Cloud control room for Smart City

A joint project by Kaspersky and Russia’s Orenburg region

Kaspersky has signed an information security cooperation agreement with the Orenburg regional government, which includes implementation of the Smart City project. The Smart City project for the digitalization of the urban economy is being carried out by the Ministry of Construction, Housing and Utilities of the Russian Federation within the framework of the Housing and Urban Environment, and Digital Economy national projects. The Smart City project is aimed at making Russian cities more competitive by creating an effective urban management system combined with safe and comfortable living conditions for residents.

The goal of the project in Orenburg is to build a housing control system with cloud console for urban management.

The housing control system will handle a number of tasks:

  1. Remote monitoring of residential buildings and engineering systems;
  2. Optimization of engineering system maintenance costs;
  3. Reduction of resource consumption;
  4. Improved response times to accidents and incidents;
  5. Control over the quality of housing and utilities services.

To develop the solution, the Department of Information Technologies (DIT) of the Orenburg region identified three facilities with different social purposes:

  1. Residential complex (155/6 Pobeda Avenue)
  2. Polyclinic of Orenburg Regional Clinical Hospital №2 (24 Nevelskaya Street)
  3. Orenburg College of Economics and Informatics (11 Chkalova Street)

At each facility, installation work was carried out to implement the internet of things (IoT) concept: a multi-level system of sensors, controllers, and the means to transmit and visualize the collected data.

Data related to the following parameters is collected at each facility:

  1. Power supply: phase voltage; current frequency; current strength.
  2. Water supply: domestic hot/cold water consumption; hot water temperature; water pressure.
  3. Heat supply: temperature of the heat transfer fluid up to the automatic control unit (ACU); temperature of the heat transfer fluid before it reaches the consumer; temperature of the heat transfer fluid after the consumer and ACU; heat energy consumed.
  4. Entrance hall environment: temperature, lighting, humidity, CO2 level, noise level.
  5. Operation of elevators, the opening of shaft doors.
  6. Operation of intercom systems.
  7. Operation of fire alarm systems.
  8. Operation of access control systems.

These parameters are displayed on the operator dashboards of the housing control system with cloud console.

Figure 1. Operator desktop for the housing control system with cloud console

The housing control system with cloud console displays the values of all the indicators received from sensors installed at each facility. It also displays deviations from acceptable values and notifies the operator accordingly. Continuous control and monitoring of the facilities is carried out from the operator’s personal account. This ensures the fastest possible response in an emergency.

Figure 2. Event log

Kaspersky conducted a series of studies, drew up a list of threats specific to IoT solutions, and built a threat model. Because the housing control system with cloud console is an IoT solution, the threat model is applicable to this project.

Figure 3. IoT architecture threat model

Taking into account all the identified threats, Kaspersky has developed a specific approach to IoT security. This solution protects all levels of the IoT architecture.

Figure 4. Kaspersky’s approach to IoT security

At the cloud level, protection is provided by Kaspersky Hybrid Cloud Security. This protection tool provides the following capabilities:

  1. Program control. Used to switch all workloads in the hybrid cloud to Default Deny mode to enhance system protection and specify where authorized programs can run and what is available to them.
  2. Device control. Used to configure which virtualized devices can access individual cloud workloads, while the Web Control feature protects the environment against online threats.
  3. Network segmentation. Enables transparent and automated protection of hybrid cloud infrastructure networks, with scanning of individual networks and ports.
  4. Vulnerability protection. Blocks advanced malware and zero-day threats from exploiting unpatched vulnerabilities.

The data channel from the controller (PLC) to the cloud is protected by Kaspersky IoT Secure Gateway. This gateway is a joint project between Advantech, which developed the hardware platform, and Kaspersky, which developed the secure operating system KasperskyOS. At the heart of the OS is a microkernel that only permits a specific predefined way of communicating between all system components, thus the OS remains resistant to any vulnerabilities and errors in the code. The Advantech UTX-3117 gateway model was chosen as the hardware platform.

Kaspersky IoT Secure Gateway is able to detect and classify all devices in the network. The gateway also has firewall and IDS/IPS functionality. It provides the means to receive, scan, and distribute sensor messages received via the MQTT protocol.

A web GUI was developed for Kaspersky IoT Secure Gateway to view reports on security events logged in the system and network (push and syslog).

Figure 6. Web GUI

A controller developed by Information Systems and Strategies with KasperskyOS preinstalled was used as the PLC. This solution employs the SEM Pro 5 universal controller model (environmental management system). This controller provides monitoring and control of engineering infrastructure. It collects and transfers data from engineering systems to the cloud system, and performs local control tasks. This controller model is EAC certified. The preinstalled operating system KasperskyOS validates data, guards against spoofing, ensures safe downloading of firmware updates, and protects certificates and controller policies.

Figure 7. SEM Pro controller

Below is a schematic of the solution implemented at facilities within the scope of the Smart City project in Orenburg.

Figure 8. Solution architecture

The list of sensors to be monitored was specified for each facility. The bulk of sensors transmit data via the Modbus RTU protocol with an RS-485 interface. Some of the sensors installed in the residential complex, in particular those for hot/cold water supply, transmit data via the LoRa wireless protocol. Data from the access control system (ACS) sensors is transmitted to the controller through a digital input/output (DI/DO) module.
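Most of the sensors above speak Modbus RTU, a protocol with no authentication whose only integrity check is a CRC-16 on each frame, so a controller or gateway should validate every frame before a reading reaches the cloud dashboard or triggers the deviation alerts described earlier. The following is an added example, not code from the project: it builds a read request, verifies the CRC and framing of a response, rejects exception and malformed frames, and flags a hot water temperature outside an acceptable range. The register map, the tenths-of-a-degree scaling and the 50–75 °C range are assumptions.

```python
import struct

READ_HOLDING_REGISTERS = 0x03  # Modbus function code "read holding registers"


def modbus_crc(data: bytes) -> int:
    """CRC-16/MODBUS: init 0xFFFF, reflected polynomial 0xA001, no final XOR."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def append_crc(pdu: bytes) -> bytes:
    """Append the CRC low byte first, the order Modbus RTU puts it on the wire."""
    return pdu + struct.pack("<H", modbus_crc(pdu))


def build_read_request(unit: int, start: int, count: int) -> bytes:
    """Request frame: unit address, function 0x03, start register, count, CRC."""
    return append_crc(struct.pack(">BBHH", unit, READ_HOLDING_REGISTERS, start, count))


def parse_read_response(frame: bytes) -> list:
    """Return register values or raise ValueError so a bad frame is dropped, not forwarded."""
    if len(frame) < 5:
        raise ValueError("frame too short")
    body, crc = frame[:-2], struct.unpack("<H", frame[-2:])[0]
    if modbus_crc(body) != crc:
        raise ValueError("CRC mismatch: corrupted or tampered frame")
    unit, func = body[0], body[1]
    if func & 0x80:  # exception response: function code | 0x80, then exception code
        raise ValueError(f"unit {unit} returned Modbus exception code {body[2]}")
    if func != READ_HOLDING_REGISTERS:
        raise ValueError(f"unexpected function code {func:#x}")
    byte_count = body[2]
    if byte_count % 2 or byte_count != len(body) - 3:
        raise ValueError("byte count does not match frame length")
    return list(struct.unpack(f">{byte_count // 2}H", body[3:]))


def hot_water_status(frame: bytes, lo: float = 50.0, hi: float = 75.0) -> tuple:
    """Decode register 0 as tenths of a degree C (assumed scaling) and report
    whether the reading lies inside the assumed acceptable range [lo, hi]."""
    temp = parse_read_response(frame)[0] / 10.0
    return temp, lo <= temp <= hi
```

The request `01 03 00 00 00 01 84 0A` is the standard Modbus RTU test vector for reading one holding register from unit 1; the response frames used to exercise the parser are constructed.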

After the data is collected by the controller, Kaspersky IoT Secure Gateway provides secure data transfer to the InSpark cloud over a GSM channel.

Kaspersky IoT Secure Gateway is managed through Kaspersky Security Center. Kaspersky Security Center provides simple and convenient security administration for all gateways in the network.

Kaspersky together with its partners developed a solution that protects all levels of IoT architecture. The solution is suitable for use in other projects where IoT protection is required.

Implementation of the Smart City concept makes the urban environment more comfortable and optimizes the use of resources. The solution improves the energy performance of facilities, reduces energy costs, and minimizes the risk of emergency situations.