User Manual
Connect Device - On-Premise Gateway Security
4
A6V11852371_en_h
11 | 19
Fig. 4: Single Network Mode
Other considerations for mitigating cybersecurity risk
● Communication between the Connect Device and Building Operator takes place over the internet. The connection is always outbound traffic, initiated by the on-premise Connect Device, using HTTPS.
● All data communication over the internet is encrypted with Transport Layer Security (TLS) 1.2 and uses TCP port 443. Using HTTPS and MQTTS makes the transferred data highly resistant to eavesdropping and interception. No other port is used for outbound (internet-bound) data communication.
● All data communication between the Cloud servers' endpoints and the Connect Device is additionally secured by X.509-certificate-based authentication and authorization.
● All inbound ports on the Connect Device's "LAN" and "WAN" interfaces are disabled by default, except ports 80 and 443. Users must explicitly define the permitted inbound ports to enable data communication from the building automation network.
● Inbound traffic for BACnet UDP communication must be explicitly permitted and is limited to the port range 47808 - 47823 (0xBAC0 - 0xBACF). Only the port used in the building automation network should be permitted, while all other ports stay closed.
● Inbound traffic for Modbus TCP communication must be explicitly enabled and is limited to port 502.
● The Connect Device supports an anonymous proxy; however, a DNS server is required on the customer network.
● The Connect Device uses a containerized architecture in which published software/firmware images are certified and renewed. This verifies that the container image is built from an official image source and runs as intended. All operating system updates are signed, and the signature is verified before the software/firmware update is applied.
An example of an inbound port configuration is listed below.

Description                            | Protocol | Source port | Destination Interface | Target
---------------------------------------|----------|-------------|-----------------------|-------
Modbus devices                         | tcp      | 502         | lan0                  | accept
BACnet IP devices                      | udp      | 47808       | lan0                  | accept
Building Operator Discovery Web-client | tcp      | 8085        | lan0                  | accept
Default                                | all      | *           |                       | RETURN

Table 1: Separate network mode
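As an added example (not part of the manual or the product's own tooling), the audit below checks an inbound-rule table of the shape shown in Table 1 against the constraints stated in the bullets above: BACnet only over UDP within 47808-47823 and only one such port, Modbus TCP only on 502, and every other accepted port that is not open by default (80/443) reported for review. The rule dicts and the misconfigured sample table are constructed for this example.

```python
# Added example, not from the Siemens manual: audit an inbound-rule table
# against the constraints stated in the bullets above. Rule dicts mirror the
# columns of Table 1; the sample tables below are constructed for this example.
BACNET_UDP_PORTS = range(0xBAC0, 0xBACF + 1)   # 47808-47823, the manual's BACnet range
MODBUS_TCP_PORT = 502                          # Modbus TCP is limited to this port
DEFAULT_OPEN = {("tcp", 80), ("tcp", 443)}     # the only inbound ports open by default


def audit_inbound_rules(rules):
    """Return {'violations': [...], 'explicit_ports': [...]} for a rule table.

    Only 'accept' rows are audited; a RETURN/drop row permits nothing.
    """
    violations, explicit, bacnet_ports = [], [], set()
    for r in rules:
        if r["target"].lower() != "accept":
            continue
        desc, proto, port = r["description"], r["protocol"].lower(), int(r["port"])
        if "bacnet" in desc.lower():
            bacnet_ports.add(port)
            if proto != "udp" or port not in BACNET_UDP_PORTS:
                violations.append(f"{desc}: BACnet must be udp/47808-47823, got {proto}/{port}")
        elif "modbus" in desc.lower():
            if (proto, port) != ("tcp", MODBUS_TCP_PORT):
                violations.append(f"{desc}: Modbus TCP is limited to tcp/502, got {proto}/{port}")
        elif (proto, port) not in DEFAULT_OPEN:
            explicit.append(f"{desc}: {proto}/{port} on {r['interface']}")   # user-defined, review it
    if len(bacnet_ports) > 1:
        violations.append(f"{len(bacnet_ports)} BACnet ports open; permit only the one used on the BAN")
    return {"violations": violations, "explicit_ports": explicit}


# Constructed sample: the rows of Table 1 as listed on this page.
TABLE_1 = [
    {"description": "Modbus devices", "protocol": "tcp", "port": 502, "interface": "lan0", "target": "accept"},
    {"description": "BACnet IP devices", "protocol": "udp", "port": 47808, "interface": "lan0", "target": "accept"},
    {"description": "Building Operator Discovery Web-client", "protocol": "tcp", "port": 8085,
     "interface": "lan0", "target": "accept"},
    {"description": "Default", "protocol": "all", "port": "*", "interface": "", "target": "RETURN"},
]

# Constructed sample of a misconfigured table: a second BACnet port outside the
# permitted range, and Modbus moved off port 502.
BAD_TABLE = [
    {"description": "BACnet IP devices", "protocol": "udp", "port": 47808, "interface": "lan0", "target": "accept"},
    {"description": "BACnet IP devices (2nd)", "protocol": "udp", "port": 47900, "interface": "lan0", "target": "accept"},
    {"description": "Modbus devices", "protocol": "tcp", "port": 5020, "interface": "lan0", "target": "accept"},
]
```

Running `audit_inbound_rules(TABLE_1)` yields no violations and lists only the 8085 web-client port for review, while `audit_inbound_rules(BAD_TABLE)` reports the out-of-range BACnet port, the extra BACnet port, and the non-502 Modbus port.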