BC80 Cybersecurity Guidelines Basic Documentation A6V11844210_enCN_a 2019-09-24 Smart Infrastructure
Table of Contents 1 About This Document....................................................................................... 3 1.1 Applicable Documents ......................................................................................... 4 1.2 Download center .................................................................................................. 4 1.3 Technical Terms and Abbreviations ..................................................................... 4 1.4 Acknowledgements ..............
1 About This Document Purpose This guideline is designed to provide the system owner with information security guidelines and controls for BC80 system. It describes all the permitted applications for the intended operational environment as well as security-related information for the system owner for maintaining security in the life cycle of the system. Scope This document applies to BC80 system.
Source Language and Reference Document ● ● The source/original language of this document is English (en). This document will be localized to Chinese (cn) if needed. The reference version of this document is the international version in English. The international version is not localized. Document identification The document ID is structured as follows: ID code Examples ID_ LanguageCOUNTRY_ModificationIndex -- = multilingual or international A6V11844210_enCN_a 1.
1.4 Acknowledgements Responsibility of the System Owner The system owner is responsible to delegate property engineer to work on site. They must monitor the fire system in fire control center and handle the events by policy requirement. Standards, Regulations and Legislation Follow the policies of your company as well as any national regulations or international standards, such as GB 50016-2012.
2 Safety 2.1 Safety instructions The safety notices must be observed in order to protect people and property. The safety notices in this document contain the following elements: ● Symbol for danger ● Signal word ● Nature and origin of the danger ● Consequences if the danger occurs ● Measures or prohibitions for danger avoidance Symbol for danger This is the symbol for danger. It warns of risks of injury. Follow all measures identified by this symbol to avoid injury or death.
0 How possible damage to property is presented Information about possible damage to property is shown as follows: 2.2 Safety regulations for the method of operation National standards, regulations and legislation Siemens products are developed and produced in compliance with the relevant national and international safety standards.
● Route mains connections to products separately and fuse them with their own, clearly marked fuse. ● Produce earthing as stated in local safety regulations. Mounting, installation, commissioning and maintenance ● If you require tools such as a ladder, these must be safe and must be intended for the work in hand. ● When starting the fire control panel ensure that unstable conditions cannot arise. ● Ensure that all points listed in the 'Testing the product operability' section below are observed.
0 malfunctioning and safety risks. Written confirmation must be obtained from Siemens and the corresponding safety bodies for modifications or additions. Modules and spare parts ● Components and spare parts must comply with the technical specifications defined by Siemens. Only use products specified or recommended by Siemens. ● Only use fuses with the specified fuse characteristics. ● Wrong battery types and improper battery changing lead to a risk of explosion.
2.4 Cybersecurity Disclaimer Siemens provides a portfolio of products, solutions, systems and services that includes security functions that support the secure operation of plants, systems, machines and networks. In the field of Building Technologies, this includes building automation and control, fire safety, security management as well as physical security systems.
0 3 Cybersecurity Basics 3.1 Introduction Cybersecurity includes all mechanisms for defending IT systems (such as computers, devices like primary controllers or web servers of a building automation system) against loss of system and information confidentiality, integrity and availability through unauthorized access, disruption, modification, destruction or retrieval of Unrestricted information as well as the usage of information gained without authorization through fraud and other criminal acts.
changed during the engineering phase, the system is at high risk, because the hacker can use it to install malicious software with administrator privileges. A control or countermeasure is put in place to mitigate the risk and can include HW or SW procedures, for example, a system with default passwords can be isolated from the rest of the system to reduce the likelihood of being accessed by an attacker. Figure 1: Threat and Risk Terminology 3.
0 The guidelines detailed in this document support a continuing process to achieve Cybersecurity at system level. 3.4 Network security All measures aligned toward securing the network must reduce the risk of potential security loopholes or vulnerabilities in BC80 from being exploited.
4 Protected System Configuration Concept The following sections detail the concept of a protected system configuration as well as specific use cases. The BC80 system is a fire alarm control application and must be protected from attacks and unauthorized access. The PC which FMS SW operated should be a dedicated one and should not be connected into public network, e.g. Internet. BC80 panel should be operated in a separated network (A_BUS). The network should not be connected to any other network.
5 Intended Operational Environments The figure below shows an overview of possible operational environment: Locate in fire control room with security guards A_BUS May located in the fire control room or other place with protection RS232 FMS SW USB F_BUS BF8001 F_BUS F_BUS Locate in all the buildings Figure 4–1: Example of an intended operational environment · · · · · A6V11844210_enCN_a The BC80 control panel shall be located in fire alarm room with security guards and physical access control,
· · · · · · 16 | 30 System failure message is indicated, e.g. buzzer, LED blaming, etc. Customer shall execute on-site risk scanning immediately according to fire alarm industry practices. In case system fails (hardware and software failure), customer shall contact Siemens VAP for maintenance immediately. According to standard operation procedure, manpower for fire incident checking shall be increased to ensure timely fire detection and treatment while BC80 control panel is under maintenance.
6 Cybersecurity Concepts – How to Secure the System Standards, guidelines, and legislation Comply with your company's guidelines as well as national legislation and international standards, e.g. GB 50016-2012. Security guidelines The security guidelines in this document offer the system operator additional specifications for operating the system in additional to the basic IT protection. These additional specifications are valid at the time of publication. 6.
6.3 Physical and Environmental Security In order to protect the BC80 system, the panel, the cabling, do the following: ● ● ● ● All the BC80 panels should be located in fire control room with restricted physical access control, e.g. 2 security guards, locked equipment cabinet, CCTV, etc. Cable between FMS SW and BC80 control panel should be physically protected and supervised properly, e.g. pipe protection.
6.5 Engineering PC Windows Hardening BC80 Engineering tool runs on a Windows PC, to provide a security environment of Engineering tool, you should maintain and configure the Windows Operation System. System Hardening Guidelines To harden a Windows Engineering PC, you must perform the following steps, at a bare minimum: ● Enable Windows Update. ● Always apply the manufacturer's up-to-date security patches. ● Enable Windows Defender or install anti-virus software. ● Disable all unnecessary services, (e.g.
Figure 6–1: Example of Multi-homed network panels with FMS Topic Required Hardening Physical protective measures Cable between FMS SW and BC80 control panel shall be physically protected and supervised properly, e.g. pipe protection, etc. (between FMS SW and BC80 control panel) Environment of engineering PC (BF8001) Deploy anti-virus software or alternative malware protection on engineering PC, and keep up to date.
A6V11844210_enCN_a Physical protective measures for A_BUS Make sure the cables between master and slaves which are deployed in different buildings are physically protected, e.g. with pipe protection, and ensure that it is difficult to get physical access to. Physical protective measures for F_BUS Make sure the cables between control panel and BDS devices which are deployed in different rooms are physically protected, e.g. with pipe protection, and ensure that it is difficult to get physical access to.
6.6.2 Multi-Homed Network Panels without FMS Intended Operational Environment n BC80 panels are located in different room (with security guards and physical protection) and connected via A_Bus n Local access to BC80 with BF8001 configuration tool Figure 6–2: Example of Multi-homed network panels without FMS Topic Required Hardening Environment of engineering PC (BF8001) Deploy anti-virus software or alternative malware protection on engineering PC, and keep up to date.
Physical protective measures for A_BUS Make sure the cables between master and slaves which are deployed in different buildings are physically protected, e.g. with pipe protection, and ensure that it is difficult to get physical access to. Physical protective measures for F_BUS Make sure the cables between control panel and BDS devices which are deployed in different rooms are physically protected, e.g. with pipe protection, and ensure that it is difficult to get physical access to. 6.6.
Topic Required Hardening Physical protective measures Cable between FMS SW and BC80 control panel shall be physically protected and supervised properly, e.g. pipe protection, etc. (between FMS SW and BC80 control panel) Environment of engineering PC (BF8001) Deploy anti-virus software or alternative malware protection on engineering PC, and keep up to date. Strengthen engineering PC management: - Suggest dedicated engineering PC without Internet connection - Control mobile device connection, e.g.
Figure 6–4: Example of single-homed network panels without FMS Topic Required Hardening Environment of engineering PC (BF8001) Deploy anti-virus software or alternative malware protection on engineering PC, and keep up to date. Strengthen engineering PC management: - Suggest dedicated engineering PC without Internet connection - Control mobile device connection, e.g. implement security scan prior to usage. - Patch engineering PC in project always to latest available OS.
6.6.5 Single Panel with FMS Intended Operational Environment n Single BC80 panel is located in fire control room (with security guards) n PC based FMS SW is located in the same fire control room with BC80 n Local access to BC80 with BF8001 configuration tool Figure 6–5: Example of single panels with FMS Topic Required Hardening Physical protective measures Cable between FMS SW and BC80 control panel shall be physically protected and supervised properly, e.g. pipe protection, etc.
Physical protective measures for F_BUS Make sure the cables between control panel and BDS devices which are deployed in different rooms are physically protected, e.g. with pipe protection, and ensure that it is difficult to get physical access to. 6.6.
Topic Required Hardening Environment of engineering PC (BF8001) Deploy anti-virus software or alternative malware protection on engineering PC, and keep up to date. Strengthen engineering PC management: - Suggest dedicated engineering PC without Internet connection - Control mobile device connection, e.g. implement security scan prior to usage. - Patch engineering PC in project always to latest available OS. - Suggest dedicated engineering PC without Internet connection.
A6V11844210_enCN_a 29 | 30
Issued by Beijing Siemens Cerberus Electronics Ltd. No.1, Fengzhi East Road, Xibeiwang Haidian District, 100094 BEIJING, China Tel. +86 10 64768806 www.siemens.com/buildingtechnologies A6V11844210_enCN_a © Beijing Siemens Cerberus Electronics Ltd., 2019 Technical specifications and availability subject to change without notice.
