Desigo™ CC Cyber Security Guidelines, Basic Documentation. Smart Infrastructure, 2019-04-23
Imprint

Data and design subject to change without notice. / Supply subject to availability. © Siemens Switzerland Ltd (2019). Desigo is a trademark of Siemens Schweiz AG. Other product or company names mentioned herein may be the trademarks of their respective owners. We reserve all rights in this document and in the subject thereof.
Table of Contents

1 About This Document ........ 5
1.1 Applicable Documents ........ 6
1.2 Technical terms and abbreviations ........ 6
1.3 Acknowledgements ........ 10
1.
1 About This Document

Purpose
This document must be handed over to the system owner.

Retention and Availability
NOTICE: Damage Due to Misuse. This document must be available in a usable format throughout the entire life cycle of the product. Keep the document for reference and ensure that it can be accessed by the target groups. For additional information on building technology security and our offerings, contact your Siemens sales or project department.
Document Identification
The document ID is structured as follows:

ID code: ID_languageCOUNTRY_modification index
Examples: 011_A6V10415500_en_b_30, 011_A6V10415500_de_c_30
"--" in the language field = multilingual or international

Date Format
The date format in the document corresponds to the recommendation of the international standard ISO 8601 (format YYYY-MM-DD).

1.1 1.
ESPA 4.4.4: ESPA 4.4.4 is a protocol controlling wireless pagers. It uses ISO 1745, point-to-point over RS232, as the data link layer. The AlphaCom can use it in two ways. Output: it sends a "start paging" message to a wireless pager transmitter, either because of a manual action by a user or because of an automatic action such as the activation of an input (alarm). Input: the AlphaCom can be set up to look like a pager transmitter.
OPC: The OPC Foundation (OPC, formerly known as Object Linking and Embedding for Process Control) is an industry consortium that creates and maintains standards for open connectivity of industrial automation devices and systems, such as industrial control systems and process control generally.
SI: Smart Infrastructure, Siemens Division.
SMB: Server Message Block is an application layer network protocol, mainly used for providing shared access to files.
SMC: The System Management Console is a stand-alone tool that initializes a new project, restores a project, and configures system-wide settings such as the history database, system users and web server parameters.
1.3 Acknowledgements

Responsibility of the System Owner
The information technology (IT) used on site is the responsibility of the system owner.

Standards, Regulations and Legislation
Follow the policies of your company as well as any national regulations or international standards, such as ISO/IEC 27002 and IEC 62443. For example, the Federal Office for Cyber Security (BSI), www.bsi.bund.de/EN, provides information on basic Cyber Security for Germany in both German and English.
1.4 Revision history
The reference document's version applies to all languages into which the reference document is translated. NOTE: The first edition of a language version or a country variant may, for example, be version 'd' instead of 'a' if the reference document is already at this version.
2 Cyber Security Basics
2.
2.2 Threat and Risk Terminology
Please find below a brief glossary of common terminology used in Cyber Security. An asset is a material or immaterial entity that must be protected. It is important to list the relevant assets and understand their value (for the business and for potential attackers) in order to define the correct level of protection. A vulnerability is a weakness or lack of protection of a system that can be exploited.
2.3 System Security
As explained in the introduction, every modern building automation system must ensure an adequate level of Cyber Security protection. It is, however, impossible to reach complete security, so there is always a residual risk. The cost of a countermeasure must not exceed the potential damage it prevents. In any case, the system owner must understand the residual risk and decide whether it is acceptable for the business.
3 Network Security Controls
The following sections detail the concept of a protected system configuration as well as specific use cases. The network security-related controls aim at mitigating the risk of exploitation of possible Desigo CC vulnerabilities. To enhance security, follow the policies of your company as well as any national legislation or international standards, such as ISO/IEC 27002 and IEC 62443.
3.
3.1.1 DCC Client HTML5 Zone Boundary Protection
The Desigo CC Backbone Level and DMZ Level are security zones that are physically protected (e.g. locked in a rack in a server room) and that use separate networks permitting only restricted access to their components. A separate VLAN alone does not meet the requirements for zone boundary protection; a firewall is required, too.
3.1.2 System Components
As illustrated below, Desigo CC software can be installed on a single server or broken up into the following main functional blocks:
Management System Server: Monitors and commands the field networks, executes automatic actions and interacts with users via clients.
3.1.3 Firewall Rules
The firewall rules table lists the ports and services that need to be allowed to communicate across the different network zones of a protected system configuration.
Server Communication (port usage across machine boundaries for client-server and server-server communication)
Core Services on Main Server: WCCILdata.exe 1)
Event Manager: WCCILevent.

Microsoft IIS on separate Web Server:
- TCP 80, port configured in SMC or IIS: HTTP
- TCP 443, port configured in SMC or IIS: HTTPS
MS SQL Server Browser: sqlbrowser.exe
MS SQL Server DB instance (HDB): sqlserver.

Separate Web Server port exposure (component and executable, default port, port configuration, protocol and comment):
- Web Service Interface, WCCOAWsi.exe 2): TCP 8080, configured in SMC, HTTP(S) REST web service, always exposed (x)
Optional services on the main server:
- OPC DA, Siemens.Gms.OPCServer.exe: TCP/UDP 135, RPC End Point Mapping, exposed (X) to a 3rd-party OPC client outside the main server
- OPC UA, Local Discovery Server: Siemens.Gms.OPCServer.

Subsystem Connectivity, outbound connections (ports used by the host to connect to automation systems):
- APOGEE P2, hosts Main Server and FEP: APOGEE P2 driver WCCOAApogeeDrv.exe 2)
- BACnet, hosts Main Server and FEP: BACnet driver WCCOAGmsBACnet.exe 2)
- Modbus, hosts Main Server and FEP: Modbus driver WCCOAmod.
- OPC

Remote Notification, outbound connections (ports used by the host to connect to remote notification systems), host Main Server:
- ESPA driver: WCCOAGmsCoHoMngr.exe 2)
- GSM driver: WCCOActrl.exe
- Mail: WCCOActrl.exe
- TAP driver: Siemens.Gms.RENO.TAPDevMgr.
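As an added example (not taken from the Desigo CC documentation), the following PowerShell derives an inbound Windows Firewall rule set for the main server from the port table above: block by default, then allow only the listed ports, bound to the listed executables and to the zone that legitimately uses them. The subnets, the OPC client address, the installation folder and the rule-name prefix are assumptions.

```powershell
# Added example, not Siemens code. Run elevated on the Desigo CC main server.
# Assumed addresses and paths; adapt them to the site's zone layout.
$DmzNet    = '192.0.2.0/24'      # assumed DMZ hosting the separate web server (IIS)
$OpcClient = '198.51.100.50'     # assumed host of an optional 3rd-party OPC DA client
$GmsBin    = 'C:\DesigoCC\bin'   # assumed Desigo CC installation folder
$Prefix    = 'DCC '              # assumed rule-name prefix, used for the review below

# 1. A separate VLAN alone does not meet the zone-boundary requirement: enable the
#    firewall on every profile and drop unsolicited inbound traffic by default.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Remove earlier rules with the same prefix so the script can be re-run.
Get-NetFirewallRule -DisplayName "$Prefix*" -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# 3. Web Service Interface (WCCOAWsi.exe, TCP 8080): the separate web server in
#    the DMZ is the only legitimate caller, so the rule is tied to that subnet
#    and to the executable.
New-NetFirewallRule -DisplayName "${Prefix}WSI from DMZ" -Direction Inbound `
    -Protocol TCP -LocalPort 8080 -RemoteAddress $DmzNet `
    -Program "$GmsBin\WCCOAWsi.exe" -Action Allow | Out-Null

# 4. OPC DA is optional. RPC End Point Mapping on 135 is answered by the Windows
#    RPC service, not by Siemens.Gms.OPCServer.exe, so the rule is bound to the
#    single OPC client address instead of to a program. Skip this step entirely
#    when no 3rd-party OPC client outside the main server exists.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "${Prefix}RPC EPM for OPC DA ($proto)" `
        -Direction Inbound -Protocol $proto -LocalPort 135 `
        -RemoteAddress $OpcClient -Action Allow | Out-Null
}

# 5. Review: one row per rule with its port, remote-address and program filters,
#    so the result can be checked against the firewall rules table.
function Get-DccRuleSummary {
    Get-NetFirewallRule -DisplayName "$Prefix*" | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        $app  = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Protocol = $port.Protocol
            Port     = $port.LocalPort
            Remote   = $addr.RemoteAddress
            Program  = $app.Program
        }
    }
}
Get-DccRuleSummary | Format-Table -AutoSize
```

Ports marked "SMC" in the table (core services, IIS) are site-configured; add them with the same pattern once the values from SMC are known rather than hard-coding guesses.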
Figure 5: Single Machine Deployment. (Figure labels: DCC Server Backbone on protected server hardware with DCC Client, BIRT, IIS, DCC WSI/Tomcat, DCC Server, MS SQL and WinCC OA; a firewall between the DCC server and each connected subsystem: Desigo PX, Sipass, FS20, System One, SPC, cameras/VMS, and further subsystems n and m.)
Stand-Alone System with a Local Web Server (IIS)
The following describes a typical deployment scenario for setting up a Desigo CC system with a local web server (IIS) on a single computer.

What is a Local Web Server?
The web client and Windows App client options require installing an optional web server component (IIS). When the web server (IIS) is installed on the same computer as the Desigo CC server, it is called the local web server (IIS).
NOTICE: Validity of Self-Signed Certificates. Self-signed certificates allow local deployments without the overhead of obtaining commercial certificates. When using self-signed certificates, the owner of the Desigo CC system is responsible for maintaining their validity status, and for manually adding them to and removing them from the list of trusted certificates.
3.2.2 Client/Server inside the Customer Network

Intended Use Case
This is the configuration choice for cases where multiple Installed Clients, connected via a dedicated or shared local area network (LAN), are required and web connectivity is not required. Communication between the key components can be secured by standard IT security mechanisms like certificates.
Figure 8: Client/Server inside the Customer Network.
Installed and Windows App Clients are connected to the server via the system LAN. The size of the field system and the number of clients that this configuration can support depend on the server hardware configuration.

Client/Server
A Desigo CC installation has only one server, but it can have multiple clients running on different computers.
The communication certificates should be specific to their role; it is therefore recommended to use different host certificates for client and server. The communication certificates are used by the Desigo CC client/FEP, so the logged-on user of the client/FEP operating system requires access to the private key of the host certificate stored in the Windows Certificate store. The owner of the Desigo CC system is responsible for distributing authorized certificates and keys.
(Figure, caption not recovered: HTML5 web clients in the customer's branch office and home office reach the DCC WSI/Tomcat in the local office through firewalls from the WWW; behind a further firewall sits the DCC Server Backbone with MS SQL.)
The required certificates (SMC-created or commercial) are imported into the Windows Certificate store:
- The root certificate of the host certificate provided for CCom port security is imported into the Trusted Root Certification Authorities store.
- The communication between the web server and the web/Windows App clients is always secured. Hence, the web site and the web application creation certificates are mandatory.
3.2.4 Client/Server with Internet Access

Intended Use Case
This is the configuration choice for cases where multiple Installed Clients, connected via a dedicated or shared LAN, are required, but web connectivity is also required to allow remote access via a Desigo CC Web Client or to provide remote connectivity to an external application via Web Services.
Server Station
A single dedicated workstation with the following features:
- Desigo CC server is installed.
- Microsoft SQL is installed on the Desigo CC server.
- The server project folder is shared.
- The required certificates are imported into the Windows Certificate store: the root certificate into the Trusted Root Certification Authorities store, the host certificate into the Personal store.
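The certificate handling described in the preceding sections (root certificate into the Trusted Root Certification Authorities store, host certificate with its private key into the Personal store, and the owner's duty to keep self-signed certificates valid) as an added PowerShell example that is not part of the Siemens documentation. File names and the password prompt are assumptions.

```powershell
# Added example, not Siemens code. Run elevated on the server, client or FEP.
$RootCerFile = 'C:\certs\dcc-root.cer'    # assumed: root of the host certificate
$HostPfxFile = 'C:\certs\dcc-host.pfx'    # assumed: host certificate incl. private key
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX password'

# Root certificate -> Trusted Root Certification Authorities (machine store).
$rootCert = Import-Certificate -FilePath $RootCerFile `
    -CertStoreLocation Cert:\LocalMachine\Root

# Host certificate -> Personal store (Cert:\LocalMachine\My), private key included.
$hostCert = Import-PfxCertificate -FilePath $HostPfxFile `
    -CertStoreLocation Cert:\LocalMachine\My -Password $PfxPassword

function Test-DccHostCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [int]$WarnDays = 30
    )
    # The chain must end at a trusted root; a dangling self-signed leaf is not accepted.
    $chainOk = [bool](Test-Certificate -Cert $Cert -Policy SSL `
                  -AllowUntrustedRoot:$false -ErrorAction SilentlyContinue)
    # Without the private key the certificate cannot serve CCom port security.
    $keyOk = $Cert.HasPrivateKey
    # Validity is the owner's responsibility for self-signed certificates: flag early.
    $daysLeft = [int]($Cert.NotAfter - (Get-Date)).TotalDays

    if (-not $chainOk)              { $action = 'import or verify the root certificate' }
    elseif (-not $keyOk)            { $action = 'reimport the PFX including its private key' }
    elseif ($daysLeft -lt $WarnDays) { $action = 'renew and redistribute' }
    else                            { $action = 'ok' }

    [pscustomobject]@{
        Subject      = $Cert.Subject
        Issuer       = $Cert.Issuer
        Thumbprint   = $Cert.Thumbprint
        ChainValid   = $chainOk
        HasPrivKey   = $keyOk
        DaysToExpiry = $daysLeft
        Action       = $action
    }
}
Test-DccHostCertificate -Cert $hostCert | Format-List

# Inventory of certificates in the machine stores that expire within 30 days, so
# stale self-signed certificates are renewed or removed rather than trusted by habit.
Get-ChildItem Cert:\LocalMachine\My, Cert:\LocalMachine\Root |
    Where-Object { $_.NotAfter -lt (Get-Date).AddDays(30) } |
    Select-Object PSParentPath, Subject, NotAfter, Thumbprint
```

Because the client and server should use different host certificates, run the check on each machine with its own PFX and compare the reported thumbprints; identical thumbprints on both sides indicate a shared certificate that should be replaced.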
Deployment Diagram
Figure 16: Remote Web Server in a DMZ Scenario.
3.2.5 Large, Distributed Client/Server with Internet Access

Intended Use Case
This is the configuration choice for cases where the system size or specific customer requirements call for deploying key Desigo CC components on different hardware platforms, which can be physical or virtual. Communication between the key components must be secured by standard IT security mechanisms like certificates.
Figure 19: Distributed System Configurations. (Figure labels: HTML5 web clients in the customer's branch office and home office reach IIS in the customer DMZ from the WWW through firewalls; DCC WSI/Tomcat, BIRT, MS SQL, DCC Server and DCC FEP are distributed over separate server backbones, each separated by a firewall; DCC Clients sit in the local office.)
Figure 20: Multiserver architecture for discipline segmentation or redundancy. (Figure labels: stationary Desigo CC clients and Desigo CC web clients connected to decentralized servers.)
3.2.7 Virtualization

Intended Use Case
Virtualization has become a widely preferred and recommended environment for IT infrastructure among IT administrators. Server (hardware) virtualization is a proven software technology that makes it possible to run multiple operating systems on the same server at the same time, sharing the available hardware resources.
4 Cyber Security Concepts: How to Secure the System

Protection against Casual or Coincidental Violation
Desigo CC complies with the ISA-99/IEC 62443 Security Level SL1, as long as the recommendations described in this document are implemented in full.

Security Categories
Security in Desigo CC is divided into the following categories:
Protection: Protection of Desigo CC against unauthorized and malicious use.
4.1 User Management

User Account Management
NOTE: Desigo CC users can be configured to use local passwords or to use Windows authentication (for example, Active Directory). Use Windows authentication wherever possible to enhance security, control, and management of passwords. Use only Desigo CC accounts; do not use Windows accounts.
4.2 IT Security
NOTICE: The owner of the Desigo CC system is responsible for establishing and maintaining appropriate IT security, in particular by applying virus scanners, deactivating unneeded services and network ports, and by regularly patching and updating the operating system and all installed applications.

4.3 Communication Security
The communication between Web Clients and the Web Server (IIS) is always encrypted.
4.4 License Security
Licensing is important to guarantee the operation of the system within the agreed system limits. Only the system is allowed to change license data. If a license becomes temporarily unavailable (for example, because the dongle is unplugged), the system continues running fully operational for a demo period of 30 minutes. The system keeps checking for the license and shuts down at the end of the demo period if the license checks remain unsuccessful.
4.6 Main Server Folder Shares for Client and FEP Installations
When installing additional Installed Clients for DCC version 3.x, FEPs or a remote Web Server, the project directory needs to be shared and the access rights to the folders must be configured. For DCC version 4.0 the project directory is no longer shared; only the individual folders that need to be accessed remotely are shared.
4.7
Profile: Provide read access to all Windows client accounts, and read/write access to the Web Server account.
Shared: Provide read access on all files and subfolders to the Web Server account and to all Windows client accounts.
All other folders: Provide read/write access to the [System Account] only ([System Account] is configured in SMC).
4.9 Physical and Environmental Security
In order to protect the Desigo CC Server, the cabling and the clients, do the following: Desigo CC Servers and all servers that are connected to Desigo CC should be in a data center or server room with restrictive access control.
The benefits of OS hardening a Windows server are that you will have fewer patches to apply, you will be less likely to be vulnerable to the average exploit, and you will have fewer records to review in the logs. You can focus your attention on what the server is doing, not on unnecessary services that may be running. On the other hand, it is very difficult to properly harden/configure a system and keep it running effectively.
The ClickOnce client is not impacted. It runs automatically on TLS 1.2 when the protocol is available on the client.

Windows SMBv1 Remote Code Execution Vulnerabilities
Remote code execution vulnerabilities exist in the way that the Microsoft Server Message Block 1.0 (SMBv1) server handles certain requests. An attacker who successfully exploited the vulnerabilities could gain the ability to execute code on the target server.
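The two points above (TLS 1.2 availability for the ClickOnce client and the SMBv1 exposure) can be audited and remediated on a Desigo CC server or client with the following PowerShell, added here as an example that is not part of the Siemens documentation. It assumes a Windows 10 / Windows Server build where SMB1Protocol is an optional feature and the Schannel registry layout below applies.

```powershell
# Added example, not Siemens code. Run elevated; the TLS registry change and the
# feature removal take effect after a reboot.
$Tls12Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'

function Get-DccProtocolState {
    $smbFeature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol
    $smbServer  = Get-SmbServerConfiguration
    $tls = foreach ($side in 'Server', 'Client') {
        $key = Join-Path $Tls12Base $side
        $p = if (Test-Path $key) { Get-ItemProperty -Path $key } else { $null }
        # Absent values mean "OS default"; Enabled=1 / DisabledByDefault=0 means
        # the protocol is explicitly switched on for that Schannel role.
        [pscustomobject]@{
            Side              = $side
            Enabled           = $p.Enabled
            DisabledByDefault = $p.DisabledByDefault
        }
    }
    [pscustomobject]@{
        Smb1FeatureState  = $smbFeature.State               # expected: Disabled
        Smb1ServerEnabled = $smbServer.EnableSMB1Protocol   # expected: False
        Tls12             = $tls
    }
}

function Set-DccProtocolHardening {
    # 1. SMBv1: switch the server-side protocol off immediately and remove the
    #    component so it cannot be re-enabled by accident.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null

    # 2. TLS 1.2: enable it explicitly for both Schannel roles so the web server
    #    (server role) and the ClickOnce client (client role) can negotiate it
    #    regardless of the OS defaults of the installed build.
    foreach ($side in 'Server', 'Client') {
        $key = Join-Path $Tls12Base $side
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name Enabled           -Value 1 -Type DWord
        Set-ItemProperty -Path $key -Name DisabledByDefault -Value 0 -Type DWord
    }
}

# Audit first; call Set-DccProtocolHardening only after reviewing the output.
Get-DccProtocolState | Format-List
```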
influencers, but they could be wrong for you. Microsoft may keep to a predictable security patch release cycle, but most other vendors have unpredictable release schedules.

NOTICE: End of Life IT Components. IT components have to be replaced as soon as they pass their End of Life. EOL IT does not meet today's needs for Cyber Security.
Topic / Required Hardening:
- IT skills of users: Low
- IT skills of system administrators: Low
- IT skills of network administrators: Low
- IT skills of the installer (BT or VAP): Low
- Field devices connectivity: Directly on the customer network
- Connection to other services (for example, OPC servers and clients): Directly on the customer network
- Client Windows login: Administrative auto-logon
- Desigo CC users: Desigo CC authentication
- Desigo CC client options:
Topic / Required Hardening:
- Remote access: Via remote desktop
- Printers connectivity: Yes
- IT skills of users: Low
- IT skills of system administrators: Medium
- IT skills of network administrators: Medium
- IT skills of the installer (BT or VAP): Medium
- Field devices connectivity: Directly, via V-LAN or customer networks; the customer is responsible for securing it. The assumption is that the customer's IT secures field device connectivity.
Topic / Required Hardening:
- Client OS version and set up: Secure Windows OS installation.
- Set up and maintain Windows security: Keep Windows OS continuously updated by security patches. Enforce a strong password policy. Restrict access to users and to Desigo CC applications. Managed certificates and credentials.
- Client protective measures (Software): Disable interfaces with memory access (FireWire, USB 3.
4.13.4 D4: Client/Server Application in a Secured Location/Control Room
Applicability: Suitable and supported for IT security if Desigo CC security prescriptions are applied.
Location of the physical server: Supervised control room desk and enclosure.
Topic / Required Hardening:
- Physical/virtual server exclusivity: Non-exclusive; a computer also used for regular office tasks.
Topic / Required Hardening:
- Connection for clients outside the customer network (Remote access): Secured communication configured. Segmented network. Network firewalls configured and continuously maintained. DMZ configured.
- Remote access: Via remote desktop and VPN. Clients on the Internet restricted to "need to know".
4.13.5 D5: Client/Server Application in a Professional IT Environment
Applicability:
Location of the physical server: Restricted server room.
Physical/virtual server exclusivity: Exclusive; the server only hosts Desigo CC applications.
Topic / Required Hardening:
- Physical server protective measures: Server machine locked in a cabinet. Unplug and theft protection.
Topic / Required Hardening:
- Connection for clients outside the customer network (Remote access): Secured communication configured. Segmented network. Network firewalls configured and continuously maintained. DMZ configured.
- Remote access: Via remote desktop and VPN.
5 Checklist
The following checklist should be used to carry out security controls for the Desigo CC system components. The checklist has to be completed for each instance of any component.

Desigo CC Server Hardening Checklist

User Configuration
Make sure the password for the local Administrator account is reset to something secure. Furthermore, disable the local administrator whenever possible.
can talk to the server on other ports, that opens a huge and unnecessary security risk. If the server has other functions such as remote desktop (RDP) for management, they should only be available over a VPN connection, ensuring that unauthorized people cannot exploit the port at will from the net. The Windows firewall is a built-in software firewall that allows configuration of port-based traffic from within the OS.
domain. Domain logons are processed by domain controllers, and as such, they have the audit logs for that activity, not the local system. Standalone servers will have security audits available and can be configured to show passes and/or failures. Check the maximum size of your logs and scope them to an appropriate size. Log defaults are almost always far too small to monitor complex production applications.
every Windows machine using it also has a supporting BIOS and has the Trusted Platform Module (TPM) chip enabled.

Obfuscate Local Administrator Accounts
Often, malicious programs and hackers target default local administrator accounts as low-hanging fruit for exploitation. Simply renaming an administrator account adds a simple but effective layer of defense against brute force attacks.
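The account, audit-log and TPM items of the checklist above, as an added PowerShell example that is not part of the Siemens documentation. It assumes a stand-alone (non-domain) Desigo CC server; the replacement account name and the log size are assumptions.

```powershell
# Added example, not Siemens code. Run elevated on a stand-alone Desigo CC server.
$NewAdminName     = 'dcc-breakglass'   # assumed replacement name for the built-in Administrator
$SecurityLogBytes = 512MB              # assumed Security log size; Windows defaults are far smaller

# The built-in Administrator keeps RID 500 whatever it is called, so look it up by
# SID rather than by name; this keeps the script correct after a previous rename.
function Get-BuiltinAdmin {
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Set-DccAccountHardening {
    $admin = Get-BuiltinAdmin
    # Reset to a fresh, strong password first, then rename and disable: the old
    # credential is worthless even if someone re-enables the account later.
    $admin | Set-LocalUser -Password (Read-Host -AsSecureString -Prompt 'New admin password')
    if ($admin.Name -ne $NewAdminName) { $admin | Rename-LocalUser -NewName $NewAdminName }
    Disable-LocalUser -Name $NewAdminName
}

function Set-DccAuditHardening {
    # Enlarge the Security log so production activity is not overwritten within hours.
    wevtutil sl Security /ms:$SecurityLogBytes
    # Stand-alone servers hold their own logon audit trail: record passes and failures.
    auditpol /set /subcategory:"Logon" /success:enable /failure:enable | Out-Null
}

function Test-DccChecklist {
    $admin = Get-BuiltinAdmin
    $log   = Get-WinEvent -ListLog Security
    $tpm   = Get-Tpm
    [pscustomobject]@{
        AdminRenamed    = ($admin.Name -ne 'Administrator')
        AdminDisabled   = (-not $admin.Enabled)
        SecurityLogMB   = [int]($log.MaximumSizeInBytes / 1MB)
        LogLargeEnough  = ($log.MaximumSizeInBytes -ge $SecurityLogBytes)
        TpmPresentReady = ($tpm.TpmPresent -and $tpm.TpmReady)
    }
}

# Report first; apply Set-DccAccountHardening / Set-DccAuditHardening after review.
Test-DccChecklist | Format-List
```

Keep a second, individually named administrative account available before disabling the built-in one, so the system remains manageable.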
Controls / Status:
☐ Implement physical and environmental security controls (for non-SGD clients)
☐ Implement network separation
☐ Implement protective firewall rules
☐ Implement operational security controls
☐ Implement access control measures
☐ Disable in all browsers the saving function for credentials
☐ Implement user management controls

Firewall
Assuming your firewall is deployed and filtering traffic as intended, keeping your firewall's operating system patched and up-to-date is p
Predefined Security Zones
These are the predefined security zones and their intended purposes:
- WirelessZone: Networks that can be accessed by users and applications with a wireless connection.
- ExternalZone: Networks that are not secure, such as the Internet and other external networks.
- DMZZone: A DMZ (demilitarized zone) is sometimes referred to as a perimeter network.
Issued by Siemens Switzerland Ltd, Smart Infrastructure, International Headquarters, Theilerstrasse 1a, CH-6300 Zug. Tel. +41 41-724 2424, www.siemens.com/buildingtechnologies. Document ID A6V11646120, Edition 2019-04-23. © Siemens Switzerland Ltd, 2019. Technical specifications and availability subject to change without notice.