This post continues a series about a particular large system at UNC

As described in the last post, Building System protocols suffer from a number of problems. They are unstable. The protocols are not standards compliant. They have poor security characteristics. So we decided to put them in a sandbox.

Each buildings system was to be isolated within that building. No protocols not easily recognized by Network Support Technicians would be allowed on the backbone; BACnet, LON, et al., were all gone, even their IP versions. All network traffic for control systems would come from protocol stacks that were written for mainstream use. Systems would be secured using our standard network security

All connections to building systems be sessionless. This one needs some explanation. When a program on your computer connects to a database, you log in, and establish a session. That connection is maintained by regular hand shaking. The remote server remembers things about you, so you can continue the conversation. This is efficient, but it does not scale well.

When you contact a web server, you connect, get your page, and then the web server forgets all about you. This allows one web server to service thousands of clients. The standard for sessionless program to program communications is web services. You use web services whenever Gmail types ahead to finish an address for you. We opted to use web services for all routine communication.

We defined two ways to connect to the sand box. It was necessary that we choose names that were not tied to any particular brand, so we made up our own. All communications between the EBMS and the control system are through the Enterprise Building Local Gateway (EBLG). All maintenance of the building system is through the Local Control Station (LCS). Both access points are secured by network security.

We defined a Local Control Station (LCS) to support the needs of each individual system. The LCS runs all the proprietary software that is used to configure the control system. All of them run Windows XP and are members of a windows domain. Users do not have administrative rights on an LCS. All access to LCS’s would be defined by security policy.

The Enterprise Building Local Gateway (EBLG) was created as the gateway and translator. All operational access to the building system is through the EBLG and is exclusively by web services. Maintenance or reconfiguration is performed on the LCS instead.

The Enterprise Building Management System (EBMS) was conceived of as a central harvester of all information from all the web services on all the EBLGs. No software or hardware to work with traditional control protocols would be installed on the EBMS. No traditional controls enter or leave the EBMS.

Using web servers to access the information on the EBMS, operators can see everything in all systems, no matter what the brand or the protocol. This provides a web based point for operating all the buildings. We carefully defined a distinction between Operations and Maintenance/Configuration. You can think of it as the difference between driving a car and performing service on a car.

This article begins a series of articles about a particular large system at UNC

We had a big problem at UNC. Our energy management control room was filled with different so-called enterprise systems. Our buildings were filled with every sort of low bid system that could be purchased under state rules. Where we had been able to impose a standard, internal incompatibilities, between systems from twenty years ago and from ten years ago supplied by the same vendor were as bad as those between product lines. The men in the control room were running a half dozen different incompatible monitoring systems, and all of them were fraught with problems.

As we built out the campus network, it was no longer acceptable to isolate the building systems onto separate webs of leased phone lines. As we moved the systems onto standard networks, the problems became worse. The first attempts by the building systems vendors worked only ion fully isolated networks. Many systems implemented quirky variants of TCP/IP that operated only with certain brands of router. No two chose the same brand of router, and none chose the brand of router selected by out enterprise networking group. With clever trickery, and great expense in time and labor, we were able to work around these problems.

It was surprising how badly the control protocols were written. Developed in isolated labs, by engineers who understood little about the challenges of sharing a network with unknown others, they were really quite bad. Not only were all aspects of these installation discoverable, but they were sensitive. I know one campus whose coal plant control system was taken off line each time an un-configured LaserJet was put on the campus network.

Enterprise control protocols of the day relied on security through obscurity. Anyone who could read BACnet, or LON could discover and operate the entire network. Proprietary protocols such as Metasys or Ultavist were no better. So again, through hard work, and no small expense in network equipment, and even greater expense in time and labor, we put in a complex network of VLANS operating inside the diverse business VLANS of the were able to work around these problems.

The real problems were much worse than I am letting on. Some systems would stop communicating if a router were switched out – until each system in the subnet and neighboring subnets had been simultaneously cold booted. Network stacks written by controls systems houses were abominable and there network interface cards were expensive. I remember tuning network ports down to 10MHz half duplex, to support a $1000 dollar Ethernet interface, while I was buying 100MHz full duplex network cards for $19.

With all the work, with all the effort, with all the off balance sheet costs, I knew the game had to change.