Difference between revisions of "ES/S-A HOTA"
(→Security) |
|||
(22 intermediate revisions by the same user not shown) | |||
Line 73: | Line 73: | ||
<td style="line-height: 12px;"> | <td style="line-height: 12px;"> | ||
<ul style="list-style:none;margin-left:0;font-size:14px;margin-bottom: 10px;"> | <ul style="list-style:none;margin-left:0;font-size:14px;margin-bottom: 10px;"> | ||
− | <li> | + | <li>TYRACS (-2017) |
<ul style="list-style:none;margin-left: 10px;"><li>↳ ES/S-A (2017-)</li></ul> | <ul style="list-style:none;margin-left: 10px;"><li>↳ ES/S-A (2017-)</li></ul> | ||
</li> | </li> | ||
Line 91: | Line 91: | ||
− | '''ES/S-A HOTA''' ''"Heart of the Appliance"'' is a open, modular [[Virtualized Automation]] System developed on base of the Extensible Services / Server for Automation Platform. | + | '''ES/S-A HOTA''' ''"Heart of the Appliance"'' is a open, modular [[Virtualized Automation]] System developed on base of the Extensible Services / Server for Automation Platform (ES/S-A CS J1). |
− | This Automation system was the first member of the newly created ES/S-A Platform, and was subjected to replace the outdated Predecessor | + | This Automation system was the first member of the newly created ES/S-A Platform, and was subjected to replace the outdated Predecessor TYRACS, that was both technically and schematically inferior. |
The ES/S-A Core has been planned extensively in regards to stability, persistency, viability and security. To also serve the technically sensitive subject of public facility automation, the software has been required to pass certain aspects on conventions, reliability and safety. The application is also subjected to certain requirements in engineering that point to it's origins in public applications, the follow-strict escalation sequence is one of these requiements. | The ES/S-A Core has been planned extensively in regards to stability, persistency, viability and security. To also serve the technically sensitive subject of public facility automation, the software has been required to pass certain aspects on conventions, reliability and safety. The application is also subjected to certain requirements in engineering that point to it's origins in public applications, the follow-strict escalation sequence is one of these requiements. | ||
Line 104: | Line 104: | ||
== Technical == | == Technical == | ||
+ | The ES/S-A CS J1 (ES/S Automation Core Services Java 1) is the first Automation Core Services provider that provides the runtime for the | ||
+ | ES/S Modules, Interopability and abstract data types / bindings. | ||
The ES/S-A Core application consists of the ESSInstance, that monitors, starts and ends all further processes, delegates resources and serves as mediator between components (Modularity). The System has integrated modules for | The ES/S-A Core application consists of the ESSInstance, that monitors, starts and ends all further processes, delegates resources and serves as mediator between components (Modularity). The System has integrated modules for | ||
Line 123: | Line 125: | ||
* Electric Planning and Lookup | * Electric Planning and Lookup | ||
* Fire and Threat Protection | * Fire and Threat Protection | ||
+ | * [[Almbus/IP]] | ||
− | == | + | == Third-Party Modules == |
* Primitive Abstraction Layers | * Primitive Abstraction Layers | ||
− | ** | + | ** INEG-L Protocol, via UDP/IP |
− | ** KNX Bus IEC 14543-3 via IP, USB, Serial | + | ** Modbus/RTU/ASCII/TCP via IP (open-mbus), Serial |
− | ** ARTNET, via IP, USB | + | ** EIB/KNX Bus IEC 14543-3 via IP (cEMI), USB, Serial |
+ | ** Artistic Licence ARTNET for DMX512, via IP, USB | ||
** Modbus RTU/IP, via IP, USB, Serial | ** Modbus RTU/IP, via IP, USB, Serial | ||
** ASHRAE BACnet, via IP | ** ASHRAE BACnet, via IP | ||
+ | ** X10 (CM11A) Protocol, Serial | ||
+ | * Autonomous Instances | ||
+ | ** Asterisk PBX | ||
+ | |||
+ | * Printer Drivers | ||
+ | ** ESC/POS | ||
+ | ** ESC/P2 | ||
+ | ** IBM ProPrinter | ||
== User Interfaces == | == User Interfaces == | ||
Line 164: | Line 176: | ||
| '''esterm''' | | '''esterm''' | ||
| TCP/IP | | TCP/IP | ||
− | | Provides partial graphical control of the system using text-only transmission utilizing the ESTERM Protocol, can be used with Netroda Technologies NETerm. | + | | Provides partial graphical control of the system using text-only transmission utilizing the ESTERM Protocol, can be used with Netroda Technologies [[NETerm]]. |
|} | |} | ||
Line 176: | Line 188: | ||
== Support == | == Support == | ||
− | + | Support for ES/S-A HOTA is available is currently limited to e-mail support in english only. | |
== Security == | == Security == | ||
Line 182: | Line 194: | ||
The default configuration does neither allow anonymous users, nor default credentials or insecure WAN access to recude the probability of security issues by misconfiguration or negligence. | The default configuration does neither allow anonymous users, nor default credentials or insecure WAN access to recude the probability of security issues by misconfiguration or negligence. | ||
+ | |||
+ | The architecture requires modules accessing the core or other modules to obtain required privileges to execute specific actions. Responsible for distribution and approving is the ESAuthority, a integral core module. The system works by identifying module instances with unique and temporary tokens, that must be validated prior to execute actions in the target module. Applicable modules must provide necessary API functionality (ESAuthorityAwareService, ESAuthorityAwareCaller) and are responsible to correctly implement these by themself. ESContextAuthority provides information of call origins, and can differentiate many cases, such as automation, user interaction or remote procedure requests. | ||
A zero-day vulnerability involving remote code execution in Log4j 2, (a Logging utility for Java) , given the descriptor CVE-2021-44228, was found and reported to Apache by Alibaba on November 24, 2021, and published in a tweet on December 9, 2021. Investigations proceeded and it was reported to customers, that ES/S-A HOTA is not affected, as Log4j (used by various components) is replaced by the distributed debugging service in release versions. | A zero-day vulnerability involving remote code execution in Log4j 2, (a Logging utility for Java) , given the descriptor CVE-2021-44228, was found and reported to Apache by Alibaba on November 24, 2021, and published in a tweet on December 9, 2021. Investigations proceeded and it was reported to customers, that ES/S-A HOTA is not affected, as Log4j (used by various components) is replaced by the distributed debugging service in release versions. | ||
+ | |||
+ | It is recommended to protect facility systems with at least two firewalls from different vendors or with different software. | ||
== See also == | == See also == |
Latest revision as of 04:15, 19 August 2024
ES/S-A HOTA | |
---|---|
Developer | Netroda Technologies |
Product Family | Extensible Services / Server |
Licenses | N.P.A.L., FoundationShield (EULA) |
Initial release | 14 February 2017 |
Current Version | 1.9.05-SN (November 2022) |
Timeline |
ENTHALPY (1.9.05-SN) (Current Version) |
Platform | Windows NT, FreeBSD, macOS, GNU Linux |
Type | Facility Automation |
Programmed in | Java, Extensible Object Script |
Origin |
|
Language(s) | English, varies by used user interface |
ES/S-A HOTA "Heart of the Appliance" is a open, modular Virtualized Automation System developed on base of the Extensible Services / Server for Automation Platform (ES/S-A CS J1).
This Automation system was the first member of the newly created ES/S-A Platform, and was subjected to replace the outdated Predecessor TYRACS, that was both technically and schematically inferior.
The ES/S-A Core has been planned extensively in regards to stability, persistency, viability and security. To also serve the technically sensitive subject of public facility automation, the software has been required to pass certain aspects on conventions, reliability and safety. The application is also subjected to certain requirements in engineering that point to it's origins in public applications, the follow-strict escalation sequence is one of these requiements.
Contents
Overview
The first version was published early 2017. The predecessor has been phased out completely mid 2017. The first version had poor support for additional abstraction layers and experienced major issues with persistency (state consistency).
The need for constant impovements to usability and interopability led the team of engineers to permanently install the current stable version in a one-of-a-kind research building, to monitor, analyze and improve the system under exceptionally real conditions. By 1.2.08-SN (03/2019) most teething has been eradicated, and the platform maintains scalar performance on all supported platforms, including Windows Server
Technical
The ES/S-A CS J1 (ES/S Automation Core Services Java 1) is the first Automation Core Services provider that provides the runtime for the ES/S Modules, Interopability and abstract data types / bindings.
The ES/S-A Core application consists of the ESSInstance, that monitors, starts and ends all further processes, delegates resources and serves as mediator between components (Modularity). The System has integrated modules for
- HTTP(S) Web Services
- TCP/IP Communication
- PBX Interfaces
- Public Announcements and SIP Calling
- E-Mail Signaling
- Primitive Abstraction Layers (PAL)
- Facility Services
- Primive Data Points
- Complex Objects
- Script Engines (Extensible Object Script)
- Building Model Providers
- Network Cell Presency
- HVAC and Climatization
- Energy Monitoring
- Electric Planning and Lookup
- Fire and Threat Protection
- Almbus/IP
Third-Party Modules
- Primitive Abstraction Layers
- INEG-L Protocol, via UDP/IP
- Modbus/RTU/ASCII/TCP via IP (open-mbus), Serial
- EIB/KNX Bus IEC 14543-3 via IP (cEMI), USB, Serial
- Artistic Licence ARTNET for DMX512, via IP, USB
- Modbus RTU/IP, via IP, USB, Serial
- ASHRAE BACnet, via IP
- X10 (CM11A) Protocol, Serial
- Autonomous Instances
- Asterisk PBX
- Printer Drivers
- ESC/POS
- ESC/P2
- IBM ProPrinter
User Interfaces
ES/S-A HOTA runs as command-line output only application. Most of the User interfaces are delivered via HTTP and renderen in a Browser Window. User interface can be serve interactive resources that are either directly accessible or require a middleware.
User Interface | Type | Audience |
---|---|---|
sv_ata | HTML5 (HTTP/S) | Residential focused user interface with support for mobile devices and touch screens, rich animated using extesively graphics elements, fun to use and interact with. Low technical knowledge required. Has many features like Screensavers, News, Weather forecast, Graphs, Visual control, Virtual Tours and more. |
sv_gna | HTML5 (HTTP/S) | Professional focused user interface with support for multi-screen setups. Technical knowledge required to address all functions. |
mta | JSON (HTTP/S) | Used for the MicroTaskInvoker application (Native Windows Application). Provides minimal acces to preconfigured functions. |
cisco | XML (HTTP/S) | Used for Cisco SCCP Telephones to access the system via various Cisco IP Phones. Provides secured access to number and call registers, system shortcuts and control of devices. |
telnet | TCP/IP | Provides remote control of the system using minimal bandwidth. Has access to many features of the system. Please notice that remote access must be provided by using an encrypted tunnel like IKEv2, because Telnet does not support TLS encryption. |
esterm | TCP/IP | Provides partial graphical control of the system using text-only transmission utilizing the ESTERM Protocol, can be used with Netroda Technologies NETerm. |
Globalization
ES/S-A HOTA uses English only, the various user interfaces that can be installed have variying international support. sv_ata currently supports 4 languages
- English
- Deutsch
- 中国人
- Tiếng Việt
Support
Support for ES/S-A HOTA is available is currently limited to e-mail support in english only.
Security
ES/S-A HOTA Supports TLS for the Secure HTTP Service (HTTPS) version 1.3. The web interfaces can be protected from bogon requests, internet access in WAN Networks. Network services feature automatic blacklisting and source-network abuse query. By utilizing FoundationShield or any other Firewall or Network monitor, ES/S-A HOTA can be securely exposed to the internet, following a positive risk assessment concering stability agains Distributed DOS (DDoS) attacks.
The default configuration does neither allow anonymous users, nor default credentials or insecure WAN access to recude the probability of security issues by misconfiguration or negligence.
The architecture requires modules accessing the core or other modules to obtain required privileges to execute specific actions. Responsible for distribution and approving is the ESAuthority, a integral core module. The system works by identifying module instances with unique and temporary tokens, that must be validated prior to execute actions in the target module. Applicable modules must provide necessary API functionality (ESAuthorityAwareService, ESAuthorityAwareCaller) and are responsible to correctly implement these by themself. ESContextAuthority provides information of call origins, and can differentiate many cases, such as automation, user interaction or remote procedure requests.
A zero-day vulnerability involving remote code execution in Log4j 2, (a Logging utility for Java) , given the descriptor CVE-2021-44228, was found and reported to Apache by Alibaba on November 24, 2021, and published in a tweet on December 9, 2021. Investigations proceeded and it was reported to customers, that ES/S-A HOTA is not affected, as Log4j (used by various components) is replaced by the distributed debugging service in release versions.
It is recommended to protect facility systems with at least two firewalls from different vendors or with different software.