Johnson Controls is a leading provider of building technology and solutions, with a broad portfolio of products and services supporting a wide range of industries. The Johnson Controls Metasys Building Automation System creates intelligent environments by connecting HVAC, lighting, security and protection systems on a single platform to deliver the information building operators need to help ensure comfort, safety and security for building occupants.

Two critical components of the Metasys product line are the SNE Series Network Engine and SNC Series Network Control Engine. These SNE and SNC series network engines offer cost-effective solutions for providing supervisory control and coordination and control over subnetworks of equipment controllers. SNCs have the added capability of input/output (I/O) interfaces used for directly controlling central plants and large built-up air handlers.

When installed in actual buildings, SNE/SNCs are often networked to each other, to third party devices, and to host client computing devices using an IoT or IP networking infrastructure, making them potential targets for cyberattacks. Johnson Controls required a solution with a high assurance of product security, spanning the development, manufacturing, and entire life cycle of the SNE/SNCs, including:

• A mechanism to securely identify and protect firmware by verifying that the correct, authenticated firmware package is loaded at bootup.
• The ability to provision software during the manufacturing process while maintaining IP confidentiality.
• Support for a quick recovery in the event of a device failure by rapidly loading a backup software image.
• A secure process for updating SNE/SNC software, by local installation or remote download.
• Easy integration with Johnson Controls building control applications.
• A best-practice solution that could be easily implemented across Johnson Controls product lines.

Johnson Controls implemented the Sequitur Labs EmSPARK™ Security Suite to address the SNE/SNC requirements in a scalable, replicable manner.

• The EmSPARK™ boot process was used to ensure software protection from ROM boot to critical application execution. This includes loading Linux files and device firmware followed by creating a secure memory partition for the EmSPARK™ CoreTEE™ Trusted Execution Environment. At bootup, the firmware is verified, secure applications are loaded in the CoreTEE™ environment, and known software such as Linux is booted and loaded into memory.
• Johnson Controls created a diversified set of tools for device identification (IDs, keys) in the manufacturing process in order to ensure firmware protection.
• Real-time integrity checking was implemented to monitor the integrity of firmware and the Linux kernel, with a quick remediation in the event of failure.
• Key and certificate-based payload authentication mechanisms were enabled to ensure secure SNE/SNC updates.

*Photo Credit: Header Image provided by Anthony DELANOIX on Unsplash.