System Security Guidelines
A6V11979532_en_b
3.3.2 Port Settings

NK823x

A  Requirements
   TCP/IP 10BaseT (100BaseT or 100BaseT (NK823x only)), 250 Kbit/sec bandwidth required

B  Ports
   ● TCP Ports 20 and 21 (FTP for the configuration download to NK823x)
   ● TCP Port 22 (SSH Secure Shell)
   ● TCP Port 20500 (if secure configuration and firmware download is enabled)
   ● TCP Port 4000 for service messages
   ● UDP Port 47808 (hex BAC0) is default for BACnet connectivity, but is configurable

C  Bandwidth measures
   Normal operations:
   ● 0.1 Kbit/sec per NK823x + 0.1 Kbit/sec per control unit.
   Peaks (firmware and configuration downloads):
   ● 64 Kbit/sec (file transfer, around 5 sec) per NK823x

D  Web server
   The web server is never enabled on the NK823x for Cerberus DMS.

Other LAN/WAN Connections for Specific Control Units

A  Requirements
   Depends on communication characteristics of the control unit. For example, a serial link at 9600 bps with LAN adapter will require 1 Kbps.

B  TCP ports
   Depends on specific communication characteristics. Typically, this is configurable in software.

C  Bandwidth measures
   Depends on specific communication characteristics.
   ● In case of serial links with LAN adapter, it is recommended to consider the entire serial baud rate as maximum impact.

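
The NK823x port table above can be used as an allow-list when reviewing firewall or flow logs. The following is an added example, not part of the original guideline or of any Siemens tooling: the `Flow` record, the `audit` function, the sample flows and the choice of 80/443 as web server ports are assumptions made for illustration.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    proto: str    # "tcp" or "udp"
    nk_port: int  # port on the NK823x side of the flow (assumed log field)
    peer: str     # address of the other endpoint

WEB_PORTS = {80, 443}  # assumption: usual web server ports; not listed in the table

def nk823x_allowlist(secure_download: bool, bacnet_port: int = 47808) -> dict:
    """Map (proto, port) -> purpose, following the NK823x port table."""
    allowed = {
        ("tcp", 20): "FTP configuration download",
        ("tcp", 21): "FTP configuration download",
        ("tcp", 22): "SSH",
        ("tcp", 4000): "service messages",
        ("udp", bacnet_port): "BACnet",  # 47808 (hex BAC0) by default, configurable
    }
    if secure_download:  # TCP 20500 is only needed when secure download is enabled
        allowed[("tcp", 20500)] = "secure configuration and firmware download"
    return allowed

def audit(flows, secure_download: bool, bacnet_port: int = 47808) -> list:
    """Return (reason, flow) for every flow the port table does not cover."""
    allowed = nk823x_allowlist(secure_download, bacnet_port)
    findings = []
    for flow in flows:
        key = (flow.proto.lower(), flow.nk_port)
        if key in allowed:
            continue
        if key[0] == "tcp" and key[1] in WEB_PORTS:
            reason = "web server port seen, but the web server is never enabled"
        elif key == ("tcp", 20500):
            reason = "port 20500 seen, but secure download is not enabled"
        elif key == ("udp", 47808):
            reason = "default BACnet port seen, but another port is configured"
        else:
            reason = "port not in the NK823x port table"
        findings.append((reason, flow))
    return findings

# Constructed sample flows (not from a real capture).
SAMPLE = [
    Flow("tcp", 22, "10.0.0.5"),
    Flow("udp", 47808, "10.0.0.5"),
    Flow("tcp", 20500, "10.0.0.5"),
    Flow("tcp", 80, "10.0.0.9"),
    Flow("tcp", 23, "10.0.0.9"),
]
```

Calling `audit(SAMPLE, secure_download=False)` reports the flows on TCP 20500, 80 and 23; with `secure_download=True` only the last two remain.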
3.4 Operation/Maintenance
3.4.1 Maintenance of IT Components
The preservation of IT security is an ongoing process for which the corresponding
tasks must be repeated continuously. Therefore, every security measure must be
examined to determine whether a one-time implementation is sufficient or periodic
maintenance is required, such as regularly updating the antivirus software.
● Log all the maintenance actions performed.
● Install security updates regularly.
● At regular intervals, carry out a risk analysis on the security features of the
software in use.
● Observe the guidance in section IT Security in the document Cerberus DMS
Cybersecurity Guidelines (see Applicable Documents [➙ 4]).
3.4.2 Phase out/End of Life
Every IT component involved in the access to the Protection Zone must be
replaced when the manufacturer no longer supplies it with security updates. If
this EOL IT component cannot be replaced, the Protection Zone must be
immediately disconnected from untrustworthy networks.