Companies spend billions of dollars on projects and end-of-system security, but fail to protect the processes between systems. Buildings have many systems that speak different computer languages; for the systems to talk to each other, they require a gateway. The gateway receives messages from one system using a particular protocol, converts each message to another protocol and sends it to another system. Although the end devices and systems can be very secure, messages sent within each system and between systems present huge security risks. Devices can be programmed to send false messages, accidents can make devices malfunction, and any number of other causes can make communication within a system behave differently than it should. When this happens, multiple systems within an organization stop working effectively, which can cause millions of dollars in damages.
Our solution is to develop a protocol security gateway which sits in the network and prevents attacks or accidental failures within systems. In essence, the current market that exists for any device that uses the BACnet protocol will become the new market for the BACnet Protocol Security Gateway (PSG). Currently, the reachable market for BACnet protocol devices in the industry is about 10 billion dollars at minimum. With the increase in security awareness everywhere, it is an easy sell to increase security within a system that could cause irreversible damage. We have various marketing strategies planned to target specific sections of the market. Already possessing expertise in the BACnet world, it is a simple step for our company to move to the security side of the industry.
To put together the PSG and get a foothold in the market, we require financial resources just shy of 1.4 million dollars. With this investment, by the beginning of the third year from the start of the project, we estimate revenues upwards of 200 thousand per month with operational costs of around 35 thousand dollars. The reason for this unusually large margin is that almost all administration costs, business operational costs and other legal costs can be shared with our existing company. We estimate that within 29 months all investment costs would be balanced out and the operation would become a cash cow.
Industry and Company
The BACnet protocol industry has been around and growing for a long time and will continue to grow. Although there are many players in the market, the move to automation, data collection, integration, Internet of Things (IoT), etc. is growing rapidly. Currently, due to increasing technologies, competition in the market is based on a cost minimization strategy. The industry is comprised of many devices that use the BACnet protocol to send and receive messages. With the increase in automation, there is also an equivalent increase in risk. The risk can come from hacking, employee accidents, natural disasters, and many other sources. Thus, there is a need for security. Currently, there are no products that satisfy this Protocol Security Gateway market. We plan to be the first in the BACnet security market.
Chipkin Automation Systems Inc. (CAS) is a small but flexible and responsive organization located in Vancouver, Canada. CAS focuses on machine-to-machine data communications and remote monitoring. Its employees are building and industrial automation protocol experts who have written many protocols and thus know the industry to the source-code level.
We sell, support, develop, install, and configure protocol converters (e.g. gateways), data loggers, remote monitoring and control applications. We live or die by the quality of our service and providing quality solutions at a fair price to our customers located all over the world.
What We Are Trying To Solve: Attacks on Non-Critical system components
Organizations spend billions of dollars putting together infrastructure projects to run huge operations. More so than ever, these operations are monitored and controlled by data communication messages which transmit information via a data communication protocol, such as BACnet/IP. Most of these systems are rightly secured at the end process via passwords, physical locks, alarm systems, security guards etc, but throughout these systems, there are many vulnerabilities that are completely ignored. For example, we choose to install a security door that locks automatically when there is an alarm, but then leave the communication between the alarm system and the door open to attacks. The security is implemented at the end of a process and not throughout the process. If attacked, these non-critical components can cause massive harm.
How Can Attacks Cause Harm - What are we Protecting?
Depending on the type of attack and the equipment being controlled, an attack can have catastrophic consequences or cause permanent and critical damage. It often costs millions of dollars to resolve the issue. Although we concentrate on the vulnerabilities of BACnet explorer, other protocols have similar vulnerabilities and similar risk profiles.
Where do the vulnerabilities occur?
Most systems speak different computer languages (protocols) and thus require a device that allows one system to speak to another: a gateway. There are many different protocols. To name a few of the more popular ones, we have BACnet MSTP/IP, Modbus RTU/TCP, Metasys N2, LonWorks, Ethernet IP, DNP3, SNMP and many, many more. A system often has many protocols, and gateways are used to convert protocols so that systems can speak to each other. For example, a BACnet-based sensor system needs to speak to a Modbus-based controller. Using a gateway, the sensors transmit data via BACnet, and the gateway receives the BACnet messages and converts them to Modbus. Then it sends these Modbus messages to the controller. The controller can then send Modbus commands to the gateway, where the gateway converts the commands to BACnet and passes them to the sensors. These commands sent from the Modbus controller may be for the sensors to react in a particular way, e.g. there is no fire -> deactivate alarm communication. At this point of conversion, there exists a vulnerability. These gateways can be made to send false information, they can be programmed to work inappropriately and they can be jammed and made ineffective.
So, what is the worst that can happen if your system is attacked? How easy is it to attack a component of your system? How easy is it to stop an attack?
Cyber attacks can cause harm. The harm can be extreme such as when permanent damage is caused to equipment or when they cause a cascading effect - to the electrical grid for instance. They have even been used to stop Iran from completing its nuclear program - that attack was known as the Stuxnet Virus. The next terrorist attacks will occur in cyberspace (Cyber terrorism), and we can expect them to attack important institutions and infrastructures. Thus, the need for PSG is very urgent.
Why BACnet IP? BACnet IP Vulnerabilities
Our proposal is to create a BACnet-based Protocol Security Gateway. Why BACnet? Not only is BACnet one of the most widely used protocols in the world, especially in North America, it is also a protocol which we have worked extensively with. We have developed from scratch a BACnet stack to make BACnet native for third party devices. We have also developed BACnet discovery software which is used by large corporations like Honeywell and JCI. We know BACnet and so we know how vulnerable it is.
Our Solution: The Protocol Security Gateway (PSG)
Similar to all gateways, the PSG acts as a converter between two systems. The only difference is that the PSG has security embedded within the gateway to prevent many of the vulnerabilities that exist within a given protocol. In essence, the PSG can stop intruders in their tracks by preventing unauthorized 'read' requests and 'write' commands from passing from one side of the gateway (e.g. Modbus commands) to the other (sensors).
Authorization is done via multiple security levels such as limiting who can read or write what data during which time period.
Not only does the PSG control who has access to the network and when, it also provides full audit trails of all messages sent and received and reports/logs intruder attacks/unauthorized messages. The audit reports the PSG provides contain such information as who tried to change what values, when the attempt was made and what devices were used as the means. It can also email designated personnel when attempts are made to make unauthorized changes.
PSG - A Functional Description
Devices (controllers of a process or of a physical unit such as a generator, sensor, lighting system, motors etc) are monitored and controlled by other systems and devices, often in remote locations, using a protocol for data communication. The widely used BACnet/IP Protocol has a number of significant vulnerabilities that open a path for devices and systems to be attacked.
A PSG protects a currently installed and in-service device from being attacked using the vulnerabilities of the data communication protocol used to monitor and control the device.
It does this by securely
Controlling access to the device's data and operational state
Reporting attacks
Providing audit trails of communication
It also has the following key features:
Supports connection to two independent physical networks, thus separating the security communications function from operational communications
Allows for a system of secure updates so that in service devices can be protected from new threats
Allows for integration into a work order system
How does a PSG control access?
Devices that send messages have identifiers, e.g. IP Addresses, MAC addresses, Serial Numbers, Device ID Numbers, Other Device identification parameters. Access can be controlled based on the identification of the message source.
Access to particular data objects and particular properties of those objects can be controlled and time limited.
The transmission of certain BACnet service requests or commands can be limited, for example the reinitialization service.
Preventing the use of unauthorized Ethernet ports or protocols to send messages to the device.
Any combination of these controls can be used as an authorization system.
How does a PSG report Attacks?
The Security Department needs to know of attempts to perform unauthorized actions so that their response protocols can be followed, i.e. threat identification, risk identification, countermeasures etc. The PSG keeps logs of all incoming communications. When unauthorized messages are received, it logs them and has the power to notify pre-decided personnel via a text message. It will log information such as the sending device's IP and MAC address, the timestamp, the message contents etc.
How does the PSG provide Audit trails?
The same way system bugs are found. The PSG keeps records of who, when and where an action occurred, e.g. who turned the lights off? By keeping these records of particular actions, diagnostics can be performed and responsibility allocated.
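The three functions described above (access control by source, data object, service and time window; attack reporting; audit trail) fit in one default-deny filter. The following is an added example, not CAS code: the `Request`, `Rule` and `Gateway` names, the field set, the addresses and the policy are all assumptions made for illustration, and the requests are constructed rather than decoded from real BACnet/IP traffic.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Request:
    """A decoded request as the gateway sees it (hypothetical field set)."""
    when: datetime
    src_ip: str
    src_mac: str
    service: str   # BACnet service name, e.g. "WriteProperty"
    obj: str       # object identifier, e.g. "analog-value:3"
    prop: str      # property name, e.g. "present-value"


@dataclass(frozen=True)
class Rule:
    """One allow rule: who may use which service on which data, and when."""
    sources: str          # CIDR block of permitted senders
    services: frozenset   # permitted service names
    obj: str              # exact object identifier, or "*" for any
    prop: str             # exact property name, or "*" for any
    start: time           # window start (inclusive)
    end: time             # window end (inclusive)

    def matches(self, r: Request) -> bool:
        return (ip_address(r.src_ip) in ip_network(self.sources)
                and r.service in self.services
                and self.obj in ("*", r.obj)
                and self.prop in ("*", r.prop)
                and self.start <= r.when.time() <= self.end)


class Gateway:
    """Default-deny filter that records every decision."""

    def __init__(self, rules):
        self.rules = list(rules)
        self.audit = []    # every message, allowed or not
        self.alerts = []   # denied messages only, for notification

    def handle(self, r: Request) -> bool:
        allowed = any(rule.matches(r) for rule in self.rules)
        entry = {"time": r.when.isoformat(), "ip": r.src_ip, "mac": r.src_mac,
                 "service": r.service, "object": r.obj, "property": r.prop,
                 "decision": "allow" if allowed else "deny"}
        self.audit.append(entry)
        if not allowed:
            self.alerts.append(entry)
        return allowed


ALL_DAY = (time(0, 0), time(23, 59, 59))
POLICY = [  # constructed policy
    # Any operator workstation may read anything at any time.
    Rule("10.0.5.0/24", frozenset({"ReadProperty"}), "*", "*", *ALL_DAY),
    # One engineering station may write one setpoint during working hours.
    Rule("10.0.5.10/32", frozenset({"WriteProperty"}),
         "analog-value:3", "present-value", time(8, 0), time(18, 0)),
    # ReinitializeDevice appears in no rule, so it is always denied.
]


def run_demo():
    """Replay five constructed requests; return the gateway and decisions."""
    def at(h, m):
        return datetime(2024, 3, 4, h, m)
    mac, sp, pv = "00:11:22:33:44:55", "analog-value:3", "present-value"
    sample = [
        Request(at(9, 0), "10.0.5.20", mac, "ReadProperty", "analog-input:1", pv),
        Request(at(10, 30), "10.0.5.10", mac, "WriteProperty", sp, pv),
        Request(at(22, 15), "10.0.5.10", mac, "WriteProperty", sp, pv),  # after hours
        Request(at(11, 0), "10.0.5.20", mac, "WriteProperty", sp, pv),   # wrong source
        Request(at(11, 5), "10.0.5.10", mac, "ReinitializeDevice", "device:1234", "-"),
    ]
    gw = Gateway(POLICY)
    return gw, [gw.handle(r) for r in sample]


if __name__ == "__main__":
    gateway, decisions = run_demo()
    for alert in gateway.alerts:
        print("ALERT", alert)
```

The same engineering station is allowed at 10:30 and denied at 22:15, which is the time-limited access the text describes; the audit list answers "who changed what, and when", while the alerts list is what would feed the notification step.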
Market Analysis
To get a fair representation of the Market value for this product, we have decided to analyze the market via two approaches. One which analyzes BACnet revenue from BACnet vendors and the second which considers BACnet users in the overall market.
Market Size By BACnet Vendors
Using BACnet vendor revenue, we can estimate the amount of sales made by vendors in a given time. In total, there are 883 registered BACnet vendors, of which 311 are in the USA. Broken down, there are about 379 vendors in North America and about 504 outside North America. As a small company, CAS collected about $800 thousand worth of BACnet-related sales in 2015, of which 75% were in the USA (600 thousand). In the BACnet world, we are a very small player in the market share of BACnet. So if we take our BACnet sales and multiply them by the number of vendors, we get a total market value of 883 * $800k = $706.5 million worldwide in 2015 or 311 * 600k = $186.6 million in the USA. This, of course, is a gross underestimation of the actual market value, as the average vendor would have substantially higher BACnet-related sales. That being said, if we take a 50% market penetration ratio, we get a market value of $93.3 million.
Market Size By BACnet Users
Another way to estimate the market value is by BACnet device users. Each BACnet device in the field is at risk and could be a potential client. Now, estimating the total number of BACnet users is somewhat impossible, but for certain types of organisations it is relatively easy. Take airports, hydroelectric dams, hospitals and publicly owned treatment works. These four segments allow us to estimate the following:
Looking at major Airports in the United States, there are 358 primary Airports. On average, primary airports have about 2 major buildings. Experience teaches us that each primary Airport has the following at-risk BACnet-operated systems:
Putting the numbers together, we get an estimate of 12,172 BACnet devices at risk per Airport (7+1+1+1+1+2+2+1+1=17*2*358=12172). At CAS we believe that this is a conservative estimate.
There are 2,540 hydroelectric dams in the US, each with power transfer, control and monitoring, critical monitoring (e.g. seismic etc.) and security systems. So that means 2,540*3 = 7,620 BACnet devices at risk.
There are 16,000 publicly owned water treatment works in the US. Each has a critical energy system and a critical monitoring/regulatory sensing system. So that means 16,000*2 = 32,000 at-risk BACnet devices.
There are a total of 5,686 registered hospitals in the US. Each hospital has the following BACnet controlled systems:
This means there are about 68,232 at risk BACnet devices (5*1+7=12*5,686).
Adding the at risk devices from these four market segments we get:
12,172+7,620+68,232+32,000 = ~120k devices at risk!
The package for each unprotected device is a CAS protocol security gateway (995.00) and a support and configuration package (495). Thus, the total market worth of these 4 market segments is estimated at (995+495)*120k = 178 Million. If we assume a 50% penetration rate, this puts us at a market value of 95 million dollars.
Both methods show an estimated market value of 93 to 95 million. The first method was a gross underestimation of the current market value and the second method only used four of the potential 40 targeted clients. Also, as mentioned earlier, at 600 thousand annual BACnet sales in the USA, CAS is a relatively small company. On average, most BACnet vendors have about 10 times more revenue than CAS. Moreover, there are at least 10 times more BACnet users than the 4 analysed. Inflating this market value by 10 puts the targetable market value at roughly 9 to 10 billion dollars as a result.
Target Market
Please see below a list of the clients that we will be targeting. Marketing strategies for each type of client will be customized for maximum impact. For example, for Governmental and Energy companies the marketing strategy will be predominantly through fear marketing whereas for hospitals and universities it will be predominantly an educational marketing strategy.
Governmental Buildings: Federal Buildings and State Buildings.
Industrial: Factories, Mines, Chemical Plants.
Medical: Hospitals, Drug Manufacturing, Ambulance Centers/Emergency.
Energy: Energy Distribution Centers, Power Stations, Dams, Navigation Locks, The Electrical Grid.
Oil and Gas: Storage Facilities, Refineries, Pump Stations.
Communications: Telephone Exchanges, Data Centers.
Travel: Ports, Airports, Stations.
Public Safety: Military Bases, Coastguard Stations, Police Stations, Prisons, Emergency Management Centers
Education and Research: National Labs, State Labs, Universities/Colleges
Water: Pump Stations, Water Treatment Plants, Sewage Treatment
Commercial: Office Buildings, Hotels
Marketing Strategy
We would use several strategies to reach our markets. The strategies used would be customised for different market segments. The strategies are broken down to:
Fear Marketing: This strategy would be targeted at public bodies and large privately held organizations that are held accountable by the public. These bodies would be approached with a warning of a vulnerability of the system, using an "I told you so" approach mixed with lobbying to force the increase in security on BACnet-operated devices within governmental bodies. This will include the use of journalists to write articles about BACnet security, doing demos on BACnet vulnerabilities, and pressuring cities and governments to implement responsible, secure security systems.
Educational Marketing: This strategy will target clients who are not accountable to the general public. The strategy is to hold seminars and other educational services to build a need for our product.
Meet US military spec. Although this is a drawn out and difficult process, if we can manage it, it will give us an exclusive market with deep pockets.
Institutional Adoption: This will be the use of lobbying to make PSG's mandatory to avoid a cyber terrorist attack. This will be a continuous strategy. When it becomes mandatory, PSGs will sell like hot cakes and competition will increase substantially.
First to Market: We will be the first on this market and therefore we will have pricing power. We can create barriers to entry by controlling prices. We will have premium margins initially. Lastly, once we are in the market, we will be known for the PSG and have a major advantage over newcomers.
Value Added: Lastly, since we are already in the gateway market, we will be able to upsell a regular gateway for a security gateway and thus already have an established market.
Pricing
This model is based on current pricing for CAS gateway products. A current gateway sells for 995 for the device and 495 for configuration and support services. For the intents of the PSG, this price structure would be a natural fit.
Competition
There are currently no products in the market that are sold as a security gateway for BACnet. The BACnet industry gained popularity at such a rapid pace that security never caught up. It is only a matter of time until something happens that brings attention to the vulnerabilities of system integration. BACnet, as it stands, has no products in the market marketing themselves as security gateways. We would be the first in the market and would have first-mover advantage. Since protocols are so complicated, there is a substantial barrier to entry. Getting access to and knowing protocols at the source-code level is not only required to develop a product like this, it is also very complicated to achieve. It requires long-term education on the protocol, high development costs and a complicated certification system, as well as an appropriate marketing campaign.
Project Scope
This project will require marketing, lobbying, training, research, development, testing, and acquiring appropriate certifications. We estimate a year of development to put the complete gateway together and a year of marketing to reach the appropriate clients. That will include training for our employees to acquire the security knowledge. There will be multiple phases to the project and funding is required on an ongoing basis. CAS proposes a phased approach using 4 phases.
Phase 0 : Investor Safety Phase
The purpose of this phase is to reach a point where a sales / marketing effort can test the market to validate the size and to ensure we provide a feature list that meets customers' actual needs. In achieving this goal we allow investors to commit the major resources appropriately.
Produce a minimal functional unit, docs and promotional material.
Use the output for sales / marketing purposes such as customer demos, customer evaluation as beta testers etc.
Begin recruitment but don't hire.
Phase 1 : Deliver a Saleable Product, begin marketing
The output from this phase is 1) a product that can be sold and 2) developing market and institutional awareness through a Marketing Campaign. Team hire.
Step back and begin product design.
Make decisions on the division between phase 1 and 2. Essentially we are deciding what can be delayed for later release. The purpose of this decision is to produce a functional product that can be sold as early as possible so that a revenue stream can begin.
Develop Marketing Material
Perform marketing activities which create market awareness, institutional awareness (eg govt, regulatory) and public awareness. Exploit fear.
Phase 2 : Sell, Market, Add features
We differentiate between Phase 2 and the post-project phase, Phase 3. In Phase 2, we add the planned features and end the engineering project. We expect that in this phase the design of the marketing campaign has been completed and marketing can be performed by a less expensive team.
Phase 3 : Ongoing
Phase 3 engineering consists of support and maintenance functions which require few people and which can be performed by CAS. The marketing campaign scales down, bursting out every now and again when an issue hits the mass news after an attack.
Gantt Chart
Looking at the Gantt Chart below (safety phase is not shown), the entire process should take about 13 months to complete, with additional time as necessary for marketing and promoting (please see Appendix A for the list of activities associated with this chart). As can be seen, many activities in Phases 0, 1 and 2 can be done in tandem, as many parts of each phase can be started on a stand-alone basis. By the end of Phase 0 and then 1, we will have a basic PSG that can be marketed for demo purposes and testing. It is important to note that the chart cannot be used to calculate a team size. Looking at the chart, it may appear that a team of up to 9 people may be required. The ability to perform in more than one project activity and the skill set and experience of the hires will determine the team size.
Financial Plan
Funding requirements
Looking at Appendix A, estimated costs to put this product together are roughly 1.387 million dollars. Much of the costs will be associated with Engineering and Marketing activities. We expect that engineering expenditures will be around 675 thousand dollars and marketing around 564 thousand.
The funding is required in stages. The first stage will be for Phase 1, which requires about 344 thousand for engineering development, 50 thousand for administration and overhead, and 100 thousand for marketing. For 494 thousand dollars the basic marketable PSG can be created and the groundwork for the marketing campaign initiated. This phase is estimated to finish within 8 months from the initiation of the project.
The second stage will be to produce the finished product along with the marketing campaign. For this stage, we require 272 thousand dollars for engineering development, 148 thousand for administration and certification, and 464 thousand for marketing for a total 884 thousand dollars. During these final 2 phases, the product will be finished and there will have occurred enough marketing and promotion to begin the revenue stream.
Breakeven Analysis
Revenues are expected near the end of Phase 2. Through Phase 0 and 1, the product will be developed and tested. Furthermore, substantial promotion and marketing activities will allow us to get a foothold in the market. Phase 3 will be the ongoing marketing campaign and pressure selling. As estimated, developing this product and laying the marketing groundwork will cost about 1.4 million dollars. Once the product is developed and the marketing groundwork has been laid, the ongoing operation will be very cheap to run. We estimate that with a team of 1 engineer, 1 support engineer, 1 senior salesperson and 1 junior salesperson, we could run a complete operation. The cost for this ongoing operation will be about 32 thousand dollars per month. To break even on this operation, we need sales of about 22 units per month. We estimate that when the operation is running effectively, we will be making sales of between 125 and 200 thousand per month, giving us room for strategic pricing decisions.
Payback Period
From the initiation of the project, we estimate that we will be able to generate in value the initial investment within 30 months of the start of the project. For the first 9 months of the project (Phase 0 and 1), there will be no sales efforts, as we will be developing the hardware and initiating the marketing campaign. In Phase 2, we will begin selling a basic prototype and continue to add features. This phase will be marketing and selling intensive. We will be able to accurately judge how our product is being received and what type of marketing campaign works best.
Looking at Appendix B, we can see the schedule which shows the total payout period for this product. The payout period includes the initial investment and ongoing operational costs. The colour sections represent the Phases of the project. As can be seen, within 30 months, the total investment and operational costs will be balanced. Looking at our projections, at that time, we should have a company that earns between 150 and 200 thousand per month at an operational cost of about 32 thousand per month. The reason for such a large margin is that most of the administration costs and operational costs can be shared with CAS.