Hubbell NX AREA CONTROLLER User Manual

NX AREA CONTROLLER
IT ADMINISTRATOR’S NETWORK & SECURITY GUIDE
Copyright © 2021 Hubbell Control Solutions, a division of Hubbell Lighting, Inc. All rights reserved. All product and company names, logos and product identifiers are trademarks ™ or registered trademarks ® of Hubbell Lighting, Inc. or their respective owners. Use of them does not necessarily imply any affiliation with or endorsement by such respective owners.
701 Millennium Blvd. | Greenville, SC 29607 | (864) 678-1000 | www.hubbellcontrolsolutions.com
Version 1.0.4
0120 21
Table of Contents
1. Introduction
2. NX Area Controller Platform Overview
2.1 Area Controller
2.2 NX Distributed Intelligence™
2.3 ControlHubb
2.4 NX Wireless Network
2.5 System Topologies
3. Software & Firmware Management
4. IT Network
4.1 WLAN/LAN
4.2 Network Ports & Protocols
4.3 IP Address Assignment
4.3.1 Manual
4.3.2 DHCP
4.3.3 DNS (Host Name Management)
4.4 Setting Up On An Isolated Network (Not Connected To IT network)
5. Network Setup & Maintenance
5.1 System Login
5.2 System Setup
5.3 Backup & Restore
5.4 Password Management
5.5 Third Party Integration (BACnet™)
6. Administration & User Management
Add User
Edit User
Delete User
7. Additional Security Considerations
7.1 TLS Encryption
7.2 SSL Certificates (Installing A Signed Certificate)
7.3 Remote Maintenance
7.4 Remote Access (Firewall)
7.5 Web Authentication
Security Passwords & Recovery
7.6 Security Updates
Security Package Management
Standard Operating Procedure
7.7 Remote Support
1. Introduction
This IT Administrator’s Network & Security Guide will provide necessary guidance for IT Personnel or network administrators on integrating the NX Area Controller into their network successfully and securely. The guide will provide best practices for maintaining reliable connectivity, ensuring system security and integration into the overall building management through the NX Area Controller.
This guide does not provide instruction on configuration or individual device installation of the NX Distributed Intelligence Control system. These additional documents can be located on Hubbell Control Solutions website under “NX Distributed Intelligence™” and the respective product pages.
https://www.hubbell.com/hubbellcontrolsolutions/en/Products
Keywords
IT - Information Technology
LAN - Local Area Network
WAN - Wide Area Network
TLS - Transport Layer Security
IP - Internet Protocol
TCP - Transmission Control Protocol
SSL - Secure Sockets Layer
OS - Operating System
DHCP - Dynamic Host Configuration Protocol
DNS - Domain Name System
IEEE - Institute of Electrical and Electronics Engineers
PC - Personal Computer
HTTP - Hyper Text Transfer Protocol
AES - Advanced Encryption Standard
UDP - User Datagram Protocol
SSH - Secure Shell
IE - Internet Explorer
HCS - Hubbell Control Solutions
CA - Certification Authority
OT - Operational Technology
NAC - Network Access Control
2. NX Area Controller Overview
The NX Area Controller is part of the NX lighting system from Hubbell Control Solutions (HCS) that enables commercial buildings to meet energy codes, be energy efficient and allow building personnel to manage and control their entire lighting system from one single user interface. There are several key elements that make up the NX Lighting Control ecosystem.
2.1 Area Controller
In the NX Control System, the area controller serves as an on-premise server, an edge controller and a router that connects the NX network (described below) to the internet and other external networks. It routes and manages the network traffic to enable a secure methodology for controlling and managing the lights controlled by NX Distributed Intelligence™.
Area Controller: Key Summary Points
NX Area Controller hosts internal Lightpd Web server
NX Area Controller uses a Linux based OS, Ubuntu 18.04
Physical and Datalink layer using IEEE 802.3 Ethernet
Transport layer is TCP
IPv4 Address can be static or dynamic using DHCP
HTTPS communications using port 443 (must be enabled by the user)
Single password access
Password is hashed and salted
Built-in BACnet™ /IP Interface
• BACnet /IP Annex J
• Uses BACnet default IANA port 47808
• IANA port can be reconfigured
2.2 NX Distributed Intelligence
The NX Distributed Intelligence is the underlying technology within the NX Control and serves as a backbone for the entire system. It can stand on its own without being dependent on any edge device. Below are the 4 key attributes summarizing this control platform:
Truly Intelligent
The Hubbell Control Solutions’ NX Distributed Intelligence lighting control platform is the first of its kind to utilize a distributed network architecture (DNA) which provides users with unmatched system reliability, scalability and simplicity.
Simple
NX provides occupants with nearly unlimited lighting control possibilities and is designed to self-configure, automatically meeting energy code requirements as devices are connected.
Scalable
NX is designed for buildings, rooms and luminaire-based applications with a comprehensive portfolio of panel, room-based and in-fixture controllers, sensors and human interfaces as well as support for Building Automation Systems.
Versatile
NX supports indoor and outdoor applications, wired, wireless and hybrid networked lighting control deployments, and enables emerging applications such as Hubbell Lighting’s SpectraSync™ color tuning technology.
2.3 controlHUBB
The controlHUBB Mobile App provides Bluetooth® wireless setup and configuration of NX Room Control devices and luminaires equipped with an NX In-Fixture module with smart sensor. The controlHUBB Mobile App is available in Android and iOS versions for free download from Google Play™ or Apple® App Store.
2.4 NX Wireless Network
NX Distributed Intelligence™ Platform uses two levels of wireless communication within the network.
1. Device to Device Communication
2. User to Device Communication
For device to device communication, NX Wireless ecosystem uses mesh technology based on Institute of Electrical and Electronics Engineers (IEEE) 802.15.4 standard and follows strict IEEE guidelines to ensure sustainability and reliability. It operates in the 2.4 GHz ISM band with 16 channels.
For the user to device communication, NX employs Bluetooth® technology (BLE) which is based on IEEE 802.15.2 standard and follows similarly strict guidelines to ensure maximum reliability & performance while minimizing any interference. This user wireless communication is encrypted using AES 128-bit encryption.
2.5 Internal System Network Topology and Protocols
The NX Lighting Control System is set to be a self-contained LAN. The network backbone called HubbNET™ is Ethernet based connecting the NX Area Controller (NXAC-120) to NX Network Bridges which serve as both a 2 port Layer 2 Ethernet switch for HubbNET connectivity and a bridge to proprietary TIA485 communication segments called SmartPORT™. SmartPORT segments serve as the communications backbone within a space or room linked together by the HubbNET backbone. All addressing within the HubbNET backbone is Link Local.
The NX Area Controller serves as the single portal device for communications outside the HubbNET LAN for Remote Access or a single setup PC. The single connection is also used for BACnet™ integration into BMS.
[Figure 1 diagram: Hubbell NX Distributed Lighting System Network Diagram, Rev 2 – June 6, 2020. Labeled elements: Building Management System (BMS), firewall, corporate intranet or any remote access capability (optional), layer 2 managed network switch, user interface, NX Area Controller (single IPv4 address), NX Network Bridges (IPv4 link-local addresses), NX Room Lighting Controllers (4 port RS485 datalink), In-Fixture Lighting Controllers (2 port RS485 datalink, CAT5), daylight/occupancy sensors (CAT5), proprietary RS485 SmartPort subnets, Room X1, Room X2, Room X..., Floor 2, Floor X, external boundary and internal boundary. Diagram annotations:
HubbNET LAN Backbone: physical and data layer Ethernet IEEE 802.3; cable CAT 5e or better; IPv4 link-local addressing (non-routable); default HubbNET port 20056; 10BaseT communication speed; transport UDP.
Proprietary Protocol (SmartPort): RS 485 datalink; standard TIA-568 network cables; cables CAT5 or better.
External Connection: physical and datalink layer Ethernet IEEE 802.3; web server on HTTPS port 443; single access password; password hashed and salted.
Integration to Other Systems: BMS integration using BACnet/IP (ASHRAE SSPC135); port 47808 default (configurable).]
Figure 1: NX Distributed Intelligence™ Lighting System Network
Internal NX Lighting Networks Summary
HubbNET
• Internal LAN Connection between NX Area Controller and NX Network Bridges
• Physical and Datalink layer using IEEE 802.3 Ethernet
• 10BaseT communication speed
• Cables are Cat5e or better
• Powered Ethernet from port 1 of the NX Area Controller does not adhere to IEEE 802.3 Clause 33. All other ports from the NX Area Controller are not powered.
• Layer 3 addressing is Link Local as per RFC 3927 for individual devices
• Transport layer is UDP
• Default port for internal Area Controller communications to NX Network Bridges is 20056 but can be reconfigured.
• NX Network Bridge serves as a bridge between Ethernet based HubbNET to proprietary TIA485 Based SmartPORT™ segment.
• Addressing is Link Local as per RFC 3927
SmartPORT Segment
• SmartPORT wiring uses Cat5 or better for TIA485 proprietary communications.
• Spread spectrum modulation is DSSS
3. Software & Firmware Management
Hubbell has a release management process in place which releases quarterly firmware updates for lighting devices and software updates for the NX Area Controller Platform. However, in order to apply these updates to the existing installed network, an authorized person is required. Please contact Hubbell Tech Services to schedule your firmware update. See link below.
https://www.hubbell.com/hubbellcontrolsolutions/en/technical_support
4. IT Network
4.1 WLAN/LAN
In cases where building personnel such as facility managers need to access the NX Area Controller Platform Software in order to view/manage their lighting network from their office on the premises, the area controller (see networked system topology) needs to be connected to the building LAN. The area controller has a built-in webserver which allows clients to request the web-based software access using LAN/WLAN.
4.2 Network Ports & Protocols
The system operates through the following ports:
Port #   Protocol   Public   Description
22       SSH        Yes      Terminal. Used for maintenance. SSH Server
443      HTTPS      Yes      Web traffic, apache service
5001     HTTP       No       Intra process communication
5002     HTTP       No       Intra process communication
5003     HTTP       No       Intra process communication
47808    UDP        Yes      BACnet™
20056    UDP        No       Second NIC used for internal proprietary traffic
Table 1
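An added example, not part of the Hubbell guide or its software: a Python check that compares a listener list, captured with `ss -H -tuln` on a Linux host where shell access is available, against Table 1, and also reports public services from the table that are not listening (HTTPS must be enabled by the user). The sample input is constructed, and the bind rules for the non-public ports (loopback for 5001-5003, IPv4 link-local for 20056, following the HubbNET addressing in section 2.5) are assumptions of this example.

```python
"""Added example: audit a listener list against Table 1 of this guide."""
import ipaddress
from typing import List, NamedTuple, Optional, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Table 1 transcribed: (transport, port) -> (description, public?).
# SSH, HTTPS and HTTP are taken to run over TCP.
TABLE_1 = {
    ("tcp", 22): ("SSH maintenance terminal", True),
    ("tcp", 443): ("HTTPS web traffic", True),
    ("tcp", 5001): ("intra-process communication", False),
    ("tcp", 5002): ("intra-process communication", False),
    ("tcp", 5003): ("intra-process communication", False),
    ("udp", 47808): ("BACnet", True),
    ("udp", 20056): ("internal proprietary traffic (HubbNET)", False),
}


class Listener(NamedTuple):
    proto: str
    addr: Optional[Address]  # None means a wildcard bind (0.0.0.0, ::, *)
    port: int


class Finding(NamedTuple):
    status: str  # OK, EXPOSED or UNLISTED
    listener: Listener
    note: str


def parse_ss_line(line: str) -> Optional[Listener]:
    """Parse one row of `ss -H -tuln`; return None for rows that do not fit."""
    fields = line.split()
    if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
        return None
    host, _, port = fields[4].rpartition(":")
    if not port.isdigit():
        return None
    host = host.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
    if host == "*":
        return Listener(fields[0], None, int(port))
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return None
    return Listener(fields[0], None if addr.is_unspecified else addr, int(port))


def classify(lst: Listener) -> Finding:
    """Compare one listener with Table 1."""
    entry = TABLE_1.get((lst.proto, lst.port))
    if entry is None:
        return Finding("UNLISTED", lst, "not in Table 1; identify the service")
    desc, public = entry
    if public:
        return Finding("OK", lst, desc)
    # Assumption: a port Table 1 marks non-public should be bound narrowly.
    if lst.port == 20056:
        narrow = (lst.addr is not None and lst.addr.version == 4
                  and lst.addr.is_link_local)  # RFC 3927, 169.254.0.0/16
        want = "an IPv4 link-local address"
    else:
        narrow = lst.addr is not None and lst.addr.is_loopback
        want = "loopback"
    if narrow:
        return Finding("OK", lst, desc)
    return Finding("EXPOSED", lst, f"{desc}: expected bind to {want}")


def parse_listeners(text: str) -> List[Listener]:
    rows = map(parse_ss_line, text.splitlines())
    return [row for row in rows if row is not None]


def audit(text: str) -> List[Finding]:
    return [classify(row) for row in parse_listeners(text)]


def missing_public(text: str) -> List[Tuple[str, int]]:
    """Public Table 1 services with no listener, e.g. HTTPS not yet enabled."""
    seen = {(row.proto, row.port) for row in parse_listeners(text)}
    return [key for key, (_, public) in TABLE_1.items()
            if public and key not in seen]


# Constructed sample in `ss -H -tuln` layout; not captured from a real controller.
SAMPLE_SS = """\
tcp   LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:47808      0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:5001       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5002       0.0.0.0:*
udp   UNCONN 0      0       169.254.7.20:20056      0.0.0.0:*
tcp   LISTEN 0      128             [::]:8080          [::]:*
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        where = f.listener.addr or "any"
        print(f"{f.status:9} {f.listener.proto}/{f.listener.port} on {where}: {f.note}")
    for proto, port in missing_public(SAMPLE_SS):
        print(f"MISSING   {proto}/{port}: {TABLE_1[(proto, port)][0]} has no listener")
```

An EXPOSED or UNLISTED result is a prompt to confirm how the port is filtered between the controller and the IT network, not proof that it is reachable.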
4.3 IP Address Assignment
4.3.1 Manual
Manually set network settings allow precise control over the network’s configuration (Figure 2). We strongly recommend using the factory provided IP address and subnet mask when using the manual option. However, in case the user wants to provide their own IP address and subnet mask, it will be necessary to contact the Information Technology Department personnel to get that set up.
4.3.2 DHCP
The Dynamic Host Conguration Protocol (DHCP) is a router feature that dynamically allocates conguration parameters to connected devices such as IP, DNS, and default gateway addresses. Enabling DHCP on a router normally eliminates the need to manually congure network settings on connected devices. The implementation of DHCP on most routers allows a device to be assigned a xed IP address by associating a specic IP address to a device’s MAC address.
The area controller has ability to connect to the DHCP server to get IP address assigned dynamically and automatically to it (Figure
2). However, this option needs to be enabled (contact your IT administrator and for any additional support, contact Hubbell
Tech Services).
Now use the router’s DHCP setting to automatically connect devices to the network by negotiating the appropriate settings with the device. This option may not be applicable to all networks; for example, the network administrator does not want to use DHCP and has supplied information to manually congure the device’s IP interface.
Figure 2
4.3.3 DNS (Host Name Management)
When you want to connect to another computer or service on the Internet (to a website, for example), you would rarely want to use the IP address to make the connection, as it would be a pain to remember the numeric IP address for each site you want to visit. The Domain Name System (DNS) was created to allow internet users to take advantage of a meaningful Uniform Resource Locator (URL) such as https://www.hubbellcontrolsolutions.com/ to connect to an IP address without having to know the server’s or computer’s numerical IP address. The DNS does this by looking up the URL and providing the numeric IP address to the requesting computer. Should the IP address of a computer/server be changed, the DNS server can be updated with its new IP address, thereby ensuring that other networked computers can still find this computer/server through its URL.
Why should area controllers use a fixed IP address or use Hostname Management? To program or to access an IP controller, you must be able to connect to it. Like a postal address, a fixed IP address that is always assigned to the same device allows you to consistently connect to and work with the same device.
An alternative to using a fixed IP address is to use the controller’s Hostname Management, which allows a controller to be identified by a nickname such as My_Hubb instead of the controller’s IP address. The hostname can then be used in a web browser to request access to the Area Controller login page.
The Area Controller enables DNS configuration. However, the user will need to register on an appropriate domain server and procure their own host name if they do not want to type an IP address every time they want to access the area controller web page. Figure 3 shows the DNS settings provided on the area controller.
Figure 3
4.4 Setting up on an isolated network (not connected to IT network)
This is a use case in which the IT manager or user does not want to integrate their lighting network into their IT network and/or connect it to any WLAN/LAN. The area controller network in this case would be isolated from the rest of the IT infrastructure and building networks. In order to set up for this use case, the following steps need to be followed:
1. Do not connect the area controller to the building LAN/Router.
2. Do not activate DHCP and/or DNS servers on the area controller.
3. Use a static IP address only (you can use the factory default IP address 192.168.1.1). The area controller supports IPv4 addressing.
4. Connect your laptop directly to the area controller using a standard Cat5 cable. Bring your laptop into the same IP network as your area controller using the adapter settings. For example, if your area controller IP address is 192.168.1.1, you can assign your laptop a static IP address 192.168.1.5. The subnet would be 255.255.255.0 (same as your area controller) (Figure 4).
5. Now go to your web browser and type the area controller IP address. The login page of the area controller would show up (see section 5.1). You are now ready to go.
Figure 4
5. Network Setup & Maintenance
5.1 System Login
The default IP address of the shipped system is 192.168.1.1 with sub-mask 255.255.255.0.
After connecting the system to the LAN or an isolated network, you can log in by typing in its IP address in your browser’s URL field. It is recommended to use Chrome, but it will work with Firefox and Edge too. It is not compatible with IE. The first hit will cause the system to go through initialization but will display the following page after about 10 seconds (Figure 5). Take note of the version number at the bottom left section of the page. You may need this for tech support.
Figure 5
Important: For rst time users:
Default User Name: admin Password: Nextgen.1
As a responsible user, you are expected to change the password upon logging in the rst time. Save the new password in a safe and secure place. See Password Management Section for more details.
5.2 System Setup
Upon logging in, the user should go to the system setup and enter facility details (Figure 6).
Figure 6
5.3 Backup & Restore
It is recommended that the user back up their area controller settings to avoid any loss of information that may occur during firmware updates, power outage or any other events.
The Data Management tab (Figure 7) allows you to fully back up and restore the area controller’s configuration settings that were created for the specific facility or areas within it. The backup file is in the form of a database which can be downloaded and stored locally on your workstation using the “Download Backup” option. It can then be restored from the “Choose File” option followed by the “Upload Database” function.
Figure 7
Through the Data Management page, the admin can download an encrypted database which can be stored as a backup (Figure 7).
Only an encrypted database can be restored.
5.4 Password Management
From the User Settings page (Figure 7), admin can update passwords for all three user types/roles: Reader, User and Admin (Figure 8).
Figure 8
When a password change is initiated by a user other than the Active user, the Active user is prompted to update the password upon logging in (Figure 9). The user should be aware of the updated password in order to change the password.
Figure 9
After 10 unsuccessful password attempts, the user is locked out (Figure 10).
Figure 10
The Admin user account has the capability to unlock a locked user account by prompting a password change for the locked user. If the Admin account is locked, then reach out to HCS Tech support for further resolution.
Technical Service Center Phone Number: (800) 888-8006
Option 1 - Layout & Proposal of Agents Support Team
Option 2 - Tech Support
Option 3 - Warranty Support
Option 4 - Field Commissioning
Email Support: HCStech@hubbell.com
5.5 Third Party Integration (BACnet™)
The Area Controller acts as a BACnet/IP server and virtual BACnet router between BACnet clients and an NX Virtual BACnet Solution. BACnet Devices served by the Area Controller are Zones. Zones are virtual BACnet devices that represent a physical space within the building such as a conference room, open office, or corridor. Each Zone will have a single state of occupancy and some quantity of Relays and/or Dimmers. We recommend referencing our BACnet Protocol Implementation Conformance Statement (PICS) for complete details.
https://hubbellcdn.com/literature/BACnet_protocol_NXAC_120.pdf
Through BACnet/IP, users can change the light levels for individual devices, zones and areas; similarly, they can read the values of the individual devices (occupancy sensors and daylight sensors) and individual space outputs (zone light levels, presets) from their BAS console.
6. Administration & User Management
The system is pre-configured with 3 user types/roles, each with different rights. Roles can be described as:

| User Role | Description | Restrictions |
|---|---|---|
| Reader | Default & least privileged | A user to perform read only actions. The system either locks fields or rejects the change after submission. |
| User | A user who can read and configure the lighting aspects of the system. | User cannot make system level changes except to lighting configuration. |
| Admin | Unlimited system user | This user can configure every aspect of the system, and very limited OS level configuration. |

Table 2
The main screen, also referred to as the main page, is the landing page after a successful login. This is a snapshot of it:
Figure 11
The left pane allows the user to browse the lighting network. The right pane displays details of any node selected on the left pane. The ‘System Setup’ is only accessible by a user having the administrator role. The system is designed to perform most administrative functions without requiring the NX network. For example, a user can change any editable field on the screen and successfully save. A user with insufficient rights will receive a message about not having rights to perform the action.
The user settings page lists all the users configured in the system (Figure 12).
Figure 12
The following sections describe adding, editing and deleting users.
Add User
The button on the User Settings main page opens the screen below.
Figure 13
The following (Table 3) outlines a common password management process for different user types in the system.

| Field Name | Description | Comments |
|---|---|---|
| User Name | User name for the new user. User name is case sensitive; admin and Admin are 2 different user names and are allowed in the system. | Returns the following error when user name already exists |
| Role | Select one of the 3 roles, Admin, Reader or User | |
| Is Active | User can be activated or inactivated. Only active users can login | |
| Password | Specify new password as per the password rules | Password Rules: should be 6 – 20 characters long; should have at least 1 upper case letter; should have at least 1 lower case letter; should have at least 1 number |
| Confirm Password | Repeat the same password | The following error is displayed when the passwords don’t match |

Table 3
Edit User
User details can be edited by clicking the button against the specific user on the User Settings page (Figure 12).
Delete User
A user can be deleted by clicking the button against the specific user on the User Settings page (Figure 12). The following confirmation dialog is displayed.
7. Additional Security Considerations
7.1 TLS Encryption
The TLS protocol aims primarily to provide privacy and data integrity between two or more communicating computer applications. When secured by TLS, connections between a client (e.g., a web browser) and a server (e.g., www.hubbell.com) are more reliable.
The area controller operating system supports TLS 1.2 and TLS 1.3, the latter being the most recent version.
7.2 SSL Certificates (Installing a Signed Certificate)
One of the most common forms of cryptography today is public-key cryptography. Public-key cryptography utilizes a public key and a private key. The system works by encrypting information using the public key. The information can then only be decrypted using the private key.
A common use for public-key cryptography is encrypting application traffic using a Secure Socket Layer (SSL) or Transport Layer Security (TLS) connection. One example is configuring Apache to provide HTTPS, the HTTP protocol over SSL. This provides a way to encrypt traffic using a protocol that does not itself provide encryption.
A Certificate is a method used to distribute a public key and other information about a server and the organization that is responsible for it. Certificates can be digitally signed by a trusted Certification Authority, or CA. A CA is a trusted third party that has confirmed that the information contained in the certificate is accurate.
It is highly recommended to replace the self-signed certificate with a certificate that has been signed by a certificate authority.
Note: If your area controller has the SSL option disabled, it is strongly recommended that the user enables it and imports a CA-signed certificate on their own (see Figure 14).
To set up a secure server using public-key cryptography, in most cases, you send your certificate request (including your public key), proof of your company’s identity, and payment to a CA. The CA verifies the certificate request and your identity, and then sends back a certificate for your secure server. Alternatively, you can create your own self-signed certificate.
Note: Self-signed certificates should not be used in most production environments.
Continuing the HTTPS example, a CA-signed certificate provides two important capabilities that a self-signed certificate does not:
1. Browsers (usually) automatically recognize the certificate and allow a secure connection to be made without prompting the user.
2. When a CA issues a signed certificate, it is guaranteeing the identity of the organization that is providing the web pages to the browser.
Most Web browsers, and computers, that support SSL have a list of CAs whose certificates they automatically accept. If a browser encounters a certificate whose authorizing CA is not in the list, the browser asks the user to either accept or decline the connection. Also, other applications may generate an error message when using a self-signed certificate.
Figure 14
The process of getting a certificate from a CA is easy. A quick overview is as follows:
a. Create a private and public encryption key pair.
b. Create a certificate request based on the public key. The certificate request contains information about your server and the company hosting it.
c. Send the certificate request, along with documents proving your identity, to a CA. We cannot tell you which certificate authority to choose. Your decision may be based on your past experiences, or on the experiences of your friends or colleagues, or purely on monetary factors.
d. Once you have decided upon a CA, you need to follow the instructions they provide on how to obtain a certificate from them.
e. When the CA is satisfied that you are indeed who you claim to be, they send you a digital certificate.
f. Install this certificate on your secure server and configure the appropriate applications to use the certificate. Please contact Hubbell Tech Support for this step.
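Steps a and b of the overview, together with the checks worth running before the request goes to the CA and before the returned certificate is handed over for installation, are shown here as an added example that is not part of Hubbell's documentation. It assumes the OpenSSL command line on an administrator workstation; the host name, organization, file names and the RSA 2048 key type are placeholders, and your CA or the controller may require something different.

```shell
#!/bin/sh
# Added example (not vendor code). Host name, organization and file names
# are placeholders chosen for illustration.

# make_csr DIR HOST ORG: steps a and b. Runs in a subshell so the umask
# change stays local; the private key is created owner-readable only.
make_csr() (
    umask 077
    # Step a: key pair. RSA 2048 is an assumption; follow your CA's rules.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/server.key" 2>/dev/null || exit 1
    # Step b: request with server and company details. Browsers match the
    # host name against subjectAltName, so it is set explicitly.
    openssl req -new -key "$1/server.key" -out "$1/server.csr" \
        -subj "/O=$3/CN=$2" -addext "subjectAltName=DNS:$2" || exit 1
)

# Public key (PEM) held in a private key, a CSR, or a certificate.
pub_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pub_of_csr()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pub_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# csr_ok KEY CSR HOST: run before step c. The request's self-signature must
# verify, it must carry KEY's public half, and it must name HOST exactly.
csr_ok() {
    openssl req -in "$2" -noout -verify 2>&1 | grep -q "verify OK" || return 1
    k=$(pub_of_key "$1")
    [ -n "$k" ] && [ "$k" = "$(pub_of_csr "$2")" ] || return 1
    openssl req -in "$2" -noout -text | tr ', ' '\n\n' | grep -qxF "DNS:$3"
}

# cert_matches_key KEY CERT: run before step f. A certificate issued for a
# different key pair cannot be used with this private key.
cert_matches_key() {
    k=$(pub_of_key "$1")
    [ -n "$k" ] && [ "$k" = "$(pub_of_cert "$2")" ]
}
```

Only `server.csr` is sent to the CA; `server.key` never leaves the machine that generated it except to be installed alongside the issued certificate.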
7.3 Remote Maintenance
The area controller server provides a tool called “OpenSSH” that can be enabled for maintenance purposes. Only authorized personnel shall have access to this tool. If you or someone in your team requires access to it, you must contact Hubbell Tech Services for the required authorization and support.
To ensure the recommended security settings for SSH, it is strongly recommended that at least one of the following methods is applied:
1. Regenerate new SSH server keys
2. Use SSH keys
Using SSH keys is the most secure option for SSH and is therefore recommended, but not required for your server to function.
7.4 Remote Access (Firewall)
In order to control user access to the system from remote locations, the network administrator often must deploy a firewall. The implementation of this security feature would be the responsibility of the IT network architect and would not interfere with the standard operation of the lighting system, as that occurs on the OT network. However, if the administrator chooses to build an extra layer of firewall at the area controller level, primarily to limit access to it to only very specific external users, then they can do so. The area controller supports the firewall feature. See Figure 15 for the multiple firewall scheme for reference. To set up the firewall on the area controller, you must contact Hubbell Tech Support for details and help with the setup.
Figure 15 (diagram labels: The Internet; Firewall, router level; Local building network; Desktops; Firewall, area controller level; Area controller)
7.5 Web Authentication
For a more secure connection to the web via WLAN/LAN, the area controller supports IEEE 802.1X authentication. IEEE 802.1X is an IEEE Standard for port-based Network Access Control (PNAC). It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN. It is often used to gain access to large networks with a variety of different users, such as a university network or large building campus network.
The Area Controller supports IEEE 802.1X based web authentication. However, since most users may not prefer it to be enabled, the factory default has this option disabled. To enable it for all web transactions, please contact Hubbell Tech Support.
Figure 16 shows how this scheme works.
Figure 16: Typical Scheme for IEEE 802.1X Authentication (diagram labels: Desktop; EAP; Authenticator; RADIUS; Authentication server; Internet/LAN)
Security Passwords & Recovery
Password Recovery
An admin user can enable “Show Forgot Password” on the login screen from the Security settings page (Figure 17).
Once “Forgot Password” is enabled, the user upon login is directed to the User Security profile (Figure 18) to set up security questions which can be used to reset forgotten passwords.
Once security questions are set, users can use the “Forgot Password” link to recover the password (Figure 19).
Figure 17
Figure 18
Figure 19: Forgot Password Link on Login Page
7.6 Security Updates
Security Package Management
Hubbell IT reviews security and advises which security patches are required for the NXAC system as part of security monitoring. This section describes the standard procedure to manage security packages.
Standard Operating Procedure
Figure 20 depicts standard operating procedure to apply security patches on NXAC.
Figure 20: NXAC Security Patch Management (diagram lanes: Hubbell Cyber Security; Engineering; Customer Technical Services. Diagram steps: Send security bulletin; Engineering team could also identify security threat; Prepare installation guide; Send installation guide; Schedule maintenance; Perform installation; Acknowledge completion)
| Steps | Action |
|---|---|
| 1 | Hubbell Cyber Security Council sends out security bulletin |
| 2 | Engineering identifies the list of security patches that need to be installed |
| 3 | Engineering prepares the necessary installation instructions and sends it to Technical Services |
| 4 | Technical Services will schedule maintenance with the customers and perform the installation on-site or remote |
| 5 | Technical Services will get confirmation from customer that the system is running |
| 6 | Technical Services will notify Engineering that the job is complete |

Table 4: SOP Actions
7.7 Remote Support
Hubbell Control Solutions’ Technical Services, per agreement with the customer, can remotely access an NX system in a secure manner requiring minimal to no local IT support or local IT infrastructure. This supports Field Service initiatives such as startup, ongoing maintenance and troubleshooting from a single location that differs from the system’s physical location. Much of the troubleshooting and adjustments can be performed by HCS via a secure remote connection in one of three ways, per the customer’s preference.
1. Remote access through the corporate intranet. The cybersecurity policies of most project sites may not allow a connection like this, and exercising this option depends entirely on the approval of the site’s local IT Department.
2. The second option is to have someone on-site open a laptop and connect to the HCS internal team with a remote service such as TeamViewer, if the laptop is allowed by corporate IT policy or has a cellular connection such as a cell phone hotspot.
3. The third option, the most secure and least disruptive for the IT Department, is to have HCS establish a remote cellular connection to the NX Lighting System independent of the IT infrastructure. This is done by mounting a cellular-modem-based remote device right next to the area controller.
When remote support is required, HCS Technical Support is available to assist. They can be contacted to discuss the above options in more detail so that the IT Department can make a suitable choice.
End of Document