User Manual
Siemens Application Note
Smart Infrastructure
4 Cyber Security Concepts - How to Secure the System
Protection against Casual or Coincidental Violation
Desigo CC complies with the ISA-99/IEC 62443 Security Level SL1 (protection against casual or coincidental violation) as long as the recommendations described in this document are implemented in full. The level is a property of the installed system, not of the product on its own: an installation that omits any of the recommendations cannot claim SL1.
Security Categories
Security in Desigo CC is divided into the following categories:
Protection
Protection of Desigo CC against unauthorized and malicious use. This includes secure communication, which prevents manipulation of messages in transit, and validation of users (authentication), which prevents access to the system by unknown users.
Authorization
Provision of a fine-grained but easy-to-configure authorization model. Access to every system resource and function is granted so that a user's access rights correspond both to the user's role, such as system administrator or personnel manager, and to the current operating conditions, such as the organization mode and/or the user's location.
The features related to Protection can be summarized as follows:
All communication paths between clients and the server provide encryption and protect against replay attacks as well as data manipulation. The communication between the Web Server (IIS) and the Web Clients is always encrypted.
Communication between the system server and a FEP can be encrypted by Desigo CC.
Communication between the system server and SQL Server can be encrypted by Desigo CC.
The runtime data transfer between the system server and IIS can be encrypted by Desigo CC.
"Can be encrypted" denotes a configurable option rather than a fixed property; whether it is enabled should be verified on each of these links, since implementing the recommendations in full is the condition on which the SL1 statement above rests.
Passwords are handled securely:
- Encrypted storage and transmission
Use of publicly specified, standardized algorithms for cryptographic functions, including:
- AES, Diffie-Hellman, RSA, SHA-2, etc.
- No self-coded algorithms
Key strengths are defined as general security baselines, for example:
- Symmetric encryption uses AES with 256-bit keys or stronger
- Asymmetric encryption (RSA, Diffie-Hellman) uses 2048-bit keys or stronger
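The following is an added example, not Desigo CC code, showing how a practitioner would enforce and then verify the two baselines just listed: a TLS client context restricted to 256-bit suites, an audit of what the context can actually negotiate, and a check of the RSA modulus size in a DER-encoded public key. The cipher string, the TLS 1.2 floor, the helper names and the sample keys are assumptions made for this example and are not settings documented for Desigo CC.

```python
"""Added example, not Desigo CC code: enforcing and auditing the key-strength
baseline described above (symmetric AES-256 or stronger, asymmetric keys of
2048 bits or more) with Python's standard ssl module plus a minimal DER reader.
The cipher string, the TLS 1.2 floor and the sample keys are assumptions made
for this example; they are not settings documented for Desigo CC."""
import ssl

MIN_SYMMETRIC_BITS = 256     # page: "256 bit AES or stronger"
MIN_ASYMMETRIC_BITS = 2048   # page: "2048 bit or stronger"
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption


def baseline_context() -> ssl.SSLContext:
    """Client context that only negotiates TLS 1.2 suites meeting the symmetric baseline."""
    ctx = ssl.create_default_context()            # certificate verification stays on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumption: reject TLS 1.0/1.1
    # TLS 1.2 suites: AES-256 only, no anonymous key exchange, no MD5.
    ctx.set_ciphers("ECDHE+AES256:DHE+AES256:!aNULL:!eNULL:!MD5")
    return ctx


def cipher_violations(ciphers, min_bits=MIN_SYMMETRIC_BITS):
    """Names of suites below the symmetric baseline. `ciphers` has the shape of
    SSLContext.get_ciphers(): dicts with at least "name" and "strength_bits".
    Auditing the negotiable list matters because Python's ssl module cannot
    restrict TLS 1.3 suites through set_ciphers(), so TLS_AES_128_GCM_SHA256
    can remain negotiable even with the cipher string above."""
    return [c["name"] for c in ciphers if c["strength_bits"] < min_bits]


def _read_tlv(buf: bytes, pos: int):
    """Minimal DER tag-length-value reader; returns (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits(spki_der: bytes) -> int:
    """Bit length of the modulus in a DER SubjectPublicKeyInfo holding an RSA key."""
    _, spki, _ = _read_tlv(spki_der, 0)             # SubjectPublicKeyInfo SEQUENCE
    _, alg_id, pos = _read_tlv(spki, 0)             # AlgorithmIdentifier SEQUENCE
    _, oid, _ = _read_tlv(alg_id, 0)
    if oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bit_string, _ = _read_tlv(spki, pos)       # subjectPublicKey BIT STRING
    if tag != 0x03 or bit_string[0] != 0:
        raise ValueError("malformed BIT STRING")
    _, rsa_key, _ = _read_tlv(bit_string, 1)        # RSAPublicKey SEQUENCE
    tag, modulus, _ = _read_tlv(rsa_key, 0)         # INTEGER n
    if tag != 0x02:
        raise ValueError("malformed RSAPublicKey")
    return int.from_bytes(modulus, "big").bit_length()


def asymmetric_ok(spki_der: bytes, min_bits=MIN_ASYMMETRIC_BITS) -> bool:
    return rsa_modulus_bits(spki_der) >= min_bits


# --- constructed sample keys (public numbers only; these are not real key pairs) ---
def _der(tag: int, content: bytes) -> bytes:
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_bytes)]) + length_bytes + content


def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    return _der(0x02, b"\x00" + b if b[0] & 0x80 else b)   # keep INTEGER positive


def make_rsa_spki(n: int, e: int = 65537) -> bytes:
    """Constructed SubjectPublicKeyInfo for the given modulus and exponent."""
    alg_id = _der(0x30, _der(0x06, RSA_OID) + b"\x05\x00")   # OID + NULL parameters
    rsa_key = _der(0x30, _der_int(n) + _der_int(e))
    return _der(0x30, alg_id + _der(0x03, b"\x00" + rsa_key))


if __name__ == "__main__":
    ctx = baseline_context()
    print("negotiable suites below baseline:", cipher_violations(ctx.get_ciphers()))
    for bits in (1024, 2048, 4096):
        key = make_rsa_spki((1 << (bits - 1)) | 1)
        print(bits, "bit RSA key meets baseline:", asymmetric_ok(key))
```

The point of `cipher_violations` is that a policy written into a cipher string is not the same as the policy the library enforces; run the audit against `get_ciphers()` of the context you actually deploy, and feed `rsa_modulus_bits` the DER public key from the server certificate you actually receive.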
The features related to Authorization can be summarized as follows:
The Authorization Model allows controlling access, view, and commanding
privileges of users and user groups on a very granular level based on
resources/groups. These resources/groups can be workstations, features,
applications, system objects, system object properties, and logical groups
of any kind for these resources.
Access to the system is treated intuitively: the UI displays only those elements, such as menus, buttons, list items, tree nodes, and so on, for which the user has at least read access. Hiding an element is a usability aid, not the access control itself; the access, view and commanding privileges defined in the authorization model determine what a user can actually do.
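The following is an added example, not Desigo CC code, that models the kind of authorization scheme described in this section: privileges granted to user groups on resources or on logical groups of resources, conditioned on the organization mode and the workstation, with a UI filter that shows only elements the user can at least read. The privilege levels, the "most specific scope wins" resolution rule, and all user, group and resource names are assumptions made for illustration.

```python
"""Added example, not Desigo CC code: a small authorization model with
resources, logical groups, user groups, operating-condition constraints and
a read-access UI filter.  Privilege levels, the resolution rule and all names
are assumptions for illustration."""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Privilege(IntEnum):
    NONE = 0      # element is neither shown nor usable
    READ = 1      # element is shown; values can be viewed
    COMMAND = 2   # values can also be commanded (written)


@dataclass(frozen=True)
class Rule:
    user_group: str
    scope: str                                 # resource path prefix or "group:<name>"
    privilege: Privilege
    org_modes: Optional[frozenset] = None      # None = valid in any organization mode
    workstations: Optional[frozenset] = None   # None = valid from any workstation


@dataclass
class Policy:
    user_groups: dict        # user -> set of user-group names
    logical_groups: dict     # logical group -> set of resource prefixes
    rules: list


@dataclass(frozen=True)
class Session:
    user: str
    workstation: str
    org_mode: str


def _covers(prefix: str, resource: str) -> bool:
    """'Site/A' covers 'Site/A' and 'Site/A/...' but not 'Site/AB'."""
    return resource == prefix or resource.startswith(prefix + "/")


def _scope_prefixes(policy: Policy, scope: str):
    if scope.startswith("group:"):
        return policy.logical_groups.get(scope[len("group:"):], set())
    return {scope}


def effective_privilege(policy: Policy, session: Session, resource: str) -> Privilege:
    """Default deny.  Among rules whose conditions hold for this session and
    whose scope covers the resource, the most specific (longest) matching
    prefix wins; on a tie the higher privilege wins."""
    best_len, best = -1, Privilege.NONE
    groups = policy.user_groups.get(session.user, set())
    for rule in policy.rules:
        if rule.user_group not in groups:
            continue
        if rule.org_modes is not None and session.org_mode not in rule.org_modes:
            continue
        if rule.workstations is not None and session.workstation not in rule.workstations:
            continue
        for prefix in _scope_prefixes(policy, rule.scope):
            if not _covers(prefix, resource):
                continue
            if len(prefix) > best_len or (len(prefix) == best_len and rule.privilege > best):
                best_len, best = len(prefix), rule.privilege
    return best


def visible_elements(policy: Policy, session: Session, elements):
    """UI filter: keep only elements the user has at least read access to."""
    return [e for e in elements if effective_privilege(policy, session, e) >= Privilege.READ]


def authorize_command(policy: Policy, session: Session, resource: str) -> bool:
    """Server-side check that must run regardless of what the UI displayed."""
    return effective_privilege(policy, session, resource) >= Privilege.COMMAND


# Constructed sample policy (assumed names; not a Desigo CC configuration).
POLICY = Policy(
    user_groups={"alice": {"Operators"}, "bob": {"Admins"}},
    logical_groups={"HVAC": {"Site/BuildingA/AHU1", "Site/BuildingA/AHU2"}},
    rules=[
        Rule("Operators", "Site/BuildingA", Privilege.READ),
        Rule("Operators", "group:HVAC", Privilege.COMMAND,
             org_modes=frozenset({"normal"}), workstations=frozenset({"WS-CTRL-01"})),
        Rule("Admins", "Site", Privilege.COMMAND),
    ],
)

if __name__ == "__main__":
    elements = ["Site/BuildingA/AHU1/Setpoint", "Site/BuildingB/Lighting", "Site/BuildingA/Door1"]
    for session in (Session("alice", "WS-CTRL-01", "normal"),
                    Session("alice", "WS-LOBBY-02", "normal"),
                    Session("alice", "WS-CTRL-01", "emergency")):
        print(session, "sees", visible_elements(POLICY, session, elements),
              "command AHU1:", authorize_command(POLICY, session, elements[0]))
```

Two things the example makes concrete: the same user drops from commanding to read-only when the organization mode or the workstation no longer satisfies the rule's conditions, and `authorize_command` is evaluated on its own, so a request for an element the UI hid is still refused.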