User Manual
siemens.com/desigocc
All rights reserved
© Siemens Switzerland Ltd. 2021
Desigo CC | Cybersecurity Meets Building Management Systems
Applying Security by Design to Desigo CC
Desigo CC is a robust, open integrated building management
platform that helps create comfortable, safe, and sustainable
facilities. It enables operation and monitoring of a building.
Our Desigo CC design experts adhere to our company-wide
cybersecurity initiative as illustrated in Figure 2. They follow
the mandatory internal security policy that provides
measures for ongoing development of Desigo CC products
in accordance with the appropriate security level.
These measures help ensure that coding leads to secure
product architecture as well as more secure implementation
of software components. The software is designed to be
secure by default when installed. This means that certain
features and functions are secure at the default level.
And because we continuously enhance and evolve our
products, solutions, and services, Desigo CC will be kept up
to date as new security threats unfold. Below are examples
of “Security by Design” elements integrated into Desigo CC:
• ISA/IEC 62443-3-3 SL2 compliant deployments
• Placing the web server in a “demilitarized zone” (DMZ)
• Use of verified third-party components
• Seamless integration of certificates within customer IT infrastructure
• End-to-end encryption, from client to server
• End-to-end encryption between servers
• Encrypted communication to other devices and applications
• Certificate-based data exchange
• Encrypted backups
• User/workstation groups/roles control access to the system
• User group management via LDAP
• Controlled access to servers, clients, and applications
• Data access on a need-to-know basis
• Microsoft Active Directory-based authentication
• Support of OpenID Connect and OAuth
• Single sign-on with OpenID Connect
• 2-factor authentication with OpenID Connect
• 4-eye principle – second authentication
• Re-authentication
• Support of physical network or VLAN segmentation
• Segregation of networks into zones
• Multiple session entry points
• Session management mechanisms
• Customer adaptable system use notification
• Centrally managed audits
• Cybersecurity audit trail
• Engineering audit trail – validation
• Audit information protection
• Control system components inventory
• Support for secure functionality verification
• Support of antivirus and malware protection software
• Support for malicious code protection
• Support of hardware and software firewalls
Figure 2 – Siemens Cybersecurity Initiative Highlights
[Figure 2 labels, in order of appearance: Employee know-how; Customer security objectives & requirements; Specialist cybersecurity skills & consultancy; Company-wide cybersecurity initiative; Provide solid product foundation; Security design measures aligned to IEC62443; Continuous vulnerability & threat monitoring; Established incident handling process: Siemens ProductCERT; Secure product architecture & design; Pre-deployment assessment; Security testing; Deployment & maintenance; Incident & vulnerability management; Product security verification & validation; Regular manual penetration testing; Automated testing tools & methods; Derive customer protection goals; Focus on intended operational environment; Threat & risk assessment; Anticipate & mitigate foreseeable cyber threats; Product hardening; Secure installation & commissioning; Software maintenance program]