Zero-Trust Architecture
With zero-trust architecture, granular access controls and micro-segmentation is managed to reduce the attack surface and provides protection against unauthorized access, lateral movement and malware propagation.
Securing Your Building — and Keeping It Safe
As part of OpenBlue — and built on our deep experience and customer focus — our products and solutions help you manage cybersecurity risks for your smart buildings.
Here’s how Cybersecurity from Johnson Controls can help you secure your systems and data:
Safeguards
Johnson Controls products are developed using a secure-by-design approach. Security features for each solution are selected based on the application and environment they are targeted for.
Here are just a few examples of the advanced safeguards and assurances you can find within our solutions:
Zero-Trust Micro-segmentation
Remote Access/Software Defined Perimeter (SDP):
- Segment and protect critical assets: Create and manage virtual air gap encryption end-to-end.
- Reduce Attack Surface: We reduce the entry points where unauthorized users can enter by hardening and cloaking our devices. This makes them invisible.
- Prevent Lateral Movement: Contain malware and ransomware attacks, while preventing insiders from gaining unauthorized access.
- Cyber Health Dashboard
Health Dashboards
ISASecure Component Security Assurance (CSA) Certification
Conformance with IEC/ISA 62443-4-2 ensures that product and solutions have sufficient safeguards within the software applications and embedded devices have sufficient safeguards according to appropriate security levels.
Examples: York Chillers, ISASecure CSA for Chillers
FIPS 140-2 Compliance
Federal Information Processing Standard (140-2) specifies the security requirements that will be satisfied by a cryptographic module, providing for increasing, qualitative levels intended to cover a wide range of potential applications and environments.
Examples:
Metasys, iSTAR Door Controller
Key Elements of Our Security Programs
Standards and Compliance
Global Privacy Certifications
Johnson Controls creates solutions which respect global fair information practices and Privacy by Design.
- APEC PRP (Asia-Pacific Economic Cooperation Privacy Recognition for Processors)
- APEC CBPR (Cross-Border Privacy Rules)
- TRUSTe Enterprise Seal
- EU-US Privacy Shield Framework and Swiss-US Privacy Shield Framework
- Binding Corporate Rules (BCR)
Cloud Solutions – OpenBlue and others
OpenBlue is a complete suite of connected smart building solutions, from edge to cloud. OpenBlue and other cloud-based solutions from Johnson Controls hosted in Microsoft Azure, Google Cloud or Amazon Web Services are protected environments that conform to industry recognized standards, such as:
- ISO 27001 – Information Security
- ISO 27017 – Information Security for Cloud Services
- ISO 27018 – Code of Practice for Personal Data in the Cloud
- SOC 1, 2, 3 – Service Organization Controls – Safeguarding Confidentiality and Privacy of Information Stored and Processed in the Cloud
Additional security compliance information for these environments is available at:
- Google Cloud compliance website
- Microsoft Azure compliance website
- Amazon Web Services compliance website
Related Items
Practices
Our holistic, structured approach uses cyber-resilient products and services to maintain a robust security posture, information security, product security, and privacy for your smart building.
Response
A strong offense is just as important as a strong defense. As we proactively monitor the dynamic threat landscape and address risks, we’re ready for rapid response to security incidents.
Resources
We continuously enhance our products and security guidelines — and partner with you in managing cybersecurity risk by sharing valuable information and best practices.
Product Security Advisories
We track, identify, and address cybersecurity threats on a daily basis. As part of our commitment to transparency we keep you informed of security concerns and important Johnson Controls product updates.
How can we help you?
For everything from asking a question to raising an alarm, please use this form for a quick response from our Johnson Controls cybersecurity organization.
Report a potential vulnerability or cybersecurity concern | Ask about Products and Services | Learn about protecting your smart building
Cybersecurity testing may be conducted on Johnson Controls solutions. We recommend that tests are conducted in a non-production test environment to protect against disruption to operations.
A security test may produce field correctable findings if the steps outlined in the associated product Hardening Guide (Resources) are not followed.
Before conducting security tests, fully execute steps in the Hardening Guide (Resources). The following hardening steps, if not conducted, are known to result in addressable security findings:
- Update components to the most current supported release/version, and patch level that you are licensed to use, including:
- All Johnson Controls Applications
- All supporting software, not installed by Johnson Controls Applications, such as Windows, SQL Server, .NET and others
- Disable unused features, services, ports and software
- Install PKI certificates for applicable interfaces that are either:
- Provided by the local IT PKI administrator
- Acquired from a public Certificate Authority (CA)
- Before removing components not required by the Johnson Controls applications (e.g. old versions of Microsoft .NET, SQL and others):
- Ensure the software is not needed for any other function
- Ensure all data was properly migrated to the new Server instance
If a test tool detects potential issues with a Johnson Controls component, you may share the results with Johnson Controls or report other cybersecurity concerns at this link - https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories#ReportAVulnerability, you may also contact us at productsecurity@jci.com.
Please use our downloadable PGP key to secure communications.