User Manual
siemens.com/desigocc
All rights reserved
© Siemens Switzerland Ltd. 2019
Desigo CC | Cybersecurity Meets Building Management Systems
Applying Security by Design to Desigo CC
Desigo CC is a robust, open integrated building management
platform that helps create comfortable, safe and sustainable
facilities. It enables operation and monitoring of a building.
Our Desigo CC design experts adhere to our company-wide
cybersecurity initiative as illustrated in Figure 2. They follow
the mandatory internal security policy that provides
measures for ongoing development of Desigo CC products
in accordance with the appropriate security level. Desigo CC
products are developed according to ISO/IEC 62443.
These measures help ensure that coding leads to secure
product architecture as well as more secure implementation
of software components. The software is designed to be
secure by default when installed. This means that certain
features and functions are secure in their default configuration.
And because we continuously enhance and evolve our
products, solutions, and services, Desigo CC will be kept up
to date as new security threats unfold. Below are examples
of “Security by Design” elements integrated into Desigo CC:
• End-to-end encryption, from client to server
• End-to-end encryption between servers
• Encrypted communication to other devices
• Certificate-based data exchange
• Encrypted backups
• Seamless integration of certificates within customer
IT infrastructure
• Microsoft Active Directory-based authentication
• Use of the “least privilege” principle to limit data and
application access
• User/workstation groups/roles control access to
the system – designating appropriate tasks and
responsibilities
• 4-eye principle – Second authentication
• Re-authentication
• User group management via LDAP
• Cybersecurity audit trail
• Support of antivirus and malware protection software
• Support of hardware and software firewalls
• Use of network infrastructure that supports physical
network or VLAN segmentation
• Segregation of networks into zones
• Controlled access to servers, clients, and applications
• Placing the web server in a “demilitarized zone” (DMZ)
• Use of verified third-party components
Figure 2 – Siemens Cybersecurity Initiative Highlights
[Figure: diagram with two headings, "Company-wide cybersecurity initiative" and "Provide solid product foundation", and five lifecycle stages: Secure product architecture & design; Pre-deployment assessment; Security testing; Deployment & maintenance; Incident & vulnerability management. Labels in the diagram: Employee know-how; Customer security objectives & requirements; Specialist cybersecurity skills & consultancy; Security design measures aligned to IEC 62443; Continuous vulnerability & threat monitoring; Established incident handling process: Siemens ProductCERT; Product security verification & validation; Regular manual penetration testing; Automated testing tools & methods; Derive customer protection goals; Focus on intended operational environment; Threat & risk assessment; Anticipate & mitigate foreseeable cyber threats; Product hardening; Secure installation & commissioning; Software maintenance program.]