User Manual
siemens.com/desigocc
All rights reserved
© Siemens Switzerland Ltd. 2021
Desigo CC | Cybersecurity Meets Building Management Systems
“Security by Default”
The concept of Security by Default is closely related to
Security by Design. It calls for all protective measures to be
automatically activated and in force by default at the time
of product delivery, installation, or initial commissioning.
Security by Default is applied more frequently today to
counteract the fact that many developers used to ship
software with wide-open settings because they assumed
users would configure the security at setup. Unfortunately,
the majority of users never even consider security once the
software is running. For security to work effectively, it must
be built in and active from day one. Furthermore, security
that’s added later is difficult to patch or retrofit when new
methods of attack are identified.
While Security by Default is gaining ground, there are no
uniform regulations currently governing this approach.
As a result, appropriate security settings are often not
defined in advance, resulting in the need for users to adjust
them after the product is installed. Siemens, on the other
hand, designs and preconfigures its systems to use the
most secure settings at installation by default and as a
standard. To eliminate potential vulnerabilities, we
prioritize the creation of strong authentication and
authorization steps and use encryption to protect data and make
communications more secure. We then adopt the highest
appropriate level of security and data protection for each
software layer and incorporate it into the design of the
product, functionalities, processes, and operations. Finally,
we make sure that the embedded security is activated
immediately once the system is put into use.
Making security by default successful involves examining
the issue of how products can provide optimum security
once they leave the factory. Well-known examples of
vulnerabilities in real-life settings show how many
businesses were easy targets for malicious actors. In one
of the most unusual incidents, cybercriminals hacked a
casino through an Internet-connected thermometer in an
aquarium in its lobby.[2] This foothold gave the hackers
access to the casino’s network and then its database of
high-roller gamblers, which they uploaded to the cloud.
Some solutions are easier than others. To maintain a
reasonable level of security on site, it makes sense to
require the user to create a new password at the first
login. But what further security measures need
to be considered and what trade-offs may arise in the
interest of user-friendliness? There have been no
simple, universal answers to date, let alone specific
recommendations for action. Instead, the actions are
developed by the responsible product team. The signal
is clear, however: cybersecurity is no longer optional.
It’s now a mandatory requirement.
[2] For more information, see https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/.