configuration Tool in all phases of engineering, installing, and commissioning of devices that make up the Metasys system. The Metasys UI provides a simple location-based navigation approach to finding information, including the ability to search for any location by name and to bookmark a location in the browser. All data displayed in the Metasys UI is organized in a dashboard format, presenting to you the complete story of what is happening within a space, equipment, or central plant. You can access the Metasys UI from any type of client device with any screen size. The Metasys UI includes features ideal for efficient building operations.
Features of Metasys UI
Fault Detection
Fault Triage
Show Involvement
Send Announcement
Add/Delete/Configure objects
The Metasys SMP provides real-time and historical data views, extensive alarm management capabilities, and system configuration functions for system administrators or dedicated building operators. The SMP transforms the raw data from the site and organizes it into a comprehensive set of information management tools and reports. You can access this portal using the Launcher through an Internet or intranet connection to a Metasys server or engine. The SMP has all the features one expects from a traditional workstation.
Pop-up alarm windows
Navigation tree: you can create multiple custom trees to best represent the logical layout of the facility
Dynamic graphics of systems and floor plans that you can zoom in on to show fine details
Multiple display areas you can size and control individually
Global search function and sorting capability that help you find system information within seconds
The entire user manual available in the Help system
System Configuration Tool (SCT):
The System Configuration Tool (SCT) supports the engineering, installation, and commissioning of your building automation system. The SCT application enables fast offline generation and Metasys UI configuration of the complete site, including point naming; integration of N1, N2, BACnet®, and LonWorks® networks; integration of Modbus, M-Bus, and KNX third-party protocols; integration of local and remote MS/TP devices; definition of tailored summaries and user views; the creation of custom control logic using a graphical user interface; and integration of building systems such as C•CURE 9000 access control, victor video management, Simplex® fire, Zettler® fire, connected lighting systems from preferred vendors, and OPC UA. SCT offers productivity features that include the migration of supervisory devices and the mass creation of equipment, spaces, and serving relationships.
Names of System Communication Networks:
N2 field bus
M-Bus
KNX
Lon
BACnet/IP
Modbus
BACnet MS/TP
Ethernet/IP
What vendor-supplied security components are available?
Monitor the HVAC, lighting, and security systems through a unified user interface.
Alert the operators of facility problems by detecting problems before they become an issue.
Perform a pre-defined action during an alarm event
Create action interlocks to occur within the Metasys system when granted access to the control system.
Initiate a door-open command or trigger a security output point from a single seat operation through our improved unified user experience.
Coordinate control with fire, security, lighting, and other non-HVAC building systems.
Use available options to achieve UL/cUL 864 UUKL 10th Edition Smoke Control listing.
Support your remote monitoring services.
Support of Microsoft® Active Directory Federation Services (ADFS) with the opportunity for a single sign-on (SSO) experience and two-factor authentication (2FA)
Does the vendor offer any other systems as part of their portfolio? If so, please provide system names.
No
Communications and Protocols
Describe the primary protocols and methods used between the key system asset types. This must address communication to/from field-connected controllers, communication to/from human-machine interfaces, and communication to/from historical data repositories as a minimum.
BAC/IP:
BACnet MS/TP:
N2 Communication Interface:
The Johnson Controls N2 Technology Option provides a serial data port, allowing VSDs (variable speed drives) to be linked to form a network. Using a Network Control Module, this network can be continuously controlled to provide supervision and monitoring for each VSD in the system. With each unit under local control, the central supervisor performs only periodic setpoint updating, control sequencing and data collection.
LON:
MODBUS KNX M-BUS:
H-LINK:
ZigBee wireless:
Are any of these protocols proprietary? If so, please describe.
Yes. N2 is a proprietary Johnson Controls protocol.
N2:
Industry Sectors using this System
Please provide the primary markets at which the system is targeted. You can either use U.S. defined Critical Infrastructure and Key Resources (CIKR), or Standard Industry Classification (SIC) for industry identification.
(hint: https://en.wikipedia.org/wiki/Standard_Industrial_Classification )
Environmental controls (HVAC): SIC = 3822
Metasys Building Automation and Energy Management system: SIC Code 1711
Metasys safety and fire protection: NAICS = 922160
https://siccode.com/business/digital-media-solutions-2
Vulnerabilities Disclosed for this System
Please provide any vulnerabilities that have been publicly disclosed that target the system under consideration. Include source, year, and disclosure reference identifier.
(hint: useful links are provided under the Week 9 Vulnerability and Exploit References provided on the Moodle LMS)
CVE-2021-27657 (published June 04, 2021, 11:15:07 AM -0400): "... allowing them to access or modify system files by sending specifically crafted web messages to the Metasys system."
CVE-2020-9050 (published February 19, 2021, 1:15:11 PM -0500): "... allow a remote unauthenticated attacker to access and download arbitrary files from the system."
CVE-2020-9044 (published March 10, 2020, 4:15:22 PM -0400): "XXE vulnerability exists in the Metasys family of product Web Services which has the potential to facilitate DoS attacks or harvesting of ASCII server files."
CVE-2018-10624 (published August 01, 2018, 5:29:00 PM -0400): "... allow an attacker to obtain technical information."
CVE-2014-5428 (published March 29, 2015, 6:59:01 AM -0400): "... allows remote attackers to execute arbitrary code by uploading a shell script."
CVE-2014-5427 (published March 29, 2015, 6:59:00 AM -0400): "... allows remote attackers to read password hashes via a POST request."
Were publicly available exploit packages made available that target the identified vulnerabilities?
(hint: useful links are provided under the Week 9 Vulnerability and Exploit References provided on the Moodle LMS)
No
Impact and Consequences to Industry Sectors Served (Risk Identification)
For the top 2-3 vulnerabilities discussed above, please provide a brief scenario (1-2 sentences) of how the successful exploitation of the vulnerability would impact the operation of the system and how it delivers its essential services to the industry in which it is deployed.
CVE-2018-10624:
The vulnerability results from improper error handling in HTTP-based communication, which allows an attacker to obtain technical information about the system.
CVE-2014-5427:
Successful exploitation allows remote attackers to read password hashes via a POST request. This could give the attacker access to the system, where they might steal valuable data or cause physical damage to the equipment the system controls.
Mitigation (Risk Reduction)
Though NOT required for this Assignment, please be prepared in the term paper to discuss the vendor’s recommendations to mitigate the risk introduced from these vulnerabilities, and AT LEAST one compensating control that could be used to reduce risk in the absence of applying the vendor’s recommended corrective action. Attention should focus on minimizing the severity of the Consequence/Impact and not that of the vulnerability alone in isolation.
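As an added defender-side example that is not part of this assignment and not Johnson Controls code, the following Python shows the kind of compensating control the Mitigation section asks about for an XXE weakness such as the one described under CVE-2020-9044: a web-services front end that refuses any XML message carrying a DOCTYPE before the parser can define or expand entities, so neither external entity file reads nor entity-expansion denial of service can be triggered. The message layout, element names and file path are constructed placeholders, not the Metasys web-services format.

```python
import xml.parsers.expat as expat


class DisallowedDoctypeError(ValueError):
    """Raised when an incoming XML message declares a DTD (the XXE vector)."""


def parse_untrusted_xml(data: bytes) -> list:
    """Parse XML received from a client and return the element names seen.

    The parser aborts on the first <!DOCTYPE ...> declaration, before any
    <!ENTITY ...> definitions are processed, so external (SYSTEM/PUBLIC)
    entities are never resolved and nested internal entities are never
    expanded.
    """
    parser = expat.ParserCreate()
    # Belt and braces: never process parameter entities or external subsets.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    elements = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Exceptions raised inside a handler propagate out of Parse().
        raise DisallowedDoctypeError(
            f"DOCTYPE '{name}' is not allowed in client messages")

    def on_start(name, attrs):
        elements.append(name)

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.Parse(data, True)
    return elements


def screen_message(data: bytes) -> dict:
    """Front-end check for a web-services endpoint.

    Returns a verdict dict suitable for logging or alerting rather than
    raising, so a rejected message can be recorded as a security event.
    """
    try:
        names = parse_untrusted_xml(data)
    except DisallowedDoctypeError as exc:
        return {"accepted": False, "reason": str(exc), "elements": []}
    except expat.ExpatError as exc:
        return {"accepted": False, "reason": f"malformed XML: {exc}", "elements": []}
    return {"accepted": True, "reason": "", "elements": names}


# Constructed sample messages (hypothetical format, not real Metasys traffic).
BENIGN_MESSAGE = b"""<?xml version="1.0"?>
<readProperty><object>AHU-1.ZoneTemp</object></readProperty>"""

# External-entity message: would try to pull a server file into the reply.
XXE_STYLE_MESSAGE = b"""<?xml version="1.0"?>
<!DOCTYPE readProperty [
  <!ENTITY ext SYSTEM "file:///placeholder/server-file.txt">
]>
<readProperty><object>&ext;</object></readProperty>"""

# Nested internal entities: the entity-expansion (DoS) variant.
EXPANSION_MESSAGE = b"""<?xml version="1.0"?>
<!DOCTYPE data [
  <!ENTITY a "aaaaaaaaaa">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
]>
<data>&b;</data>"""


if __name__ == "__main__":
    for label, msg in [("benign", BENIGN_MESSAGE),
                       ("external entity", XXE_STYLE_MESSAGE),
                       ("entity expansion", EXPANSION_MESSAGE)]:
        print(label, "->", screen_message(msg))
```

Placing this check in front of the web-services handler (or in a reverse proxy) reduces the consequence of the XXE weakness while a vendor fix is pending, and the rejection reason gives the SOC a concrete event to alert on; it does not replace applying the vendor's corrective action.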
Do not forget to submit your work when you have completed this assignment.
CSCI 497 F21 - Assignment 7
Fundamentals of Industrial Control System Cyber Security © 2012-2021 ICSCSI LLC
Fall 2021 Page 1 of 12