Product security processes - Johnson Controls - LIT-12013696 - OpenBlue Location Manager - 2.2.1

OpenBlue Location Manager Security and IT Guide

Product: Building Automation Systems > Building Automation Systems > OpenBlue Location Manager
Document type: Security and IT Guide
Document number: LIT-12013696
Version: 2.2.1
Revision date: 2021-10-30

The Location Manager undergoes regular penetration testing cycles to verify that it does not introduce security risks to the networks on which it is deployed. This testing validates that the Location Manager provides a secure environment for data ingestion and user interaction, and that it protects the integrity of the data overall. Location Manager security precautions include the following:

  • Scans application components, libraries, modules, frameworks, platforms, and operating systems regularly for known security vulnerabilities.
  • Builds certificate paths from a trusted CA to the TLS 1.2 server certificates.
  • Uses strong ciphers throughout the certificate hierarchy.
  • Enforces authentication and authorization on all communication between devices, sensors, and applications.
  • Hashes and encrypts the credentials used to access services or devices external to the device or application, and stores them in protected locations.
  • Uses strong, random anti-CSRF tokens to protect transactions.
  • Handles all ingress data in secured Azure environments.
  • Uses secure communication protocols for all connections, both external and backend.
  • Applies anti-automation measures, such as throttling and source blocking, to prevent breached-credential testing, brute-force, and account-lockout attacks.
  • Enforces account lockout, password complexity, and cryptographically random hashing, applying the principle of least privilege.
  • Encrypts sensitive information at rest and in transit.
  • Centralizes server-side security controls, with separation of layers so that security decisions are enforced on trusted systems.

More detailed information on the Location Manager security features can be provided on request.