Siemens Desigo CC Product Family – Cybersecurity Whitepaper


Desigo CC Family Meets Building Systems

We live and work in an exciting era. It is one defined by Industry 4.0, the of business. Digitalization provides numerous advantages: greater convenience and increased efficiency. It also presents challenges. Cyber attacks are a constant and increasing threat due to the across-the-board connectivity that makes digitalization possible. In today's connected world, the likelihood of a cyber attack is high.

How do you confidently face and mitigate cyber threats? You take a holistic approach to security measures across all aspects of your organization. This includes making sure the building management systems that manage facility infrastructure are well prepared.

At Siemens Smart Infrastructure, we believe security begins during product. We adopted a security philosophy in the development of our Desigo CC family of building management products, solutions and services. This paper provides insight into how Siemens approaches cybersecurity during the Desigo CC product development and lifecycle processes.

Before discussing cybersecurity, let's define it. For this document, we define cybersecurity as the protection of life and company assets from harm caused by digital attacks against the availability, confidentiality, integrity, authenticity and reliability of information in cyberspace. Cyberspace is the complex system interaction between people, software and services that is facilitated by technical means to connect them to the Intranet and Internet.

All rights reserved. Siemens Switzerland Ltd 2021. siemens.com/desigocc

Let's also define what it means to take a holistic approach to security. Leading companies and institutions take into account four key factors that impact security strength: people, communication, processes and technology in general.

People need a broad and lasting awareness of the of security, both physical security and cybersecurity.
Communication helps establish a culture of security it clear and concise.
Processes that are actively applied are as important as in protecting organizations from cyber threats.
Technology needs to be tested, vetted and matched to other suitable building blocks in order to secure organization assets.

[Figure 1: Holistic Security Approach Key Factors]

The spectrum of security challenges is broad. While physical are more obvious and change less often, cyber can be more nefarious due to an ever-changing landscape. When it comes to aligning security with needs and the inevitable move toward convenience put a focus on cybersecurity from the outset.

Security by Design: Siemens' Commitment to Security

Cyber attacks are among the fastest growing criminal in the world today. They range from insider threats, attacks, opportunist threats and hacktivism all the way up to business espionage, terrorism and cyber terrorism. In order to be prepared to to a fast, complex and constantly changing threat, it is essential that organizations like yours take a holistic approach to security.

The responsibility to secure your environment lies with your organization. Siemens is committed to developing that enable you to take a holistic approach to security. This is true for our broad portfolio of building products, solutions and services, the focus of this paper.

Our commitment is multifaceted. First and foremost is Security by Design, our end-to-end approach to product that builds in security from the beginning. It includes an ongoing cycle of testing, enhancements and evolution to keep our products and solutions at the. In addition, we are a founding member of the Charter of Trust [1], which calls for binding rules and to build trust in cybersecurity and further digitalization.

Simply put, we design with security in mind. Our company-wide provides a risk management program that actively comprehensive security methodology for all Siemens solutions and services. It identifies best practices and sets technical standards, processes and policies that must be met. We also contribute to international standards and strive to deliver products that meet security standards such as ISA/IEC 62443, UL2900, ISO/IEC 27001 and OWASP.

Security by Design Expertise

The effectiveness of a product's cybersecurity design is to the expertise of the development team. As part of our Security by Design methodology, we invest not only in technology developments for digital protection product security but also in the training required to high levels of employee cybersecurity expertise.

Throughout the lifecycle of the product, our experts perform threat and risk assessments in order to address risk in the intended application of use. This starts early on in the process and is repeated as required to identify and mitigate risks appropriately.

In addition, regular product security testing is conducted by external experts who use manual penetration tests alone or in combination with automated machine security testing. The idea is to break the system in order to make it more. This testing ensures that the selected product or service meets our security requirements. The results are recorded and used to identify any necessary actions.

[1] For more information, go to www.charteroftrust.com

Security by Default

The concept of Security by Default is closely related to Security by Design. It calls for all protective measures to be activated and in force by default at the time of product delivery, installation or initial commissioning.

Security by Default is applied more frequently today due to the fact that many developers used to ship with wide-open settings because they assumed users would configure the security at setup. Unfortunately, the majority of users never even consider security once the is running. For security to work effectively, it must be built in and active from day one. Furthermore, security added later is difficult to patch or retrofit when new of attack are identified.

While Security by Default is gaining ground, there are no regulations currently governing this approach. As a result, appropriate security settings are often not in advance, resulting in the need for users to adjust after the product is installed. Siemens, on the other hand, designs and preconfigures its systems to use the secure settings at installation by default and as a.

To eliminate potential vulnerabilities, we the creation of strong authentication and authorization steps and use encryption to protect data and make more secure. We then adopt the highest level of security and data protection for each layer and incorporate it into the design of the functionalities, processes and operations. Finally, we make sure that the imbedded security is activated once the system is put into use.

Making security by default successful involves examining the issue of how products can provide optimum security when they leave the factory. Well-known examples of in real-life settings show how many were easy targets for malicious actors. In one of the most unusual incidents, cybercriminals hacked a casino through an Internet-connected thermometer in an aquarium in its lobby [2]. This foothold gave the hackers access to the casino network and then its database of gamblers, which they uploaded to the cloud.

Some solutions are easier than others. To maintain a level of security on site, it makes sense to creation of a new password when the user logs in. But what further security measures need to be considered, and what trade-offs may arise in the of user friendliness? There have been no universal answers to date, let alone specific for action. Instead, the actions are by the responsible product team. The signal is clear, however: cybersecurity is no longer optional; it is now a mandatory requirement.

[2] For more information, see https://www.forbes.com/sites/leemathews/2017/07/27/criminals-hacked-a-fish-tank-to-steal-data-from-a-casino/

Separation of Duties Principle

An IT security concept that is closely related to the Principle of Least Privilege is the Separation of Duties
