Dia 1 - LonMark International

Contents

1. [Screenshot: browser certificate dialog for https://192.168.24.150 with the certification path; issuer loytec CA, subject 192.168.24.150, public key RSA 1024 bits, fingerprint algorithm SHA-1.] Securing CEA-852. Integrity: pre-shared key, MD5; channel delay against replay. Access control: channel list. Confidentiality: requires VPN solution. Securing BACnet/IP. Access control: BACnet/IP ACL. [Screenshot: ACL table with columns IP Address, Subnet Mask, Access: 10.101.17.2 / 255.255.255.255 allow; 192.168.0.0 / 255.255.197.0 allow; 0.0.0.0 / 0.0.0.0 deny.] Confidentiality: Internet VPN solution. VPN Solution. VPN tunnel; use VPN routers; IPsec, PPTP. Security Updates. Firmware upgrades; kernel updates for known security issues; permanent checks with newest attack tools; protects against exploits. [Screenshot: Firmware Upgrade task list.] Hardening Guide. Turn off insecure protocols; document open services; logging (system log).
2. Secure Mode: hardening by one switch. User Manual appendix. Approved by GSA (U.S. General Services Administration). Select Models. Security on some models: L-INX 12x, 15x, 22x; L-GATE 95x; L-ROC all models; L-VIS 7, 12, 15. Refer to lock panbot in product catalog. Conclusion. Security built in: firewall, secure protocols, server authentication. Hardening made easy: flip the secure mode switch, create server certificate, change passwords. Questions. [Diagram labels: Firewall, Server Authentication, Channel Encryption.]
3. Security Hardening in Building. Challenges in making building networks secure from inside and outside threats and how we can manage this. The Next Generation. Presenter: Hans-Jörg Schweinzer, LOYTEC, Founding Partner and CEO. Marketing, Business Development, Sales. Involvement: fieldbus and Internet technology for more than 25 years. Active in CEN 247, ISO TC205, CENELEC C205. Overview: Motivation; Security Threats; Network Security; Secure Protocols; System Hardening; Secure Mode. Motivation. Internal comm.: IP-based protocols, IT components, controller to controller, controller to panels. External comm.: mobile devices, Web access, BMS access. Stuxnet on Iranian centrifuge. Threats in the Press. Worm infecting industrial controller equipment. IEEE Spectrum: The Real Story of Stuxnet. Marvel of connectivity illustrates new cyber risks; hackers focus on Internet-connected control systems. July 12 2012. Botnet captures routers. The Washington Post. Malware on routers for spying on traffic, report passwords. c't 21/2013, heise Security. Threats: Clear Text. [Screenshot: Wireshark packet list filtered on a TCP stream.]
4. [Screenshot: Wireshark stream content of a Telnet session between 192.168.2.183 and 192.168.2.75; the RTEMS 4.6.2 login banner is followed by the login name admin and the password admin in clear text; entire conversation 361 bytes.] Read user password (break-in). Record usage behavior (burglars). Threats: Replay. [Screenshot: Wireshark capture of frame 64, 654 bytes, an HTTP/XML POST from 192.168.2.75 (source port 55513) to 192.168.24.250 (port 80).]
5. Encryption. HTTPS (Web UI, Web services, configuration); OPC UA (BMS, visualization); SSH (trouble shooting). Certificate management: pre-installed self-signed; server & CA (site); client certificates. Secure Configuration. Keep passwords secret. Use HTTPS on Web UI. Configurator: secure connection. [Screenshot: Configurator device connection dialog with HTTP Port 80 and HTTPS Port 443.] Server Certificates. Create site CA certificate. Sign server certificate. Use HTTPS. Create certificate request: common name (IP address or DNS name). Install: server certificate on device, site CA certificate on client. Sign Server Certificate 1. [Screenshot: L-INX 151 Web UI, logged in as admin, 2013-10-01 11:52:38, Create Certificate tab: RSA key size 1024, Common Name 192.168.24.150, Organization LOYTEC electronics GmbH, Organization Unit LOYTEC, City Vienna, State Vienna, Country AT (Austria).] Create Certificate Request. Sign Server Certificate 2. Install Ce
6. [Screenshot: XML body of the captured packet, a SOAP envelope carrying an OPC XML-DA Write request.] Threats: Man in the Middle. [Diagram: man in the middle, secure traffic.] Threats: Exploits. Denial of service: keep device from productive function. Use open ports. Exploit vulnerability, e.g. reboot. Security. Communication: integrity, confidentiality, authenticity, non-repudiation. System: strong passwords, restrict access. Integrity. Message integrity: verify message is not altered in transit from Alice to Bob. Message Authentication Code (MAC) with shared secret: non-transmitted secret; secure one-way digest function (MD5, SHA). Fingerprint check. Confidentiality. Encryption: no clear text; Chuck cannot read. Passwords are confidential. Prevent eavesdropping on control data. Stream Cipher Encrypti
7. [Screenshot: default password list entries.] [Screenshot: L-INX 151 Web UI, logged in as admin, 2013-10-02 09:38:18, Change Passwords page: "Enter the desired password for the Administrator and Guest accounts. The Administrator has full access to the device whereas a Guest can only view the status information but not change the configuration. In order to clear a password, leave the password field empty."] Block Access. Firewall: Secure Mode; block all insecure ports; allow defined services. Access control lists: allow certain IP addresses; BACnet/IP ACL; LON 852 channel list; Web service ACL. Firewall and ACL. [Diagram labels: Ethernet, All Protocols, OPC UA, OPC XML-DA, BACnet, HTTPS.] Secure Mode. Configure Secure Mode: turn on switch; add secure services; access over Web service. [Screenshot: data points Secure Mode (input, binary), Secure Mode Set (output, binary), Secure Services (input, string), Secure Services Set (output, string).] Secure Protocols
8. on key, symmetric: must be secret; pre-shared. Key exchange between Alice and Bob. Establish a Secret. [Diagram: Diffie-Hellman key exchange between Alice and Bob illustrated with paint: common paint, secret colours, public transport (assume that mixture separation is expensive), secret colours, common secret.] Digital Signature. Asymmetric cryptography: private key is secret; public key to anyone; complete operation needs both keys. Digital signature: detect forgery and tampering; prove origin of message (authentication); sender cannot deny (non-repudiation). Message fingerprint encrypted with private key. Verify: use public key and compare. Public Key Certificate. Certificate: document with digital signature; bind public key to identity. [Screenshot: installed server certificate, self-signed: RSA key size 1024, validity 2013-09-17 to 2023-09-15, Organization LOYTEC electronics GmbH, Organization Unit Development, City Vienna, State Vienna, Country AT; MD5 and SHA1 fingerprints shown.] Public Key Infrastructure. X.509 certificates: standardized format; common name identifies server; Validity
9. period. Self-signed certificate: trust server by server; web of trust. Trust certificate authority: sign server certificate by CA; server & CA certificates. Trust Certificates. Trust CA certificate. Verify device by server certificate. [Diagram labels: Firewall, Server Authentication, Channel Encryption.] User Restrictions. Change the Password. Admin, Operator, Guest users. PIN protection on LCD. Use strong password: not "admin", "123", "asd". Practice: memorize sentence "LINX security is good for you" -> Lsig4u. [Screenshot: www.defaultpassword.com default password list, displaying 78 passwords of total 1812 entries, with columns Manufacturer, Product, Revision, Protocol, User, Password.]
10. rtificate. [Screenshot: Create Certificate tab with a pending certificate request (PEM text to send to the CA) and the buttons Verify & Install, Cancel Request, Copy Request, Paste Response.] Installed Certificate. [Screenshot: Install Certificate tab showing the installed server certificate: RSA key size 1024, validity start date 2013-10-01, Common Name 192.168.24.150, MD5 and SHA1 fingerprints; options to install certificates (.pem) for the server certificate and CA certificate, reset certificates, and the trusted CA certificate.]
