Cerberus® DMS NK823x Cybersecurity Guidelines A6V11979532_en_b 2021-02-28
Table of Contents
About This Document
Applicable Documents
Download Center
Technical Terms and Abbreviations
Document Revision History
About This Document
Purpose
These guidelines provide guidance and conditions for connecting legacy fire and intrusion detection systems to the Cerberus DMS system over NK823x devices. They describe all the permitted applications for the intended operational environment. For security-related information that helps the system owner maintain security over the life cycle of the system, see Operation/Maintenance [➙ 16].
Applicable Documents
Title | Document ID/Reference
Operation of electrical installations – Part 1: General requirements | EN 50110-1:2013
Industrial communication networks – Network and system security – Part 1-1: Terminology, concepts and models | IEC/TS 62443-1-1
Industrial communication networks – Network and system security – Part 2-1: Establishing an industrial automation and control system security program | IEC 62443-2-1
Information technology – Security tech
Technical Terms and Abbreviations
Term | Description
Autotrunking | Autotrunking is a function that enables one or more switch ports in a Cisco system of virtual local area networks (VLANs) to carry traffic for any or all the VLANs accessible through a particular switch. ... In Cisco's Dynamic Trunking Protocol (DTP), a port can be set to autotrunking by default (DTP auto).
Security Level information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end-users (for example, asset owner), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, implementing, or managing IACS.
TNW | Acronym for trusted network.
Untrusted network | The term untrusted network refers to users or devices of an area which is considered not secure or not protected. Typically, this area is a network outside the trusted network.
UTNW | Acronym for untrusted network.
VLAN | Virtual LAN. Any broadcast domain that is partitioned and isolated in a computer network at the data link layer (OSI layer 2).
Document Revision History
Document Identification
The document ID is structured as follows:
ID_Language(COUNTRY)_ModificationIndex_ProductVersionIndex
Example: A6Vnnnnnnnn_en_a_02
Document Revision History
Modification Index | Edition Date
a | 2020-02-29 | First edition
b | 2021-02-28 | Minor corrections and update for Cerberus DMS V5.
1 IT Security Notices
Responsibility of the System Owner
The information technology (IT) used on site is the responsibility of the system owner.
Standards, Regulations, and Legislation
Follow the policies of your company as well as any national regulations or international standards, such as ISO/IEC 27002 and IEC 62443. The Federal Office for Information Security (BSI) provides information on basic Cybersecurity for Germany in both German and English.
2 Cybersecurity Guidelines Reference
For the following topics, refer to the relevant sections in the Cerberus DMS Cybersecurity Guidelines document (see Applicable Documents [➙ 4]).
3 System Security Guidelines
The NK823x Ethernet port is a BACnet gateway that can integrate legacy fire and intrusion detection systems over serial connections and provide Cerberus DMS with BACnet/IP connectivity over local and remote networks. NK823x units can also support onboard I/O lines and local DF8000 I/O modules.
3.1 Current Software and Firmware Version Status
Contact your local Siemens service organization to verify if the latest software and firmware versions are installed in your NK823x units.
Latest available versions at creation of this document:
NK823x firmware for Desigo CC/Cerberus DMS: 06/05/20 5.0.2
NK823x kernel for:
● NKM8001-A1 hardware version: "Linux 2.6.32.41 #216 Thu Dec 12 08:11:34 CET 2013 ppc - 4.
Protected System Configuration
3.2.1 Zone Boundary Protection
The NK823x system is a safety-related system that must be protected from attacks and unauthorized access from untrusted networks, for example, the Internet. The plant operator is responsible for network planning and design, including the zone boundary protection. The NK823x system is a physically separated network that forms a Protected Zone.
3.2.2 Access Through Untrusted Networks
Communication over untrusted networks between remote clients and the Protected Zone must be protected with a highly secure communication channel.
● The Protected Zone must always be protected by a firewall.
● Use VPN technology for the communication channel. VPN technology does not need to be integrated with every component.
3.3 Installation/Commissioning
3.3.1 Security Measures
Physical Security
● The NK823x must be installed inside the housing of a control unit or inside a dedicated cabinet (NE8001).
● The Cerberus DMS server machine must be locked in a restricted access control room.
● The NK823x Ethernet port and housing must be installed in the same protected room as Cerberus DMS or in a dedicated protected room.
3 System Security Guidelines Operation/Maintenance 3.3.
4 Intended Operation Environment (Including Deployment Options)
4.1 Definition of Intended Operational Environment
The NK823x Ethernet port system is an automation device that connects control units for fire and intrusion with the Cerberus DMS management station.
● I2C bus
● 3 digital inputs; 1 relay output
● USB port supporting mass storage devices for logging storage of selectable data flow (upstream and/or downstream)
  USB port file system: FAT32; 2-64 GB
The communication between Cerberus DMS and NK823x is based on BACnet/IP, which is an unprotected protocol on TCP/IP.
Isolated Network Deployment
● In case one of the allowed components is remote, physically protected and secured communication is also required, through tunneling that enables users to create a virtual network between two remote points on an existing public IP network and communicate through a VPN.
Protected Zone: Physically separated, private network.
MMS: Management station
Component requirements
MMS
● Is part of the Protected Zone.
● Has no connection to other networks or systems.
NK823x device
● Is part of the Protected Zone.
● Has no connection to other networks or systems.
● A direct connection is established between the Protected Zone and the component in the protection zone.
4.3 Tunneled Network Deployment
VPN (https://en.wikipedia.org/wiki/Virtual_private_network) is a solution for creating a virtual network. A VPN uses a technique called tunneling, which enables users to create a virtual network between two remote points on an existing public IP network and communicate freely.
Remote Access
LAN/WAN connectivity is possible through NK823x Ethernet ports. Communication to components on the Internet must be secured with certificates provided by the customer or a trust center. It must also be protected by professional hardware firewalls/DMZ.
Component requirements
MMS
● Is not part of the NK823x Protected Zone.
● Is at the same time connected with an untrusted network (for example, a WAN).
● A direct connection with a dedicated cable is made to the router of the untrusted network.
● Initiates a VPN connection to the NK823x zone border protection component.
Zone Boundary Protection
● Use a firewall to protect the Protected Zone.
Access MMS Through the Customer’s Network
In case the MMS is installed in the customer network and connected remotely to NK823x, a secure connection through VPN is required. The following figure presents remote access to an NK823x system with MMS through the customer’s network.
[Figure labels: MMS, CNW, Router + FW + VPN-EP, Protected Zone, FS20, CS11, STT11/20, SI410, AlgoRex, Sintony, DF8000]
● The Protected Zone is accessed only through an external firewall.
● The computer with MMS must be configured as the access point to the NK823x device.
● A single route to the MMS must be configured using the computer with MMS in all the Ethernet subscribers of the NK823x device for one extended network.
Direct means that both devices and their cable connection are visible at the same time and thus a potential manipulation might be recognizable.
Issued by Siemens Switzerland Ltd Smart Infrastructure Global Headquarters Theilerstrasse 1a CH-6300 Zug +41 58 724 2424 www.siemens.com/buildingtechnologies © Siemens Switzerland Ltd, 2021 Technical specifications and availability subject to change without notice.