K-Comm: Security Information
Network Security
Many Building Automation Systems (BAS) have a dedicated VLAN, kept from the rest of their network for security reasons. The K-Comm device is designed to work with these systems to preserve security and create a secure means of connecting.
Even if your BAS doesn’t have a dedicated VLAN, the K-Comm device is a push device: it initiates GET and POST requests to our REST API over SSL. It ships with all the precompiled code needed to connect to your BAS to read and write data, and it needs no access or privileges on your LAN beyond an IP address.
CopperTree Analytics’ devices are typically configured with a limited set of specific outbound ports and are restricted to the domains listed in this document. Furthermore, when connected to an internal network, the device’s internet access is limited to the IP addresses of the applicable BAS controllers or front ends.
Passwords & System Security
We do not keep any passwords or information about your networks within the API. Some BAS connections require a username and password; these credentials and their permissions are configured during setup and stored securely (encrypted) on the local device. They are never stored in the API and are not accessible externally.
For some types of networks and BAS vendors, the K-Comm device requires a read and write account and password for the BAS.
Device Security
CopperTree Analytics’ devices use SSL POST and GET requests to the CopperTree Analytics REST API. The requests are used for software updates, to retrieve the instructions the device executes as BACnet writes, and to report execution results for action logging in Kaizen.
BACnet Write Commands
The ability to write values to BACnet object properties is a distinctive feature of the K-Comm device. The device is only able to follow instructions issued by Kaizen as it does not contain logic to generate instructions by itself. K-Comm must be explicitly allowed to retrieve instructions from CopperTree’s servers by having its public IP address added to the firewall rules.
Write Permission
Permission to write values to BACnet object properties must be explicitly granted via an allow-list. For each instruction issued from Kaizen, K-Comm verifies that the BACnet object and property are listed in the allow-list before a write command is executed.
Write Priority
By default, BACnet writes are performed at the lowest priority level (i.e., 16) as defined in the standard BACnet Priority Array, unless a higher priority level is defined in the instruction issued by Kaizen.
Write Logs
Execution results of all BACnet writes for each BACnet object and property are communicated back to Kaizen where all bi-directional activity is logged.
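The three controls above (allow-list check before any write, default priority 16 unless the instruction specifies one, and a result record for every instruction reported back) fit together as one small handler. The following is an added illustrative example, not K-Comm’s or Kaizen’s own code: the instruction field names, the (object type, instance, property) allow-list format, and the stub BACnet writer are all assumptions made for the demonstration.

```python
from dataclasses import dataclass, asdict
from typing import Callable, Iterable, List, Optional, Tuple

# Hypothetical allow-list: (object_type, instance, property) entries an operator has
# explicitly approved for writing. Constructed for this example.
ALLOW_LIST = frozenset({
    ("analogValue", 3, "presentValue"),
    ("binaryOutput", 7, "presentValue"),
})

DEFAULT_PRIORITY = 16  # lowest slot of the BACnet priority array (1 = highest, 16 = lowest)

ObjectKey = Tuple[str, int, str]


@dataclass(frozen=True)
class WriteResult:
    """One log record reported back to the cloud after an instruction is handled."""
    object_type: str
    instance: int
    prop: str
    value: object
    priority: Optional[int]   # None when the instruction never reached a write
    status: str               # "executed" or "rejected"
    reason: str = ""


def resolve_priority(instruction: dict) -> int:
    """Use the instruction's priority if present and valid, otherwise default to 16."""
    priority = instruction.get("priority")
    if priority is None:
        return DEFAULT_PRIORITY
    if not isinstance(priority, int) or not 1 <= priority <= 16:
        raise ValueError(f"priority {priority!r} outside BACnet range 1-16")
    return priority


def handle_instruction(instruction: dict, allow_list, bacnet_write: Callable) -> WriteResult:
    """Validate one instruction against the allow-list, then write at the resolved priority."""
    key: ObjectKey = (instruction["object_type"], instruction["instance"], instruction["property"])
    value = instruction["value"]
    # The allow-list check runs first; nothing else is evaluated for an unlisted target.
    if key not in allow_list:
        return WriteResult(*key, value, None, "rejected", "object/property not in allow-list")
    try:
        priority = resolve_priority(instruction)
    except ValueError as exc:
        return WriteResult(*key, value, None, "rejected", str(exc))
    try:
        bacnet_write(key, value, priority)
    except Exception as exc:  # e.g. controller unreachable; the failure is still reported
        return WriteResult(*key, value, priority, "rejected", f"write failed: {exc}")
    return WriteResult(*key, value, priority, "executed")


def handle_batch(instructions: Iterable[dict], allow_list, bacnet_write: Callable) -> List[WriteResult]:
    """Produce one result record per instruction, executed or not, for the write log."""
    return [handle_instruction(i, allow_list, bacnet_write) for i in instructions]


# Constructed sample instructions in an assumed shape; one per case worth logging.
SAMPLE_INSTRUCTIONS = [
    {"object_type": "analogValue", "instance": 3, "property": "presentValue", "value": 21.5},
    {"object_type": "binaryOutput", "instance": 7, "property": "presentValue", "value": 1, "priority": 8},
    {"object_type": "analogValue", "instance": 9, "property": "presentValue", "value": 0.0},
    {"object_type": "binaryOutput", "instance": 7, "property": "presentValue", "value": 0, "priority": 17},
]


def simulate():
    """Run the sample batch against a stub writer; returns (results, writes actually sent)."""
    sent = []

    def stub_write(key: ObjectKey, value, priority: int) -> None:
        # Stand-in for the real BACnet WriteProperty; records what would go to the BAS.
        sent.append((key, value, priority))

    results = handle_batch(SAMPLE_INSTRUCTIONS, ALLOW_LIST, stub_write)
    return results, sent


if __name__ == "__main__":
    results, sent = simulate()
    for record in results:
        print(asdict(record))
    print(f"{len(sent)} write(s) sent to the BAS")
```

Of the four sample instructions, only the first two reach the stub writer: the first at the default priority 16, the second at the priority 8 it carries. The third targets an instance not in the allow-list and the fourth carries an out-of-range priority; both are rejected before any write. Producing a result record for rejected instructions as well as executed ones is a design choice in this example, so that the log reported back shows every instruction received, not only those that changed a value.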
Data Encryption
All data in motion is encrypted by TLS 1.3. All data at rest on our cloud servers uses AES256 encryption.
Cloud Data Residency & Sovereignty
CopperTree hosts our cloud application, Kaizen, on Amazon Web Services (AWS) in Canada as well as in the US depending on the geolocation requirements related to our data storage policies. All data resides permanently within the boundaries of Canada or in the US depending on the requirements provided to us.
Additional Security
CopperTree Analytics’ architects can be available for discussions or concerns around security. Additional security measures can be put in place as required.