OpenBlue Companion Hardening guide

GPS0025-CE-20210928-EN Rev A

© 2021 Johnson Controls. All rights reserved. Product offerings and specifications are subject to change without notice.

Introduction

Our solution provides peace of mind to our customers through a holistic cybersecurity mindset that begins at the initial design concept, continues through product development, and is supported through deployment, including rapid incident response to meet comprehensive and evolving cybersecurity environments.

This hardening guide provides cybersecurity guidance for the planning, deployment and maintenance periods.

As cybersecurity threats have become a risk impacting all connected devices, it is important to ensure that cybersecurity is considered throughout the planning, deployment and maintenance phases associated with a solution’s functional operation.

This guide provides hardening guidance for configuration and maintenance, including the operating system, user accounts, permissions and roles, backup and restore, redundancy, and patch management.


Legal disclaimer

The cybersecurity practices described in this guide are recommended practices to facilitate the secure installation and configuration of the products described herein. However, Johnson Controls cannot guaranty that the implementation of the cybersecurity practices or recommendations described in this guide will ensure the security of the relevant product or system, or prevent, or alter the potential impact of, any unauthorized access or damage caused by a cybersecurity incident. This guide is provided “as is”, and Johnson Controls makes no representation or warranty, express or implied, as to the efficacy of the cybersecurity practices or recommendations described in this guide. Johnson Controls disclaims all liability for any damages that may occur as a result of, or despite, reliance on this guide or compliance with any cybersecurity practices or recommendations set forth herein.


Table of Contents

Introduction (page 2)
Legal disclaimer (page 3)
Table of Contents (page 4)
1 Planning (page 6)
1.1.0 Overview (page 6)
1.2.0 Deployment Architecture (page 7)
1.3.0 Components (page 8)
1.3.1 Azure Cloud Components (page 8)
1.3.2 On Premise Components (page 9)
1.4.0 Cryptography (page 9)
1.5.0 Mobile Device Usage (page 9)
1.6.0 Security feature set (page 9)
1.6.1 User authentication (page 9)
1.6.2 User accounts (page 10)
1.6.3 User password policy (page 10)
1.6.4 User authorization – Role based access control (RBAC) (page 10)
1.6.5 Secure communications (page 11)
1.6.6 Database security (page 11)
1.6.7 Database access (page 11)
1.6.8 High availability assurance (page 11)
1.7.0 Intended environment (page 11)
1.7.1 Internet connectivity (page 11)
1.7.2 System integrations (page 11)
1.8.0 Hardening methodology (page 12)
1.8.1 User management best practices (page 12)
1.9.0 Network planning (page 13)
1.9.1 Infrastructure protection (page 13)
1.10.0 Hardware and software requirements (page 13)
1.10.1 Installation account requirements (page 13)
2 Deployment (page 14)
2.1.0 Deployment overview (page 14)
2.1.1 Getting started (page 14)
2.1.2 Default security behavior (page 14)
2.2.0 Hardening Checklist (page 14)
2.2.1 User management best practices (page 14)
2.2.2 Operating system updates (page 15)
2.3.0 Communication hardening (page 15)
2.3.1 Least functionality (page 15)
2.3.2 Encrypted communications (page 15)
2.4.0 Configuring security monitoring features (page 15)
2.4.1 Remote log storage (page 16)
3 Maintain (page 17)
3.1.0 Cybersecurity maintenance checklist (page 17)
3.1.1 Backup runtime data (page 18)
3.1.2 Backup configuration data (page 18)
3.1.3 Test backup data (page 18)
3.1.4 Lock user accounts of terminated employees (page 18)
3.1.5 Remove inactive user accounts (page 18)
3.1.6 Update user accounts roles and permissions (page 18)
3.1.7 Disable unused features, ports and services (page 18)
3.1.8 Check for and prioritize advisories (page 18)
3.1.9 Plan and execute advisory recommendations (page 19)
3.1.10 Check and prioritize patches and updates (page 19)
3.1.11 Plan and execute software patches and updates (page 19)
3.1.12 Review updates to organizational policies (page 19)
3.1.13 Review updates to regulations (page 19)
3.1.14 Conduct security audits (page 19)
3.1.15 Update password policies (page 19)
3.1.16 Update as-built documentation (page 19)
3.1.17 Update standard operating procedures (page 20)
3.1.18 Update logon banners (page 20)
3.1.19 Renew licensing agreements (page 20)
3.1.20 Renew support contracts (page 20)
3.1.21 Check for end-of-life announcements and plan for replacements (page 20)
3.1.22 Periodically delete sensitive data in accordance with policies or regulations (page 20)
3.1.23 Monitor for cyber attacks (page 20)


1 Planning

This section helps you plan for the deployment of OpenBlue Companion. The ideal hardening strategy for any software system is a blend of the following security controls: operational, infrastructure and application security. Hardening must include people, processes, and technology.

1.1.0 Overview

The OpenBlue Platform is a flexible, scalable, cloud-based platform that reaches across silos to gather data from disparate sources, stores it securely and standardizes the data. It enables you to have a streamlined, more productive day-to-day experience. As a result, applications that use the platform also help building professionals extend the life of their HVAC equipment, proactively manage security risks and efficiently maintain a comfortable environment for building occupants. The platform provides engineering efficiencies through reuse, addressing common concerns through shared components. More importantly, the platform enables integration and interoperability.

The OpenBlue Companion App is a smartphone application that empowers the people who occupy your facility to handle all kinds of day-to-day building-related experiences. From adjusting heating and lighting to scheduling conference rooms and facilities, the application gives occupants more control and makes your building smarter and more efficient.

This document describes cybersecurity hardening guidelines for OpenBlue Companion and details a comprehensive view of cybersecurity principles followed by OpenBlue Companion.

1.2.0 Deployment Architecture

OpenBlue Companion uses HTTPS and Secure WebSocket for communication from its main interfaces: the mobile application, the kiosk and the admin portal.

Note: The items within the dashed red border are the core components of OpenBlue Companion and are described in more detail on the next page.

1.3.0 Components

A typical OpenBlue Companion system must include the following items:

Companion Mobile Application: Smartphone application from the Android or Apple store, used to manage your OpenBlue space. Companion has a variety of features that empower occupants to create an optimal experience within their space. Smart integrations are cleverly exposed where and when users need them, for seamlessly productive days in the office.

Some of the main features include:
- Personalized dashboard
- Live map view
- Desk for a day and check-in
- Smarter calendars
- Help for people and spaces
- News and communication

Companion Kiosk: Companion kiosks are suitable for building and space entrances. Users can access a number of Companion features on the Companion kiosk, including the workplace map, but the kiosk does not give access to a personalized Companion experience. Kiosk functionality is optional. Install Companion kiosk on any tablet or computer with a supported browser.

Companion Admin Portal: Use the Companion admin portal to set up Companion and begin to create smarter spaces. The admin portal is separate from the mobile application and kiosk.

The Admin Portal supports the following tasks:
- Create and manage spaces along with the mapping of relevant resources and business units to those spaces.
- Add users to Companion, which includes select groups such as first responders and HR to support the SOS feature.
- Connect underlying integrated systems to create seamless experiences, including navigation systems and the calendar.
- Set rules for the site, including whether unoccupied workspaces release after a period of time.
- Support flexibility in space use: alter capacity settings, indicate sanitization status, or exclude spaces from booking.
- Support rotational schedules if occupants follow a hybrid on-site or remote work plan.
- Define items for helpdesk requests and manage tickets.
- Create content for News items, site guidelines, and standard alerts.
- Configure access control system details.
- Where applicable, notify users when location badges are available for pickup.

1.3.1 Azure Cloud Components

OpenBlue Companion Application Server: OpenBlue Companion connects to single or multiple on-premise IT/OT systems as well as cloud integrations to deliver a seamless occupant experience. Companion interacts with access control systems, Exchange, and locker services to reflect real-time data to end users in the mobile app and kiosk. The OpenBlue Companion server resides in the cloud and communicates with the OpenBlue Platform.

Cloud Gateway (Optional): Provides cloud-to-cloud integrations.

1.3.2 On Premise Components

Firewall: A firewall is an appliance or application server you can configure with security rules to monitor and control incoming and outgoing network traffic. With OpenBlue Companion, the rules in your firewall allow authorized users to access OpenBlue while securing your internal network.

Universal Service Gateway (Optional): This gateway is used for integration of building management system components into the OpenBlue Cloud.

Apache NiFi Gateway (Optional): This gateway is used for integration of operational technology (OT) system components.

1.4.0 Cryptography

We use platform- and data-appropriate encryption based on validated formats and standard algorithms to encrypt data at rest.

1.5.0 Mobile Device Usage

OpenBlue Companion is designed to be installed on either a company-assigned or a personal mobile device. However, organizational policies must be in place and always enforced to ensure the highest level of security. Policy violations such as rooted or jailbroken devices pose significant security threats that are outside JCI's control.

1.6.0 Security feature set

OpenBlue Companion includes the following security features:
- User accounts including roles
- User account management
- Password strength enforcement
- IP address allowlist or denylist
- Transparent Data Encryption (TDE)
- API throttling and rate limiting
- Data masking
- Network protocol configuration
- Logging

1.6.1 User authentication

Active Directory is the preferred authentication method. However, Companion has its own user authentication mechanism, where user creation and password management are performed on the Admin Portal. For the first-time login, the user enters their username and password. Companion then identifies the tenant and processes the login request.

Companion supports two types of authentication flow: SAML and OAuth Resource Owner flow.

SAML 2.0: The user account is validated against Active Directory (AD) and the session ID is stored in a cookie after authentication. The same cookie is used to validate the user on subsequent API calls.

OAuth 2.0/JSON Web Token (JWT): In the resource owner flow, the user's password is stored in the database; on authentication, an access token and a refresh token are generated. The access token is passed in a header on subsequent API calls to validate the user.

1.6.2 User accounts

Companion supports two types of user management: Active Directory (AD) and local accounts.

AD user accounts: AD manages and stores user accounts. Note: Active Directory is the more secure and preferred option.

Local user accounts: OpenBlue Companion securely manages users and passwords in the OpenBlue Companion data store.

Integrating Companion with Active Directory provides:
- End-users with convenient single sign-on
- Administrators with a single point of management for user credentials
- A convenient self-service password reset

1.6.3 User password policy

The user password policies align with the chosen authentication flow:

SAML authentication flow: When the SAML authentication flow is used, the user password policy is based on Azure AD.

OAuth Resource Owner authentication flow: When the OAuth Resource Owner authentication flow is used, the password policy is configurable with settings for password length, case, and character type requirements.

Local authentication: A configurable password policy with settings for password length, history, uniqueness, case, and character type requirements.

Multi-factor authentication (MFA): The mobile application facilitates multi-factor authentication for users when configured by the customer's Active Directory administrator. This means that if your organization has launched MFA, OpenBlue will seamlessly integrate with your current AD configuration options.

1.6.4 User authorization – Role based access control (RBAC)

To create custom RBAC, navigate to the admin portal Home page and select User Configuration. Some of the available options include:

- Assign a role to a user to give them the access rights of the role: View Only, Partial Control or Full Control.
- Map a space to the rights of a user. The space can be assigned to specific role rights.
- Apply validation on API calls and UI screen functionality.

1.6.5 Secure communications

All communication uses the HTTPS/Secure WebSocket protocol through secure channels.

1.6.6 Database security

This section describes database security.

1.6.6.1 Data at rest security 

Data at rest is protected by Transparent Data Encryption (TDE) using Advanced Encryption Standard (AES) and Triple Data Encryption Algorithm (3DES) encryption algorithms.

1.6.6.2 Data Masking 

By default, Johnson Controls utilizes Data Masking. Data masking limits sensitive data exposure by masking or "hiding" it from non-privileged users.

1.6.7 Database access

This section describes database access hardening.

1.6.7.1 Least privilege

The principle of least privilege ensures that every module can access only the information or resources necessary for its legitimate purpose. Johnson Controls manages this through SQL accounts that read and/or write to APIs.

1.6.8 High availability assurance

By default, OpenBlue Companion employs measures to ensure high availability. OpenBlue Companion operates in an Azure Cloud instance called the active region. If the active region experiences an issue, the passive region is ready and will become active, eliminating downtime. The following features illustrate OpenBlue Companion's high availability assurance:
- Handling downtime
- Redundancy for failure
- Software and data backups
- Restore
- Archive

If your organization employs on-premise servers, ensure that you have appropriate policies in place to administer, manage, backup and plan for disaster recovery of these devices.

1.7.0 Intended environment

This section describes OpenBlue Companion's intended environment.

1.7.1 Internet connectivity

OpenBlue Companion works with Internet connectivity for communication between the mobile client, web client and server components hosted on Microsoft® Azure.

1.7.2 System integrations

You can integrate OpenBlue Companion with the following systems:

Johnson Controls solutions:
- Location Based Services (LBS)
- Software House
- Johnson Controls P2000
- Universal Software Gateway (USG)

Third-party solutions:
- Active Directory®
- Aruba Meridian System
- VergeSense Occupancy Management
- Herman Miller Smart Desk
- Cisco® Panel
- Microsoft® Exchange
- Office 365®
- Manhattan Space Management
- Trimble Space Scheduler
- HID® Access Control Systems
- Apache NiFi

Follow the hardening guides for both Johnson Controls and third-party solutions to ensure that your systems are up to date.

1.8.0 Hardening methodology

This section describes the hardening methodology, including user management best practices.

1.8.1 User management best practices

This section describes user management best practices, including no shared accounts, least privilege, separation of duties, user management, removing or renaming default user accounts, and changing default passwords.

1.8.1.1 No shared accounts 

OpenBlue Companion does not use any shared accounts. Using shared accounts is not best practice. Each user or system with access to the mobile app or admin portal must have individual credentials. Separate accounts for each user support the principle of least privilege and separation of duties, and provide finer granularity in logging. When you pair the no-shared-accounts policy with good security information and event monitoring practices, system administrators are better positioned to detect potential issues.

1.8.1.2 Least privilege 

Least privilege is when only the minimum necessary rights are assigned to a subject that requests access to a resource, and those rights should be in effect for the shortest duration necessary (remember to relinquish privileges). Granting permissions to a user beyond the scope of the necessary rights of an action means the user may obtain or change information in unwanted ways. Careful delegation of access rights can limit attackers from damaging a system. For example, a user who needs to use mobile app features should not have administrative privileges for commissioning and configuration, master data management, or user management, with which they could add or modify other user accounts. Following this practice reduces the potential for attacks, malfeasance, or accidental system damage.

1.8.1.3 Separation of duties 

This is similar to but distinct from least privilege. Separation of duties involves creating accounts for specified purposes. For example, accounts with administrative access must not be used for common day-to-day tasks such as User Management on the Admin Portal; instead, separate accounts should be used for these different tasks. This helps prevent attacks that take advantage of ongoing connections and allows event monitoring to more easily detect suspicious administrative actions.

1.8.1.4 User management 

You must have administrative privileges to manage users in OpenBlue Companion Admin Portal. To manage users complete the following steps:

1. Navigate to the OpenBlue Companion admin portal link in a supported browser.
2. Type in your admin user credentials.
3. Click User Management.

You can now create or modify existing users and designate roles.

1.8.1.5 Remove or rename default user accounts 

OpenBlue Companion does not use any default user accounts.

1.8.1.6 Change default passwords 

For the Intrinsic Authentication/JWT type setup, OpenBlue Companion asks users to change default passwords on first log on attempt. For AD authentication OpenBlue Companion does not ask users to change default passwords. 

1.9.0 Network planning

This section describes network planning, including infrastructure protection.

1.9.1 Infrastructure protection

OpenBlue Companion enforces proper identity and access management roles for all personnel accessing the cloud infrastructure.

1.10.0 Hardware and software requirements

You must have an on-premise Apache NiFi Gateway.

1.10.1 Installation account requirements

The OpenBlue Companion mobile application needs the following permissions:
- Bluetooth®
- Location services
- Internet
- Camera
- Near Field Communication (NFC)

2 Deployment

The contents of this section address how to initiate secure deployment for new installations, how to harden the solution, and the additional steps required after commissioning before turning the solution over to runtime operations.

2.1.0 Deployment overview

The OpenBlue Companion mobile application is available on the Google Play® Store for Android® and the App Store for iOS®. You can download the app from these public stores.

2.1.1 Getting started

Before installing the solution, consider the following guidance:

For the mobile application, configure the user's email address and provide them with the necessary permissions to access the application features according to their user role.

2.1.2 Default security behavior

Universal Software Gateway and OpenBlue Companion Admin Portal are enabled by default with a commissioning webpage on the OpenBlue Companion Admin Portal. Only super admin accounts can access the commissioning webpage during setup.

2.2.0 Hardening Checklist

While OpenBlue Companion has several secure-by-default safeguards, you must harden OpenBlue Companion to meet the security requirements of the target environment.

- Hardening Step 1: Configure User Accounts
- Hardening Step 2: Operating System updates
- Hardening Step 3: Communication
- Hardening Step 4: Security Monitoring

2.2.1 User management best practices

The OpenBlue Companion Administrative account has the permission to create new user accounts. Following best practices for managing user accounts, account credentials and authorizations (permissions) can greatly improve the security for the system. Some guidance is presented in this section. For additional guidance, NIST standards such as SP 800-63 Digital Identity Guidelines may be consulted.

2.2.1.1 User management

Hardening Step 1: Configure User Accounts

Create a unique user role for each role type. An RBAC feature set controls operator functions in OpenBlue Companion. With RBAC, a user is assigned a role through which they acquire the permissions associated with that role.

The proper configuration of individual user accounts ensures that security best practices are followed and that user actions cannot be repudiated.

To create new user accounts or edit existing accounts, navigate to the OpenBlue Companion admin portal.

Use unique accounts during all phases of operation for OpenBlue Companion. Installers, technicians, auditors and other deployment-phase users must not share common user accounts, to ensure a non-repudiable audit trail of their actions.

2.2.1.2 User passwords

SAML 2.0: User password policy is based on Azure AD.

OAuth 2.0: Resource owner flow user passwords must be a minimum of 6 and a maximum of 16 characters and must contain at least one uppercase letter, one lowercase letter, one numeric character and one special character. Note that a 16-character maximum is more restrictive than NIST SP 800-63B, which recommends that verifiers accept passwords of at least 64 characters; where the policy is configurable, prefer the longer limit.

Intrinsic Authentication/JWT: OpenBlue Companion recommends the following for user passwords:

˗ A password must consist of a minimum of eight characters
˗ A password must not be a duplicate of the previous three passwords associated with that credential
˗ A password must differ by a minimum of three characters from the previously assigned password
˗ A password must obey at least three of the following rules:
  ˗ A password contains an uppercase letter
  ˗ A password contains a lowercase letter
  ˗ A password contains a number
  ˗ A password contains one of the following special characters [ ] { } ( ) ^ $ # + _ - ~ ! * %
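The following Python check, added to this guide as an illustration and not part of the OpenBlue Companion product, applies the Intrinsic Authentication/JWT rules above to a candidate password. Two points are assumptions because the page does not define them: "differ by a minimum of three characters" is measured as Levenshtein edit distance, and the password history is kept as salted PBKDF2 digests. The second assumption has a practical consequence worth knowing before you implement the policy: reuse can be checked against stored digests, but the edit-distance rule can only be evaluated against the password being replaced, which the user supplies in plaintext at change time.

```python
"""Password-policy check for the Intrinsic Authentication/JWT rules in section 2.2.1.2.

Added example, not Johnson Controls code. Assumptions (the page does not define them):
- "differ by a minimum of three characters" is measured as Levenshtein edit distance
  against the password being replaced;
- the history is kept as salted PBKDF2-HMAC-SHA256 digests, so reuse is checked
  against stored digests while the edit-distance rule needs the outgoing password
  in plaintext, which the user supplies at change time.
"""
import hashlib
import hmac
import os

SPECIALS = set("[]{}()^$#+_-~!*%")   # the special characters listed in the policy
MIN_LENGTH = 8
HISTORY_DEPTH = 3
MIN_DISTANCE = 3
PBKDF2_ROUNDS = 100_000              # example value; tune to the hosting platform


def hash_password(password, salt=None):
    """Return (salt, digest) for storing in the password history."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(password, salt, digest):
    """Constant-time comparison of a candidate against one stored (salt, digest) pair."""
    return hmac.compare_digest(hash_password(password, salt)[1], digest)


def levenshtein(a, b):
    """Edit distance (insert/delete/substitute); the policy's 'differ by three
    characters' is interpreted this way as an assumption."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def complexity_classes(password):
    """Number of the four character classes (upper, lower, digit, listed special) present."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in SPECIALS for c in password),
    ])


def check_new_password(new, current_plain, history):
    """Return the list of violated rules for a proposed password (empty list = accepted).

    history: (salt, digest) pairs for the current password and those before it, newest
    first; the three most recent entries are the 'previous three' of the policy.
    current_plain: the password being replaced, or None if not available (first set).
    """
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if complexity_classes(new) < 3:
        problems.append("fewer than three character classes")
    if any(matches(new, salt, digest) for salt, digest in history[:HISTORY_DEPTH]):
        problems.append("reuses one of the previous three passwords")
    if current_plain is not None and levenshtein(new, current_plain) < MIN_DISTANCE:
        problems.append("differs from the current password by fewer than three characters")
    return problems


if __name__ == "__main__":
    salt, digest = hash_password("Winter-2021x")          # constructed sample credential
    for candidate in ("Winter-2022x", "Spring#2022"):
        print(candidate, check_new_password(candidate, "Winter-2021x", [(salt, digest)]) or "accepted")
```

Run the check on the server side at password-change time, after the user has authenticated with the current password; the client-side form can repeat the length and character-class rules for usability, but must not be the only place they are enforced.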

2.2.2 Operating system updates

Hardening Step 2: Operating System updates

To reduce attack surfaces on the operating system, follow guidance from the Center for Internet Security (CIS) https://www.cisecurity.org/. The CIS hardening checklist includes:

˗ Automatically applying OS updates, service packs, and patches
˗ Removing or disabling non-essential software, drivers, services, file sharing, and functionality, which can act as back doors to the system
˗ Requiring all users to implement strong passwords and change them on a regular basis
˗ Logging all activity, errors, and warnings
˗ Restricting unauthorized access and implementing privileged user controls

2.3.0 Communication hardening

Hardening Step 3: Communication

Implement the following techniques to harden the communication interfaces and the transmission of data.

2.3.1 Least functionality

Least functionality limits functions to only those that the target application and its communication sessions require at a given time. Applying least functionality when you configure components reduces the attack surface and minimizes the risk of a cybersecurity breach.

2.3.2 Encrypted communications

Encrypted communications help to stop attacks by preventing simple connection eavesdropping. This feature is enabled by default.

2.4.0 Configuring security monitoring features

This section describes configuring monitoring features, including audit logs and remote log storage.


2.4.1 Remote log storage

Hardening Step 4: Security Monitoring

Remote log storage keeps a copy of the logs available if the local device loses its memory or storage. Logs can be stored locally or within the cloud.

Depending on your solution, refer to the Installation Guide for options such as the following:

˗ Local log files, with a scheduled cron job to back up and move the logs
˗ Storing remote logs within the cloud


3 Maintain

Use this section to monitor for potential cybersecurity issues and maintain protection levels as conditions change. Throughout the deployed lifetime of OpenBlue Companion it is important to monitor and maintain it, in addition to the network infrastructure it is deployed into.

3.1.0 Cybersecurity maintenance checklist

Continuously or periodically practice the following cybersecurity maintenance items. The frequency of their execution will depend on the policies and regulations which govern the site.

The typical maintenance periods provided are a starting point and should be adjusted to best suit the target conditions of the deployed environment:

Item | Description | Frequency (one of: Immediate, Based on priority, Daily, Weekly, Monthly, Quarterly, Annual)

1 Backup runtime data

2 Backup configuration data

3 Test backup data

4 Lock user accounts of terminated employees

5 Remove inactive user accounts

6 Update user account roles and permissions

7 Disable unused features, ports, and services

8 Check for and prioritize advisories

9 Plan and execute advisory recommendations

10 Check and prioritize software patches and updates

11 Plan and execute software patches and updates

12 Review updates to organizational policies

13 Review updates to regulations

14 Conduct security audits

15 Update password policies

16 Update as build documentation

17 Update standard operating procedures

18 Update logon banners

19 Renew licensing agreements

20 Renew support contracts

21 Check for end-of-life announcements and plan for replacements

22 Periodically delete sensitive data in accordance to policies or regulations

23 Monitor for cyber attacks


3.1.1 Backup runtime data

If you need to restore or replace an OpenBlue Companion system configured for a particular customer, it is important to have a backup of its runtime data to minimize the time required to restore functionality.

3.1.2 Backup configuration data

If you need to restore or replace a component it is important to have a backup of its configuration data to minimize the time required to restore its functions. Please note that a manual record of the encryption configuration will help assure that the system can be reconstituted should a self-encrypting drive need to be restored.

3.1.3 Test backup data

Test backups to provide assurance that the data backups contain the expected data and that their integrity is intact.

3.1.4 Lock user accounts of terminated employees

Immediately disable the user accounts of personnel who voluntarily or involuntarily leave employment.
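The following Python script, an added example rather than Johnson Controls code, shows the "cron job to back up and move logs" option from section 2.4.1 together with the backup test that section 3.1.3 calls for. It archives log files, writes a SHA-256 manifest beside the archive, restores the archive into a scratch directory to compare every file against the manifest, and only then removes the originals; a backup that cannot be restored and checked is not counted as a backup. The log directory, file pattern, destination and schedule are assumptions, and the sample log lines in run_demo() are constructed.

```python
"""Archive log files with a SHA-256 manifest, verify by restoring, then remove originals.

Added example, not Johnson Controls code. Assumed, not from the page: the log directory,
the *.log pattern, the destination, and a schedule such as
    0 2 * * * /usr/bin/python3 /opt/openblue/archive_logs.py
"""
import hashlib
import json
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hex SHA-256 of a file, read in chunks so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path_for(archive):
    """The manifest lives beside the archive: logs-<stamp>.manifest.json."""
    return archive.with_name(archive.name.replace(".tar.gz", ".manifest.json"))


def archive_logs(log_dir, dest_dir, pattern="*.log", when=None):
    """Tar+gzip the matching files, write the manifest, verify, and only then delete originals."""
    when = when or datetime.now(timezone.utc)
    dest_dir.mkdir(parents=True, exist_ok=True)
    archive = dest_dir / f"logs-{when.strftime('%Y%m%dT%H%M%SZ')}.tar.gz"
    files = sorted(log_dir.glob(pattern))
    manifest = {"files": {f.name: sha256_file(f) for f in files}}
    with tarfile.open(str(archive), "w:gz") as tar:
        for f in files:
            tar.add(str(f), arcname=f.name)
    manifest["archive"] = sha256_file(archive)
    manifest_path_for(archive).write_text(json.dumps(manifest, indent=2))
    problems = verify_backup(archive)
    if problems:
        raise RuntimeError(f"archive failed verification, originals kept: {problems}")
    for f in files:          # originals go only after the restore test passed
        f.unlink()
    return archive


def verify_backup(archive):
    """Restore into a scratch directory and compare each file with the manifest.
    Returns a list of problems; an empty list means the backup is usable."""
    manifest = json.loads(manifest_path_for(archive).read_text())
    problems = []
    if sha256_file(archive) != manifest["archive"]:
        problems.append("archive digest mismatch")
    # The 'data' filter (Python 3.12+, backported to maintained 3.8-3.11 releases)
    # refuses members that would escape the extraction directory.
    extract_opts = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(str(archive), "r:gz") as tar:
            tar.extractall(scratch, **extract_opts)
        for name, digest in manifest["files"].items():
            restored = Path(scratch) / name
            if not restored.exists():
                problems.append(f"missing {name}")
            elif sha256_file(restored) != digest:
                problems.append(f"digest mismatch {name}")
    return problems


def run_demo():
    """Constructed end-to-end run: two sample log files and one non-log file in a scratch tree."""
    with tempfile.TemporaryDirectory() as root:
        src, dst = Path(root) / "var-log", Path(root) / "backup"
        src.mkdir()
        (src / "app.log").write_text("2021-09-28T01:00:00Z admin-portal login user=alice result=ok\n")
        (src / "audit.log").write_text("2021-09-28T01:05:00Z role-change user=bob role=technician\n")
        (src / "notes.txt").write_text("not a log, must stay behind\n")
        when = datetime(2021, 9, 28, 2, 0, tzinfo=timezone.utc)
        archive = archive_logs(src, dst, when=when)
        clean = verify_backup(archive)
        left_behind = sorted(p.name for p in src.iterdir())
        # Corrupt one manifest entry to show that the restore test reports it.
        mpath = manifest_path_for(archive)
        manifest = json.loads(mpath.read_text())
        manifest["files"]["app.log"] = "0" * 64
        mpath.write_text(json.dumps(manifest))
        tampered = verify_backup(archive)
    return {"archive": archive.name, "clean": clean, "left_behind": left_behind, "tampered": tampered}


if __name__ == "__main__":
    print(run_demo())
```

Keep the manifest with the archive when the pair is copied to cloud or off-site storage, and run verify_backup() on the copy at the destination, since that is the copy you will restore from.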

3.1.5 Remove inactive user accounts

While an employee may still be employed by the organization that owns, manages, services, or uses the system, they may not have used it for a long period. This suggests that, independent of being authorized to use the system, they do not have a need to use it, and you should remove their user account. This is sometimes referred to as a "use it or lose it" policy. This best practice reduces the number of active user accounts in the system and therefore lowers the potential attack footprint.

3.1.6 Update user account roles and permissions

While an employee may still be employed by an organization that owns, manages, or services the system, they may have changed roles or have an increased or decreased need to use the system. When you add a role or a permission to a user's account because that user has been granted new authorizations due to an organizational role change, be sure to remove the roles and permissions no longer required in their new role.
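The review described in sections 3.1.4 to 3.1.6 can be scripted against an account export and an HR feed, so that it is repeatable rather than a manual pass through the admin portal. The Python below is an added example, not an OpenBlue Companion feature: the record format, the thresholds (90 days idle, 30 days for accounts that were never used) and the rule that enabled accounts unknown to HR are locked are all assumptions, and the sample records are constructed.

```python
"""Periodic account review: lock terminated users, remove inactive accounts, flag role drift.

Added example, not Johnson Controls code. The export format, thresholds and the
'unknown to HR means lock' rule are assumptions; the records below are constructed.
"""
from datetime import date

INACTIVE_DAYS = 90            # hypothetical: the page sets no threshold
NEVER_USED_GRACE_DAYS = 30    # hypothetical: allowance for freshly created accounts
REVIEW_DATE = date(2021, 9, 28)

# Constructed sample of what an account export from the admin portal might contain.
SAMPLE_ACCOUNTS = [
    {"user": "alice", "enabled": True, "role": "super_admin", "created": date(2020, 1, 6), "last_login": date(2021, 9, 20)},
    {"user": "bob", "enabled": True, "role": "technician", "created": date(2020, 5, 4), "last_login": date(2021, 3, 1)},
    {"user": "carol", "enabled": True, "role": "auditor", "created": date(2021, 2, 1), "last_login": date(2021, 9, 1)},
    {"user": "dave", "enabled": True, "role": "super_admin", "created": date(2020, 8, 17), "last_login": date(2021, 9, 25)},
    {"user": "erin", "enabled": True, "role": "technician", "created": date(2021, 9, 15), "last_login": None},
    {"user": "frank", "enabled": False, "role": "installer", "created": date(2019, 11, 11), "last_login": date(2020, 6, 30)},
    {"user": "svc_install", "enabled": True, "role": "super_admin", "created": date(2021, 6, 1), "last_login": None},
]
# Constructed HR feed: employment status and the role each person holds now.
SAMPLE_HR = {
    "alice": ("active", "super_admin"),
    "bob": ("active", "technician"),
    "carol": ("terminated", "auditor"),
    "dave": ("active", "operator"),
    "erin": ("active", "technician"),
    "frank": ("terminated", "installer"),
}


def review_accounts(accounts, hr, today):
    """Return (user, action, reason) tuples in export order. Actions: lock, remove, update-role."""
    actions = []
    for acct in accounts:
        if not acct["enabled"]:
            continue                                  # already locked, nothing to do
        user = acct["user"]
        record = hr.get(user)
        if record is None or record[0] == "terminated":
            actions.append((user, "lock", "terminated or not in the HR feed"))
            continue                                  # section 3.1.4: lock first, ask later
        last = acct["last_login"]
        idle_days = (today - (last or acct["created"])).days
        limit = INACTIVE_DAYS if last else NEVER_USED_GRACE_DAYS
        if idle_days > limit:
            actions.append((user, "remove", f"unused for {idle_days} days"))   # section 3.1.5
            continue
        if acct["role"] != record[1]:
            actions.append((user, "update-role", f"{acct['role']} -> {record[1]}"))  # section 3.1.6
    return actions


if __name__ == "__main__":
    for user, action, reason in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_HR, REVIEW_DATE):
        print(f"{action:<12} {user:<12} {reason}")
```

The order of the checks matters: a terminated user is locked regardless of activity, and an account that should be removed is not also reported for a role change, so each account produces at most one action for the operator to carry out.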

3.1.7 Disable unused features, ports and services

If you no longer require optional features, ports, and services, disable them. This practice lowers the attack surface of OpenBlue Companion, resulting in a higher level of protection.
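A concrete way to check least functionality (section 2.3.1) and this maintenance item on a Linux host is to compare the listening sockets against a documented baseline. The Python below is an added example, not part of the product: it parses constructed `ss -tlnp` output (the page names no ports or services, so the baseline of sshd, nginx and a loopback-only PostgreSQL is hypothetical) and reports listeners that are not in the baseline, are served by an unexpected process, or are reachable beyond loopback when they should not be.

```python
"""Compare listening TCP sockets with a baseline (least functionality check).

Added example, not Johnson Controls code. The baseline ports and process names are
hypothetical; the sample output is constructed in the format `ss -tlnp` prints on Linux.
"""
import re
from dataclasses import dataclass

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*          users:(("sshd",pid=812,fd=3))
LISTEN  0       4096    0.0.0.0:5432         0.0.0.0:*          users:(("postgres",pid=955,fd=5))
LISTEN  0       511     *:443                *:*                users:(("nginx",pid=1201,fd=6))
LISTEN  0       50      0.0.0.0:21           0.0.0.0:*          users:(("vsftpd",pid=1402,fd=3))
LISTEN  0       128     [::]:22              [::]:*             users:(("sshd",pid=812,fd=4))
LISTEN  0       128     127.0.0.1:8080       0.0.0.0:*          users:(("python3",pid=1550,fd=3))
"""

# Hypothetical baseline: port -> (expected process, loopback only).
BASELINE = {22: ("sshd", False), 443: ("nginx", False), 5432: ("postgres", True)}

# Needs the Process column, i.e. `ss -p` run with enough privilege to see other users' sockets.
LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


@dataclass(frozen=True)
class Listener:
    addr: str
    port: int
    process: str

    def is_loopback(self):
        return self.addr in ("127.0.0.1", "[::1]")


def parse_ss(output):
    """Extract (address, port, process) for every LISTEN line; header and unmatched lines are skipped."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m["addr"], int(m["port"]), m["proc"]))
    return listeners


def audit_listeners(listeners, baseline):
    """Return (port, process, finding) tuples; an empty list means the host matches the baseline."""
    findings = []
    for l in listeners:
        expected = baseline.get(l.port)
        if expected is None:
            findings.append((l.port, l.process, "unexpected"))     # not in baseline: disable or remove it
            continue
        proc, loopback_only = expected
        if l.process != proc:
            findings.append((l.port, l.process, "wrong-process"))  # another program owns the port
        if loopback_only and not l.is_loopback():
            findings.append((l.port, l.process, "exposed"))        # should bind to loopback only
    return findings


if __name__ == "__main__":
    for port, process, finding in audit_listeners(parse_ss(SAMPLE_SS_OUTPUT), BASELINE):
        print(f"{finding:<14} port {port:<6} {process}")
```

Run it from the same scheduled job that collects the host inventory, and keep the baseline under version control with the as-built documentation so that a change in the baseline is itself reviewed.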

3.1.8 Check for and prioritize advisories

You can find security advisories for OpenBlue on the Cyber Protection website. Access is provided once you have registered a user account with that site. User account registration is open to JCI customers and authorized representatives. Determine if OpenBlue is impacted by the conditions outlined in the advisories. Based on how the OpenBlue system is deployed, configured, and used, the advisory may not be of concern. Referring to as-built documentation of the OpenBlue system will help with this assessment. A good set of as-built documentation will help you identify the number of components impacted and where they are located. While advisories call attention to a cybersecurity issue, it is not always possible to take immediate action or execute the full recommendation described in the advisories. If so, prioritization will aid in your planning to ensure that any issue impacting your system is fully and appropriately addressed in order of priority. Check for advisories from third party components such as networking equipment and operating systems by consulting with the respective vendor.

3.1.9 Plan and execute advisory recommendations

If OpenBlue Companion is impacted by the conditions outlined in the advisories, including those from third party components, then action must be taken to mitigate the issues raised. The specific action is based upon the content of the advisories distributed and depends upon the environment OpenBlue Companion is deployed into. Plans for executing the advisory recommendations must consider the hosting platform and environment.

3.1.10 Check and prioritize patches and updates

While an OpenBlue Companion patch or update may or may not relate to an advisory, it is always best practice to apply the most current patches and updates. These patches and updates can include cybersecurity enhancements and fixes to known issues. Review the release notes and prioritize the benefits of the patch or update. The overall benefit should include the improved protection that lowers the cybersecurity risk. Check for updates and patches of third party components such as networking equipment and operating systems by consulting with the respective vendor.

3.1.11 Plan and execute software patches and updates

Create a plan to apply software updates on a regular basis. This plan should include provisions for the unlikely event of service impact. Consider the schedule and the deployed environment in order to minimize service disruptions.

3.1.12 Review updates to organizational policies

Organizations may update their policies, including cybersecurity requirements. Changes to these policies can impact systems which complied prior to the change. Periodically check to see if policy changes were made and re-assess compliance with those policies.

3.1.13 Review updates to regulations

If OpenBlue is deployed in a location that is governed by regulation, it is important to check to see if there are any updates to those regulations. In some cases, new regulations are introduced. Whether it is a review of an updated regulation to maintain compliance or of a new regulation, an assessment of the changes should be conducted periodically.

3.1.14 Conduct security audits

Periodic security audits are necessary because cybersecurity guidance, organizational policies, regulations, auditing processes, system use and configuration, and threats have likely changed since the last audit. By conducting periodic security audits, the latest knowledge and conditions can be applied, revealing gaps in protection previously undetected or created by changes in system use or configuration.

3.1.15 Update password policies

Guidance on password policies has been evolving. Password policies should be re-assessed periodically to make sure the right policy is in place for the target environment based on current organizational policies, regulations and guidance from standards organizations such as NIST.

3.1.16 Update as-built documentation

Update as-built documentation if the deployment architecture or component configuration changes. Some configuration changes happen without a formal project or plan, and in such cases it is common to neglect updating the as-built documentation. Schedule a full update of the as-built documentation on a regular basis to ensure that all changes are documented.


3.1.17 Update standard operating procedures

Including best practices for cybersecurity within standard operating procedures can complement the protection that the system can deliver on its own. Depending on the procedures an operator uses, a gap in protection can be created, prevented or closed. Therefore, it is important to update standard operating procedures periodically.

3.1.18 Update logon banners

The system use policy details included on logon banners can change over time. Review and update them as required.

3.1.19 Renew licensing agreements

Assure that your OpenBlue software license supports the necessary functions.

3.1.20 Renew support contracts

Assure that your OpenBlue software support agreement (SSA) is up to date.

3.1.21 Check for end-of-life announcements and plan for replacements

Review product announcements to determine whether any of the components of OpenBlue have an announced end-of-life, and plan replacements before that date.

3.1.22 Periodically delete sensitive data in accordance with policies or regulations

Collect details on the policies and regulations that apply, and delete sensitive data on the schedule they require.

3.1.23 Monitor for cyber attacks

Monitoring site perimeters, networks and endpoints for cyber attacks is a part of good cybersecurity operation. Many tools are available to assist with real-time analytics-based detection.

Note: It is your responsibility to verify that OpenBlue continues to operate properly after you have installed any security monitoring tools.