In this age of digital transformation, Johnson Controls is committed to develop connected BAS that handle and transmit customer data according to the following security principles:
All data at rest has protection and security.
Data transactions are encrypted and securely transmitted.
All access to resources is protected through the use of strict authentication and authorization.
Engineering teams follow industry standard secure development lifecycle best practices.
Disciplined product security support and incident response is in place.
Products comply with security standards required for SOC2 and ISO 27001 certification.
At scheduled intervals, all products, devices, infrastructures, and services are scanned and tested for security weaknesses. The following tests are performed:
- Open Source Code Scans
- Static Application Security Testing (SAST)
- Dynamic Application Security Testing (DAST)
- Vulnerability Scanning
- Source Code Assessments
- Penetration Testing
- Audit Assurance and Compliance
Johnson Controls targets the following industry standards and certifications:
- Cloud Security Alliance (CSA): a guided assessment using the CSA Consensus Assessments Initiative Questionnaire to identify gaps in the various product lines. Johnson Controls creates a compliance document to help customers assess the security posture.
- SOC 2: SOC 2 certification helps to ensure our systems handle clients’ sensitive data securely.
- ISO/IEC 27001:2013: this standard specifies a management system that is intended to bring information security under management control and gives specific requirements.
The implementation and verification of security measures is a part of each stage of the product development process. A product component is not promoted to the next development stage unless the security considerations are approved by the respective owners.
Support programs for the product development teams
The cyber solutions team supports the product development teams during the full product lifecycle.
Development processes optimized for security
Engineering teams follow the Agile development approach. This approach promotes the rapid delivery of features that are repeatedly and thoroughly inspected and refined during the development cycle. The aim of this process is to ensure that the features meet quality objectives and align with customer needs.
Johnson Controls has created several roles and measures to ensure that cybersecurity is an integral part of product design and development. Design for security includes the following roles and measures:
- Security Champion: A senior product developer or software engineer for each
product to assist in the compliance process outlined within the Design for
Security Program. Security champions have the following certifications:
- Certified Secure Software Lifecycle Professional (CSSLP)
- Certified Ethical Hacker (C|EH)
- Certified Information Systems Security Professional (CISSP)
- Certified Cloud Security Professional (CCSP)
- Security Architect: A global cybersecurity expert who works with Security Champions to guide them through DFS activities and answer difficult security questions.
- DFS Requirements: Each product team implement security controls during the design and development phase to create a resilient product for release to market.
- Security Council: All Security Champions and Security Architects are members of the Johnson Controls Security Council and meet on a regular basis to share challenges and solutions across business units and disciplines.
- Product Management: Product management provides appropriate resources to develop non-functional features that focus on security.
- Security feature design review: security-aware reviewers identify the security features in each system and then look for problems that can cause these features to fail or prove insufficient.
- Product architecture documentation includes a dedicated section on product security and the documentation is constantly updated to reflect the current state.
- Development environments are isolated from production and staging environments.
- Cryptography: platform- and data-appropriate encryption that uses open validated formats and standard algorithms is used to encrypt data at rest.
- Code reviews: secondary code reviews identify dangerous code potentially written by malicious in-house developers or outsourced providers.
- Test dependencies: at the end of each release, testers run test scripts that focus on security.
- Continuous threat modeling: Johnson Controls defines and documents a process for threat modeling and applies it to all design reviews to find flaws.
- Definition of done (DoD): with security considerations directly included in our DoD, we ensure that necessary security activities are completed before any product feature is considered complete.
Product security includes the following measures:
- Password security: all products require that users sign in with secure credentials. Passwords are stored using modern password-based key derivation functions. Products support configurable password policy enforcement (for example, minimum length, age, history, complexity). Products support strong multi-factor authentication (MFA) options.
- Open standards: the OpenID Connect protocol is used to perform authentication between cloud endpoints.
- IP whitelisting: users of an account are restricted so that they can log in only from specified IP addresses or address ranges.
- Sessions: when a user account has a password changed or the account is disabled, all active sessions for that account are terminated.
- Demonstrable security: upon customer request, product teams can provide SOC2 or ISO/IEC 27001 certification details, results from third-party audits, penetration test results, completion of the customer-supplied RFI forms, and white papers.
Infrastructure security includes the following measures:
- Communication security: all communications are encrypted using TLS 1.2 or later. Only strong algorithms, ciphers, and protocols are enabled, with the strongest algorithms and ciphers set as preferred.
- Data security: customer data is protected using a combination of security controls: encryption at rest, strict access control, usage auditing, and secure deletion. All Personally Identifiable Information (PII) is segregated from other data and securely encrypted.
- Network segmentation: private networks are used to isolate resources and provide protection from direct internet access. Use of a secure VPN connection with multi-factor authentication is required to access these resources.
- Public footprint: the principle of least privilege is applied to all systems to reduce the surface area for potential attacks. Servers do not have public IP addresses unless needed, and traffic is routed through a reverse proxy layer. All unnecessary ports are blocked and remote access connections are allowed only through a VPN with strong authentication.
- Intrusion detection: we implement industry-leading network intrusion detection (IDS) solutions to help facilitate timely detection, root cause analysis, and response to security incidents.
- Denial of Service (DDoS) protection: we implement network filtering through our cloud provider to prevent spoofed traffic and restrict incoming and outgoing traffic to trusted platform components. This includes the use of load balancers and traffic filters to control the flow of external traffic to cloud components. In addition, automated controls detect internally initiated DDoS attacks.
- API rate limiting: all API endpoints enforce rate limits at the load balancer layer to protect against brute force attacks. Only authenticated requests can communicate with the API endpoints.
- Monitoring: continuous monitoring of our networks and systems is performed by both our cloud provider and third-party solutions, and they escalate notifications when under attack.
- Multi-Factor Authentication (MFA): employees and contractors who administer the infrastructure are authenticated with multi-factor authentication.
- Separation of duties: access to infrastructure is controlled by roles and responsibilities. For example, developers do not have access to the production environment.
Ingestion Pipeline Security
Various tiers of security appliances are implemented to ensure secure communications for every inbound request into our system:
- Firewall, IDS, and IPS tier: in our perimeter tier we deploy an industry leading third-party all-in-one solution that combines advanced networking, Intrusion Detection (IDS), Intrusion Prevention (IPS), web application firewall (WAF), as well as user and application controls. This firewall tier is designed to help protect our cloud-based workloads against advanced threats.
- TLS termination tier: to help ensure the best possible performance, our cloud service and infrastructure uses a dedicated tier, where the sole purpose is to handle TLS/SSL termination. This provides a layered approach to centrally manage TLS certificates and optimize requests for better performance in a secure manner.
- Web Application Firewall (WAF) tier: the WAF tier protects applications against sophisticated layer 7 attacks that might otherwise lead to systems being taken over by attackers, loss of sensitive data, and downtime. This includes the detection and denial of attacks such as SQL Injection (SQLi), Cross-Site Scripting (XSS), Local File Include (LFI), Cross-Site Request Forgery (CSRF), Remote Code Execution (RCE), HTTP Protocol violations, IP blocking using reputation data from the Project Honey database.
Reverse proxy tier: the reverse proxy tier provides TCP and UDP load balancing, Layer 7 request routing, active health checks on API endpoints, service discovery using DNS, JWT authentication for APIs and OpenId Connect for Single Sign-On (SSO), request/connection limiting.
Security for Digital Vaults that use Azure subscriptions
All employees and contractors who manage our subscriptions and access our infrastructure are required to use our JCI Azure Active Directory (AAD) instance. This provides several advantages:
- When employees leave the company, the deactivation of their company account removes access to all Azure resources.
- MFA: all accounts that have access to our subscription also have MFA configured as an additional security measure to prevent unauthorized access.
- Employees accessing and managing our subscriptions are assigned specific roles and permissions so that information is viewed and modified only by appropriate people.
Johnson Controls has procedures in place to prepare for the rare event of a security incident or breach. Incident reporting can originate with automated tools, through internal discovery, through a service provider, or through notification from an external source. A tiered escalation process is followed that includes initial triage, severity determination, and customer notification.
All the employees within the company receive frequent training to ensure that they are educated in cybersecurity: what to be aware of, and what steps they need to take in case they come across a vulnerability. Each training is customized to the function they perform within the company. Continued emphasis on training is the primary way we arm our developers against bad practices that create risk.