User Manual

5 Checklist
Cyber Security Concepts - How to Secure the System
Siemens Application Note
Smart Infrastructure
every Windows machine using it also sports a supporting BIOS, and has the Trusted Platform Module (TPM) chip enabled.
Obfuscate Local Administrator Accounts
Malicious programs and hackers often target default local administrator accounts as low-hanging fruit for exploitation. Renaming an administrator account adds a simple but effective layer of defense against brute force attacks. Choosing a less common name makes the account less susceptible to hacking attempts, though in later versions of Windows, local administrator accounts are disabled by default.
Disable Guest/Anonymous Accounts
This applies to both Windows and Windows-related services: guest and anonymous accounts used by Windows, as well as by other Windows-related services (e.g. MS SQL, Exchange), should be disabled. Be sure to account for all Windows-related packages, including SharePoint deployments and IIS instances.
Disable Windows Users
Windows accounts should be disabled. Only Desigo CC accounts should be allowed.
Put LAN Manager in Check
The dated LM (LAN Manager) and NTLMv1 authentication protocols have vulnerabilities and should be disabled. LM hash storage should also be disabled, as LM password hashes are easily converted back to plain text.
Institute Proper Password Management
In the Windows security realm, 12 characters is the bare minimum for a marginally
strong password. As an added precaution, requiring users to select passwords with
a 15-character minimum will suffice—with the usual symbol and case assortment
requirements.
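An added example, not part of the Siemens application note: the account, LM/NTLMv1 and password items above checked offline against a policy file exported with `secedit /export /cfg policy.inf`. The sample export is constructed, the function name and finding keys are hypothetical, and the targets of 15 characters and LmCompatibilityLevel 5 (refuse LM and NTLMv1) are assumptions drawn from the text above.

```python
import configparser

# Constructed sample in the layout `secedit /export /cfg policy.inf` writes.
# Real exports are UTF-16; decode the file before passing its text to audit().
SAMPLE_EXPORT = r'''
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
EnableGuestAccount = 1
NewAdministratorName = "Administrator"
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,3
'''

NOLMHASH = r"MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash"
LMLEVEL = r"MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel"


def audit(export_text, min_length=15):
    """Return {check: message} for each checklist item the export fails."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(export_text)  # option names are lower-cased on read and lookup
    access = cp["System Access"] if cp.has_section("System Access") else {}
    registry = cp["Registry Values"] if cp.has_section("Registry Values") else {}

    def dword(key):
        # Entries read "<path>=<type>,<value>"; a missing entry counts as not enforced.
        raw = registry.get(key)
        return int(raw.split(",", 1)[1]) if raw else None

    findings = {}
    length = int(access.get("MinimumPasswordLength", 0))
    if length < min_length:
        findings["password_length"] = f"minimum length is {length}, want {min_length}"
    if access.get("PasswordComplexity", "0") != "1":
        findings["password_complexity"] = "complexity requirements are off"
    if access.get("EnableGuestAccount", "0") != "0":
        findings["guest_enabled"] = "Guest account is enabled"
    admin = access.get("NewAdministratorName", "Administrator").strip('"')
    if admin.lower() == "administrator":
        findings["admin_default_name"] = "built-in administrator is not renamed"
    if dword(NOLMHASH) != 1:
        findings["lm_hash_stored"] = "NoLMHash is not set to 1"
    level = dword(LMLEVEL)
    if level is None or level < 5:
        findings["lm_ntlmv1_accepted"] = f"LmCompatibilityLevel is {level}, want 5"
    return findings
```

Calling `audit(SAMPLE_EXPORT)` on the constructed sample reports the short password length, the enabled Guest account, the default administrator name and the LmCompatibilityLevel of 3.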
Controls Status
Implement physical and environmental security controls
Implement network separation
Implement protective firewall rules
Implement secure communication to the clients
Implement user management controls
Implement access control measures
Implement operational security controls
Clients
All clients that are attached to other networks must implement secure operation
including hardening and malware protection in order to reduce risk to Desigo CC.
Hardening is performed using mostly native Windows and Microsoft tools.
Malware and hackers attack by exploiting security vulnerabilities. The solution is to
reduce the attack surface so that we provide fewer opportunities for exploitation.
The main principle is Least Privilege. Implementing the principle of least privilege means configuring your system so that it does only what you normally need it to do, and nothing else. This minimizes the attack surface and removes services that listen on the network 24/7 for anything that anybody wants to send them (like an exploit).
Good security means deter, deny, delay and detect. Hardening covers the first
piece.
You must also disable the saving function for credentials for all browsers.