Basic Documentation

Siemens Switzerland Ltd
Building Technologies Division
International Headquarters
Head: Matthias Rebellius
Theilerstrasse 1a
6300 Zug
Switzerland
www.siemens.com/buildingtechnologies
SCF 10/2014 V13.06
Siemens Switzerland Ltd, Theilerstrasse 1a, 6300 Zug
To whom it may concern
Desigo CC 5.0 product family
Cyber-Security Penetration Tests
Dear Sir or Madam,
Being a founding member of the charter-of-trust.com, Siemens has committed to a high level of dependability when
it comes to matters of cyber security. As a manufacturer and system integrator, we honor this commitment by taking
adequate measures in development, planning, execution and service.
From its early days, cyber security has been of great importance for the products of the Desigo CC product family.
From the design stage onwards, the demand for a high level of cyber security has been followed. In collaboration
with independent IT security experts, the resulting architecture has been analyzed for potential cyber threats and
identified risks have been addressed with additional security measures. We follow the best practice of Secure Coding,
Secure by Default and Least Privileges to reduce the risk of security-relevant development errors. At the end of the
development process, independent security experts verify the robustness of our products when facing cyber-attacks.
These steps are part of our standard development routine and are employed for each new version of the Desigo CC
product family.
An isolated focus on the product itself is insufficient, however, when it comes to secure solutions using products of
the Desigo CC product family. A sufficient level of security can only be achieved when considering the deployment
scenario in a holistic manner. Only you as an operating company can define the importance of data and processes,
what requirements you have in terms of protection and what an adequate security concept should look like. Please
follow the Cybersecurity Guideline of the Desigo CC 5.0 product family and contact your local Siemens office should
you need support in creating this security concept.
We have decided to create more transparency when it comes to the cyber-security of the Desigo CC product family.
The Open Web Application Security Project (OWASP) is a globally renowned non-profit organization, independent
of Siemens, with the aim of improving cyber security of applications and services. OWASP issues a standard for
security testing - the Application Security Verification Standard (ASVS). Based on this standard, we have had a
security analysis performed by a testing lab approved by the German Federal Office for Information Security. Please
refer to Annex 1 and 2 for the credentials of the testing lab.
The security analysis performed was based on the OWASP Application Security Verification Standard for systems
with sensitive data (OWASP ASVS Level 2). Level 2 is the second-highest level of testing depth and comprises a
penetration test, an analysis of the development process and of the application design.
The complete OWASP testing catalog is available under:
https://www.owasp.org/index.php/Category:OWASP_Application_Security_Verification_Standard_Project
