Hackers who take over a lighting system may cause irritation but they do no damage. They do show that it is possible, and that is the rub. Because what if someone wants to do harm and is after company data? Or private data for blackmail? Cybersecurity needs to be given serious attention. Martin van Ling, director of Hestia Domotica, talks about the practical side of online security.

By: Marion de Graaff, Installation Journal

Van Ling is a member of both the technical committee and the marketing committee of KNX Nederland, and is the director of Hestia Domotica. As a system integrator, he works with all systems on the market, and has extensive experience in securing all these different systems online.

KNX

To start, Van Ling briefly explains that the KNX protocol connects all systems to each other. “It ensures that everything can talk to each other, even if the components come from different manufacturers or from a completely different type of installation. In order to be able to secure a system, it is important to understand the topology. With KNX, this is as follows: you build a line, to which you can then connect 255 bus participants. If you want to accommodate more components, you create a main line and connect the required number of lines to it using line couplers. You can then create 15 lines, and with the help of a backbone you can do this 15 more times. In this way, you can build an enormous network. The only restriction is that you do not make circles, for example by connecting the lines to each other. That entire network can be connected to IP so that you can make a connection with all kinds of equipment from the system world. You can also choose to connect all lines directly to an IP backbone using IP routers. This allows you to make visualizations of the entire system possible, but also to program and manage it remotely. Indispensable if you monitor customers' central heating boilers from the business. Or if you want to read out an entire HVAC installation because a fault has been reported.”

Port 3671

“And where are the threats?”, Van Ling asks. “Of course, they come first from the evil outside world. All sorts of things can come in via a router, and what you should absolutely never do is open port 3671. An ethical hacker recently discovered that this happens on a large scale. I tell you: Don’t do it. You open the system to all sorts of misery from outside, and hackers can get into your network, with all the consequences that entails.”
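The two passages above describe the KNX topology (areas, lines, bus participants) and warn against exposing port 3671. The following is an added example, written for this edit and not code from the article, from Hestia Domotica or from KNX Nederland. It builds the KNXnet/IP SEARCH_REQUEST that any host can send to UDP 3671, parses the SEARCH_RESPONSE a gateway answers with, decodes the 16-bit individual address into the area.line.device form the topology explanation uses, and lists what the reply already gives away. The gateway in the constructed reply (name, addresses, serial number, MAC) is fictitious; the service family identifiers follow the KNXnet/IP specification, with 0x09 taken here to be the KNX IP Secure family (an assumption stated in the code).

```python
"""KNXnet/IP discovery on UDP 3671: SEARCH_REQUEST out, SEARCH_RESPONSE back.
Added example; the gateway data below is constructed, not a real device."""
import socket
import struct

KNXNETIP_PORT = 3671
KNX_MULTICAST = "224.0.23.12"   # KNXnet/IP system-setup multicast address
HEADER_SIZE = 0x06
PROTOCOL_VERSION = 0x10
SEARCH_REQUEST = 0x0201
SEARCH_RESPONSE = 0x0202
HPAI_IPV4_UDP = 0x01
DIB_DEVICE_INFO = 0x01
DIB_SUPP_SVC_FAMILIES = 0x02
# 0x09 assumed to be the KNX IP Secure service family (KNXnet/IP Secure extension)
SERVICE_FAMILIES = {0x02: "Core", 0x03: "Device Management", 0x04: "Tunnelling",
                    0x05: "Routing", 0x09: "Secure"}


def hpai(ip, port):
    """Host Protocol Address Information: 8-byte UDP/IPv4 endpoint."""
    return struct.pack("!BB4sH", 8, HPAI_IPV4_UDP, socket.inet_aton(ip), port)


def frame(service_type, body):
    """Prefix the 6-byte KNXnet/IP header (size, version, service, total length)."""
    return struct.pack("!BBHH", HEADER_SIZE, PROTOCOL_VERSION, service_type,
                       HEADER_SIZE + len(body)) + body


def build_search_request(reply_ip, reply_port):
    """SEARCH_REQUEST: header + HPAI telling the gateway where to answer. No auth."""
    return frame(SEARCH_REQUEST, hpai(reply_ip, reply_port))


def individual_address(raw):
    """16-bit individual address -> area.line.device (4 + 4 + 8 bits): the
    15 areas x 15 lines x up-to-255 participants topology described above."""
    return f"{raw >> 12}.{(raw >> 8) & 0x0F}.{raw & 0xFF}"


def parse_search_response(data):
    """Decode SEARCH_RESPONSE: control-endpoint HPAI followed by DIB blocks."""
    hdr_len, version, service, total_len = struct.unpack_from("!BBHH", data, 0)
    if (hdr_len, version) != (HEADER_SIZE, PROTOCOL_VERSION):
        raise ValueError("not a KNXnet/IP frame")
    if service != SEARCH_RESPONSE or total_len != len(data):
        raise ValueError("unexpected service type or length")
    _, _, ip_raw, port = struct.unpack_from("!BB4sH", data, HEADER_SIZE)
    info = {"control_endpoint": f"{socket.inet_ntoa(ip_raw)}:{port}", "families": {}}
    offset = HEADER_SIZE + 8
    while offset + 2 <= len(data):
        dib_len, dib_type = data[offset], data[offset + 1]
        if dib_len < 2 or offset + dib_len > len(data):
            raise ValueError("malformed DIB")
        dib = data[offset + 2:offset + dib_len]
        if dib_type == DIB_DEVICE_INFO:     # 54-byte device information block
            medium, status, ia, _proj, serial, mcast, mac, name = struct.unpack(
                "!BBHH6s4s6s30s", dib)
            info.update(medium=medium, programming_mode=bool(status & 0x01),
                        individual_address=individual_address(ia), serial=serial.hex(),
                        multicast=socket.inet_ntoa(mcast), mac=mac.hex(":"),
                        name=name.split(b"\x00", 1)[0].decode("ascii", "replace"))
        elif dib_type == DIB_SUPP_SVC_FAMILIES:   # (family id, version) pairs
            for i in range(0, len(dib) - 1, 2):
                info["families"][SERVICE_FAMILIES.get(dib[i], f"0x{dib[i]:02x}")] = dib[i + 1]
        offset += dib_len
    return info


def exposure_findings(info):
    """What one unauthenticated datagram to port 3671 already tells an outsider."""
    findings, fams = [], info["families"]
    if "Tunnelling" in fams and "Secure" not in fams:
        findings.append("plain tunnelling offered: bus telegrams can be sent and read "
                        "by anyone who reaches " + info["control_endpoint"])
    if "Device Management" in fams and "Secure" not in fams:
        findings.append("plain device management offered: gateway properties exposed")
    if info.get("programming_mode"):
        findings.append("device is in programming mode")
    return findings


def constructed_search_response():
    """A SEARCH_RESPONSE assembled by hand for offline use (fictitious gateway)."""
    control = hpai("192.168.1.10", KNXNETIP_PORT)
    device = struct.pack("!BBBBHH6s4s6s30s", 54, DIB_DEVICE_INFO, 0x02, 0x00, 0x1102, 0,
                         bytes.fromhex("00ef26500001"), socket.inet_aton(KNX_MULTICAST),
                         bytes.fromhex("00246d010203"), b"Hotel-KNX-GW".ljust(30, b"\x00"))
    families = struct.pack("!BB", 10, DIB_SUPP_SVC_FAMILIES) + bytes([2, 1, 3, 1, 4, 1, 5, 1])
    return frame(SEARCH_RESPONSE, control + device + families)


def discover(local_ip, timeout=2.0):
    """Live use only (not run here): multicast a SEARCH_REQUEST and collect replies."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.bind((local_ip, 0))
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(local_ip))
        sock.settimeout(timeout)
        sock.sendto(build_search_request(*sock.getsockname()), (KNX_MULTICAST, KNXNETIP_PORT))
        results = []
        try:
            while True:
                results.append(parse_search_response(sock.recv(512)))
        except socket.timeout:
            return results


if __name__ == "__main__":
    reply = parse_search_response(constructed_search_response())
    print(reply)
    for finding in exposure_findings(reply):
        print("-", finding)
```

Run against the constructed reply it prints the gateway's name, individual address 1.1.2, MAC and the offered service families, then the findings. The same parser applied to a real answer from `discover()` on a LAN, or to a unicast reply from a single forwarded address, shows the practical meaning of "never open port 3671": the discovery exchange has no authentication, and a gateway that advertises plain tunnelling lets whoever reaches its control endpoint open a connection and put telegrams on the bus.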

Programming routers

Programming routers and Wi-Fi access points may not be very difficult, but you still need to know what you are doing, says Van Ling. “If you are configuring a router and access point for a customer somewhere and he indicates that he also wants a guest network, you can simply create an SSID and call it a guest network. But then you are on the same network, and a guest can access everything. Setting up a VLAN is the solution here, but don't start if you don't know how to do it. Cyber security is largely a matter of awareness, of realizing how it works and understanding what can go wrong.”

The hacker in you

In addition to external threats, the computer itself is also an element in security. Van Ling: “Do you let your children play a game in the evening on the laptop that you use during the day to work on customer installations? Don't do that! A virus is quickly caught and then spreads to your customer's network; you don't want to be responsible for that. And then there is the KNX installation itself. It is also important to work with expertise when configuring KNX components. The settings of both the router to the IP network, and the line couplers and bus participants themselves, must be correct and coordinated with each other and with the intended use. We should not take this lightly; a mistake is easily made. When I stay in a hotel room, I always try to get on the network, especially if KNX is installed. Just to see if it works, just to see what I can get to... There is a hacker in all of us. Use that curiosity when you design, build, configure or integrate a system. That will help you secure it online.”

Admin admin

“The last aspect is the human factor,” says Van Ling. “Because people build systems, secure them and use them. Do you leave your laptop unattended? Do you always shut it down properly? Have you secured it, and if so, how? The human being itself is the greatest threat. And then there are also countless installation components that you can just walk into with the username admin and password admin. The best-known examples are of course wireless surveillance cameras and intelligent doorbells, but professional installations also often contain unsecured components or the password is simply stated on the back. Don't give hackers a chance. Secure the router, the computer, the network. Also make sure that hackers don't have easy physical opportunities. Loose wiring in a public space, switches at eye level, an outdoor lamp with a motion sensor on a facade: all potential dangers. Make use of the functionalities of a system, such as a filter table in the line coupler. By activating this, only the telegrams that are required for the components on the relevant line are allowed through. If you create a separate segment like this, nothing can be seen from the outside.”

VPN, ISE and KNX Secure

“How can you secure a system – KNX, BACnet, LON, or whatever – if you still want to be able to access it via the internet?” Van Ling then asks. “The best way to do this is with VPN, because the security levels are scaled up there. But be on your guard. What was safe two years ago is not done today. For example, a VPN based on PPTP was common two years ago but is now considered unsafe. Use at least L2TP, IPsec or OpenVPN, and here too the rule applies: if you don't know the ins and outs, don't start. Manufacturer-specific security by means of a security component in the network is a good alternative, but be aware that you are then dependent on this manufacturer. This applies to the security itself, but also to continuity. If the manufacturer stops or, worse, is hacked or goes bankrupt, the security will also be lost. So make sure you are informed, or leave it to a specialized company.”

Techniek Nederland, together with a number of partners, including FHI Gebouw Automatisering, organised three Cyber Security Meetings to provide information about cyber security. Martin van Ling, director of Hestia Domotica, was one of the organizers and speakers.
