User Manual
2
Cyber Security Basics
14
Siemens Application Note
Smart Infrastructure
2.3 System Security
As explained in the introduction, every modern building automation system must
ensure an adequate level of Cyber Security protection. It is, however, impossible to
reach a complete level of security, so that there is always a residual risk. The cost
of a counter measure must not exceed the potential damage it can provide. In any
case, the system owner must understand the residual risk and decide if it is
acceptable for the business.
It is important to adopt a systematic view of the security requirements, so that the
effectiveness of the controls is evaluated as a whole, rather than addressing every
component separately. In particular, compensatory counter measures can be
employed to mitigate the vulnerabilities of given sub-systems so that the overall
desired security level is achieved.
It is also important that the different players involved contribute to the system
(manufacturers, system integrators and operators) according to their specific roles.
The responsibility of the manufacturers is to deliver security-capable products, up
to the level specified in their product documentation. The integrators are
responsible to design and deploy the solution according to the security
specifications of the operator and to respect the intended operational environments
of used products. Finally, the system operators are responsible for ensuring that
the security is kept up-to-date within the lifetime of the solution.
Maintaining the security of the solution requires establishing a continuous security
program framework that periodically assesses the desired target security level, the
risks of the system, the status and effectiveness of deployed controls and
implements corrective measures.
The guidelines detailed in this document support a continuing process to achieve
Cyber Security at system level.