User Manual
Checklist
4
86 | 88
A6V11646120_enUS_c_41
Controls                                                                      | Status
------------------------------------------------------------------------------|-------
Implement physical and environmental security controls (for non-SGD clients). |
Implement network separation.                                                 |
Implement protective firewall rules.                                          |
Implement operational security controls.                                      |
Implement access control measures.                                            |
Disable the saving function for credentials in all browsers.                  |
Implement user management controls.                                           |
Firewall
Assuming your firewall is deployed and filtering traffic as intended, keeping the
firewall's operating system patched and up to date is probably the most valuable
security precaution you can take.
● Configure Strong & Non-Default Passwords
Ensure that all default and blank passwords are changed to suitably strong values. At
a minimum we recommend 10 characters in length, containing a mix of lower- and
uppercase letters, numbers and special characters.
Ensure that passwords are not re-used between devices and that, where passwords appear
within configuration files, they are stored in a hashed, non-reversible form rather
than in cleartext or reversibly encrypted form.
● Enforce Local Account Lockouts
Enforcing account lockouts protects accounts against password guessing and
brute-force attacks. In combination with enforcing password complexity, this reduces
the likelihood of an account being compromised using these techniques.
● Restrict Access to Administrative Ports
Restricting access to administrative ports reduces the attack surface exposed by the
device. Access to administrative ports should be restricted to trusted interfaces
and/or IP addresses. By amending firewall rules it is possible to restrict access to the
web console of both the gateway and the management systems.
● Disable Plain Text Protocols for Administrative Ports
Communication sent using plain-text protocols can be sniffed by attackers. Check
Point provides a secure, encrypted alternative to every plain-text protocol, such as SSH
instead of Telnet and HTTPS instead of HTTP. Disabling plain-text protocols is a quick
win in terms of improving security.
● Configure Suitable Remote Management Access
Typically only authorized personnel in your IT department need to log on and remotely
manage devices. For this reason, many firewalls allow configuration to restrict
management access to specific interfaces, network ranges, and even individual IP
addresses.
Use protocols that provide suitable authentication and encryption. Unencrypted
management protocols such as Telnet, TFTP, FTP, SNMP prior to version 3, and
HTTP should not be used.
Using HTTPS or SSH for management is highly recommended, preferably configured
to use strong ciphers.
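The five firewall items above (strong passwords, lockouts, restricted administrative ports, no plain-text protocols, restricted remote management) can be checked mechanically against a configuration dump. The script below is an added example and is not part of this manual or of Check Point's software. It audits a Gaia clish `show configuration`-style dump and prints a remediation command for each failed check. The configuration dumps are constructed samples with a dummy password hash, and the command keywords (`password-controls`, `net-access`, `snmp`, `allowed-client`) follow Gaia clish syntax as the editor knows it; confirm them against the Gaia Administration Guide for your release before running them on a device.

```python
"""Audit a Gaia clish configuration dump against the firewall hardening checklist.

Added example, not Siemens or Check Point code. Keyword spellings are assumed to
match Gaia clish; verify against the Gaia Administration Guide for your release.
"""
import re

# Constructed sample (not captured from a real device). Every line except the
# hostname and the admin entry violates the checklist; the admin hash is a dummy.
SAMPLE_CONFIG = """\
set hostname fw-gw-01
set password-controls min-password-length 8
set password-controls complexity 2
set password-controls deny-on-fail enable off
set user admin password-hash $6$constructed$NOTAREALHASH000000000000000000000000000000000
set user auditor password Secret123!
set net-access telnet on
set snmp agent on
set snmp agent-version any
add allowed-client host any-host
"""

# The same device after remediation (constructed); the fix strings below emit these commands.
HARDENED_CONFIG = """\
set hostname fw-gw-01
set password-controls min-password-length 10
set password-controls complexity 4
set password-controls deny-on-fail enable on
set password-controls deny-on-fail failures-allowed 5
set password-controls deny-on-fail allow-after 900
set user admin password-hash $6$constructed$NOTAREALHASH000000000000000000000000000000000
set net-access telnet off
set snmp agent on
set snmp agent-version v3-Only
add allowed-client network ipv4-address 10.10.0.0 mask-length 24
"""

# Stored credentials must look like a crypt-style one-way hash: $<scheme>$salt$digest
HASH_RE = re.compile(r"^\$[0-9a-z]+\$\S+$")


def parse(config_text):
    """Split a clish dump into token lists, keeping only set/add directives."""
    rows = []
    for line in config_text.splitlines():
        words = line.split()
        if words and words[0] in ("set", "add"):
            rows.append(words)
    return rows


def setting(rows, *path):
    """Value of the first 'set <path...> <value>' line, or None if absent."""
    for words in rows:
        if words[0] == "set" and words[1:1 + len(path)] == list(path) and len(words) > len(path) + 1:
            return words[len(path) + 1]
    return None


def audit(config_text):
    """Return (check, problem, clish fix) tuples; an empty list means compliant."""
    rows = parse(config_text)
    findings = []

    length = setting(rows, "password-controls", "min-password-length")
    if length is None or int(length) < 10:
        findings.append(("min-password-length", f"{length} (checklist minimum is 10)",
                         "set password-controls min-password-length 10"))

    # Assumed semantics: complexity N = number of character classes required,
    # so 4 = lower, upper, digit and special, as the checklist demands.
    complexity = setting(rows, "password-controls", "complexity")
    if complexity is None or int(complexity) < 4:
        findings.append(("complexity", f"{complexity} character classes required, need 4",
                         "set password-controls complexity 4"))

    if setting(rows, "password-controls", "deny-on-fail", "enable") != "on":
        findings.append(("account-lockout", "lockout after failed logins is off",
                         "set password-controls deny-on-fail enable on"))

    if setting(rows, "net-access", "telnet") != "off":
        findings.append(("plaintext-protocol", "Telnet is enabled; use SSH only",
                         "set net-access telnet off"))

    if setting(rows, "snmp", "agent") == "on" and setting(rows, "snmp", "agent-version") != "v3-Only":
        findings.append(("plaintext-protocol", "SNMP v1/v2c accepted; community strings travel in clear",
                         "set snmp agent-version v3-Only"))

    for words in rows:
        # Credentials must appear as password-hash <crypt string>, never as a literal.
        if words[:2] == ["set", "user"] and len(words) >= 5 and words[3].startswith("password"):
            if words[3] != "password-hash" or not HASH_RE.match(words[4]):
                findings.append(("credential-storage", f"user {words[2]} has a cleartext or reversible credential",
                                 f"set user {words[2]} password   (clish prompts; the dump then shows password-hash)"))

    for words in rows:
        if words[1:2] == ["allowed-client"] and words[2:4] == ["host", "any-host"]:
            findings.append(("management-access", "Gaia portal and SSH reachable from any address",
                             "add allowed-client network ipv4-address <mgmt-net> mask-length <n>; "
                             "then delete allowed-client host any-host"))
    return findings


if __name__ == "__main__":
    for check, problem, fix in audit(SAMPLE_CONFIG):
        print(f"[{check}] {problem}\n    fix: {fix}")
```

Run it against a saved `show configuration` transcript rather than on the device itself; the audit only needs the text. Note what it does not cover: restricting the gateway and management web consoles by security policy rules (the third bullet) is done in the policy, not in the OS configuration, so it has to be reviewed in the rulebase.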
Predefined Security Zones
These are the predefined security zones and their intended purposes: