Building Operator Cybersecurity Guidelines
A6V11852371_en_h
2021-03-31
Smart Infrastructure
Edition notice
Technical specifications and availability subject to change without notice. This document may not be reproduced, disseminated to third parties or processed, and its contents may not be used or disclosed without express permission. Noncompliance shall result in compensation for damages. All rights, including those resulting from a successful patent application and registration of a utility model or design patent, are reserved.
Cybersecurity disclaimer
Siemens provides a portfolio of products, solutions, systems and services that includes security functions that support the secure operation of plants, systems, machines and networks. In the field of Building Technologies, this includes building automation and control, fire safety, security management as well as physical security systems.
Table of Contents
1 Building Operator Solution
2 Overview
3 Cloud Security: Provider and Cloud Hosted Application
4 Connect Device - On-Premise Gateway Security
5 Acvatix Intelligent Valve Security
1 Building Operator Solution
This document is intended for stakeholders of the customer building network who are navigating cybersecurity risks, so that they understand the measures the Building Operator solution has in place to keep their solution and network secure.
2 Overview
The convergence of software, data and connected devices, commonly referred to as the Internet of Things (IoT), brings new opportunities to the building industry by unlocking new value such as real-time operations, optimization and prescriptive analytics. Building Operator is a SaaS (Software as a Service) solution that enables such new service opportunities for smart buildings.
3 Cloud Security: Provider and Cloud Hosted Application
Infrastructure and Platform Services
Building Operator utilizes AWS (Amazon Web Services) to host its application services, which, together with the Siemens Connect Device, provides an end-to-end solution to unlock new value for customers.
both conform with the Federal Information Processing Standard (FIPS) 140-2 standards.
Data Encryption-in-Transit - All data in transit (e.g. communication to and from the Building Operator cloud application) is encrypted via HTTPS/TLS 1.2. Details on the cryptography employed to secure Building Operator cloud data are found in Appendix A.
4 Connect Device - On-Premise Gateway Security
Overview
Connect Device is the edge connectivity device that gathers building data on premise and securely provisions it to the Siemens Digital Services, such as Building Operator. Connect Device is co-located on the customer IT/OT network on site and connected to the building automation systems (BACnet/IP, Modbus/IP, or nHaystack compliant devices). An example of a Connect Device (Connect X300) is shown below.
● To verify the authenticity of the gateway, each Connect Device is required to register and authenticate with Building Operator using a 32-digit unique Activation key before it can be used for normal operation.
● Software applications that are hosted on the Connect Device are stored in registered private containers.
● Access to containers is granted only via authenticated tokens to authorized users.
Fig. 4: Single Network Mode
Other considerations in mitigating cybersecurity
● Communication between Connect Device and Building Operator is via the internet, where the connection is always outbound traffic, initiated by the Connect Device on premise, utilizing HTTPS.
● All data communication via the internet is encrypted using Transport Layer Security (TLS) 1.2 and utilizes TCP port 443.
Description                              Protocol   Source port   Destination Interface   Target
BACnet IP devices                        udp        47808         wan0                    accept
Building Operator Discovery Web-client   udp        8085          wan0                    accept
Default                                             all                                   RETURN
Table 2: Single network mode
5 Acvatix Intelligent Valve Security
Overview
The Intelligent Valve is a control valve with integrated energy data acquisition for ventilation and air conditioning plants as well as pre-control groups. The Intelligent Valve is an Internet-of-Things (IoT) device and securely provisions its data to Siemens Digital Services, such as Building Operator. The Intelligent Valve is co-located on the customer IT/OT network on site and connected to the building automation systems (BACnet/IP).
Other Considerations in Mitigating Cybersecurity
● Communication between the Intelligent Valve and Siemens Digital Services is via the Internet, where the connection is always outbound traffic, initiated by the Intelligent Valve on premise, utilizing HTTPS and MQTTS.
● All data communication via the Internet is encrypted using Transport Layer Security (TLS) 1.2 and utilizes TCP port 443.
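The outbound-only connectivity model stated for both the Connect Device and the Intelligent Valve (device-initiated HTTPS/MQTTS over TLS 1.2 on TCP 443), together with the single-network-mode rules of Table 2 (UDP source port 47808 for BACnet/IP and UDP source port 8085 for the discovery web-client accepted on wan0, default RETURN), can be checked against flow records from the site firewall. The Python below is an added example written for this page, not Siemens code. The flow-record format, the device address 192.0.2.10 and the init= field (who opened the flow) are constructed assumptions; treating every flow that matches no explicit accept as an item to review is also this example's choice, since the document gives Table 2's default as RETURN without stating the parent chain's policy.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed on-premise device address (RFC 5737 documentation range, not a real site).
DEVICE_IP = "192.0.2.10"

# Constructed flow-record format for this example; not a real Connect Device log format.
LINE_RE = re.compile(
    r"proto=(?P<proto>\w+) src=(?P<sip>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dip>[\d.]+):(?P<dport>\d+) iface=(?P<iface>\w+) init=(?P<init>\w+)"
)


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    iface: str      # e.g. "wan0" as in Table 2
    initiator: str  # "device" if the on-premise device opened the flow, else "peer"


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow record; return None for lines that do not match."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return Flow(m["proto"].lower(), m["sip"], int(m["sport"]),
                m["dip"], int(m["dport"]), m["iface"], m["init"].lower())


def classify(flow: Flow) -> str:
    """Name the guideline rule a flow satisfies, or "REVIEW" if none applies."""
    # Cloud path: always outbound, opened by the device, HTTPS/MQTTS over TLS on TCP 443.
    if (flow.initiator == "device" and flow.src_ip == DEVICE_IP
            and flow.proto == "tcp" and flow.dst_port == 443):
        return "cloud-outbound-tcp443"
    # Table 2 (single network mode): BACnet/IP, UDP, source port 47808, wan0 -> accept.
    if flow.proto == "udp" and flow.src_port == 47808 and flow.iface == "wan0":
        return "bacnet-ip-udp47808"
    # Table 2: Building Operator discovery web-client, UDP, source port 8085, wan0 -> accept.
    if flow.proto == "udp" and flow.src_port == 8085 and flow.iface == "wan0":
        return "discovery-udp8085"
    # Table 2's default target is RETURN and the guideline does not give the parent
    # chain's policy, so this example (an assumption) queues everything else for review.
    return "REVIEW"


def audit(lines: List[str]) -> Dict[str, List[str]]:
    """Bucket flow records by matching rule; unparseable lines land in "UNPARSED"."""
    buckets: Dict[str, List[str]] = {
        "cloud-outbound-tcp443": [], "bacnet-ip-udp47808": [],
        "discovery-udp8085": [], "REVIEW": [], "UNPARSED": [],
    }
    for line in lines:
        flow = parse_flow(line)
        buckets["UNPARSED" if flow is None else classify(flow)].append(line)
    return buckets


# Constructed sample records (not captured traffic).
SAMPLE_LOG = [
    "2021-03-31T10:00:01Z proto=tcp src=192.0.2.10:51234 dst=203.0.113.5:443 iface=wan0 init=device",
    "2021-03-31T10:00:02Z proto=udp src=192.0.2.25:47808 dst=192.0.2.10:47808 iface=wan0 init=peer",
    "2021-03-31T10:00:03Z proto=udp src=192.0.2.40:8085 dst=192.0.2.10:8085 iface=wan0 init=peer",
    # A peer opening TCP 443 towards the device contradicts the outbound-only model.
    "2021-03-31T10:00:04Z proto=tcp src=198.51.100.7:40000 dst=192.0.2.10:443 iface=wan0 init=peer",
    # Device-initiated, but not on TCP 443 as the guideline states for HTTPS/MQTTS.
    "2021-03-31T10:00:05Z proto=tcp src=192.0.2.10:51235 dst=203.0.113.5:8883 iface=wan0 init=device",
    "2021-03-31T10:00:06Z kernel: link wan0 up",
]

if __name__ == "__main__":
    for rule, entries in audit(SAMPLE_LOG).items():
        print(f"{rule}: {len(entries)}")
        for entry in entries:
            print("   ", entry)
```

Run against the constructed sample, the first three records each match one of the guideline's explicit accepts, the peer-initiated TCP 443 flow and the device-initiated flow on a port other than 443 land in REVIEW, and the non-flow line is reported as UNPARSED rather than silently dropped. Matching on the source port for the two UDP rules mirrors Table 2 literally; a deployment whose firewall keys on destination port would adjust those two comparisons.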
6 Customer Operation Best Practices
It is a well-known fact that most cybersecurity breaches originate from an internal employee or contractor in an organization doing something they were not supposed to do, failing to do something they were supposed to do, or both. Listed below are some of the best practices from a customer management and risk mitigation perspective to ensure cybersecurity risks are identified and mitigated.
7 Appendix A - Cryptography employed to secure Building Operator data
Encryption                 Block-Cipher
AWS Standard Encryption    256-AES
Hashicorp Vault            256-AES
Encryption AES_128_GCM TLS 1.
8 Appendix B - Terms and Meaning
AWS: Amazon Web Services.
Account Manager: Cloud application to invite and manage users and subscriptions, based on the user role.
Asset Manager: Cloud application to manage site connectivity and Siemens cloud-enabled devices.
BACnet: Building Automation Control network is a standard data communication protocol for building automation systems.
access tokens used in authentication methods.
LAN: Local Area Network is a network that extends within a limited area for the primary purpose of computer networking.
Modbus: Standard data communication protocol for building automation systems.
MQTTS: Message Queuing Telemetry Transport Secure is a network protocol in TCP/IP networks with TLS encryption.
On-Premise: Within a building or site.
Issued by
Siemens Switzerland Ltd
Smart Infrastructure
Global Headquarters
Theilerstrasse 1a
CH-6300 Zug
+41 58 724 2424
www.siemens.com/buildingtechnologies
© Siemens Switzerland Ltd, 2019-2020