User Guide
Table Of Contents
Intended Operation Environment
Definition of Intended Operational Environment
4
18 | 26
A6V11979532_en_b
● I
2
C bus
● 3 digital inputs; 1 relay output
● USB port supporting mass storage devices for logging storage of selectable
data flow (upstream and/or downstream)
USB port file system: FAT32; 2-64 GB
The communication between Cerberus DMS and NK823x is based on BACnet/IP,
which is an unprotected protocol on TCP/IP.
This requires that the connection between Cerberus DMS (and third-party Modbus
hosts) and the NK823x Ethernet port must be protected from attacks and
unauthorized access.
Cerberus DMS and NK823x must be operated in a protected environment. The
following secure deployments are possible:
● Isolated network [➙ 19]
● Tunneled network [➙ 21]
The components in Cerberus DMS must not be connected to other networks (for
example, intranet or the Internet), except for any temporary connections created for
maintenance purposes.
The following sections describe the permitted use cases in detail. Any other
possible applications other than the following use cases are not permitted.
BACnet Security
BACnet is a public protocol and no encryption is currently supported by
management stations and control units.
This threat requires a serious evaluation when planning a BACnet network for
danger management, and appropriate security measures should be considered
carefully. Among various technical solutions, we recommend the implementation of
a VPN (Virtual Private Network), a private data network that makes use of a public
telecommunication infrastructure, maintaining privacy thanks to a tunneling
protocol and encryption techniques.
VPNs can therefore create a secure connection for BACnet communications
between management stations and control units.
The Cerberus DMS management stations based on a Windows computer can
directly handle VPN links with an appropriate configuration setting (refer to
Microsoft documentation or the numerous support sites). Field control units
typically require a network security device (such as Cisco ASA, Siemens Simatic
Scalance S) that can provide the necessary VPN functions.
NOTICE
Insecure Networks
Connections between computers at backbone level and insecure networks (like
the Internet or any other networks) can compromise the security of the system.
Zone Boundary Protection
● The NK823x isolated network is a security zone physically protected (for
example, locked in a rack in the server room). It uses separated networks that
only permit restricted access to its components.
● An exception can be made for a temporary connection open for maintenance
remote access to be closed immediately after the operation has been
completed.
● A separate VLAN alone does not meet the requirements for Zone Boundary
Protection. A firewall is also required.