User Manual
Connect Device - On-Premise Gateway Security
4
10 | 19
A6V11852371_en_e
● To verify the authenticity of the gateway, each Connect Device is required to
register and authenticate with Building Operator using a 32-digit unique
Activation key before it can be used for normal operation.
● Software applications that are hosted on the Connect Device are stored in
registered private containers. Access to containers is granted only via
authenticated tokens to authorized users.
● As a part of the initial setup, a login to the Connect web application is required, where:
– The user is forced to change the default admin (administrator) password when logging in for the first time.
– A strong password is required with at least 8 characters, including upper-case and lower-case letters, numbers, and special characters.
● As a part of the initial setup, a login to the Building Operator Discovery web application is required, where:
– The user is forced to change the default admin (administrator) password when logging in for the first time.
– A strong password is required with at least 9 characters, including upper-case and lower-case letters, numbers, and special characters.
– In addition to the admin user, Building Operator Discovery employs a gw user.
– Deactivating or changing the password of the gw user account will lead to misconfiguration of the Connect Device, resulting in loss of connectivity to the Building Operator.
– The admin user can back up and/or restore any Building Operator Discovery project.
– To set up remote access endpoints, the user is required to log in to the Connect web application.
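The two password rules above differ only in their minimum length (8 characters for the Connect web application, 9 for Building Operator Discovery) and otherwise require the same character classes. The following checker is an added example, not code from the manual or from the product; it encodes both policies as stated so that a commissioning script or audit tool can verify a candidate password before it is set, and also rejects a password that merely re-uses the default value being replaced (the default value itself is a constructed placeholder, since the manual does not print it).

```python
import re
from typing import List

# Minimum lengths as stated in the manual for each web application.
# The character-class rules (upper case, lower case, digit, special) are common to both.
POLICIES = {
    "connect_web_app": 8,
    "building_operator_discovery": 9,
}

# Constructed placeholder: the manual only says the default admin password must be
# changed at first login; it does not print the factory value.
PLACEHOLDER_DEFAULT_PASSWORD = "default-admin-password"


def check_password(password: str, min_length: int,
                   current_password: str = PLACEHOLDER_DEFAULT_PASSWORD) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    # Anything that is not a letter or digit counts as a special character here.
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    # The first login must replace the default password, so re-using it is rejected.
    if password == current_password:
        problems.append("identical to the current (default) password")
    return problems


def check_for_application(password: str, application: str) -> List[str]:
    """Apply the minimum length that the manual states for the named web application."""
    return check_password(password, POLICIES[application])


if __name__ == "__main__":
    for app in POLICIES:
        for candidate in ("Abc123!x", "Abc123!xy", "password"):
            print(app, repr(candidate), check_for_application(candidate, app) or "OK")
```

A password that satisfies the Connect web application rule can still fail for Building Operator Discovery by one character, so a deployment script that sets both should validate against the stricter of the two minimum lengths.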
Network Security
The initial setup of the Connect Device, at the first login, will prompt the user to choose between single or separate network mode. Understanding the two modes and choosing the correct option for your building is an important step in mitigating cyber risk and ensuring a secure network.
Separate network mode (Recommended) is for installations where IT and OT are separate, independent networks. This means that the Building Automation has a LAN network independent of the IT network. In separate network mode, the Connect Device utilizes the built-in firewall feature, separating the IT network traffic (WAN) from the OT network traffic (LAN) of the building automation. See figure 3. The customer must use this option when the OT network is not protected by a customer-provided corporate firewall, and the customer is responsible for properly configuring the firewall to secure their network.
Figure 3: Separate Network Mode
Single network mode is for installations with a converged IT/OT corporate network. A converged IT/OT network means that the Building Automation network shares the same WAN as the IT network. In this mode, the system relies on a customer-provided corporate firewall to protect the IT/OT network. See figure 4. Choosing this mode requires the customer to secure their network, as single network mode does not utilize the Connect Device’s built-in firewall but instead connects to the IT/OT network as a normal IT device.