System Security Guidelines
A6V11979532_en_b
3.3 Installation/Commissioning
3.3.1 Security Measures
Physical Security
● The NK823x must be installed inside the housing of a control unit or inside a
dedicated cabinet (NE8001).
● The Cerberus DMS server machine must be locked in a restricted access
control room.
● The NK823x Ethernet port and housing must be installed in the same protected
room as Cerberus DMS or in a dedicated protected room.
● Cerberus DMS and the NK823x Ethernet port must be connected through a
dedicated Ethernet cable when Cerberus DMS and NK823x are installed in the
same room.
● The connection between NK823x and the field control units must be placed in
the same protected room.
● A network connection is allowed only through a tunneling VPN.
Network Protection
● The NK823x must be installed in a protected network: either a LAN without
external access or, in the case of a WAN, behind a firewall.
● The firewall shall be adequately configured.
● Cerberus DMS and its subsystems must be physically isolated (through a
dedicated network) from the customer’s network and the Internet. This also
includes RDP connections.
● The NK823x Ethernet port must be installed in a protected cabinet and
connected to Cerberus DMS through a dedicated network or a VPN.
● A VPN must be used to protect client/server communication by tunneling
it.
● Disable FTP and use Secure download instead.
Measures to be Observed
● The communication between the Cerberus DMS server and the NK823x zone
must be encrypted (see Tunneled Network Deployment [➙ 21]).
● The NK823x-specific requirements for communication must be respected (see
Definition of Intended Operational Environment [➙ 17]).
● The communication channel must not be connected to external devices (see
Definition of Intended Operational Environment [➙ 17]).
● The communication channel must allow NK823x-related communication only
(see Definition of Intended Operational Environment [➙ 17]).
VLAN Configuration Requirements
The owner of the network or the plant operators are responsible for creating a
secure VLAN configuration. The following requirements must be met:
● Only static VLANs must be used.
● Any connection to other VLANs, such as through monitoring, is not allowed.
● Standard segments, such as VLAN1, must not be used.
● Unused ports must be disabled and assigned to an unused VLAN.
● The autotrunking function of the switch must be deactivated.
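
The following is an added example, not part of the original guide or of any Siemens tooling: a small audit that checks an exported switch-port inventory against the five VLAN requirements above. The record fields, the rule names, the port names and the VLAN numbers 823 and 999 are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

DEFAULT_VLAN = 1     # standard segment the guide forbids
PARKING_VLAN = 999   # constructed: otherwise unused VLAN for disabled ports

@dataclass
class Port:                      # hypothetical inventory record
    name: str
    vlan: int
    in_use: bool
    admin_up: bool
    assignment: str = "static"   # "static" or "dynamic"
    autotrunk: bool = False      # trunk auto-negotiation enabled
    mirror_vlan: Optional[int] = None  # VLAN receiving mirrored traffic

def audit(ports):
    """Return sorted (port, rule) findings for the five VLAN requirements."""
    findings = set()
    for p in ports:
        if p.assignment != "static":
            findings.add((p.name, "dynamic-vlan"))
        if p.mirror_vlan is not None and p.mirror_vlan != p.vlan:
            findings.add((p.name, "cross-vlan-monitoring"))
        if p.vlan == DEFAULT_VLAN:
            findings.add((p.name, "default-vlan"))
        if p.autotrunk:
            findings.add((p.name, "autotrunking"))
        if p.in_use:
            # The parking VLAN only stays "unused" if no live port sits in it.
            if p.vlan == PARKING_VLAN:
                findings.add((p.name, "parking-vlan-in-use"))
        else:
            if p.admin_up:
                findings.add((p.name, "unused-port-enabled"))
            if p.vlan != PARKING_VLAN:
                findings.add((p.name, "unused-port-not-parked"))
    return sorted(findings)

# Constructed sample inventory (not taken from any real switch).
SAMPLE = [
    Port("p1", 823, True, True),
    Port("p2", 1, True, True),
    Port("p3", 823, True, True, autotrunk=True),
    Port("p4", 823, True, True, assignment="dynamic"),
    Port("p5", 823, True, True, mirror_vlan=10),
    Port("p6", 823, False, True),
    Port("p7", 999, False, False),
]

if __name__ == "__main__":
    for name, rule in audit(SAMPLE):
        print(f"{name}: {rule}")
```
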