User Manual
Cybersecurity Concepts – How to Secure the System
A6V11646120_enUS_b_40
3 Cybersecurity Concepts – How to Secure the System
Protection against Casual or Coincidental Violation
Desigo CC complies with the ISA-99/IEC 62443 Security Level: SL1 as long as the
recommendations described in this document are implemented in full.
Security Categories
Security in Desigo CC is divided into the following categories:
● Protection
Protection of Desigo CC against unauthorized and malicious use. This includes
provision of secure communication that prevents any manipulation of messages as
well as validation of users (authentication) to block unknown users from accessing the
system.
● Authorization
Provision of a fine-grained but easy-to-configure authorization model. It grants
access to any system resource and functionality in such a way that a user's access
rights correspond both to their role (such as system administrator or personnel
manager) and to the current operating conditions (such as the organization mode
and/or the user's location).
The features related to Protection can be summarized as follows:
● All communication paths between clients and the server provide encryption and
protect against replay attacks as well as data manipulation. The communication
between the web server (IIS) and the web clients is always encrypted.
● Communications between the system server and a FEP can be encrypted by
Desigo CC.
● Communications between the system server and SQL Server can be encrypted by
Desigo CC.
● The runtime data transfer between the system server and IIS can be encrypted by
Desigo CC.
● Passwords are handled securely:
– Encrypted storage and transmission
● Use of public domain algorithms for cryptographic functions, including:
– AES, Diffie-Hellman, RSA, SHA-2, and so on.
– No self-coded algorithms
● Key strengths are defined as general security baselines, for example:
– Symmetric encryption uses 256-bit AES or stronger
– Asymmetric encryption uses 2048-bit keys or stronger
The features related to Authorization can be summarized as follows:
● The Authorization Model allows controlling access, view, and commanding
privileges of users and user groups on a very granular level based on
resources/groups. These resources/groups can be workstations, features,
applications, system objects, system object properties, and logical groups of any
kind for these resources.
● Access to the system is treated intuitively – the UI displays only elements such as
menus, buttons, list items, tree nodes, and so on where the user has at least read
access.
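As an added illustration of the authorization model described above (example code, not Desigo CC's own; the group, resource, organization-mode and location names are constructed), a minimal rule evaluator derives a user's effective rights from group membership, the resource hierarchy and the current operating conditions, and filters UI elements to those with at least read access:

```python
from dataclasses import dataclass
from enum import Flag, auto

class Right(Flag):
    NONE = 0
    READ = auto()     # "at least read": the element is shown in the UI
    COMMAND = auto()  # may issue commands on the object

@dataclass(frozen=True)
class Rule:
    group: str             # user group the rule applies to
    resource: str          # resource or logical group, e.g. "Site/HVAC"; covers children
    rights: Right
    org_modes: frozenset = frozenset()  # operating conditions the rule is limited to;
    locations: frozenset = frozenset()  # an empty set means "any"
    def applies(self, groups, org_mode, location, resource) -> bool:
        covered = resource == self.resource or resource.startswith(self.resource + "/")
        return (self.group in groups and covered
                and (not self.org_modes or org_mode in self.org_modes)
                and (not self.locations or location in self.locations))

@dataclass(frozen=True)
class Context:
    groups: frozenset      # groups the logged-in user belongs to
    org_mode: str          # current organization mode of the site
    location: str          # where the user is logged in

def effective_rights(rules, ctx: Context, resource: str) -> Right:
    """Union of rights from every rule matching the user's groups and conditions."""
    granted = Right.NONE
    for r in rules:
        if r.applies(ctx.groups, ctx.org_mode, ctx.location, resource):
            granted |= r.rights
    return granted

def visible_elements(rules, ctx: Context, elements) -> list:
    """UI filter: keep only elements the user has at least read access to."""
    return [e for e in elements if Right.READ in effective_rights(rules, ctx, e)]

def can_command(rules, ctx: Context, resource: str) -> bool:
    return Right.COMMAND in effective_rights(rules, ctx, resource)

# Constructed sample rules and objects (hypothetical names, not Desigo CC configuration)
RULES = [
    Rule("Operators", "Site/HVAC", Right.READ),
    Rule("Operators", "Site/HVAC", Right.COMMAND, org_modes=frozenset({"Normal"})),
    Rule("Guards", "Site/Access", Right.READ, locations=frozenset({"GateHouse"})),
    Rule("Admins", "Site", Right.READ | Right.COMMAND),
]
ELEMENTS = ["Site/HVAC/AHU1", "Site/Access/Door1", "Site/Fire/Panel1"]
```

Rights are unioned across all matching rules, so a commanding privilege that is limited to one organization mode silently disappears when the mode changes while read access remains.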