The Metasys system offers secure user access by authenticating the user name and password of any user who attempts to connect to the system.
The Site Management Portal UI also supports authentication using the Microsoft Active Directory® directory service. Refer to the Security Administrator System Technical Bulletin (LIT-1201528) for details.
When a valid user account has been identified, the connection is authorized, and system access is granted based on the access privileges defined by the Metasys security administrator system for the user account.
Access privileges are assigned by system categories and action sets to individual users or to a group of users with the same role. System categories define the type of building equipment and points accessible when operating the system. Action sets define the authorized operation level. Users may be authorized to only view items or may be allowed to also acknowledge alarms and issue commands. At the highest level, users are authorized to modify system configuration parameters.
In addition to system access privileges assigned to users, you can also assign access to spaces and equipment serving spaces with the Space Authorization feature in the Metasys UI.
The Audit Trail on the ADS-Lite-A records user activities such as alarm acknowledgment, sending commands, and point modification.
In addition to user authentication, standard IT security technologies including firewall programs and encoding protocols protect the building automation system and network from unauthorized access.
Hypertext Transfer Protocol Secure (HTTPS) with TLS 1.2 is now implemented between Metasys components, including the ADS-Lite-A, Metasys UI, System Configuration Tool (SCT), and network engines. This enhancement ensures the highest level of security to protect your building automation system from unauthorized users and computer hackers.
Self-signed certificates are installed by default on the ADS-Lite-A. As an option, the customer can apply or purchase trusted certificates on the ADS-Lite-A.
One of three new security shield icons is displayed in the Site Management Portal (SMP) to indicate the current level of a connection: trusted, self-signed, or untrusted.
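A client-side check of the certificate states described above, as an added example that is not Johnson Controls code: it reports whether a server's certificate verifies as trusted, self-signed, or untrusted from the machine running it, and which TLS version was negotiated. The mapping from OpenSSL verification codes to the three labels is an assumption made for this example, not the SMP's own logic, and the host name is supplied by the operator.

```python
import socket
import ssl
import sys

SELF_SIGNED_LEAF = 18  # OpenSSL X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT


def classify_verify_code(code):
    """Assumed mapping of an OpenSSL verify code to the three connection states."""
    if code == 0:
        return "trusted"
    if code == SELF_SIGNED_LEAF:
        return "self-signed"
    return "untrusted"  # expired, unknown issuer, host name mismatch, ...


def _handshake(host, port, ctx, timeout):
    """Complete a TLS handshake and return the negotiated protocol version."""
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse anything older
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


def probe(host, port=443, timeout=5.0):
    """Return (certificate state, TLS version) as seen from this client."""
    try:
        return "trusted", _handshake(host, port, ssl.create_default_context(), timeout)
    except ssl.SSLCertVerificationError as exc:
        state = classify_verify_code(exc.verify_code)
    # Second handshake without verification, only to read the protocol version.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return state, _handshake(host, port, ctx, timeout)


def needs_attention(state, version):
    """True when the certificate is not trusted or TLS is older than 1.2."""
    return state != "trusted" or version not in ("TLSv1.2", "TLSv1.3")


if __name__ == "__main__":
    # Usage: python check_tls.py <host> [port]; the host is one you administer.
    target = sys.argv[1]
    target_port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    cert_state, tls_version = probe(target, target_port)
    print(f"{target}:{target_port} certificate={cert_state} tls={tls_version}")
    sys.exit(1 if needs_attention(cert_state, tls_version) else 0)
```

A non-zero exit status flags a server still presenting the default self-signed certificate, or one whose certificate does not chain to a CA in this client's trust store.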
You can configure the use of an external Syslog server to capture messages from the Metasys system. Network engines send audit log entries and event notifications to an external, customer-provided industry-standard Syslog server destination.
A secure authentication process between Supervisory Devices and the Site Director that involves Device Pairing is available. An attribute in the Site object called Advanced Security Enabled controls the Device Pairing feature.
BACnet/SC with TLS 1.3 is now implemented on Metasys. This eliminates the need for static IP addresses, encrypts communication, and authenticates devices.