Desigo™ CC V4.
Table of Contents

About This Document
Applicable Documents
Download Center
Technical Terms and Abbreviations
Acknowledgements
About This Document

Purpose

These guidelines are designed to provide guidance and conditions for connecting to fire detection systems. They describe all the permitted applications for the intended operational environments. This document is intended to be transferred from installation personnel to the system owner. For security-related information that the system owner needs to maintain security over the life cycle of the system, see Operation/Maintenance.
Applicable Documents

| Title | Document ID/Reference |
|---|---|
| Operation of electrical installations – Part 1: General requirements | EN 50110-1:2013 |
| Industrial communication networks – Network and system security – Part 1-1: Terminology, concepts and models | IEC/TS 62443-1-1 |
| Industrial communication networks – Network and system security – Part 2-1: Establishing an industrial automation and control system security program | IEC 62443-2-1 |
| Information technology – Security tech | |
Technical Terms and Abbreviations

Autotrunking: Autotrunking is a function that enables one or more switch ports in a Cisco system of virtual local area networks (VLANs) to carry traffic for any or all of the VLANs accessible through a particular switch. ... In Cisco's Dynamic Trunking Protocol (DTP), a port can be set to autotrunking by default (DTP auto).
ISA-99/IEC 62443 Security Level: ANSI/ISA 62443 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end-users (for example, asset owner), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, implementing, or managing IACS.
Standalone station: Standalone station with local connection for the computer.

Trusted network: The term trusted network refers to users or devices of an area which is considered particularly secure or protected. Typically, this area is a private section of a network. This private section of the network must be protected from attacks by hackers and other security-related threats.
Acknowledgements

Responsibility of the System Owner

The information technology (IT) used on site is the responsibility of the system owner.

Standards, Regulations, and Legislation

Follow the policies of your company as well as any national regulations or international standards, such as ISO/IEC 27002 and IEC 62443. The Federal Office for Information Security (BSI) provides information on basic cybersecurity for Germany in both German and English.
Document Revision History

Document Identification

The document ID is structured as follows:
ID_Language(COUNTRY)_ModificationIndex_ProductVersionIndex
Example: A6Vnnnnnnnn_en_a_02

Document Revision History

| Modification Index | Edition Date | Brief Description |
|---|---|---|
| a | 2019-11-30 | First edition |
| b | 2020-06-26 | Harmonized system name as Novigo/Cerberus PACE |
1 Cybersecurity Guidelines Reference

For the following topics, refer to the relevant sections in the document Desigo CC V4.
2 System Security

The Novigo/Cerberus PACE voice evacuation system consists of multiple components, including audio network modules, intercoms, keypads, and amplifiers. Loudspeaker lines can be connected at each audio network module. Novigo/Cerberus PACE is an Ethernet-based digital audio network. Signals from audio frequency (AF) sources are digitized and fed into the network.
The integration between the Novigo/Cerberus PACE digital audio network and Desigo CC is achieved through the Net Design Software distributed by Novigo itself. This integration uses the DNA (Driver iNdependent Architecture) layer, which enables fast and efficient commissioning.

Figure 2: Driver iNdependent Architecture Layer

2.
[Figure 3: PACE zone. Network diagram; labels: Temp Connection, Fiber MM, Fiber SM, Ethernet RJ45, 100 V, ZBP, PACE zone, PACE PC, Switch 1 x 8/2 PN2005, Desk Call Station PT2001, Fire Brigade Call Station PT2002, Audio Matrix PC200X, EOL]
2.1.2 Access Through Untrusted Networks

Communication over untrusted networks between remote clients and the PACE zone must be protected with a highly secure communication channel.

● The PACE zone must always be protected by a firewall.
● Use VPN technology for the communication channel. VPN technology does not need to be integrated into every component.
2.2 Installation/Commissioning

2.2.1 Security Measures

Physical Security

● The Desigo CC server machine must be locked in a restricted access control room.
● The Novigo/Cerberus PACE control unit must be installed in the same protected room as Desigo CC or in a dedicated protected room.
2.2.2 Port Settings

To communicate with a Novigo/Cerberus PACE system, a PACE PC must be used, with the PACE-Design software activated. The computer connected to the Novigo/Cerberus PACE system must use a standard remote maintenance tool.
2.3 Operation/Maintenance

2.3.1 Maintenance of IT Components

The preservation of IT security is an ongoing process for which the corresponding tasks must be repeated continuously. Therefore, every security measure must be examined to determine whether a one-time implementation is sufficient or periodic maintenance is required, such as regularly updating the antivirus software.

● Log all the maintenance actions performed.
● Install security updates regularly.
3 Intended Operation Environment (Including Deployment Options)

3.1 Definition of Intended Operational Environment

The DNA (Driver iNdependent Architecture layer) software enables the integration between Desigo CC and Novigo/Cerberus PACE VA/PA systems, thus providing bidirectional communication, and alarm monitoring and management of Novigo/Cerberus PACE in Desigo CC.
Isolated Network Deployment

Zone Boundary Protection

● The Desigo CC isolated network is a physically protected security zone (for example, locked in a rack in the server room).
● It uses separated networks that only permit restricted access to its components.
● An exception can be made for a temporary connection opened for remote maintenance access, which must be closed immediately after the operation has been completed.
MMS Single-homed Local Access

Local access to a Novigo/Cerberus PACE system with a single-homed management station (MMS):

[Figure: network diagram; labels: Fiber MM, SM or Ethernet RJ45, PACE zone, PACE PC, MMS, Switch 1 x 8/2 PN2005, Desk Call Station PT2001, Fire Brigade Call Station PT2002, Audio Matrix PC200X]
3.3 Tunneled Network Deployment

A VPN (https://en.wikipedia.org/wiki/Virtual_private_network) is a solution for creating a virtual network. A VPN uses a technique called tunneling, which enables users to create a virtual network between two remote points on an existing public IP network and communicate freely.
Multi-homed Local Access

Multi-homed local access to a Novigo/Cerberus PACE installation with the remote maintenance tool:

[Figure: network diagram; labels: Temp Connection, UTNW, VPN, Fiber MM, SM, or Ethernet RJ45, PC, ZBP + VPN-EP, PACE zone, PACE PC, Switch 1 x 8/2 PN2005, Desk Call Station PT2001, Fire Brigade Call Station PT2002, Audio Matrix PC200X]
● Use a firewall to protect the PACE zone.
● A direct connection is established between the PACE zone with a dedicated cable.

Novigo/Cerberus PACE – Plant

● Physically separated network or standalone station.
● Forms a PACE zone.
● Access to the PACE zone only through an external firewall.
● Configure the computer with PACE-Design as the access point to the Cerberus PACE – Plant.
UTNW: Untrusted network
ZBP: Zone Boundary Protection. It is the VPN endpoint.
VPN-EP: VPN endpoint
MMS: Management station
PACE PC: Computer with PACE-Design

Unauthorized Access and Manipulation of the Security-relevant PACE Zone

In case of alarm, limited or no evacuation and personal injury due to a corrupted system.
Access MMS Through the Customer’s Network

Remote access to a Novigo/Cerberus PACE system with MMS through the customer’s network:

[Figure: network diagram; labels: MMS, VPN, Fiber MM, SM, or Ethernet RJ45, CNW, Router + FW + VPN-EP, PACE zone, PACE PC, Switch 1 x 8/2 PN2005, Desk Call Station PT2001, Fire Brigade Call Station PT2002, Audio Matrix PC200X]
Unauthorized Access and Manipulation of the Security-relevant PACE Zone

In case of alarm, limited or no evacuation and personal injury due to a corrupted system.

● Establish the communication from the MMS to the Cerberus PACE installation over a secure network connection, for example, with a VPN.

The following requirements must be met for the components:

MMS

● It must not be part of the PACE zone.
Issued by Siemens Switzerland Ltd Smart Infrastructure Global Headquarters Theilerstrasse 1a CH-6300 Zug +41 58 724 2424 www.siemens.com/buildingtechnologies A6V11917731_en_b_41 © Siemens Switzerland Ltd, 2020 Technical specifications and availability subject to change without notice.