Siemens Desigo CC 3.0 Product Family - Cybersecurity Whitepaper A4


Desigo CC 3.0 Family: Cybersecurity Meets Building Management Systems

We live and work in an exciting era. It is one defined by Industry 4.0, the of business. Digitalization provides numerous advantages: greater convenience and increased efficiency. It also presents challenges. Cyber attacks are a constant and increasing threat due to the across-the-board connectivity that makes digitalization possible. In today's connected world, the likelihood of a cyber attack is high. How do you confidently face and mitigate cyber threats? You take a holistic approach to security measures across all aspects of your organization. This includes making sure the building management systems that manage facility infrastructure are well prepared.

At Siemens Building Technologies, we believe security begins during product. We adopted a security philosophy in the development of our products, including the Desigo CC 3.0 family of building management solutions and services. This paper provides insight into how Siemens cybersecurity requirements during the Desigo CC 3.0 product and lifecycle management processes.

Before discussing cybersecurity, let's define it. For this document, we define cybersecurity as the protection of life and company assets from harm caused by digital attacks against the availability, confidentiality, integrity, authenticity and reliability of information in cyberspace. Cyberspace is the complex system of interaction between people, software and services that is facilitated by technical means to connect them to the Intranet and Internet.

All rights reserved. Siemens Switzerland Ltd, 2019. siemens.com/desigocc

Let's also define what it means to take a holistic approach to security. Leading companies and institutions take into account four key factors that impact security strength: people, communication, processes and technology. In general: People need a broad and lasting awareness of the of security, both physical security and. Communication helps establish a culture of security when it is clear and concise. Processes that are actively applied are as important as in protecting organizations from cyber threats.
Technology needs to be tested, vetted and matched with other suitable building blocks in order to secure organization assets.

[Figure 1: Holistic Security Approach Key Factors]

The spectrum of security challenges is broad. While physical are more obvious and change less often, cyber can be more nefarious due to an ever-changing landscape. When it comes to aligning security with needs and the inevitable move toward convenience put a focus on cybersecurity from the outset.

Security by Design: Siemens' Commitment to Security

Cyber attacks are among the fastest-growing criminal in the world today. They range from insider threats, attacks, opportunist threats and hacktivism all the way up to business espionage, terrorism and cyber terrorism. In order to be prepared to to a fast, complex and constantly changing threat, it is essential that organizations like yours take a holistic approach to security.

The responsibility to secure your environment lies with your organization. Siemens is committed to developing that enable you to take a holistic approach to security. This is true for our Desigo CC 3.0 family of building products, solutions and services, the focus of this paper. The Desigo CC 3.0 product family includes Desigo CC 3.0, Cerberus DMS 3.0 and Desigo CC Compact 3.0.

Our commitment is multifaceted. First and foremost is Security by Design, our end-to-end approach to product that builds in security from the beginning. It includes an ongoing cycle of testing, enhancements and evolution to keep our products and solutions at the. In addition, we are a founding member of the Charter of Trust, which calls for binding rules and to build trust in cybersecurity and further digitalization.

Simply put, we design with security in mind. Our company-wide provides a risk management program that actively comprehensive security methodology for all Siemens solutions and services. It identifies best practices, sets technical standards, processes and policies that be met. We also contribute to international standards and strive to deliver products that meet security standards such as ISA/IEC 62443, UL2900, ISO/IEC 27001 and OWASP.

Security by Design: Expertise

The effectiveness of a product cybersecurity design is to the expertise of the development team. As part of our Security by Design methodology, we invest not only in technology developments for digital protection and security, but also in the training required to maintain levels of employee cybersecurity expertise.

Throughout the lifecycle of the product, our experts perform threat and risk assessments in order to address risk in the intended application of use. This starts early on in the process and is repeated as required to identify and mitigate risks appropriately.

In addition, regular product security testing is conducted by external experts who use manual penetration tests alone or in combination with automated machine security testing. The idea is to break the system in order to make it more. This testing ensures that the selected product or service meets our security requirements. The test are recorded and used to identify any necessary actions.

[Figure 2: Siemens Cybersecurity Initiative Highlights]

Security by Design to Desigo CC

Desigo CC is a robust, open, integrated building management that helps create comfortable, safe and sustainable. It enables operation and monitoring of a building.

Desigo CC design experts adhere to our company-wide initiative, as illustrated in Figure 2. They follow a mandatory internal security policy that provides for ongoing development of Desigo CC products in accordance with the appropriate security level. Desigo CC are developed according to ISO IEC62443. These measures help ensure that coding leads to secure architecture as well as more secure implementation of software components.

The software is designed to be secure by default when installed. This includes that certain and functions are secure at the default level. Because we continuously enhance and evolve our solutions and services, Desigo CC will be kept up to date as new security threats unfold.

Below is an example of Security by Design elements integrated into Desigo CC:

- End-to-end encryption from client to server
- End-to-end encryption between servers
- Encrypted communication to other devices
- Certificate-based data exchange
- Seamless integration of certificates within customer infrastructure
- Microsoft Active Directory based authentication
- Using privilege principle to limit data and access
- User, workstation, groups, roles control access to system, designating appropriate tasks and
- Re-authentication
- Cybersecurity audit trail
- Support of antivirus and malware protection software
- Support of hardware and software firewalls
- Use of network infrastructure that supports physical or VLAN segmentation
- Segregation of networks into zones
- Controlled access to servers, clients and applications
- Placing the web server in a zone (DMZ)
