Pointer to article:
Building automation control (BAC) systems are an obvious application of the “identity of things,” right there alongside RFID and identity dataweb in potential ubiquity. It’s good to see that OASIS’ Open Building Information Exchange (OBIX) TC is composing their specs with WSRF, WSDM, and other critical WS-* standards.
As regards BAC and the identity of things, the following article excerpt should raise alarm bells:
• “Security is a problem at multiple levels, says Toby Considine, chairman of the OASIS OBIX committee. Control system manufacturers have rudimentary password security mechanisms, but most have ‘no concept of directory-enabled security,’ he says.”
Hmmm…does that mean there’s no directory-centric device authentication, or multifactor facility administrator authentication on many BAC systems? If that’s so, then we’re opening our buildings to all manner of imposters masquerading as facility administrators, custodians, etc. And, lacking directory-centric device authentication, wouldn’t it be possible to plug in rogue automated door locks, security cameras, and so forth in many BAC systems and have them go unauthenticated and undetected? And we’re worrying about people bringing cellular camera phones into offices! Imagine the even greater damage that can be done by having rogue fixed cameras and microphones in your offices 7x24, aimed at computer screens, eavesdropping on conversations, etc.
Actually, I’d prefer that my BAC systems continue to function as separate technology silos until these authentication/directory issues are addressed by BAC and IT vendors. As we’ve learned from the Internet, spyware, spam, viruses, etc., exposure is the flip side of interoperability. I’m not all that concerned with whether we can control HVAC systems room by room. Businesspeople don’t lie awake at night worrying about the office thermostat.