User Manual
4 Cyber Security Concepts - How to Secure the System
Siemens Application Note, Smart Infrastructure
The ClickOnce client is not impacted. It runs automatically on TLS 1.2 when the
protocol is available on the client.
Windows SMBv1 Remote Code Execution Vulnerabilities
Remote code execution vulnerabilities exist in the way that the Microsoft Server
Message Block 1.0 (SMBv1) server handles certain requests. An attacker who
successfully exploited the vulnerabilities could gain the ability to execute code on
the target server.
To exploit the vulnerability, in most situations, an unauthenticated attacker could
send a specially crafted packet to a targeted SMBv1 server.
The EternalBlue exploit targets a vulnerability in the SMBv1 protocol (addressed in
Microsoft Security Bulletin MS17-010), reached over TCP port 445. In a typical attack,
the attackers scan the internet for hosts exposing port 445 and launch the exploit
against each one found. If the target is vulnerable, the attacker then runs a payload
of their choice on it. This was the mechanism behind the rapid spread of the
WannaCryptor.D (WannaCry) ransomware across networks.
Mitigating Factors: Install the MS17-010 update, disable SMBv1 (server and client side) in Windows and Windows Server, require SMB signing and prefer SMB 3, and never expose TCP port 445 to untrusted networks.
See the following references:
https://support.microsoft.com/en-sg/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-settings/microsoft-network-server-digitally-sign-communications-always
https://blogs.technet.microsoft.com/filecab/2012/05/03/smb-3-security-enhancements-in-windows-server-2012/
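The following PowerShell script is an added example and is not part of the Siemens application note or of Desigo CC. It performs the SMBv1 audit and hardening described above on one Windows host: it reports whether SMBv1 is enabled and whether SMB signing is required, refuses to proceed while any client is still connected with an SMB 1.x dialect (those clients would lose access), then disables SMBv1, turns on mandatory signing and removes the SMB1 component. It assumes an elevated PowerShell session on Windows 8.1 / Server 2012 R2 or later; the MS17-010 update itself must still be confirmed separately through Windows Update history.

```powershell
# Added example, not code from the Siemens application note.
# Audit and harden SMB on the local Windows host per the MS17-010 / SMBv1
# guidance above. Run from an elevated PowerShell on Windows 8.1 /
# Server 2012 R2 or later. Assumption: no Desigo CC component on this host
# depends on SMB1 clients; the session check below verifies that.

$ErrorActionPreference = 'Stop'

# 1. Current state of the SMB server: is SMB1 on, is signing mandatory?
$srv = Get-SmbServerConfiguration
[PSCustomObject]@{
    SMB1Enabled     = $srv.EnableSMB1Protocol
    SMB2Enabled     = $srv.EnableSMB2Protocol
    SigningRequired = $srv.RequireSecuritySignature
} | Format-List

# 2. Anyone still talking SMB1 to this host? A session with Dialect 1.x
#    breaks as soon as SMB1 is disabled, so those clients are fixed first.
$legacy = Get-SmbSession | Where-Object { $_.Dialect -like '1.*' }
if ($legacy) {
    Write-Warning 'Active SMB1 sessions found; update these clients before disabling SMB1:'
    $legacy | Select-Object ClientComputerName, ClientUserName, Dialect | Format-Table
    return
}

# 3. Disable the SMB1 server protocol and require signing on every SMB
#    connection (the hardening the references above describe).
Set-SmbServerConfiguration -EnableSMB1Protocol $false `
                           -RequireSecuritySignature $true -Force

# 4. Remove the SMB1 component (server and client side). The feature name
#    differs between workstation and server SKUs; ProductType 1 = workstation.
$os = Get-CimInstance Win32_OperatingSystem
if ($os.ProductType -eq 1) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
} else {
    Uninstall-WindowsFeature -Name FS-SMB1
}

# 5. Verify: both values should now read False / True. A reboot completes
#    the component removal.
(Get-SmbServerConfiguration) | Select-Object EnableSMB1Protocol, RequireSecuritySignature
```

Run the script once to see the report and the list of legacy sessions, fix or replace those clients, then run it again to apply the change. Step 4 removes the SMB1 client driver as well, so the host can no longer be talked into an SMB1 connection by a malicious server either.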
Patching
All components (such as virtualization software, operating systems or anti-malware
software) should always be running with the latest security patches. Siemens cannot
provide patches for components that are operated together with Desigo CC but do not
originate from Siemens, such as client operating systems; these must be patched
through their own vendors' update channels.
Use a proper discovery service
You can only patch what you know about, so the first requirement is broad discovery.
A proper discovery service combines active and passive discovery and can identify
physical, virtual, on-premise and off-premise systems that access your network.
Maintaining this current inventory of production systems, including IP addresses, OS
types and versions, and physical locations, keeps your patch management efforts up to
date. It is therefore important to inventory your network on a regular basis.
Perform application patching
A common limitation of OS-centric patch tools and discovery services is that they
account only for the operating system and its own applications and ignore third-party
software. Many of the vulnerabilities on Windows systems are in non-Microsoft
applications running on Windows, so you need comprehensive application coverage
as well as comprehensive OS coverage.
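The following PowerShell script is an added example, not part of the Siemens application note, covering both the discovery and the application-patching points above. For a list of Windows hosts it collects the inventory fields the text asks for (IP address, OS type and version, most recently installed Windows update) together with the installed non-Microsoft applications and their versions, and writes everything to a CSV that a patch review can work from. Hosts that cannot be reached still appear in the output, flagged as unreachable, so that off-premise or powered-off machines are not silently dropped from the inventory. The host names are constructed placeholders; the script assumes WinRM and CIM are enabled on the targets and that the caller is a local administrator there.

```powershell
# Added example, not code from the Siemens application note.
# Collect a patch-management inventory from a list of Windows hosts.
# Assumptions: WinRM/CIM enabled on the targets, caller is local admin there.
# The host names below are constructed placeholders, not a real site.

$targets = @('DESIGOCC-SRV01', 'DESIGOCC-CLT01')   # constructed example names

function Get-PatchInventory {
    param([string[]]$ComputerName)

    foreach ($cn in $ComputerName) {
        try {
            $session = New-CimSession -ComputerName $cn

            $os = Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem
            $ip = Get-CimInstance -CimSession $session -ClassName Win32_NetworkAdapterConfiguration |
                  Where-Object { $_.IPEnabled } |
                  Select-Object -First 1 -ExpandProperty IPAddress

            # Most recent Windows update; InstalledOn is a DateTime from Get-HotFix.
            $lastFix = Get-HotFix -ComputerName $cn |
                       Sort-Object InstalledOn | Select-Object -Last 1

            # Third-party applications from both Uninstall registry views.
            # Win32_Product is deliberately avoided: querying it makes MSI
            # reconfigure every installed product on the target.
            $apps = Invoke-Command -ComputerName $cn -ScriptBlock {
                $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
                Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
                    Where-Object { $_.DisplayName -and $_.Publisher -notlike 'Microsoft*' } |
                    Select-Object DisplayName, DisplayVersion, Publisher
            }

            [PSCustomObject]@{
                Host           = $cn
                Reachable      = $true
                IPAddress      = $ip
                OS             = $os.Caption
                OSVersion      = $os.Version
                LastHotFix     = $lastFix.HotFixID
                LastHotFixOn   = $lastFix.InstalledOn
                ThirdPartyApps = ($apps | ForEach-Object {
                                     "$($_.DisplayName) $($_.DisplayVersion)" }) -join '; '
            }
            Remove-CimSession $session
        }
        catch {
            # Keep unreachable hosts in the inventory so they are followed up,
            # not forgotten (off-premise laptops, powered-off workstations).
            [PSCustomObject]@{
                Host = $cn; Reachable = $false; IPAddress = $null
                OS = $null; OSVersion = $null; LastHotFix = $null
                LastHotFixOn = $null; ThirdPartyApps = $_.Exception.Message
            }
        }
    }
}

Get-PatchInventory -ComputerName $targets |
    Export-Csv -NoTypeInformation -Path .\patch-inventory.csv
```

Sorting the CSV by LastHotFixOn shows at a glance which hosts have gone longest without an update, and the ThirdPartyApps column is the list to compare against vendor advisories for the non-Microsoft software the text warns about. Feed the script the host list from your discovery service rather than a hand-maintained array so that newly discovered systems are included automatically.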
Apply coverage on and off premise
Patching your OS and applications is of little value, however, unless it is done for
every computer in every location. Users can work remotely without ever connecting
to the corporate network, yet these systems must be secured as if they were on
premise. Patch management systems and other security controls should provide the
same level of coverage and control off premise as they do on premise.
Patch frequently
As more end-user systems leave the network, patching frequency becomes more
important. You may be following the patching patterns of prominent tech