The News Room
HVAC/R Feb 01, 2023

RC-WebView: The accountable BUI

Energy bills. Capital expenses. Operating costs. Sustainability initiatives. Downtime. Operational readiness. Mission efficacy. Human health and welfare. Occupancy. Lease rates. Test results. Legislation. Arbitration.

Organizations depend on complex mechanical and electrical systems in their facilities every day to care for people and property in pursuit of their mission. Beyond merely maintaining an acceptable indoor environment, these dynamic systems exert significant influence on business and mission-oriented key performance indicators. Many built environment professionals and executives are responsible for contributing to organizational efficacy. A few are even accountable for metrics above and beyond, accountable to their organizations, tenants, patients, students, shareholders, consumers, and sometimes even the public. What is the difference between being responsible and being accountable?

A responsible individual, organization, or process might have an obligation to act, control over someone or something, authority to make decisions, responsibility for important duties, a specific role on a team, or influence over a result. An accountable individual, organization, or process, however, is answerable for all the above. Being accountable is the obligation to understand the process and justify the result.

A related article describes the importance of accountability in modern operational technology (OT) systems. The article also identifies an opportunity for accountable building automation to support modern organizations with accountable business automation. Technology empowers people. Sustainable OT cannot realistically be isolated from the human element, a threat to accountability. People are an integral component to mission readiness and OT systems. Accountable user interaction with an OT system imparts a level of trust in the human element. This is easily achievable in a traditional operator workstation environment. To benefit from the greater usability and availability offered by a browser user interface (BUI), contemporary facility executives and operators expect the flexibility of true IT/OT integration. RC-WebView® 3.13 is designed specifically to satisfy this expectation as an accountable component of OT automation and operation in critical environments. Consider a few features that are indispensable to simple, flexible, and sustainable BUI accountability.

 

User and credential accountability

The internet, browsers, and networking make information available and easily accessible to many distributed users. This attribute is in opposition to accountable automation, however. An accountable BUI needs to strictly control access to the system and manipulation of the data. Effective authentication is an important means to achieve this control. Authentication establishes the genuine identity of a person or process and the authority to interact with a system or its information. Ensuring that a system and its information cannot be accessed, modified, or destroyed by an untrusted source provides a degree of data accuracy and integrity assurance.

Effective deployment and management of user credentials is the cornerstone of a layered approach to reducing vulnerability and improving accountability. Each transaction with the BUI should be properly authenticated. To facilitate this basic control, each user should be provided with unique credentials, including the specific rights and permissions appropriate for their individual role and responsibilities. Unique credentials improve accountability by increasing assurance that only specific and trusted individuals or processes are permitted to interact with the system. When these trusted entities are active in the system, unique credentials allow their actions to be accurately logged.

RC-WebView has always featured flexible, multilayered user account credentials and permission management for BUI operator authentication. In 2018¹ this management was dramatically simplified through the introduction of user roles that empower administrators to leverage role-based access. This basic security mechanism establishes a separation of duties based on responsibility rather than identity: what the user needs to achieve rather than who they are.

 

Password reset: Keeping a secret

Basic authentication establishes a user identity with reasonable assurance through a memorized secret authenticator such as a personal identification number or password. Logically, for the memorized secret to be effective, it should be known only to the authentic user. This means passwords should be kept a secret even from BUI administrators responsible for creating and maintaining user accounts.

In the RC-WebView user account Login Info dialog box, the Password reset required check box (Figure 1) requires a user to change their account password the next time they log on. Requiring the password reset provides user accountability by allowing an administrator to create new account credentials while obfuscating the final password. It can also be used at any time by administrators to manually initiate password reset as a part of a standard security policy, threat mitigation, or recovery/continuation plan.

Figure 1: Password Reset Required check box in the Login Info page in RC-WebView.

 

Obfuscating the password from administrators ensures that only the authentic user knows it. This provides assurance that users are who they purport to be, empowering accountability by accurately monitoring and recording who is active in the system and what they are doing.

 

Password lockout: Brute force defense

Passwords are analogous to a physical key for the front door of a facility. If a physical key is carelessly lost or copied, then an unauthorized person might gain access to a secured area. The same is true of passwords, except passwords can also be compromised through guesswork. Vulnerable credentials place the accountability of the entire OT system at risk. RC-WebView provides mechanisms for sustainable password defense and management as well.

A brute force attack is a trial-and-error method used to guess authentication mechanisms such as passwords through exhaustive effort by simply attempting solution combinations. This approach can be low or high tech and is surprisingly effective. To defend from a brute force attack on a user account, and thereby prevent authenticated access by an untrusted person, RC-WebView includes an optional password lockout. This configurable feature automatically locks out a user account if an incorrect password is entered multiple times. The user account lockout settings are configured in the Enterprise Website Settings page (Figure 2).

Figure 2: Lockout Settings area on the Enterprise Website Settings page in RC-WebView.

 

An administrator can configure the number of permitted unsuccessful logon attempts before the user account is locked out. The administrator can select the 15 Minute Lockout check box so that, once the number of permitted unsuccessful logon attempts is exceeded, the user account stays locked out for 15 minutes. Alternatively, the user account can be locked out indefinitely. In this latter configuration, the administrator selects the Requires Administrator to Unlock check box. (The administrator can unlock the account in the user’s Login Info page.)

With the ability to lock out a password in RC-WebView, accountable built environment executives benefit by intrinsically making user accounts less vulnerable and more resistant to compromise. Improved authentication assurance contributes to peace of mind from improved data and system integrity.
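The two lockout modes described above can be modelled as a small state machine. This is an added illustration, not Reliable Controls code; the class and function names are hypothetical, and it assumes the account locks on the attempt that exceeds the permitted count.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

LOCKOUT_SECONDS = 15 * 60  # duration of the timed option described above


@dataclass
class LockoutPolicy:
    permitted_failures: int      # unsuccessful logons allowed before lockout
    requires_admin_unlock: bool  # False models the 15-minute option


@dataclass
class Account:
    failures: int = 0
    locked_at: Optional[float] = None  # None means not locked


def admin_unlock(acct: Account) -> None:
    """Administrator clears the lockout and the failure counter."""
    acct.failures, acct.locked_at = 0, None


def is_locked(acct: Account, policy: LockoutPolicy, now: float) -> bool:
    if acct.locked_at is None:
        return False
    if not policy.requires_admin_unlock and now - acct.locked_at >= LOCKOUT_SECONDS:
        admin_unlock(acct)  # timed lockout has expired; reset the same state
        return False
    return True


def attempt_logon(acct: Account, policy: LockoutPolicy, password_ok: bool, now: float) -> str:
    # A locked account rejects the attempt before the password result is used,
    # so a correct guess made during lockout gains nothing.
    if is_locked(acct, policy, now):
        return "locked"
    if password_ok:
        acct.failures = 0
        return "ok"
    acct.failures += 1
    # Assumption: the account locks on the attempt that exceeds the permitted count.
    if acct.failures > policy.permitted_failures:
        acct.locked_at = now
        return "locked"
    return "denied"


def replay(policy: LockoutPolicy, events: List[Tuple[float, bool]]) -> List[str]:
    """Run constructed (time_seconds, password_ok) events against a fresh account."""
    acct = Account()
    return [attempt_logon(acct, policy, ok, t) for t, ok in events]
```

Replaying the same constructed event list under both policies shows the trade-off: the timed option recovers without intervention, while the administrator-unlock option holds the account until someone reviews it.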

 

Password expiry: Dynamic protection

To mitigate the risk posed by stolen passwords, many organizations include password expiry in their password management policy. Password expiry requires that users periodically change their password. If a password has been unknowingly exposed to an unauthorized party, the threat is automatically resolved when the user updates their authenticator. In RC-WebView, password expiry is configured in the Enterprise Website Settings page.

Selecting the Enforce Password Expiry check box automatically requires users to change their password at the interval configured in the Password expires every < > days box (Figure 3). For example, users could be forced to change their password every 90 or 180 days.

Figure 3: Password Expiry area in the Enterprise Website Settings page.

 

Accountable built environment executives with RC-WebView benefit from password expiry by proactively mitigating the risk of lost or compromised passwords and by being able to naturally integrate the OT into their existing IT security controls and policies.

 

Administration accountability

Administrators wield great power in a system, often with limited traceability for individual actions. An accountable BUI holds each user accountable for their actions, including administrators. RC-WebView improves administrator accountability in two ways.

 

Audit trail: Administration activity

Accountability requires knowledge. In the case of a BUI, this knowledge includes identifying what actions have been taken and by whom. RC-WebView tracks the activities of all users, including administrators, and logs these records in the audit trail. This log can become understandably verbose. Beginning with the official release of RC-WebView 3.13, the audit trail automatically filters entries relative to the context of the active view. If an auditor wants to review or audit any changes made to user accounts and permissions, they can navigate to the User List page and open the Audit Log worksheet. All changes made to user accounts by any users, including administrators, are displayed. Similarly, to audit changes made to the Enterprise Website, such as security settings, an administrator can simply navigate to the Enterprise Website Settings page and open the Audit Trail worksheet, and all changes made to the website configuration by any users, including administrators, are displayed (Figure 4).

Figure 4: RC-WebView Audit Trail worksheet, automatically filtered to display user list and site settings activity.

 

To review all user activity, an auditor can simply click the Clear All Filters icon, and the comprehensive audit trail is displayed. With RC-WebView, built environment executives are empowered to easily find and audit operator actions, making accountability simple, flexible, and sustainable.

 

Audit trail: Dual approval

An administrator with the ability to create and modify user accounts and permissions or even pose as a user could theoretically act with impunity. Administrative control of security settings could allow a malicious user with adequate access to temporarily suspend security mechanisms, placing the entire OT system at risk. To improve administrative accountability, users of RC-WebView 3.13 can reduce the surface of vulnerability exposed to any individual by requiring dual approval. When change approval is enabled, RC-WebView requires a second administrator to approve changes to website security settings as well as logon and approval passwords. When a security change is saved, a second administrator is prompted to provide an approval password (Figure 5).

Figure 5: RC-WebView Secondary Authentication Required dialog box.

 

Dual approval benefits accountable built environment executives by requiring two users with administrative authority to mutually authorize security changes. This reduces the surface of vulnerability by mitigating the potential for any one person to control OT security from the BUI.

 

Operational accountability

Some critical environments, such as those that must comply with Title 21 CFR Part 11, require a two-step process to authenticate changes to the OT system, its data, and records. Users who are authorized to manipulate the system are required to provide two passwords: one is entered to log on to the system, and a second, different password must be entered to commit any changes. This fail-safe means a malicious user is required to compromise two unique passwords to effect change in the OT system.

In RC-WebView 3.13, this two-step change approval process is configured in the Enterprise Website Settings page (Figure 6). If the Enforce Change Approval check box is selected, a valid approval password and reason must be entered any time a change is made to the OT system using the BUI (see Figure 7).

Figure 6: Enterprise Website Settings page (left); Login Info page (right).

 

Figure 7: Authentication Required dialog box for secondary change approval in RC-WebView.

 

By default, when the Enforce Change Approval check box is selected, the Approval Password box displays in the Login Info page for each user account (Figure 6), and by default the Approval password reset required check box is automatically selected. The next time a user with the authority to manipulate the system logs on, they are prompted to enter an approval password. As with user account passwords, administrators can also configure the approval password directly and initiate a manual reset as required.

In the change approval configuration, an administrator can also define a grace period for making changes. The Approval password required for system changes every < > minutes box defines the amount of time a user can make changes following successful change authentication using the approval password. Where authentication is not required for every change, this feature simplifies the user experience by allowing several changes to be executed with a single authorization within a configurable brief interval.

This two-step change approval process provides an extra layer of protection for accountable built environment executives by providing supplemental authentication to manipulate the system and its data as well as an easily auditable log of the reasons for making changes. In this way it is easier to understand and answer with assurance who has influenced end results and why.
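The two-step change approval and its grace period can be sketched as a gate in front of every change. This is an added illustration, not Reliable Controls code; the names are hypothetical, and it assumes that changes made inside the grace period are logged under the reason given at the approval that opened it.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class ApprovalGate:
    grace_minutes: int  # window in which one approval covers further changes
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    logon_hash: bytes = b""
    approval_hash: bytes = b""
    approved_at: Optional[float] = None
    approved_reason: str = ""
    audit: List[Tuple[float, str, str]] = field(default_factory=list)

    def set_passwords(self, logon: str, approval: str) -> None:
        # The two secrets must differ, otherwise one compromise defeats both steps.
        if logon == approval:
            raise ValueError("approval password must differ from logon password")
        self.logon_hash = _hash(logon, self.salt)
        self.approval_hash = _hash(approval, self.salt)

    def commit(self, change: str, now: float,
               approval: Optional[str] = None, reason: Optional[str] = None) -> bool:
        in_grace = (self.approved_at is not None
                    and now - self.approved_at < self.grace_minutes * 60)
        if not in_grace:
            if not approval or not reason:
                return False  # both the approval password and a reason are required
            if not hmac.compare_digest(_hash(approval, self.salt), self.approval_hash):
                return False
            self.approved_at, self.approved_reason = now, reason
        # Assumption: changes inside the grace period are logged under the
        # reason given at the approval that opened it.
        self.audit.append((now, change, self.approved_reason))
        return True
```

A longer grace period widens the window in which an unattended, already-approved session can make changes, so the interval is a security setting as much as a usability one.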

 

Data integrity accountability

Being answerable for results often hinges on access to data and confidence that it is accurate. For a BUI to be accountable, it must provide a degree of data integrity assurance. RC-WebView 3.13 contributes to this assurance in many ways.

 

Digital validation

By using a digital signature certificate, RC-WebView validates that log data has not been manipulated outside of the service. RC-WebView automatically creates a default signature certificate to simplify the validation process and supports the ability for OT administrators or organizations to provide their own certificate. Digital signature certificates are managed in the Enterprise Website Settings page (Figure 8).

Figure 8: Signature Certificate area in the Enterprise Website Settings page.

 

Data validation is visible in two ways. The Validated column in the Audit Trail worksheet displays a check mark for all validated records of operator activity. The signature certificate is also used to digitally sign Excel exports of audit trail and historical logs. A signed Excel workbook contains a data sheet, including the information from the log, and a signature sheet that provides details about the digital validation. Using the information contained in the signature certificate, an auditor can validate the authenticity of the entries. If the signed workbook is edited, the signatures become invalid.
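The idea of a data sheet plus a signature sheet, with a per-record Validated flag, can be sketched as follows. This is an added illustration, not the RC-WebView export format or Reliable Controls code: a keyed HMAC-SHA256 stands in for the certificate-based signature (with a real certificate the auditor verifies using the public key only), and the field names and sample rows are constructed.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple


def _tag(key: bytes, label: bytes, data: bytes) -> str:
    # The label keeps row tags and the export tag in separate domains.
    return hmac.new(key, label + data, hashlib.sha256).hexdigest()


def _row_tag(key: bytes, row: Dict) -> str:
    # Canonical JSON so the same record always serialises to the same bytes.
    canonical = json.dumps(row, sort_keys=True, separators=(",", ":")).encode()
    return _tag(key, b"row:", canonical)


def sign_export(key: bytes, rows: List[Dict]) -> Dict:
    """Return a 'workbook' with a data sheet and a signature sheet."""
    row_tags = [_row_tag(key, r) for r in rows]
    export_tag = _tag(key, b"export:", "".join(row_tags).encode())
    return {"data": rows, "signature": {"rows": row_tags, "export": export_tag}}


def validate_export(key: bytes, workbook: Dict) -> Tuple[List[bool], bool]:
    """Return (per-row Validated flags, whole-export flag)."""
    rows, sig = workbook["data"], workbook["signature"]
    stored = sig["rows"]
    validated = [
        i < len(stored) and hmac.compare_digest(_row_tag(key, row), stored[i])
        for i, row in enumerate(rows)
    ]
    # The export tag covers the ordered list of row tags, so removing or
    # reordering rows is detected even if each remaining row still verifies.
    recomputed = _tag(key, b"export:", "".join(_row_tag(key, r) for r in rows).encode())
    return validated, hmac.compare_digest(recomputed, sig["export"])


# Constructed sample data, not real audit-trail output.
SAMPLE_KEY = b"constructed-demo-key"
SAMPLE_ROWS = [
    {"time": "2023-02-01T09:00:00Z", "user": "operator1", "action": "setpoint changed"},
    {"time": "2023-02-01T09:05:00Z", "user": "admin1", "action": "user role edited"},
    {"time": "2023-02-01T09:10:00Z", "user": "operator1", "action": "schedule edited"},
]
```

Editing one field clears that row's Validated flag, while deleting a row together with its tag leaves every remaining row valid and is caught only by the export-level check.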

 

Watermarks

Digital images can be manipulated almost perfectly with increasing ease. This can place at risk confidence and assurance that a BUI is trustworthy and that its data integrity is sound. In the RC-WebView Enterprise Website Settings page (Figure 9), when the Watermark check box is selected, an image is superimposed as a watermark over all files printed directly from the BUI using Options > Print (Figure 10). Applying a watermark to an image is a security mechanism designed to make it more difficult to graphically manipulate digital files without detection.

Figure 9: Watermark area in the Enterprise Website Settings page.

 

Figure 10: File printed from RC-WebView with a watermark to mitigate image manipulation.

 

To make this mechanism as simple as possible to deploy, RC-WebView provides a default image to be used as a watermark once enabled. The Watermark box on the Enterprise Website Settings page provides administrators and executives with the ability to choose a custom image. The image is automatically resized and repeated across the page at an angle. Image transparency is adjusted to ensure the printed content remains visible.

The validation delivered by the digital signature certificate and watermark provides assurance to built environment executives that the audit trail in the BUI, and the data exported from the BUI, are trustworthy.

For more information regarding the confidentiality, integrity, and availability of system data complementary to an accountable OT system, please refer to the Reliable Controls Hardening Guide. The subsequent insight installment in this series will discuss specific requirements for accountable OT systems that must be validated according to the requirements of the U.S. Food and Drug Administration Title 21 Code of Federal Regulations Part 11.

 

Lead the way

Being accountable is the obligation to understand and justify results. For built environment professionals and executives, this means being answerable for dynamic systems that exert significant influence on business and mission-oriented key performance indicators for their organizations. The features introduced in RC-WebView 3.13 provide an accountable BUI for OT systems that is simple, flexible, and sustainable.

When someone must answer the hard questions about the built environment, RC-WebView can provide understanding, assurance, and confidence that the data is available and accurate. By together delivering this accountability to our customers, we can continue to be people and technology they can rely on.

¹ RC-WebView 3.12.0, released December 17, 2018.