Desigo™ CC V4.
Table of Contents
About This Document
Applicable Documents
Technical Terms and Abbreviations
Acknowledgements
3.13.2 D2: Stand-alone Desktop Application
3.13.3 D3: Client/Server Application in Office Environment
3.13.4 D4: Client/Server Application in a Secured Location/Control Room
3.13.5 D5: Client/Server Application in a Professional IT Environment
Checklist
About This Document

Purpose
These guidelines provide the system owner with information security guidelines and controls for the Desigo CC system. They describe all the permitted applications for the intended operational environment, as well as the security-related information the system owner needs to maintain security throughout the life cycle of the system.

Scope
This document applies to Desigo CC V4.0.
Applicable Documents

Title | Document ID/Reference
Security for industrial process measurement and control – Network and system security | IEC 62443-3
Information technology — Security techniques — Code of practice for information security controls | ISO IEC 27002:2017

Technical Terms and Abbreviations

Term | Description
AES | The Advanced Encryption Standard is a specification for the encryption of electronic data established by the U.S.
DMZ | DMZ or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted network, usually a larger network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is firewalled.
ISA-99/IEC 62443 Security Level | ANSI/ISA 62443 is a series of standards, technical reports, and related information that define procedures for implementing electronically secure Industrial Automation and Control Systems (IACS). This guidance applies to end-users (for example, asset owner), system integrators, security practitioners, and control systems manufacturers responsible for manufacturing, implementing, or managing IACS.
Personal Store | The Local Machine Personal store contains certificates that applications use as client/server certificates and that belong to this computer only, whereas the Current User Personal store contains certificates not bound to any particular machine (for example, you may have a certificate you use to digitally sign documents on several different machines).
RSA | RSA (Rivest–Shamir–Adleman) is one of the first public-key cryptosystems and is widely used for secure data transmission. In such a cryptosystem, the encryption key is public, and it is different from the decryption key which is kept secret (private). In RSA, this asymmetry is based on the practical difficulty of the factorization of the product of two large prime numbers, the factoring problem.
VPN | Virtual Private Network. It extends a private network across a public network, and enables users to send and receive data across shared or public networks as if their computing devices were directly connected to the private network.
XBAP | XAML Browser Applications (XBAP, pronounced ex-bap) are Windows Presentation Foundation (.
Acknowledgements

Responsibility of the System Owner
The information technology (IT) used on site is the responsibility of the system owner.

Standards, Regulations and Legislation
Follow the policies of your company as well as any national regulations or international standards, such as ISO/IEC 27002 and IEC 62443. The Federal Office for Information Security (BSI) provides information on basic Cybersecurity for Germany in both German and English, for example.
Document Revision History

Document Identification
The document ID is structured as follows: ID_Language(COUNTRY)_ModificationIndex_ProductVersionIndex
Example: A6Vnnnnnnnn_en_a_02

Modification Index | Edition Date | Brief Description
c b | 2019-06-30 | Second edition, corresponding with Desigo CC V4.0
a | 2019-03-30 | First edition, corresponding with Desigo CC V3.
1 Cybersecurity Basics Introduction 1 Cybersecurity Basics 1.
changed during the engineering phase, the system is at high risk, because the hacker can use it to install malicious software with administrator privileges. A control or countermeasure is put in place to mitigate the risk and can include hardware or software procedures. For example, a system with default passwords can be isolated from the rest of the system to reduce the likelihood of it being accessed by an attacker.

Figure 1: Threat and Risk Terminology

1.
The guidelines detailed in this document support a continuing process to achieve Cybersecurity at system level.

1.4 SSL Certificates
SSL stands for Secure Sockets Layer, a global standard security technology that enables encrypted communication between a web browser and a web server.
How to know if a website is secure
The presence of an SSL certificate helps in determining whether or not a website is secured. Websites secured with an SSL certificate have a green address bar, a green padlock symbol near the URL and also have HTTPS as the prefix to their URL. All these indicators help in determining whether or not a website is secure enough.
Types of SSL Certificates
There are different types of SSL certificates available today based on the validation level and the number of domains they secure. The encryption levels remain the same for all types of certificates, but the validation levels and appearance are different.
Supported Cryptographic algorithms in Desigo CC
Desigo CC supports RSA-2048 SHA-256 Certificates. Basically, CAPI certificates are required. The Web Server also supports CNG Certificates.

Components | Crypto API Certificates | CNG Certificates
WinCC OA Communication | RSA 2048 with SHA256 encryption Certificates supported; Certificate revocation not supported. | Not supported.
Types of SSL Certificates based on the Number of Domains they Secure
The following certificates are based on the number of domains that need to be secured.

Single Domain Certificate
The single domain certificate secures one fully qualified domain name. For example, a single domain certificate for www.example.com will not secure the communication for mail.example.com.
How many domain names can be secured
Most SSL server certificates will only secure a single domain name or subdomain. For example, a certificate could secure www.yourdomain.com or mail.yourdomain.com but not both. The certificate will still work on a different domain name, but the web browser will give an error anytime it sees that the address in the address bar does not match the domain name (called a common name) in the certificate.
Buy an SSL Certificate
You can buy an SSL certificate from a CA or its reseller. The prices vary depending on the CA and the type of SSL certificate. The following are the overall steps for buying SSL certificates from a CA:
1. Choose a Certificate Authority (CA): Choose the CA from which you want to buy an SSL certificate. There are many CAs such as Comodo, DigiCert, RapidSSL, GeoTrust, Thawte, Certum, and so on.
The following is a sample CSR:
SSL Certificate Format

PEM Format
Most CAs (Certificate Authorities) provide certificates in PEM format in Base64 ASCII encoded files. The certificate file types can be .pem, .crt, .cer, or .key. The .pem file can include the server certificate, the intermediate certificate and the private key in a single file. The server certificate and intermediate certificate can also be in a separate .crt or .cer file. The private key can be in a .key file.
1 — Gather the necessary files
In order to install an SSL certificate on your web server and bind it to your domain, you must have the following files:
1. SSL Certificate for your domain
2. Intermediate certificates or CA bundle (optional)
3. Private key
You must obtain a certificate file for your domain and intermediate certificate files from the CA where you submitted the CSR.
2 Network Security Controls
The following sections detail the concept of a protected system configuration as well as specific use cases. The network security-related controls aim at mitigating the risk of exploitation of possible Desigo CC vulnerabilities. To enhance security, follow the policies of your company as well as any national legislation or international standards, such as ISO/IEC 27002 and IEC 62443.

2.
2.1.1 Zone Boundary Protection
● The Desigo CC backbone level and DMZ level are security zones that are physically protected (for example, locked in a rack in a server room) and use separate networks that permit only restricted access to their components.
● A separate VLAN alone does not meet the requirements for zone boundary protection. A firewall is required too.
2.1.2 System Components
As illustrated below, the Desigo CC software can be installed on a single server or broken up into the following main functional blocks:
● Management System Server: Monitors and commands the field networks, executes automatic actions and interacts with users through clients.
● Database Server: Manages the historical data collected by Desigo CC.
● MNS
● Video
● Web Server: Provides connectivity for web clients.
2.1.3 Firewall Rules
The firewall rules table shows a list of required ports and services needed to allow the communication between different network zones of a protected system configuration. In general, all the protective controls for data connections/network traffic at zone boundaries must be configured as follows:
● Deny by default.
● Allow only ports/services that are required to operate Desigo CC.
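One way to check a Windows host against the two rules above, written as an added PowerShell example rather than anything from the Siemens documentation: it reads the effective firewall policy and reports profiles that are not deny-by-default and inbound allow rules for ports outside an allowlist. The allowlist contents and the function name are assumptions; the two sample ports are ones this document names.

```powershell
# Added example (not Siemens code): audit Windows Defender Firewall against a
# deny-by-default policy with an explicit allowlist of inbound ports.
# ASSUMPTION: $AllowedInbound is site-specific. The two entries are sample values
# taken from ports named in this document (IIS HTTPS on TCP 443, SSL Proxy
# Manager on TCP 5678); replace them with the ports your deployment requires.
$AllowedInbound = @(
    @{ Protocol = 'TCP'; Port = 443  },
    @{ Protocol = 'TCP'; Port = 5678 }
)
$allowedSet = $AllowedInbound | ForEach-Object { "$($_.Protocol):$($_.Port)" }

# Hypothetical helper: returns $true only if every port in the rule's port
# specification is on the allowlist.
function Test-PortAllowed {
    param([string]$Protocol, [string]$PortSpec)
    # A port filter can hold 'Any', a single port, or a range such as '5000-5010'.
    if ($PortSpec -match '^(\d+)-(\d+)$') {
        $low = [int]$Matches[1]; $high = [int]$Matches[2]
    } elseif ($PortSpec -match '^\d+$') {
        $low = [int]$PortSpec; $high = $low
    } else {
        return $false   # 'Any' and keywords such as 'RPC' always need review
    }
    foreach ($p in $low..$high) {
        if ($allowedSet -notcontains "${Protocol}:$p") { return $false }
    }
    return $true
}

$findings = @()

# 1. Deny by default: every profile must be enabled and block unsolicited inbound
#    traffic. ActiveStore is the effective policy (local settings merged with GPO).
foreach ($fwProfile in Get-NetFirewallProfile -PolicyStore ActiveStore) {
    if ([string]$fwProfile.Enabled -ne 'True' -or
        [string]$fwProfile.DefaultInboundAction -ne 'Block') {
        $findings += [pscustomobject]@{
            Item   = "Profile $($fwProfile.Name)"
            Detail = "Enabled=$($fwProfile.Enabled), DefaultInboundAction=$($fwProfile.DefaultInboundAction)"
        }
    }
}

# 2. Allow only what is required: list enabled inbound allow rules whose local
#    ports are not on the allowlist.
$rules = Get-NetFirewallRule -PolicyStore ActiveStore -Direction Inbound -Action Allow -Enabled True
foreach ($rule in $rules) {
    $filter = $rule | Get-NetFirewallPortFilter
    foreach ($spec in @($filter.LocalPort)) {
        if (-not (Test-PortAllowed -Protocol $filter.Protocol -PortSpec $spec)) {
            $findings += [pscustomobject]@{
                Item   = "Rule '$($rule.DisplayName)'"
                Detail = "allows $($filter.Protocol) port $spec, not on the allowlist"
            }
        }
    }
}

$findings | Format-Table -AutoSize -Wrap
```

On a freshly installed Windows host the second check lists many built-in rules; each one is a candidate for disabling if the Desigo CC deployment does not need it.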
Server Communication
Port usage across machine boundaries for client-server and server-server communication

Core Services on Main Server
Providing Component | Remote Consumer | Intended Operat. Environm.
Component, Executable | Default Port | Port Config.
Providing Component (Component, Executable) | Default Port | Port Config. | Protocol | Port exposure to other machines in the network | Remote Consumer (connects to this port) | Intended Operat. Environm. (refer to)
SSL Proxy Manager TCP: 5678 SMC WinCC OA Communication (SSL encrypted) Exposed if project is set to "Secure" in SMC Installed Client (Secure)7) n/a UDP: 5678 WCCILproxy.
Providing Component (Component, Executable) | Default Port | Port Config. | Protocol | Port exposure to other machines in the network | Remote Consumer (connects to this port) | Intended Operat. Environm. (refer to)
Microsoft IIS | TCP: 443 | SMC | HTTPS | always exposed | Remote Client, Web Client | 2.2.1, 2.2.3, 2.2.5, 2.2.6, 2.2.
Providing Component (Component, Executable) | Default Port | Port Config. | Protocol | Port exposure to other machines in the network | Remote Consumer (connects to this port) | Intended Operat. Environm. (refer to)
File and Printer Sharing (Server Message Block transmission and reception via Named Pipes) | TCP: 445 | n/a | TCP | | Installed Client (Secure), Installed Client (Non secure), FEP (Secure) | 2.2.2, 2.2.3, 2.2.4, 2.2.
Deployment Variants: Remote IIS and Remote SQL Server
Providing Component
Component, Executable | Default Port | Port Config.
Optional Services on the Main Server
Component, Executable | Default Port | Port Config. | Protocol | Port Exposure | Rem. Cons.
Web Service Interface, WCCOAWsi.exe 2) | TCP: 8080 | SMC | HTTP(S) – REST Web Service | always exposed | Separate Web Server
OPC DA TCP: 135 Siemens.Gms.OPCServer.
Directories of the host processes:
1) Located in C:/Siemens/Automation/WinCC_OA/3.15/bin/
2) Located in [Installation Directory]/GMSMainProject/bin/
Variable ports:
3) The port of an SQL server named instance is by default variable; refer to SQL server documentation on how to configure a fixed port for a named instance.
Consumer:
5) SMC
6) Executables on the client installation [Installation Directory]/GMSMainProject/bin/Siemens.
Subsystem Connectivity
Outbound connections (ports used by the host to connect to automation systems)

Field System | Hosts | Component / Process | Port | Port Configuration | Comment
APOGEE P2 Main Server, APOGEE P2 driver TCP: 3001 FEP WCCOAApogeeDrv.exe2) APOGEE Network SnapIn Required for APOGEE Ethernet Microserver (AEM) Main Server, APOGEE P2 driver UDP: 5033 FEP WCCOAApogeeDrv.
1) File located in C:/Siemens/WinCC_OA/3.13/bin/

A Modbus subsystem uses the underlying Modbus Driver from WinCC OA. It uses Modbus protocol over TCP. During import, the field engineer has to specify the IP Address and the port number for communicating with the device. If the port number field is left empty, then the Modbus Importer applies the default value: 502.
2.2 Intended Operational Environments

2.2.1 All-In-One (One-Seat) System

Intended Use Case
This is the configuration choice in all cases where only one client is required, and system size is limited. The Desigo CC server, database service and one installed client are deployed on the same hardware platform, which can be physical or virtual. The field networks are connected directly to the Desigo CC server.
A single dedicated workstation that runs both the Desigo CC server and the Desigo CC client application, typically communicating with a field system in a networked environment.
● IPv4
● No IT firewalls (to other network segments or to the Internet)

Security
● Simple setup
● Effort for security configuration is medium
● A stand-alone system with a local web server must be protected against attacks from other machines in the network. Follow the configuration guidelines to limit outside communication by firewall settings, virus scanner, and so forth to secure the system.
Deployment Diagram
Figure 7: Stand-alone System with a Local Web Server

Settings Reference
For reference, see Setting up the Web/Windows App Clients in the Desigo CC online help.

2.2.2 Client/Server in the Customer Network

Intended Use Case
This is the configuration choice for the cases where multiple installed clients, connected through a dedicated or shared local area network (LAN), are required. Web connectivity is not required.
Figure 9: Local Network

The Desigo CC server, database service and the first installed client are deployed on the same hardware platform, which can be physical or virtual. If Windows App clients are required, the web server can also be installed on the same platform. Field networks are connected directly to the Desigo CC server.
● Microsoft SQL Server installed/remote customer Microsoft SQL Server
● Own network segment
● IPv4/IPv6
● IT firewalls must allow communication between server and client

Client Station
A dedicated workstation with the following features:
● Desigo CC client/FEP
● Own administration
● IPv4/IPv6
● Internal firewalls

Security
● Secure client/server deployments require medium configuration setup.
Deployment Diagram
1. Root Certificate (.cer) file
2. Client/FEP Host Certificate (.pfx) file
Client/Server Communication Mode = Secured
Root Certificate (.cer file) in TRCA
Client/FEP Host Certificate in Personal
Rights on the Host Certificate to the Client/FEP logged-in operating system user
Root Certificate (.cer file) in TRCA
Server Host Certificate (.pfx file) in Personal
Client/FEP Host Certificate (.pfx + .
Figure 11: Server and Remote Web Server
Figure 12: Server and Remote Web Server
Server Station
A single dedicated workstation with the following features:
● Desigo CC server is installed.
● Microsoft SQL Server is installed on the Desigo CC server.
● The server project folder is shared.
● The required certificates (SMC-created or commercial) are imported into the Windows Certificate store:
– The root certificate is imported into the Trusted Root Certification Authorities store.
Deployment Diagram
1. Root Certificate (.cer) file
2. Client/FEP Host Certificate (.pfx) file
Client/Server Communication Mode = Secured
Root Certificate (.cer file) in TRCA
Client/FEP Host Certificate in Personal
Rights on the Host Certificate to the Client/FEP logged-in operating system user
Root Certificate (.cer file) in TRCA
Server Host Certificate (.pfx file) in Personal
Client/FEP Host Certificate (.pfx + .
For systems with key components in the Internet, additional network and IT security measures are required to run Desigo CC properly:
● Only web and Windows App clients are hosted outside the customer network.
● Communication between all key components is required to be secured by standard IT security mechanisms, like virtual private network (VPN) and/or certificates.
Figure 15: Intranet-Extranet Server and a Remote Web Server (IIS) in a DMZ Network

A DMZ (demilitarized zone) refers to an area of a network, usually between two firewalls, where users from the Internet are permitted limited access over a defined set of network ports and to predefined servers or hosts. A DMZ is used as a boundary between the Internet and your company's internal network.
● Desigo CC server is installed.
● Microsoft SQL Server is installed on the Desigo CC server.
● The server project folder is shared.
● The required certificates are imported into the Windows Certificate store:
– The root certificate is imported into the Trusted Root Certification Authorities store.
– The host certificate is imported into the Personal store.
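The certificate placement described above, together with the RSA-2048 SHA-256 requirement stated in the SSL Certificates section, can be verified after import. The following PowerShell is an added example, not part of the Siemens documentation; the function name `Test-HostCertificate` and its parameter are assumptions made for illustration.

```powershell
# Added example (not Siemens code): check a host certificate in the Local Machine
# Personal store against the requirements this document states.
# ASSUMPTION: function and parameter names are illustrative only.
function Test-HostCertificate {
    param([Parameter(Mandatory)][string]$Thumbprint)

    $path = "Cert:\LocalMachine\My\$Thumbprint"
    if (-not (Test-Path $path)) {
        throw "No certificate with thumbprint $Thumbprint in the Local Machine Personal store."
    }
    $cert = Get-Item $path

    # RSA public key; $null if the certificate carries a non-RSA key.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

    # Build the chain in machine context. Revocation checking is switched off here
    # because the document states that certificate revocation is not supported for
    # WinCC OA communication.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain($true)
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($cert)

    # The last chain element is the root the host certificate leads to.
    $rootTrusted = $false
    if ($chain.ChainElements.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $rootTrusted = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    }

    $now = Get-Date
    [pscustomobject]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        HasPrivateKey      = $cert.HasPrivateKey
        IsRsa2048          = [bool]($rsa -and $rsa.KeySize -eq 2048)
        # OID 1.2.840.113549.1.1.11 is sha256WithRSAEncryption.
        IsSha256Signature  = ($cert.SignatureAlgorithm.Value -eq '1.2.840.113549.1.1.11')
        WithinValidity     = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        ChainBuilds        = $chainOk
        RootInTrustedRoots = $rootTrusted
    }
}

# Check every certificate currently in the Local Machine Personal store.
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-HostCertificate -Thumbprint $_.Thumbprint } |
    Format-Table Subject, HasPrivateKey, IsRsa2048, IsSha256Signature, WithinValidity, ChainBuilds, RootInTrustedRoots -AutoSize
```

A host certificate that reports `HasPrivateKey = False` was imported from a .cer file instead of the .pfx file and cannot be used by the server or client to authenticate.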
Deployment Diagram
Internet Root Certificate (.cer) file in TRCA Web comm. over Ccom Secured Server Root Certificate (.cer file) in TRCA Self-signed Certificate (.pfx file) in TRCA + Personal Client/FEP with Installed Client and Web Server (IIS) in DMZ Root Certificate (.cer file) in TRCA Server Host Certificate (.
2.2.5 Large, Distributed Client/Server with Internet Access

Intended Use Case
This is the configuration choice for cases where system size or specific customer indications require the deployment of key Desigo CC components on different hardware platforms, which can be physical or virtual. Communication between the key components is required to be secured by standard IT security mechanisms like certificates.
Figure 18: Large, Distributed Client/Server
2.2.6 Distributed System Configurations

Intended Use Case
The distributed system configuration allows interconnecting several projects that run independently, either on one or several physical machines. The interconnection of the projects allows transparent engineering and operation across them, as if they were one single system.
Figure 20: Multiserver Architecture for Discipline Segmentation or Redundancy

2.2.7 Virtualization

Intended Use Case
Virtualization has become a widely preferred and suggested environment for IT infrastructure by IT administrators:
● Server (hardware) virtualization is a proven software technology that makes it possible to run multiple operating systems on the same server at the same time, sharing the available hardware resources.
● Desigo CC Server
● Video Management Service
● Microsoft SQL Server
● Microsoft IIS Server
● Desigo CC FEP
3 Cybersecurity Concepts – How to Secure the System

Protection against Casual or Coincidental Violation
Desigo CC complies with the ISA-99/IEC 62443 Security Level: SL1 as long as the recommendations described in this document are implemented in full.

Security Categories
Security in Desigo CC is divided into the following categories:
● Protection: Protection of Desigo CC against unauthorized and malicious use.
3.1 User Management

User Account Management
NOTICE: Desigo CC users can be configured to use local passwords or to use Windows authentication (for example, Active Directory). Use Windows authentication wherever possible to enhance security, control, and management of passwords.
3.2 IT Security
NOTICE: The owner of the Desigo CC system is responsible for establishing and maintaining appropriate IT security, in particular by applying virus scanners, deactivating unneeded services and network ports, and by regularly patching and updating the operating system and all installed applications.

3.3 Communication Security
The communication between web clients and the web server (IIS) is always encrypted.
3.4 License Security
Licensing is important to guarantee the operation of the system within the agreed system limits. Only the system is allowed to change license data. If a license becomes temporarily unavailable (for example, when a dongle is unplugged), the system continues to run fully operational for a demo period of 30 minutes.
3.6 Main Server Folder Shares for Client and FEP Installations
When installing additional installed clients for Desigo CC version 4.x, FEPs or a remote web server, the project directory is no longer shared, with the only exception of the individual folders that need to be accessed remotely.
● Shared: Provide read access on all files and subfolders to the web server account and all Windows client accounts.
● All other folders: Provide read/write access to the [System Account] only ([System Account] is configured in SMC). Do not provide access on these folders to any other account.

3.
UA Local Discovery Server
Belongs to the Desigo CC OPC server. Allow the UA Local Discovery Server to start automatically. Configure your firewall to permit TCP port 4840.

UA COM Server Wrapper
Belongs to the Desigo CC OPC server. The OPC UA wrapper enables a UA client to connect to a COM-based OPC DA2/DA3 server. Internally the wrapper is a small UA server that obtains data from its internal COM DA2/DA3 client.
5. In the User name field, enter exactly the following string: [BASIC]\BasicStreamingUser.
6. In the Password field, enter the password you used for creating the VideoAPIStreamingUser, above. The credentials of the BasicStreamingUser are added to the vault of the Desigo CC computer.
7. Restart the Desigo CC application.

VMS Service (Embedded Siveillance VMS200)
Installed separately by users, not by the Video extension module.
Install VMS Server on a Computer Different from the Desigo CC Server
● Install the VMS server following its separate installation instructions. In the VMS software setup, you can select the Single-Server (recommended) or the Custom installation variant.
NOTE: Do not use the Distributed-Servers variant. It is intended for architectures with multiple VMS servers.

3.
3.11 Windows Hardening
First of all, let's define hardening. When you harden a system, you are attempting to reduce its surface of vulnerability. Ideally, you want to be able to leave it exposed to the general public on the Internet without any other form of protection. This is not a system you will use for a wide variety of services.
3.12 Web Browser Security
When using any web browser to run a Desigo CC client, special attention is required for the security settings of the web browser. Make sure the saving function for credentials is disabled in the web browser settings.

Update to TLS 1.
Ultimately, TLS 1.2 must be enabled in the registry on the machines running the XBAP browser client (on Windows 10 only the last two entries are needed):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client
DisabledByDefault (type = DWORD, Value = 0 hexadecimal)
Enabled (type = DWORD, Value = 1 hexadecimal)

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NetFramework\v4.0.
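The SCHANNEL client values listed above can be audited, and set where they are missing, from PowerShell. This is an added example rather than Siemens tooling; the function name and the `-Fix` switch are assumptions, and it covers only the two SCHANNEL values, not the .NET Framework entries.

```powershell
# Added example (not Siemens code): audit, and optionally set, the SCHANNEL
# TLS 1.2 client values named in this section.
# ASSUMPTION: the function name and the -Fix switch are illustrative only.
# Use an elevated session when running with -Fix.
function Test-Tls12ClientSetting {
    param([switch]$Fix)

    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client'
    # Values and data as given in the document.
    $expected = [ordered]@{ DisabledByDefault = 0; Enabled = 1 }

    foreach ($name in $expected.Keys) {
        # Read the current value; it stays $null when the key or value is absent,
        # in which case Windows falls back to its built-in default for the protocol.
        $current = $null
        if (Test-Path $key) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        $ok = ($null -ne $current) -and ($current -eq $expected[$name])

        if (-not $ok -and $Fix) {
            # New-Item -Force also creates the missing parent keys.
            if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
            New-ItemProperty -Path $key -Name $name -Value $expected[$name] `
                -PropertyType DWord -Force | Out-Null
            $current = $expected[$name]
            $ok = $true
        }

        [pscustomobject]@{
            Value     = $name
            Current   = $current
            Expected  = $expected[$name]
            Compliant = $ok
        }
    }
}

# Report only; add -Fix to write the expected values.
Test-Tls12ClientSetting | Format-Table -AutoSize
```

SCHANNEL reads these values when a process starts, so restart the browser client (or the machine) after a change.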
locations, helps keep your patch management efforts up to date. It is therefore important to inventory your network on a regular basis.
● Perform application patching: Many limitations of OS platform support and discovery services lie in accounting for only applications from a specific OS and ignoring third-party software.
3.13 Hardening Guidelines
This section defines the minimal hardening measures that must be applied for each of the reference deployments in order to comply with Desigo CC requirements and therefore meet Security Level 1 (SL1).

3.13.1 D1: Unsecured Desktop
IT Security Level 1 for Desigo CC cannot be achieved at this level of hardening. Therefore, do not use it without an express written waiver of responsibility by the customer.
3.13.2 D2: Stand-alone Desktop Application

Applicability
Location of the physical server | On the desktop of one of the users in a controlled office environment (not in a publicly accessible area).
Physical/virtual server exclusivity | Non-exclusive: a computer also used for regular office tasks.

Topic | Required Hardening
Physical server protective measures | Unplug and theft protection.
3.13.3
Connection to other services (for example, OPC servers and clients) | Directly, through VLAN or customer networks: customer is responsible for securing it. The assumption is that the customer’s IT secures field device connectivity.
Client Windows login | No autologon or professional KIOSK mode.
Desigo CC users | Use Windows authentication only.
Client protective measures (Software) | Disable interfaces with memory access (FireWire, USB 3.1). Continuously maintained and strong antivirus protection. Continuously maintained desktop firewalls. Firewall rules not on auto allowance. Secure certificate store. Set up all applications running on the client. Do not store passwords locally.
Connection for clients inside the customer network | Secured communication configured.
3.13.4 D4: Client/Server Application in a Secured Location/Control Room

Applicability
Suitable and supported for IT security | If Desigo CC security prescriptions are applied.
Location of the physical server | Supervised control room desk and enclosure.

Topic | Required Hardening
Physical/virtual server exclusivity | Non-exclusive: a computer also used for regular office tasks.
Connection for clients inside the customer network | Secured communication configured. Segmented network. Network firewalls configured and continuously maintained.
Connection for clients outside the customer network (Remote access) | Secured communication configured. Segmented network. Network firewalls configured and continuously maintained. DMZ configured.
3.13.5 D5: Client/Server Application in a Professional IT Environment

Applicability
Location of the physical server | Unrestricted server room
Physical/virtual server exclusivity | Exclusive: Server only hosts Desigo CC applications.

Topic | Required Hardening
Physical server protective measures | Server machine locked in cabinet. Unplug and theft protection.
Client protective measures (Software) | Disable interfaces with memory access (FireWire, USB 3.1). Continuously maintained and strong antivirus protection. Continuously maintained desktop firewalls. Firewall rules not on auto allowance. Secure certificate store. Set up all applications running on the client. Do not store passwords locally.
Connection for clients inside the customer network | Secured communication configured.
4 Checklist
The following checklist should be used to perform security controls for the Desigo CC system components. The checklist must be completed for each instance of any component.

Desigo CC Server Hardening Checklist
● User Configuration: Make sure that the password for the local Administrator account is reset to something secure. Furthermore, disable the local administrator whenever possible.
be available over a VPN connection, ensuring that unauthorized people cannot exploit the port at will from the net. The Windows firewall is a built-in software firewall that allows configuration of port-based traffic from within the OS. On a standalone server, or any server without a hardware firewall in front of it, the Windows firewall will provide some protection against network-based attacks by limiting the attack surface to the allowed ports.
Check the maximum size of your logs and scope them to an appropriate size. Log defaults are almost always far too small to monitor complex production applications. As such, disk space should be allocated during server builds for logging, especially for applications like Microsoft Exchange. Logs should be backed up according to your organization’s retention policies and then cleared to make room for more current events.

Controls | Status
Implement physical and environmental security controls. |
Obfuscate Local Administrator Accounts
More often, malicious programs and hackers will target default local administrator accounts as low hanging fruit for exploitation. A simple renaming of an administrator account adds a simple but effective layer of defense against brute-force attacks. Choosing a less common name makes the account less susceptible to hacking attempts—though in later versions of Windows, local administrator accounts are disabled by default.
Controls | Status
Implement physical and environmental security controls (for non-SGD clients). |
Implement network separation. |
Implement protective firewall rules. |
Implement operational security controls. |
Implement access control measures. |
Disable the saving function for credentials in all browsers. |
Implement user management controls. |
● WirelessZone – Networks that can be accessed by users and applications with a wireless connection.
● ExternalZone – Networks that are not secure, such as the Internet and other external networks.
● DMZZone – A DMZ (demilitarized zone) is sometimes referred to as a perimeter network. It contains company servers that can be accessed from external sources.
Issued by Siemens Industry, Inc. Smart Infrastructure 1000 Deerfield Pkwy Buffalo Grove IL 60089 +1 847-215-1000 A6V11646120_enUS_b_40 © Siemens Industry, Inc., 2019 Technical specifications and availability subject to change without notice.