CybersecurityGuidelines DESIGOCC V5x

Desigo CC V5.
0
Cybersecurity Guidelines
Application Guide
A6V11646120_en_d_50 Smart Infrastructure

15.02.2021
Table of Contents
1 About this document .................................................................................5

1.1 Applicable Documents .................................................................................7
1.2 Download center ..........................................................................................8
1.3 Revision History...........................................................................................8
2 Technical terms and abbreviations...........................................................9
3 IT Security Notices ..................................................................................11
3.1 End of the Life Cycle (EOL) .......................................................................11
4 Cybersecurity basics ...............................................................................12
4.1 Introduction to cybersecurity ......................................................................12
4.2 Security concepts and risk assessment process.........................................12
4.3 System security, roles, and responsibilities ................................................13
5 Cybersecurity throughout the life cycle of the system ..........................14
5.1 Installation and commissioning ..................................................................14
5.1.1 Responsibility for IT security........................................................14
5.1.2 Physical and environmental security............................................14
5.1.3 Implementing the required functionality .......................................15
5.1.4 Communication security ..............................................................15
5.1.5 Devices with access to the highly protected zone ........................15
5.1.6 Guidelines for PCs ......................................................................16
5.1.7 Guidelines for Smartphones ........................................................16
5.1.8 Password guidelines ...................................................................17
5.1.9 PIN guidelines.............................................................................17
5.2 Operation and maintenance .......................................................................17
5.2.1 Security of saved data.................................................................17
5.2.2 Regular patches and updates......................................................18
5.2.3 Handling incidents.......................................................................18
5.3 Disposal / phase-out / EOL ........................................................................18
5.3.1 Disposal procedures ...................................................................19
6 System security concept .........................................................................20
6.1 Definition of security zones ........................................................................20
6.2 Zone boundary protection ..........................................................................21
6.3 System components ..................................................................................22
6.4 Required Certificates .................................................................................23
6.5 Least functionality implementation .............................................................23
6.5.1 Main Server Folder Shares for Client and FEP Installations .........24
6.6 Firewall rules and system services .............................................................25
6.7 History database (HDB) users and roles ....................................................30
6.8 Notification (MNS) database roles and backup folder .................................32
7 IEC62443 Security Level 2 (SL2) .............................................................33
7.1 Introduction to IEC62443 SL2 standard ......................................................33
7.2 System components and network separation in SL2 deployments ..............34
7.3 IEC 62443 SL2 general requirements ........................................................34
2 | 58 Restricted A6V11646120_en_d_50
8 Intended operating environment and application options .................... 36
8.1 Single station in highly protected zone ...................................................... 36
8.1.1 SL2 requirements for single station deployment.......................... 37
8.2 Client/server with local intranet web server................................................ 38
8.2.1 SL2 requirements for local client/server deployment ................... 39
8.3 Client/server with remote intranet web server ............................................ 40
8.3.1 SL2 requirements for client/server deployment with remote intranet
web server ................................................................................. 41
8.4 Client/server with remote internet access using FlexClient ........................ 42
8.4.1 SL2 requirements for client/server deployment with remote internet
access using FlexClient.............................................................. 43
8.5 Client/server in distributed solutions .......................................................... 44
8.5.1 Distributed system configurations ............................................... 46
8.6 Virtual environment ................................................................................... 47
9 Recommended System Hardening ........................................................ 48
9.1 Hardening Windows server ....................................................................... 48
9.2 Hardening firewall ..................................................................................... 53
9.3 Hardening system server .......................................................................... 54
9.4 Hardening system client ............................................................................ 56
9.5 Hardening notification application .............................................................. 56
10 Maintenance of IT Components ............................................................. 57
A6V11646120_en_d_50 Restricted 3 | 58
About this document 1
Applicable Documents
1 About this document

This document must be transferred from the installation personnel to the system
operator.
Retention and availability
NOTICE
Missing information
Damage due to misuse
● This document must be available in a usable format throughout the entire life
cycle of the product. Keep the document for reference and ensure that it can
be accessed by target groups.
Should you require another copy of this document, please contact the Customer
Support Center, phone +49 89 9221-8000.
This document contains guidelines and conditions for Desigo CC and describes
permitted applications for the intended operational environment.
Security-related information for the system operator, relating to maintaining
security throughout the life cycle of the system, is found in Maintenance of IT
Components.
Scope
The information contained in this document is valid for Desigo CC V5.0.
Target groups
The information in this document is intended for the following target groups:
Target group Activity Qualification

System owner ● According to EN 50110-1, ● This person can be the owner,
nominated person with the overall employer, proprietor or a delegated
responsibility to ensure the safe person.
operation of the electrical ● Some of these duties can be
installation by setting rules and delegated to others as required. For
organization or framework. large or complex electrical
installations or networks, the duties
can be delegated for parts of the
installations or the network.
IT security officers ● Support companies when it comes ● Are technical experts in all aspects
to assessing the security of of IT security.
products, solutions, and services,
and defining and implementing
improvements.
Project Manager ● Coordinates the deployment of all ● Has obtained suitable specialist
persons and resources involved in training for the function and for the
the project according to schedule. products.
● Provides the information required to ● Has attended the training courses
run the project. for Project Managers.
Project engineer ● Sets parameters for product ● Has obtained suitable specialist
depending on specific national training for the function and for the
and/or customer requirements. products.
● Checks operability and approves ● Has attended the training courses
the product for commissioning at the for Product Engineer.
place of installation.
● Is responsible for troubleshooting.
Installation personnel ● Assembles and installs the product ● Has received specialist training in
components at the place of the area of building installation
installation. technology or electrical installations.
● Carries out a function check
following installation.
Commissioning personnel ● Configures the product at the place ● Has obtained suitable specialist
of installation according to training for the function and for the
customer-specific requirements. products.
● Checks the product operability and ● Has attended the training courses
releases the product for use by the for commissioning personnel.
operator.
● Searches for and corrects
malfunctions.
Source language and reference document

● The source/original language of this document is German (de).
● The reference version of this document is the international version in English.
The international version is not localized.
Document identification
The document ID is structured as follows:
ID code Examples
ID_languageCOUNTRY_ modification index A6V10215123_deDE_a
-- = multilingual or international A6V10215123_en--_a
A6V10315123_----_a
About this document 1
Date format
The date format in the document corresponds to the recommendation of
international standard ISO 8601 (format YYYY-MM-DD).
Presentation conventions
Text markups
Special text markups are used as follows in this document:
⊳ Prerequisite for an instruction telling you what to do
1. Instruction with at least two steps
2.
◈ Instruction with one step

– Variant, option, or detailed information on an instruction
⇒ Interim result of an instruction
⇒ Final result of an instruction
● Lists
[➙ X] Reference to a page number
'Text' Quote, exact match
<Button> Identification of buttons
> Indicates a link and identifies steps in a sequence, e.g., 'Menu bar' >
'Help' > 'Help topics'
↑ Text Identifies a glossary entry
Additional information and tips
The 'i' symbol identifies additional information and tips to simplify the procedure.
Layout and page breaks
The layout of the PDF version of this document was generated automatically. For
this reason, line breaks may occasionally occur within words, e.g., in text in
tables. Page breaks have been generated with rules but have not been optimized
in context.
1.1 Applicable Documents

Document ID Title
EN 50110-1 Operation of electrical installations – Part 1: General
requirements
IEC/TS 62443-1-1 Industrial communication networks – Network and system
security Part 1-1: Terminology, concepts and models'
IEC 62443-2-1 Industrial communication networks – Network and system
security Part 2-1: Establishing an industrial automation and
control system security program'
Download center
Document ID Title
IEC 62443-3-3 Industrial communication networks – Network and system
security Part 3-3: System security requirements and security
levels
ISO/IEC 27032 Information technology – Security techniques – Guidelines for
cybersecurity
ISO/IEC 27033 Information technology – Security techniques – Network
Part 1…6 security
ISO/IEC 27034 Information technology – Security techniques – Application
Part 1…6 security
1.2 Download center

You can download various types of documents, such as data sheets, mounting
instructions, and license texts via the following Internet address:
https://siemens.com/bt/download
◈ Enter the document ID in the Find by keyword input box.
You will also find information about search variants and links to mobile
applications (apps) for various systems on the home page.
1.3 Revision History

The table below shows this document's revision history.
Version Edition date Brief description

d 15 Feb 2021 Revised edition, corresponding with Desigo CC V5.0
c 30 Nov 2019 Third edition, corresponding with Desigo CC V4.1
b 30 June Second edition, corresponding with Desigo CC V4.0
2020
a 30 March First edition, corresponding with Desigo CC V3.0
2019
Technical terms and abbreviations 2
2 Technical terms and abbreviations

Term Explanation
CA Certificate Authority. CA is an entity that issues digital
certificates.
DMZ Demilitarized Zone. It refers to a computer network with
security-controlled access to the connected servers and
devices. A DMZ provides protection by isolating a system
from two or more networks by means of one or more
firewalls.
This separation makes it possible to grant access to publicly
accessible services while also protecting the internal system
in the DMZ from unauthorized external access.
The aim is to make system services available to both the
WAN (Internet) and the LAN (intranet) in as secure a
manner as possible.
EM Desigo CC Extension Module, which extends the
management platform with additional functions and/or
connectivity.
EOL End of Life. In the product life cycle, indicates the ending of
support on the product and/or version.
FEP Front-end Processor. A computer that extends and
distributes connectivity to field networks.
The purpose is to off-load from the host computer the work
of managing the peripheral devices, transmitting and
receiving messages, packet assembly and disassembly,
error detection, and error correction.
Highly protected Physically separated, private network.
Zone Network access to this zone from outside is only permissible
via a protective component (firewall) at the boundary to the
highly protected zone.
IACS Industrial Automation and Control Systems.
Least Privilege According to this principle, users should be authorized to
access the bare minimum set of resources required to
perform their tasks.
NIC Network Interface Card. In a computer, the NIC is a circuit
board or chip that provides the physical connection with a
network, typically a Local Area Network (LAN).
SSH Secure Shell. SSH is a cryptographic network protocol for
operating network services securely over an unsecured
network.
Station In Desigo CC, a computer workstation acting as server,
client, or FEP.
System Operator Responsible of the building management, IT infrastructure
and security. He/she is in charge of keeping the security
measures up to date during the service life of the technical
systems.
TCP Transmission Control Protocol. TCP is a standard that
defines how to establish and maintain a network
conversation through which application programs can
exchange data.
TLS Transport Layer Security. TLS protocol provides
communications security in web connections. TLS V1.0 and
2 Technical terms and abbreviations
Term Explanation
V1.1 are out-of-date versions that do not support modern
cryptographic algorithms, and they contain security
vulnerabilities that may be exploited by attackers. Newer
V1.2 and V1.3 must be used.
TPM Trusted Platform Module. TPM (ISO/IEC 11889) is an
international standard for a crypto-processor, an electronic
component designed to secure hardware through integrated
cryptographic keys.
UDP User Datagram Protocol. UDP is a transaction-oriented
transfer protocol with no delivery and duplicate protection.
Applications requiring ordered reliable delivery of streams of
data should use the TCP.
VLAN Virtual LAN. VLAN is any broadcast domain that is
partitioned and isolated in a computer network at the data
link layer (OSI layer 2).
VLANs work by applying tags to network frames and
handling these tags in networking systems – creating the
appearance and functionality of network traffic that is
physically on a single network but acts as if it is split
between separate networks.
In this way, VLANs can keep network applications separate
despite being connected to the same physical network, and
without requiring multiple sets of cabling and networking
devices to be deployed.
WSI Desigo CC Web Service Interface.
VPN Virtual Private Network
IT Security Notices 3
End of the Life Cycle (EOL)
3 IT Security Notices
Responsibility of the system operator
The information technology (IT) used in a system is the responsibility of the system
operator.
National standards, regulations, and legislation
Specifications for IT security are also put into effect through country-specific
legislation. You must observe the country-specific legislation when planning and
commissioning.
Siemens products are developed and produced in compliance with the relevant
European and international safety standards. Should additional country-specific or
local security standards or legislation concerning IT security apply at the place of
operation, you must apply these in addition to the guidelines and the permitted
applications in this document.
For example, the 'European Union Agency for Cybersecurity'
www.enisa.europsa.eu provides information on basic IT security in Europe:
https://www.enisa.europa.eu/topics/cybersecurity-education.
For Germany, the 'Federal Office for Information Security' (BSI)
www.bsi.bund.de/EN provides information on basic IT security in both German and
English.
Further links: www.cisecurity.org
Siemens cybersecurity guidelines

The Siemens cybersecurity guidelines in this document provide the system
operator with additional specifications – alongside basic IT security – for operating
a corresponding system. These additional specifications are valid at the time of
publication.
NOTICE
Modified Security Risks in the Life Cycle of the System
Additional security risks
● You must log compliance with the specifications. See Maintenance of IT
Components [➙ 57].
3.1 End of the Life Cycle (EOL)

Any IT component involved in the access to Desigo CC must be replaced as soon
as it ceases to be supplied with security updates by the manufacturer.
If any of such unsupported EOL IT components cannot be replaced, Desigo CC
must be immediately disconnected from untrustworthy networks.
4 Cybersecurity basics
Introduction to cybersecurity
4 Cybersecurity basics
This section provides a basic overview of cybersecurity. If you are not familiar with
this subject area, make sure to read and understand concepts and definitions that
are presented in the following subsections.
4.1 Introduction to cybersecurity

Cybersecurity covers all mechanisms for protecting IT systems, such as
computers, devices like primary controllers, or web servers in a building automation
system, from unauthorized access, faults, modifications, or destruction. It also
prevents confidential information from being accessed and information obtained
without authorization through fraud or other crimes from being used. This
minimizes the risk of losing system and data confidentiality, integrity, and
availability.
Cybersecurity can be implemented in accordance with different industry and
national standards, which usually set out different levels of protection depending on
the system use and the acceptable risk level.
Up until now, most cybersecurity breaches have involved attacks on conventional
computer systems, such as the Internet, intranet, or home networks. Denial of
service, theft of critical private and commercial information, bank account and
credit card fraud, and ransomware are all examples of the damage caused.
By contrast, there have been fewer attacks on industrial controls, such as building
automation controls, as these types of systems often ran on proprietary operating
systems. The hardware only had a limited functionality, and these systems were
rarely connected to other networks.
Current computer standards are being used increasingly in industrial controls to
make them cheaper and more powerful. What's more, industrial controls are
usually connected to other customer networks and the Internet, which – in turn –
makes them more vulnerable to attacks. Connections can also be used to start an
attack on the automation network from the company network and vice versa.
It is therefore particularly important to provide an appropriate level of security for
modern building technology solutions.
4.2 Security concepts and risk assessment process

The image below illustrates the relationship between the key cybersecurity
concepts. The depicted flow represents the assessment process loop that guides
decisions about security protection.
A Vulnerability is a fault or flaw in the design, implementation, operation, or

management of a system, which could be exploited to breach the security of the
system.
Cybersecurity basics 4
System security, roles, and responsibilities
A Threat is something that has the potential to breach security if an entity,

circumstance, capability, action, or event exists which could cause damage. The
common criteria characterize a threat in relation to the following aspects:
● Risk factor
● Suspected method of attack
● Weaknesses which form a basis for the attack
● Attacked system resource
The Impact describes the extent of the damage sustained by the systems in the
event of an IT security incident. In some cases, the extent of the damage can be
assessed based on monetary value, for example, the cost of replacing the devices.
Often, however, "Impact" refers to damage to reputation and other intangible
assets that are difficult to assess.
An Asset is a tangible or intangible item of property, which needs to be protected
by the security policy of an information system, which is to be protected by means
of a countermeasure, or which is required for a system task.
A Risk is an expectation of damage, expressed as probability, where a specific
threat exploits a specific vulnerability, resulting in a specific harmful outcome.
The residual risk is the proportion of an original risk or series of risks that remains
once countermeasures have been applied.
A Countermeasure is implemented to reduce the risk. This can include hardware
or software methods to minimize the probability of an attacker gaining access to
the system. For example, isolating a system from the rest of the system with the
aid of standard passwords.
4.3 System security, roles, and responsibilities

As explained in the Introduction to cybersecurity [➙ 12], every modern building
automation system must have an appropriate degree of IT security. However, it is
not possible to ensure complete security, so there will always be a residual risk.
The costs of a countermeasure should not exceed the potential damage from
which they are to protect. In every case, the system operator must be aware of the
residual risk and decide whether it is acceptable for the company.
It is important to consider the security requirements systematically so that the
effectiveness of the measures is assessed as a whole, and each component is not
treated separately. Most notably, compensatory countermeasures can be used to
alleviate the vulnerabilities of given subsystems so that the total required security
level is achieved.
It is also important that the various parties involved – manufacturers, system
integrators, and system operators – contribute to the system in line with their
specific role.
● The manufacturer is responsible for supplying products that offer the degree
of security specified in their product specification and product documentation.
● The system integrator is responsible for designing and applying the solution
in line with the safety requirements of the system operator and for taking the
intended operating environments of the products being used into account.
● The system operator is responsible for keeping the security measures up to
date during the service life of the solution.
To uphold the level of security of the solution, a framework for a continuous
security program needs to be established. This must regularly assess the target
security level, the risks of the system, the status, and the effectiveness of the
measures applied and implement corrective measures.
The guidelines in this document support a continuous process for achieving IT
security on a system level.
To reduce the risk of vulnerabilities, make sure to secure your system and the
communication network as set out in the following chapters.
5 Cybersecurity throughout the life cycle of the system
Installation and commissioning
5 Cybersecurity throughout the life cycle of

the system
The following sections contain general information on cybersecurity and how a
system can be secured throughout each phase of its life cycle.
For a comprehensive system security checklist with detailed actions, see
Recommended System Hardening [➙ 48].
5.1 Installation and commissioning

During the initial phase of a system's life cycle, the security assessments are key to
ensuring meticulous and early integration.
These ensure that threats, requirements, and potential restrictions regarding
functionality and integration are considered from an early stage. In this initial
phase, security – with the involvement of the information security officer – is
considered from the point of view of business risk.
Planning and awareness enable savings in terms of costs and time to be made as
appropriate risk management planning is implemented.
Security discussions should be held as part of the development project, not as a
separate element, in order to ensure that all employees involved in the project
have a sound understanding of the business decisions and their risk impacts on
the development project as a whole.
For security purposes, important activities to support the installation and
commissioning of a standard system include the following:
● Creating an inventory list for the system.
● Creating a diagram containing an overview of the system.
● Identifying the critical data in the system.
● Determining the protection requirements for the system.
● Following the guidelines for hardening the individual components, if available.
Based on this information, measures to reduce risk can be taken to achieve the
best possible level of security for the system.
5.1.1 Responsibility for IT security
NOTICE
The system operator is responsible for setting up and maintaining an appropriate
level of IT security. The following points and measures are to be considered in
particular:
● Use of virus scanners

● Disabling of unnecessary services and network connections
● Regular application of patches and updates for the operating system and all
installed applications
● Firmware updates
5.1.2 Physical and environmental security

The following restrictions apply to physically protecting Desigo CC against
unauthorized and malicious use:
● The technical room in which the control panel is installed must be locked and
access must be controlled by means of organizational access restrictions.
● Publicly accessible data transmission lines, such as cabling for a fire brigade
key safe, must be protected against unauthorized access.
Cybersecurity throughout the life cycle of the system 5
● Network lines and cabling must be physically protected if one of these

components is in a publicly accessible area.
● The network endpoints must be physically, organizationally, or logically
protected. Only connect approved devices to these interfaces. If no devices are
connected, the interface must be disabled.
● Critical components must not be connected to the network.
● Define and implement processes to grant and revoke physical access.
● Additional controls, such as location protection, additional restrictive access
control for the building and rooms, security personnel, or monitoring, can help
to improve the physical security of the system.
5.1.3 Implementing the required functionality

● Make sure that no unknown hardware is physically connected to the interfaces
of the systems.
● Disable interfaces or interface types that are not being used in the current
setup.
● Make sure that no ports other than those specified in the firewall rules are
open.
● Make sure that no services other than those necessary to ensure complete
system functionality are running during normal system operation.
● Use the Desigo CC management stations in line with intended operation and in
accordance with applicable norms and regulations.
5.1.4 Communication security

Only secured encryption protocols must be used for communication with the
Desigo CC highly protected zone (as defined in System security concept [➙ 20]).
Depending on the application and the way in which multiple management stations
communicate with one another, protecting publicly accessible data transmission
lines may be obligatory.
Only local client communication is permitted for the Desigo CC highly protected
zone. This means that the client is part of the Desigo CC security zone and cannot
be connected to another network zone at the same time.
To further enhance the security situation, the client should only be used in a
controlled environment.
● A corresponding protection component must be set up at the boundary to the
Desigo CC highly protected zone for each connection to external networks or
other systems.
● Local connections to the management stations will require additional protective
measures unless the component with access to the Desigo CC highly protected
zone is single-homed and therefore does not interface with other systems.
● Additional protective measures are required if the component with access to
the Desigo CC highly protected zone is multi-homed.
● Communication between the Desigo CC highly protected zone and other zones
must be restricted to a minimum and pass through a firewall.
5.1.5 Devices with access to the highly protected zone

Comply with the following measures to improve the security of devices with access
to the Desigo CC highly protected zone (see System security concept [➙ 20]):
WARNING! Untrustworthy applications on the service laptop/PC or a mobile
device which have access to the Desigo CC highly protected zone are a risk and
may prevent for instance Desigo CC alarms or faults from being recorded and
processed, causing damages to people and property.
● Operate all corresponding devices such as PCs and Android

smartphones/tablets with a current, continually updated operating system and
active, continually updated antivirus software.
● Operate devices such as routers, hardware firewalls, and other components
used to protect the Desigo CC highly protected zone with current firmware and
ensure that updates and patches are continually installed.
● Replace devices used to protect the Desigo CC highly protected zone if they
have reached the end of their life cycle. See also Disposal / phase-out / EOL
[➙ 18].
● Ensure that components used to protect the Desigo CC highly protected zone
are not publicly accessible.
5.1.6 Guidelines for PCs
NOTICE
Missing updates on the PC operating system
Access to fire detection system data and possible misuse of data when accessing
a fire detection installation
● Maintain and configure your PC in accordance with the guidelines in the
Siemens CERT 'Security Measure Plan for Windows'.
● PCs are only permitted for use if manufacturer support is in place for the
operating system used.
● All the updates and patches provided by the manufacturer must be installed on
the operating system. In addition, a continually updated antivirus software must
be installed.
● Integrity of the installed files must be checked for security assessment and as
an incident-response task.
See Recommended System Hardening [➙ 48].
Please contact your Siemens contact partner if you do not have access to the
web pages at https://www.cert.siemens.com/.
5.1.7 Guidelines for Smartphones
NOTICE
Access to Desigo CC data and possible misuse of data due to unprotected
smartphones or mobile terminals
● Configure your smartphone or mobile terminal according to the guidelines of
the Siemens CERT Security Measure Plan for Android Devices, Apple iOS
and Touchdown.
Guidelines of the Siemens CERT Security Measure Plans for

Android devices, Apple iOS and Touchdown
● The internal encryption function must be activated on your smartphone or
mobile terminal.
● The following requirements must be met regarding the encryption password
used:
– At least eight characters
– At least one upper-case letter
Operation and maintenance
– At least one lower-case letter

– At least one special character or numeral
● Configure the data storage space for your apps so that app data can only be
placed inside the encrypted internal memory of the device or on encrypted
memory cards.
– Check whether the memory cards inside your device can be encrypted.
You will find the Siemens CERT Security Measure Plan for Android Devices, Apple
iOS and Touchdown here: https://www.cert.siemens.com/rules/mobile/.
Please contact your Siemens contact partner if you do not have access to the
web pages at https://www.cert.siemens.com/.
5.1.8 Password guidelines

● In general, preset passwords must be changed during or immediately after
installation.
● A password should be made up of uppercase and lowercase letters, special
characters, and numbers. At least two of these character types must be used.
5.1.9 PIN guidelines

You can log into the system and enable an 'access level' with a Personal
Identification Number (PIN).
● In general, preset PINs need to be changed during or immediately after
installation.
● According to the Siemens IT security requirements, every PIN must contain
eight figures. If this is not possible, the maximum possible length must be used.
● We do not recommend that service technicians create a PIN or change the
number of figures required for a PIN to a smaller number. This must be
documented.
5.2 Operation and maintenance

The system is set up and put into operation in this phase. Expansions and/or
modifications to the system are developed and tested. Hardware and/or software is
added or replaced.
The system is monitored in accordance with the security requirements to ensure
continuous performance. Necessary system modifications are incorporated. The
operating system is regularly assessed to determine how the system can be
designed more effectively, more securely, and more efficiently.
Operation continues for as long as the system can be effectively adapted to the
needs of an organization, while maintaining an agreed risk level.
The most important security activities in this phase are as follows:
● Examining operational readiness
● Managing the system configuration
● Implementing processes and procedures for secured operation
● Continuous monitoring of system security controls
5.2.1 Security of saved data

Generally, data is saved unencrypted in the system, except for passwords, which
are always encrypted.
Confidential customer data may be saved on various devices such as CD/DVD-
ROMs, USB drives, and the service laptop. To protect this confidential data, the
following additional measures must be taken:
Disposal / phase-out / EOL
● Encrypt the confidential customer data saved on the removable media and
treat the encryption password as confidential.
● Store the removable media in a lockable system housing designed for storing
such media.
● Lock the system housing used to store the removable media.
● Encrypt confidential data on the service laptop/PC.
A service laptop/PC that stores confidential customer data is subject to the same
protection requirements as removable media.
● Continually perform maintenance on the service laptop/PC, in accordance with
Guidelines for PCs [➙ 16].
● Maintenance for the service laptop/PC comprises the following aspects:
– Correct configuration
– Hardening
– Maintenance
– Patching
See more information about data encryption techniques and Bit Locker tool in Data
encryption.
5.2.2 Regular patches and updates

The maintenance of IT security is a sustained process for which the corresponding
tasks must be continually repeated. Every specified security measure must
therefore be checked to determine whether it only needs to be implemented once
or whether it needs to be performed at regular intervals, for example, regular
updates to antivirus software.
● Log all maintenance measures implemented.
● Observe the information in the Cybersecurity basics [➙ 12] section.
● Install security updates regularly.
● Run a risk analysis on the security properties of the applied software at regular
intervals.
A comprehensive hardening checklist is presented in Checklist 1: Server
Hardening.
5.2.3 Handling incidents

If a security-related event occurs, please contact your Siemens contact partner
immediately, for example, a field engineer, a sales employee, or contact the
Siemens Computer Emergency Response Team for products – ProductCERT:
Website: https://www.siemens.com/cert/advisories
E-mail: productcert@siemens.com
To ensure that your problem can be resolved quickly, we request that you write
your inquiry to ProductCERT in either English or German.
5.3 Disposal / phase-out / EOL

Disposal – the last phase of the system life cycle – concerns the disposal of the
system and the termination of existing contracts. Questions regarding information
security in the context of the disposal of information and systems should be
addressed explicitly.
If information systems are transferred, become obsolete, or are no longer usable, it
is important to ensure that the resources and assets of the owner are protected.
As a rule, there is no definite end to a system. Systems are normally developed
further on account of changes in requirements and technological improvements, or
they transition to the next generation.
System security plans should be continuously developed as the system is
developed. When the security plan for the subsequent system is developed, most
Disposal / phase-out / EOL
of the environmental, management, and operational information should continue to

be relevant and useful.
The disposal activities ensure that the system is phased out in an orderly manner
and retain the vital information about the system to enable some or all the
information to be reactivated in the future if necessary.
One area of focus is the orderly retention of data to ensure that the data can be
migrated to another system effectively or, in compliance with the applicable
regulations and guidelines for the management of documents, to enable data to be
archived for possible future access.
The most important security activities for this phase are as follows:
● Creating and implementing a transition plan
● Creating and implementing a disposal plan
● Retaining data in an orderly manner
● Archiving critical information
● Deleting media securely
● Disposing of hardware and software
5.3.1 Disposal procedures

As soon as an IT component involved in accessing the Desigo CC highly protected
or private zone is no longer able to be provided with security updates, this IT
component must be replaced.
If this EOL IT component cannot be replaced, Desigo CC must be immediately
disconnected from untrustworthy networks.
As soon as the system operator decides that Desigo CC components are to be
systematically taken out of operation, the data and settings of these components
must be properly destroyed, and the systems reset to the manufacturer's default
settings prior to disposal.
6 System security concept
Definition of security zones

This section discusses the specific Desigo CC security concepts. Make sure to fully
read and understand this information, which is then required to implement the
required hardening measures. See Recommended System Hardening [➙ 48].
6.1 Definition of security zones

For security purposes, Desigo CC can operate based on the following levels of
network zones, with increasing degree of risk:
● Highly protected zone: Zone protected from violations by physical, technical,
and organizational means.
● Insecure private zone: Managed and protected zone that can include office
LAN, home office via VPN, demilitarized zone (DMZ), company VLAN, and
secured WAN.
● Insecure public zone: External, open network, from where Flex clients can
access the system.
The components in the highly protected zones should not be connected to other
networks (for example, intranet or internet), except for the required connections
detailed in this document. Required connections are those to the clients in the
office network and DMZ. The communication across different zones should be
limited to the necessary minimum by means of a firewall.
NOTICE
Insecure Networks
Connections between computers in the highly protected zone and insecure
networks like the Internet or any other networks can compromise the Desigo CC
security.
System security concept 6
Zone boundary protection
6.2 Zone boundary protection

● The Desigo CC highly protected zone and DMZ zone, as defined above, are
security-critical areas that are physically protected (access-controlled rooms,
locked-in racks in server room) and use separated networks that only permit
restricted access to its components.
● A separate VLAN alone does not meet the requirements for zone boundary
protection. A firewall is required too.
● Allowed components in the Desigo CC highly protected zone level are: Desigo
CC stations - servers, clients, and Front-End Processors (FEP) - and printers.
See Intended operating environment and application options [➙ 36].
In case one of the allowed components is remote, a physically protected and
secured communication is also required.
● Allowed components in the DMZ zone are: Desigo CC stations, a separate web
server, and optional computers with OPC Clients.
● The zone boundary protection must be implemented via firewall to limit the
inbound and outbound communication among network zones.
The following architectural drawing shows an example of Desigo CC deployment
including, from top to bottom:
● A private zone comprising an office area with Desigo CC client stations and a
DMZ with the IIS web server.
● A highly protected zone comprising a database server, as well as Desigo CC
server and FEP in a server room, and a client station in a control room.
● A highly protected zone comprising the field devices.
Customer IT Customer IT
Local Office DMZ
Desigo CC Web Server

Clients
HTML5
IIS
Firewall Firewall
Customer IT Desigo CC Desigo CC

Server Backbone Server Backbone Control Room
Desigo CC
Database Desigo CC Desigo CC
Server Desigo CC
Server FEP FEP
+ local Client Client
WinCC OA WinCC OA WinCC OA

HTML5
My SQL
Desigo PX SiPass FS20 System One SPC Cameras VMS
Desigo PX Desigo SiPass FS20 System One SPC Subsystem n Subsystem m
System components
6.3 System components

As illustrated below, the Desigo CC software can be installed on a single server or
broken up in the following main functional blocks:
● Desigo CC server: Monitors and commands the field networks, executes
automatic actions, and interacts with users through clients.
● Database server: Manages the Historical data collected by Desigo CC.
● Notification (MNS): Provides alarm notification.
● Video: Supports CCTV surveillance.
● Web server: Provides web connectivity.
● FEP (Front End Processor): Extends and distributes connectivity to field
networks.
● Installed clients: Provide user access to system functionalities, connecting
directly to the Desigo CC server.
● Windows App and Web clients: Provide web access to Desigo CC from the
highly protected zone through the web server.
● Flex clients: Provide multi-platform, secured web access to Desigo CC from
insecure zones through the web server.
Required Certificates
6.4 Required Certificates

The following table illustrates the public key certificates (or digital certificates) that
are required for Desigo CC client/server solutions.
Additional certificates may be required for specific system architectures.
Feature Enhanced/Extended Key Usage Notes

Key Usage
● Website to host WSI/FlexClient ● Server Authentication Digital signature, Buy one digital
● WinCC OA Service communication (1.3.6.1.5.5.7.3.1) key encipherment certificate per
● Station SNI, Client Identification ● Client Authentication or key agreement Server/FEP or client
(1.3.6.1.5.5.7.3.2) station
● Web Application (Click Once) ● Code Signing Digital signature Buy one digital
(1.3.6.1.5.5.7.3.3) certificate per Click
Once client station
6.5 Least functionality implementation

The principle of least functionality recommends that systems should be configured
to provide only essential capabilities and to prohibit or restrict the use of non-
essential functions, such as ports, protocols, applications, and/or services that are
not required for the systems to operate as planned.
To implement this principle in Desigo CC, apply the following measures:
● Protect access to computer BIOS with an administrator password. Make sure
to set a safe boot process.
● Before installing Desigo CC, remove any unnecessary application programs
from Windows, and disable any Windows services that is not explicitly required,
for example Print Spooler (if you do not have a printer), Remote Desktop
Services (if not used), and more as necessary.
● Limit the number of Administrators. If you need to create multiple Administrator
roles, you can restrict their access by creating Administrator roles that can
manage only select parts of the system, such as certain devices or functions.
● In the Desigo CC installation, only select the required options and extension
modules. See the
● In SMC, configure the Desigo CC project with only the necessary options and
extension modules.
● In the Desigo CC security configuration, prohibit or restrict access to parts of
the installation (Scope Rights), Applications (Application Rights) and Event
categories (Event Rights) as necessary.
● In the firewall, prohibit the use of ports that are not required. See Firewall rules
and system services [➙ 25].
● Check user roles and privileges for Desigo CC databases. See History
database (HDB) users and roles [➙ 29] and, if necessary, Notification (MNS)
database roles and backup folder [➙ 31].
● Regularly assess and review roles and responsibilities for Windows and Desigo
CC users.
Least functionality implementation
6.5.1 Main Server Folder Shares for Client and FEP

Installations
When installing additional installed clients, FEPs or a remote web server, the
project directory is no longer shared, with the only exception of the individual
folders that need to be accessed remotely. Access to the shares typically is
configured using SMC (the engineer only needs to assign the user
accounts/groups; SMC takes care of setting the access rights).
The local client and the web server on the Desigo CC server do not need file
sharing; only access rights to the folders in the project directory must be
configured.
Below you can find a description of what can be actually configured.
NOTICE
Avoid Exposed Network Shares
Since exposed network shares could be used to illicitly discover unrestricted
information from the network, avoid unrestricted use as much as possible.
For example, only enable users and computers that need access.
In Desigo CC, shares are only needed for installed clients and the web server
(unless they are on the same machine), not for the Windows App and web clients.
Since these should be reached via dedicated server or control room network,
never expose the shares to the office network or customer intranet (direct or
through VPN) and never expose shares to the Internet.
For more information, see Setting Up the Project in the Desigo CC online help.
Please take note the following terms:
● Windows client account
Refers to the user logged on to Microsoft Windows on the client machine; this
Windows user can be different from the user logged on to Desigo CC.
● Web server account
Refers to the account configured in the Desigo CC web server installation.
The following subdirectories of the [project] directory are accessed by the client
installation (installed client or FEP) and the web server.
● Documents
Provide read access on all files and subfolders to the web server account and
all Windows client accounts.
● Devices, Graphics, Libraries, and Profiles
Provide read/write access on all files and subfolders (including the permission
to delete them, but not the root folder itself) to the web server account and all
Windows client accounts.
– Graphics
Access may be Unrestricted to read-only for Windows client accounts that
only display but do not configure graphics.
– Libraries
Access may be Unrestricted to read-only for Windows client accounts that
run Desigo CC in Operation mode only.
– Profile
Provide read access to all Windows client accounts, read/write access to
the web server account.
● Shared
Provide read access on all files and subfolders to the web server account and
all Windows client accounts.
● All other folders
Provide read/write access to the [System Account] only ([System Account] is
configured in SMC).
Do not provide access on these folders to any other account.
Firewall rules and system services
6.6 Firewall rules and system services

The firewall rules table shows a list of required ports and services needed to allow
the communication between different network zones of a protected system
configuration. In general, all the protective controls for data connections/network
traffic at zone boundaries must be configured as follows:
● Deny by default.
● Allow only ports/services that are required to operate Desigo CC.
The following list exemplifies the allowed ports/services for a typical system
configuration. Depending on system configuration on site, divergent set of rules
may result.
Ideally, an advanced Firewall should:
● Identify and control applications on any port
● Identify and control anomalous behavior
● Encrypt outbound SSL/TLS and control SSH. See the description of the
certificate use in the sections that follow.
● Provide application function control
● Systematically manage unknown traffic
● Scan for viruses and malware in all applications, on all ports
● Enable the same application visibility and control for all users and devices
● Make network security simpler, not more complex, with the addition of
application control
Firewall Settings
When using Desigo CC with a firewall, the execution of processes that open ports
for the communication are Unrestricted by the firewall.
You must add the following ports as exceptions to the firewall if you are installing
Desigo CC on a server. Configuring your firewall settings allows the access
between the server and all its client stations, and between the server and field
panels.
The table below lists the TCP and UDP ports you should add to the server firewall
and any network firewalls between the server and clients, and between the server
and field panels.
NOTICE
Do not open a port for a program you do not recognize. The following table lists
all the ports required for safe operation of the system. Ports that are not required
for system operation must be closed to avoid any security risks.
Server Communication
Port usage across machine boundaries for client-server and server-server
communication
Core Services on Main Server
The port must be configured in the firewall of the main server for inbound
communication if the host is protected by a firewall.
Deployment Variants: Remote IIS and Remote SQL Server
Optional Services on the Main Server
Notes
Directories of the host processes:
1) Located in C:/Siemens/WinCC_OA/3.17/bin/
2) Located in [Installation Directory]/GMSMainProject/bin/
Variable ports:
3) The port of an SQL server named instance is by default variable. See the SQL server
documentation on how to configure a fixed port for a named instance.
Consumer:
5) Desigo CC System Management Console (SMC)
6) Executables on the client installation
[Installation Directory]/GMSMainProject/bin/Siemens.Gms.ApplicationFramework.exe
C:/Siemens/WinCC_OA/3.17/bin/WCCOActrl.exe
7) Executables on the client installation
8) Executables on the FEP installation opening outbound connections
C:/Siemens/WinCC_OA/3.17/bin/WCCOActrl.exe
Additional executables on the FEP depend on the driver type. For example,
BACnet: [Installation Directory]/GMSMainProject/bin/WCCOAGmsBACnet.exe
SNMP: C:/Siemens/WinCC_OA/3.17/bin/WCCOAsnmp.exe
9) Microsoft Internet Information Services (IIS)
10) [Installation Directory]/GMSMainProject/bin/WCCOAHDBReader.exe
[Installation Directory]/GMSMainProject/bin/WCCOAHDBWriter.exe
[Installation Directory]/GMSMainProject/bin/WCCOAReportMan.exe
11) [Installation Directory]/GMSMainProject/bin/WCCOACoHoMngr.exe
12) C:/Siemens/WinCC_OA/3.17/bin/WCCILdist.exe
Subsystem connectivity
Outbound connections (ports used by the host to connect to automation systems)
Notes
1) File located in C:/Siemens/WinCC_OA/3.17/bin/

A Modbus subsystem uses the underlying Modbus Driver from WinCC OA. It uses Modbus
protocol over TCP. During import, the field engineer must specify the IP Address and the port
number for communicating with the device. If the port number field is left empty, then the
Modbus Importer applies the default value: 502. However, after the import, the user can modify
both IP address and port number from the Desigo CC client.
2) File located in [Installation Directory]/GMSMainProject/bin/
3) The default port for the first BACnet driver is UDP: 47808. The port can be changed. Every
additional driver needs another UDP port.
4) The default port for the first SNMP network is UDP: 161. The port can be changed. Every
additional network needs another UDP port.
5) File located in C:/Program Files/Siemens/Video API/Service/
Notification
Outbound connections (ports used by the host to connect to remote notification
systems)
History database (HDB) users and roles
6.7 History database (HDB) users and roles

Users for History Database
The following users are configured for the HDB:
User Account Description

HDB owner <user Desigo CC SMC user who requires HDB owner rights for
defined> database configuration operations. Change it as desired
by stopping and editing database from SMC.
NOTE: The HDB owner must be different from the HDB
user and the HDB service user.
HDB user System Desigo CC project user who requires HDB user rights for
read and write operations. Change it as desired in
System > System Account Settings from SMC.
HDB HDB Desigo CC service user who requires HDB service user
service service rights for maintenance operations. Change it as desired
user in System > HDB Service Account Settings from
SMC.
Required user rights for History Database

HDB rights / user SQL HDB HDB HDB
system owner user service
administra user
tor
Create, restore, or upgrade History X
Database
Edit HDB owner or HDB user or HDB X
service user
Drop History Database X
Resolve unmounted archive X
Receive the History Database X X
information
Edit History Database size, recovery X X
model, administration model, backup
file, recovery log path and Long
Term Storage configuration
Start or stop automatic maintenance, X X
statistics
Delete or purge the History X X
Database
Run history backup X X X
Read and write to History Database X
Automatic maintenance X
History database (HDB) users and roles
Desigo CC-configured roles for History Database

Role Description
HdbUserRole Detailed privileges for read and write
operations are granted at a database level
on a least privilege/need-to-know basis.
HdbServiceUserRole Detailed privileges for maintenance
operations are granted at a database level
on a least privilege/need-to-know basis.
Role/privilege mapping in History Database

User Database user Database Role/privilege
HDB owner dbo HDB db_owner
HDB user HdbUser HDB HdbUserRole
HDB service HdbServiceUs HDB HdbServiceUserRole
user er
guest guest HDB CONNECT revoked
HDB cert user HdbCertUser HDB db_owner
HDB cert user n/a master CREATE ANY DATABASE
granted
VIEW SERVER STATE granted
HDB owner HdbDbo HDB archive db_owner
HDB user HdbUser HDB archive HdbUserRole
HDB service dbo HDB archive db_owner
user
guest guest HDB archive CONNECT revoked
Notification (MNS) database roles and backup folder
6.8 Notification (MNS) database roles and backup

folder
Notification DB roles
The same roles as defined for system HDB (see History database (HDB) users and
roles [➙ 29]) also need to be configured for Notification DB.
Notification DB shared folder user rights

When creating a Desigo CC backup, the Notification DB required to run Notification
is also backed up. During this backup, the SQL Server creates a shared folder
where the configured Notification DB backup folder is then stored.
Especially in case of a remote SQL Server, make sure that the System Account
user (PMON user) and the SQL Server Logon user both have write-permission
access to the shared folder, or else the backup will fail.
Database service user

The Database service user performs the database maintenance activities such as
database purge, database backup and database index refreshing.
During the purge operation, to free up disk space, the Database service user also
deletes the media folders (Audio and Video files) of the closed incidents. The
Windows user configured as Database service user must have the following file
and folder permissions:
● Modify permission on the MNS folder located at [installation
drive:]\[installationfolder]\[project].
● Write permission on the MNS_DbMaintenanceService.log file located at
[installation drive:]\[installationfolder]\GMSMainProject\Log.
IEC62443 Security Level 2 (SL2) 7
Introduction to IEC62443 SL2 standard
7 IEC62443 Security Level 2 (SL2)

This section discusses the IEC62443 standards, which defines a set of
cybersecurity standards that covers the entire life cycle of a product, see
Cybersecurity throughout the life cycle of the system [➙ 14]. For the roles involved,
see System security, roles, and responsibilities [➙ 13].
As a product, Desigo CC supports IEC 62443 Security Level 2 (SL2) (IEC62443-3-
3 SL2 and/or IEC62443-4-2 SL2). The following subsections present the technical
and managerial aspects related to the integration and operation of Desigo CC for
an SL2 secured solution.
7.1 Introduction to IEC62443 SL2 standard

IEC 62443 is a set of standards for the security of industrial automation and control
systems (IACS). It provides a comprehensive set of cybersecurity
recommendations for developing, maintaining and retiring hardware, software and
firmware of IACS.
A key part of the standards is about security levels (SL). SL is used to assess the
cybersecurity risks to each system and understand how to best address such risks.
There are five Security Levels, from 0 to 4. SL0 is the minimum level of risk and
SL4 is the maximum.
While SL0 and SL1 provide no requirements or requirements for casual or
coincidental violations, SL2 is specifically about protections against intentional
violators with generic skills. Such protections force potential attackers to invest a
disproportionate amount of time and/or resources.
SL3 and SL4 deal with higher-risk requirements against intentional violations and
attacks with increasingly sophisticated capabilities and technical means.
7 IEC62443 Security Level 2 (SL2)
System components and network separation in SL2 deployments
7.2 System components and network separation in

SL2 deployments
As discussed in Definition of security zones [➙ 20], the system security depends
largely on the network security, which requires separation of networks and the
management of multiple interconnected zones. The following tables lists the
Desigo CC components [➙ 22] and the network security zones where they can be
deployed for SL2.
Component SL2 allowed zones Notes

Desigo CC server Highly protected zone
Desigo CC FEP Highly protected zone
Desigo CC installed Highly protected zone
client
Desigo CC Flex client Highly protected zone
Insecure private zone
Insecure public zone
Desigo CC Windows Highly protected zone
app client
Desigo CC Web client Highly protected zone
(IE)
Desigo CC field Highly protected zone
network
SQL server Highly protected zone If separated from Desigo CC
server
Notification server Highly protected zone If separated from Desigo CC
server
Video server Highly protected zone If separated from Desigo CC
server
IIS server Highly protected zone If separated from Desigo CC
Insecure private zone server
SORIS adapter Highly protected zone If separated from Desigo CC
server
Table 1: System components in network zones
7.3 IEC 62443 SL2 general requirements

The SL2 requirement list for Desigo CC includes the physical, administrative and
technical measures summarized in the list here below. See the IEC 62443
standard to understand the full content of the requirements.
This general list must be integrated with additional technical requirements that
depend on the specific Desigo CC architectures. See the additional SL2
requirement subsections in Intended operating environment and application
options [➙ 36].
Physical and environmental measures

● Install system computers in locked data centers or 24/7-supervised rooms.
Only Flex clients, if used, can operate in public insecure area.
● Data centers and rooms must be equipped with access control supporting
individual identification and authorization. Define and implement processes to
grant and revoke physical access.
IEC62443 Security Level 2 (SL2) 7
IEC 62443 SL2 general requirements
● Supervise software and hardware maintenance tasks on system computers.

● Implement network separation as required by the Desigo CC architecture of
your system. See Zone boundary protection [➙ 21]
Administrative measures
● Restrict access to server computers to authorized users and logged.
● Restrict access to Installed Client, Windows App Client and IE Web Client to
authorized users.
● Require Windows authentication to gain access to the system.
● Establish a 24/7 hardware and software supervision to detect misuse,
alterations, and data corruption.
● Restrict user permissions according to the Least Privilege concept.
Technical measures
● Apply the IEC62443-4-2 SL2 computer hardening requirements, which include:
- Windows and Desigo CC system hardening, to reduce the vulnerability of the
solution.
- Network security, to support and manage the required separation.
- User security, to manage user accounts and system access.
- Application security, to control and monitor software applications and
services.
- Security information and event management, to monitor the integrity of the
system.
- Patch management, to support validation and prompt installation of security
updates.
- Backup and restore, to support backup and restore of the solution.
See Recommended System Hardening [➙ 48] for useful information.
System-specific measures
● Bind IP socket to receive data sent to the local address only.
● Use a separate NIC for each dedicated field network connection.
● Make sure to install all SL2-compliant Desigo CC EMs. Some application-
specific EMs may not be compliant.
8 Intended operating environment and application options
Single station in highly protected zone
8 Intended operating environment and

application options
This section illustrates examples of typical Desigo CC architecture solutions and
discusses the cybersecurity issues to be considered for each of them.
8.1 Single station in highly protected zone

Intended use case
This is the configuration choice in all cases where only one client is required, and
system size is limited. It is also named stand-alone configuration. The Desigo
CC server, database service and one installed client are deployed on the same
hardware platform, which can be physical or virtual. The field networks are
connected directly to the Desigo CC station.
Single-station configuration
This scenario includes the following features:
● Client and Server are hosted on the same machine.
● Operators have access to the server computer.
● Local configuration and administration
● Microsoft SQL Server installed locally
● Engineering, administration, and system maintenance / service are executed
on the same machine with high privilege account.
● Machine is only connected to dedicated field system networks.
● No IT firewall is required in between Desigo CC components.
● IPv4
Security
● Simple setup (certificate configuration not required).
● Effort for security configuration is low.
● A single-station system is secured from outside attacks. However, installation
guidelines for closing outside communication by firewall settings, virus scanner,
and backup must be followed to secure the system.
Technical reference
● In the Desigo CC online help, in System Deployments, see Stand-Alone
System.
Intended operating environment and application options 8
Single station in highly protected zone
Deployment diagram
Highly protected
Desigo CC zone
Server Backbone
Protected Server Hardware
Desigo CC Client /
Desigo CC Server
BIRT
MySQL
WinCC OA
Firewall
8.1.1 SL2 requirements for single station deployment

General measures
● Apply the general SL2 measures (IEC 62443 SL2 general requirements
[➙ 34]).
Specific technical measures

● Make sure not to allow any communication from the station except to
subsystems.
Limitations
● All users are fully trusted (no privilege restrictions), therefore operators have
de-facto high-privilege access.
● No customer network and Intranet/Internet access.
Client/server with local intranet web server
8.2 Client/server with local intranet web server

Intended Use Case
This is the configuration choice for cases where multiple clients are required,
connected through a dedicated or shared local area network (LAN), or via a mobile
WLAN connection.
External web connectivity is not required. The web server is restricted to the
customer network (not reachable from the internet). If necessary, networked FEP
stations may be deployed to provide additional connection capability.
Communication between the key components can be secured by standard IT
security mechanisms like authentication certificates.
Client/server local configuration

This scenario includes the following features:
● The Desigo CC server, database service and the first installed client are
deployed on the same hardware platform, which can be physical or virtual. If
required, a local web server can also be installed on the same platform.
● Field networks are connected directly to the Desigo CC server.
● FEP can be used to better balance the communication load or to better adapt
to the distribution of the field systems. A typical case for FEP usage would be a
system with multiple remote sites and one central control location.
● Operators do not have access to the server.
● Computers are connected via dedicated or shared (customer) networks.
● Installed clients are connected to the server by system LAN.
● The size of the field system and the number of clients that can be supported by
this configuration depend on the server hardware configuration.
● The communication between clients and the server must be secured using
certificates. This might be simplified on dedicated and protected networks, such
as within a control room.
Server station
A dedicated workstation with the following features:
● Desigo CC server
● Own administration
● Microsoft SQL Server installed Microsoft SQL Server
● Own network segment
● IPv4/IPv6
● IIS Web server without Internet access
● IT firewalls must allow communication between server and client
Client station
A dedicated workstation with the following features:
● Desigo CC client/FEP
● Own administration
Client/server with local intranet web server
● IPv4/IPv6
● Internal firewalls
Technical reference
● In the Desigo CC online help, in System Deployments, see Client/Server.
For web configuration, in Project Setup, see Websites and Web
Applications.
Deployment diagram
Customer IT
Local Office
Desigo CC
Client
HTML5
Desigo CC
Customer IT Server Backbone Desigo CC
Desigo CC Client
Server Backbone Control Room
Desigo CC WSI
Desigo CC FEP Desigo CC Server Desigo CC FEP
IIS Web Server
Desigo CC
Client
HTML5
MySQL
Desigo PX SiPass FS20 System One OPC Cameras VMS
8.2.1 SL2 requirements for local client/server deployment

General measures
[➙ 34]).

● Allow communication outside highly protected zone only via IIS.
● Use a separate WSI for each network or use case.
● Use encrypted server/client communication.
● Use CA certificates.
Client/server with remote intranet web server
8.3 Client/server with remote intranet web server

Intended Use Case
This section describes a Desigo CC client/server deployment scenario with the
web server (IIS) installed on a separate computer.
Client/server configuration with remote intranet web server

Compared to the Client/server with local intranet web server [➙ 38], this scenario
includes the following additional features:
● Outside the highly protected zone, a separate computer runs the web server
(IIS) for websites and web applications, without Internet access.
NOTE: To simplify the website configuration using SMC, we recommend that
you also install the Desigo CC client (or FEP) component on this machine.
● The web application user on the remote web server has access rights on the
shared project folder on the server.
Technical reference
● In the Desigo CC online help, in System Deployments, see Client/Server.
Applications.
Client/server with remote intranet web server
Deployment diagram
Customer IT Customer IT Customer IT
Intranet Desigo-CC Branch office Desigo-CC Home office Desigo-CC
Client Client Client
HTML5 HTML5 HTML5
Firewall
Local Office Local Office
Web server
Desigo-CC
Client
HTML5
IIS
Desigo CC
Customer IT Server Backbone Desigo-CC
Desigo CC
Desigo CC Desigo CC
Server
FEP FEP
+ local Client
Desigo-CC Client
HTML5
MySQL
8.3.1 SL2 requirements for client/server deployment with

remote intranet web server
General measures
[➙ 34]).

● Install IIS in a DMZ.
● Apply a company-level VPN/Terminal.
Client/server with remote internet access using FlexClient
8.4 Client/server with remote internet access using

FlexClient
Intended Use Case
This is the configuration choice for the cases where multiple installed clients,
connected through a dedicated or shared LAN, are required. Web connectivity is
also required to allow remote access through a Desigo CC Flex client or provide
remote connectivity to an external application through the web services.
The Desigo CC server, history database service, web server and the first installed
client are deployed on the same hardware platform, which can be physical or
virtual.

Compared to the Client/server with remote intranet web server [➙ 40], this
scenario includes the following additional features:
● The separate web server (IIS) handles internet connections.
Technical reference
● In the Desigo CC online help, in System Deployments, see Server and a
Remote Web Server (IIS).
Applications.
Client/server with remote internet access using FlexClient
Deployment diagram
WWW
Branch office Desigo-CC Home office Desigo-CC
Client Client
Desigo-CC
Client
HTML5 HTML5
HTML5
Firewall
Local Office DMZ
Web server
Desigo-CC
Client
HTML5
IIS
Desigo CC
Customer IT Server Backbone Desigo-CC
Desigo CC
Desigo CC Desigo CC
Server
FEP FEP
+ local Client
Desigo-CC Client
HTML5
MySQL
8.4.1 SL2 requirements for client/server deployment with

remote internet access using FlexClient
General measures
[➙ 34]).

● Internet access from Flex clients only.
● Install IIS in a DMZ.
● Apply a company-level VPN/Terminal.
Client/server in distributed solutions
8.5 Client/server in distributed solutions

Intended Use Case
This is the configuration choice for cases where system size or specific customer
indications require the deployment of key Desigo CC components on different
hardware platforms, which can be physical or virtual.
Communication between the key components is required to be secured by
standard IT security mechanisms like certificates.

Compared to the Client/server with remote internet access using FlexClient [➙ 42],
this scenario includes the following additional features:
● Multiple interconnected Desigo CC servers.
Technical reference
● In the Desigo CC online help, see Distributed Systems.
Deployment diagram
WWW
Branch office Desigo CC Home office Desigo CC
Desigo CC Client Client
Client
HTML5 HTML5
HTML5
Firewall
Local Office DMZ
Web server
Desigo CC
Client
HTML5
IIS
Desigo CC Desigo CC
Customer IT Server Backbone 1 Server Backbone 2 Desigo CC
Desigo CC Client / Desigo CC Client /
Desigo CC Server Desigo CC WSI / Desigo CC FEP Desigo CC Server Desigo CC WSI / Desigo CC FEP
Desigo CC Server Desigo CC Server Desigo CC
Client
WinCC OA WinCC OA WinCC OA WinCC OA WinCC OA WinCC OA
HTML5
MySQL
8.5.1 Distributed system configurations

The distributed system configuration allows interconnecting several projects that
run independently, either on one or several physical machines. The interconnection
of the projects allows transparent engineering and operation through them seeing
them as one and only one system. The distributed system configurations extend
the support of very large systems even further, increase robustness eliminating
single point of failures and allow geographical or discipline segregation.
As illustrated below, three types of distributed deployments are supported:
● Fully meshed: Each server is logically connected to all others. Clients can see
all objects in all servers. Servers can be geographically distributed. Virtual
servers are also supported.
● Segmented: A fully meshed configuration where all systems run on the same
server. Allows building larger systems on one single server.
● Hierarchical: Front servers are logically connected to one head server. Clients
connected to the head server can see all objects; clients connected to front
servers can only see local objects. For campus or inherently hierarchical
applications.
Fig. 1: Distributed System Configurations
Virtual environment
8.6 Virtual environment

Desigo CC supports several server virtualization environments and their
redundancy options, including transparent network virtualization.
The following key components can be virtualized:
● Desigo CC Server
● Video Management Service
● Microsoft SQL Server
● Microsoft IIS Server
● Desigo CC FEP
Virtualization of clients is not recommended. Depending on the virtualization
software, performance issues (such as, display of multiple video streams or graphic
display) may occur.
Terminal Server applications, Desktop-, Service-, and Application Virtualization are
not supported.
Technical reference
● In the Desigo CC online help, see Virtualization and VM Software.
9 Recommended System Hardening
Hardening Windows server

In this section you can find the recommended checklists to perform security
controls on the Desigo CC system components.
The checklists must be completed for each instance of any component.
9.1 Hardening Windows server

Windows server hardening checklist
Controls Status
Implement physical and environmental security measures
Separate networks
Apply protective firewall rules
Secure client/server communication with encryption
Secure communication to remote Desigo CC (if applicable)
Perform user management
Configure Windows features and roles
Manage software updates
Secure Remote Access
Configure Windows services
Apply Windows User Account Control (UAC)
Use Windows logging and monitoring
Secure Internet browsers
Mitigate Windows SMBv1 remote code execution vulnerabilities
Implement physical and environmental measures

We recommend installing the system computers in a protected environment, and
control and supervise the access to both hardware and software. See IEC 62443
SL2 general requirements [➙ 34].
Separate networks
Depending on the architecture of your Desigo CC solution, the zone boundary
protection must be implemented via firewall to limit the inbound and outbound
communication among network zones. See Zone boundary protection [➙ 21].
Apply protective firewall rules

If for example, you are building a web server, you only want web ports 80 and 443
open to that server from the Internet. If anonymous internet clients can talk to the
server on other ports, that opens a huge and unnecessary security risk. If the
server has other functions such as remote desktop (RDP) for management, they
should only be available over a VPN connection, ensuring that unauthorized
people cannot exploit the port at will from the net.
The Windows firewall is a built-in software firewall that allows configuration of port-
based traffic from within the OS. On a standalone server, or any server without a
hardware firewall in front of it, the Windows firewall will provide some protection
against network-based attacks by limiting the attack surface to the allowed ports.
That said, a hardware firewall is always a better choice because it offloads the
Recommended System Hardening 9
traffic to another device and offers more options on handling that traffic, leaving the
server to perform its main duty. Whichever method you use, the key point is to
restrict traffic to only necessary pathways.
See Hardening firewall [➙ 53].
Secure client/server communication with encryption

Secure communication to remote server
For backward compatibility reasons, Windows 10 is currently delivered with weak
protocols and cipher suites for the Secure Channel (also known as Schannel). For
example, Schannel is used by Microsoft IIS for providing secured Hypertext
Transfer Protocol (HTTPS) communication and WCF based web services.
For secured communication, make sure to disable SSL v2.0 and SSL v3.0
protocols as well as cipher suites using MD5 hashes, RC4 algorithm, 3DES
algorithm, or Diffie-Hellman Key Exchange from the Desigo CC server.
For both client and server components, replace TLS V1.0 and V1.1 with newer
V1.2 or V1.3.
To do that, the following registry file are provided in the folder AdditionalSW / IT
Security of the distribution set.
- Desigo CC server: IIS+Server_Hardening(Schannel).reg
- Desigo CC Windows 10 client: TLS_1.2_Win10_IE_Client.reg
See the corresponding Readme.txt file for detailed instructions.
Optional: Disable TLS 1.0 and TLS 1
When TLS 1.2 is enabled and no other software uses TLS 1.0 and TLS 1.1, you
can disable TLS 1.0 and TLS 1.1 on the server. Use the following registry
commands:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityP
roviders\SCHANNEL\Protocols\TLS 1.0\Server
Enabled (type = DWORD, Value = 0 hexadecimal)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityP
roviders\SCHANNEL\Protocols\TLS 1.1\Server
Enabled (type = DWORD, Value = 0 hexadecimal)
Perform user management

User access rights in Desigo CC are determined by four main factors:
● The system must know the user (authentication)
● The user must be assigned a user group
● The user group has the appropriate application rights
● The user group must have the appropriate scope rights
If all of these conditions are met, the user can log on to Desigo CC and read/write
objects and execute tasks, depending on the assigned rights.
For detailed information on how to configure user authorization (users, user
groups, application rights, scope rights), see sections User and User Group
Administration and Scopes in the Desigo CC online help.
User authentication
Desigo CC users can be configured to use local passwords or to use Windows
authentication (for example, Active Directory): use Windows authentication
wherever possible to enhance security, control, and management of passwords.
Configuration guidelines for Windows users
● Use nominative accounts (do not use generic -group accounts- that are used
by multiple persons).
● Rename the default administrator account.
● Disable the local administrator whenever possible. Consider using a non-
administrator account to handle your business, requesting elevation with Run
As and entering the administrator password when prompted.
● Verify that the local guest account is disabled where applicable. None of the
built-in accounts is secure.
● Use a password policy to make sure accounts cannot be compromised. If your
server is a member of AD, the password policy is set at the domain level in the
Default Domain Policy. Stand-alone servers can be set in the local policy
editor. Either way, a good password policy will at least establish:
- Complexity and length requirements. We recommend 15 or at least 12
characters, including upper case, lower case, special characters, and numbers.
- Password expiration, to enforce periodic password change.
- Password history, to prevent reusing the same password.
- Account lockout after a number of failed login attempts.
● If accounts are created by default or from a template, use different passwords
for each installation.
● Do not use the same password for the default administrator account and the
service account.
● Make sure there is a process in place to disable and then remove (above
desired logs' retention time) old/unused user accounts.
● Auto-logon features skip the identification of a user and should therefore only
be used either in controlled environments, where the effective user can be
determined differently, or for users that are only authorized to see non-
unrestricted data.
Support of Open ID using 0Auth2.0 Authorization Code Flow
● In current release, Desigo CC supports Auth0 as identity provider. It supports
OpenID with OAuth 2.0 Protocol using Authorization Code Flow.
● Note that, in the implementation of OpenID, Desigo CC does not use the State
parameter, that is an opaque value to maintain state between the client request
and the server callback. Typically, this is implemented with a session cookie in
the browser and can mitigate the so-called Cross-Site Request Forgery (CSRF
or XSRF) attacks. In Desigo CC, we do not see CSRF risks because of the
State parameter, as we apply the Authorization Code Flow (see also RCF 6749
OAuth2.0). The user’s access token from the Authorization server is validated
by Desigo CC before creating a session on the server. If user details do not
match, then the session is not created.
Configure Windows features and roles

Microsoft uses roles and features to manage OS packages. Roles are basically a
collection of features designed for a specific purpose, so they can be used if the
server fits one, and then the features can be customized from there. Two equally
important things to do are:
1. Make sure everything you need is installed. This might be a .NET framework
version or IIS, but without the right pieces, your applications will not work.
2. Uninstall anything you do not need. Extraneous packages unnecessarily
extend the attack surface of the server and should be removed whenever
possible.
This is equally true for default applications installed on the server that will not be
used. Servers should be designed with necessity in mind and stripped lean to
make the necessary parts function as smoothly and quickly as possible.
Manage software updates

The best way to keep your server secured is to keep it up to date. This does not
necessarily mean applying updates as soon as they are released with little to no
testing, but simply having a process to ensure updates is applied within a
reasonable window. Most exploited vulnerabilities are over a year old, though
critical updates should be applied as soon as possible in testing and then in
production, if there are no problems.
All components (such as virtualization software, operating systems or anti-malware
software) should always be running with the latest security patches. It is not within
the control of Siemens to provide patches for components that are operated with
Desigo CC but do not originate from Siemens, such as client operating systems.
● Use a proper discovery service
The only way to know if a breach or vulnerability exists is to employ broad
discovery capabilities. A proper discovery service entails a combination of active
and passive discovery features and the ability to identify physical, virtual, and on
and off premise systems that access your network. Developing this current
inventory of production systems, including everything from IP addresses, OS types
and versions and physical locations, helps keep your patch management efforts up
to date. It is therefore important to inventory your network on a regular basis.
● Perform application patching
Many limitations of OS platform support and discovery services lie in accounting for
only applications from a specific OS and ignoring third-party software. Much of
Windows software vulnerabilities come from non-Microsoft applications running on
Windows, which means you not only need comprehensive OS coverage, but also
comprehensive application coverage.
● Apply coverage on and off premise
Patching your OS and applications will be meaningless, however, if not done for
every computer in every location. Users can work remotely without ever touching
the network, but the network must secure these users as if they were on premise.
Patch management systems and other security controls should provide the same
level of coverage and control off premise as they do on premise.
● Patch frequently
As more end user systems can leave the network, patching frequency becomes
more important. You may be following the patching patterns of prominent tech
influencers, but they could be wrong for you. Microsoft may keep to a predictable
security patch release cycle, but most other vendors have unpredictable release
schedules.
NOTICE
End of Life IT Components
IT components must be replaced as soon they pass their End of Life.
● Use a test system when updating third-party components

Siemens cannot guarantee that updating of third-party components can be used
without consequences on the operation of the overall system. Depending on the
criticality of the system, we recommend establishing a release process.
Secure remote access

Use RDP via VPN. Leaving it open to the Internet offers potential hackers another
inroad into your server.
Make sure RDP is only accessible by authorized users. By default, all
administrators can use RDP once it is enabled on the server. Additional people can
join the Remote Desktop Users group for access without becoming administrators.
In addition to RDP, various other remote access mechanisms such as PowerShell
and SSH should be carefully locked down if used and made accessible only within
a VPN environment.
Use protocols that utilize suitable authentication and encryption. Unencrypted
management protocols such as Telnet, TFTP, FTP, SNMP prior to version 3, and
HTTP should not be used. Using HTTPS, SFTP or SSH for management is highly
recommended, preferably configured to use strong ciphers.
Configure Windows services

Windows server has a set of default services that start automatically and run in the
background. Many of these are required for the OS to function, but some are not
and should be disabled, if not in use. Following the same logic as the firewall, we
want to minimize the attack surface of the server by disabling everything other than
primary functionality.
Important services should be set to start automatically so that the server can
recover without human interaction after failure. For more complex applications,
take advantage of the Automatic (Delayed Start) option to give other services a
chance to get going before launching intensive application services. You can also
set up service dependencies in which a service will wait for another service or a set
of services to successfully start before starting. Dependencies also allow you to
stop and start an entire chain at once, which can be helpful when timing is
important.
Apply Windows User Account Control

Microsoft provides best practices analyzers based on role and server version that
can help you further harden your systems by scanning and making
recommendations.
Although User Account Control (UAC) can be annoying, it serves the important
purpose of abstracting executables from the security context of the logged-on user.
This means that even when you are logged on as an admin, UAC will prevent
applications from running as you without your consent. This prevents malware from
running in the background and malicious websites from launching installers or
other code. Leave UAC on whenever possible.
Use Windows logging and monitoring

Make sure that your logs and monitoring are configured, and capturing the data
you want so that, in the event of a problem, you can quickly find what you need
and remedy the issue. Logging works differently depending on whether your server
is part of a domain. Domain logons are processed by domain controllers, and as
such, they have the audit logs for that activity, not the local system. Stand-alone
servers will have security audits available and can be configured to show passes
and/or failures.
Check the maximum size of your logs and scope them to an appropriate size. Log
defaults are almost always far too small to monitor complex production
applications. As such, disk space should be allocated during server builds for
logging, especially for applications like Microsoft Exchange. Logs should be
backed up according to your organization’s retention policies and then cleared to
make room for more current events.
Secure Internet browsers

When using any web browser to run a Desigo CC client, make sure to disable the
saving function for credentials in the web browser settings.
Mitigate Windows SMBv1 remote code execution vulnerabilities

Remote code execution vulnerabilities exist in the way that the Microsoft Server
Message Block 1.0 (SMBv1) server handles certain requests. An attacker who
successfully exploited the vulnerabilities could gain the ability to execute code on
the target server.
To exploit the vulnerability, in most situations, an unauthenticated attacker could
send a specially crafted packet to a targeted SMBv1 server.
The EternalBlue exploit targets a vulnerability (addressed in Microsoft Security
Bulletin MS17-010) in the SMBv1 protocol, through port 445. During an attack,
black hats scan the internet for exposed SMB ports, and if found, launch the exploit
Hardening firewall
code. If the target is vulnerable, the attacker will then run a payload of the
attacker’s choice on the target. This was the mechanism behind the effective
distribution of WannaCryptor.D ransomware across networks.
Mitigating Factors: Disable SMBv1 in Windows and Windows Server
See the following references:
https://support.microsoft.com/en-sg/help/2696547/how-to-detect-enable-and-
disable-smbv1-smbv2-and-smbv3-in-windows-and
https://docs.microsoft.com/en-us/windows/security/threat-protection/security-policy-
settings/microsoft-network-server-digitally-sign-communications-always
https://blogs.technet.microsoft.com/filecab/2012/05/03/smb-3-security-
enhancements-in-windows-server-2012/
9.2 Hardening firewall

Firewall hardening checklist
Controls Status
Restrict access to administrative ports.
Disable plain text protocols for administrative ports.
Restrict remote management access.
Restrict access to administrative ports

Restricting access to administrative ports reduces the attack surface exposed by
the device. Access to administrative ports should be unrestricted to trusted
interfaces and/or IP addresses. By amending firewall rules, it is possible to restrict
access to the web console of both the gateway and the management systems.
Disable plain text protocols for administrative ports

Communication sent using plain text protocols could be sniffed by attackers. Check
and disable or replace all plain text protocols. For instance, Check Point allows a
secured, encrypted alternative to every plain text protocol, such as SSH instead of
Telnet.
Restrict remote management access

The likelihood is that only authorized personnel in your IT department require to log
on and remotely manage devices. For this reason, many firewalls allow
configuration to restrict management access to specific interfaces, network ranges,
and even IP addresses.
In addition, use protocols that utilize suitable authentication and encryption. See
Hardening Windows server [➙ 48].
Hardening system server
9.3 Hardening system server

Desigo CC server checklist
Even in homogeneous Windows-only environments, managing vulnerabilities and
patches across different OS versions can be a daunting affair. The following can
serve as a practical starting point for protecting today’s Windows-based
infrastructures against cyber-attacks.
Controls Status
Identify untested/insecure firmware.
Check integrity of binary files.
Fix unpatched/incompatible drivers.
Address vulnerabilities in Windows-bundled software.
Enforce data encryption.
Obfuscate local administrator accounts.
Disable guest/anonymous accounts.
Put LAN manager in check.
Identify untested/insecure firmware and third-party firmware

modifications
Modern Windows (7, 8, 10, and Windows Server versions) use what is known as
the UEFI firmware standard in place of a computer or device’s standard BIOS.
Because the Windows Binary Loader uses UEFI, and UEFI implementation is in
the hands of hardware vendors (for example, IBM, Lenovo, Dell)—less scrupulous
brands may be inclined to make extra modifications. It is therefore critical that
computers or devices manufactured by suspect brands are identified and
scrutinized for their potential impact on IT security.
Check integrity of binary files

Establish a mechanism to verify the integrity of Desigo CC software files. A tool is
provided in the distribution media that can generate a report with cryptographic
signatures (hash functions) of the installed binary files. At that point, for security
assessment or incident-response purposes, you can compare the signatures and
detect any changes made to original file. The tool is available in the folder:
\AdditionalSW\DCCHashGenerator\. See the Readme.txt file for detailed
instructions.
Fix unpatched/incompatible drivers

A myriad of hardware devices and services are used by today’s computers, which
invariably creates an ongoing concern around the incompatibility and vulnerability
of drivers. And increasingly, drivers are a common source of new security gaps
introduced into the environment. Vulnerability detection should therefore include
both software packages as well as discreet, stand-alone components such as
drivers. Outdated and non-supported drivers should be removed from systems
entirely.
Address vulnerabilities in Windows-bundled software

Windows 10 ships with several bundled apps like Photos, Groove Music, and
Skype, among others. These items are pre-installed with every user account on
your Windows 10, but like all software—are subject to their own specific
Hardening system server
vulnerabilities and flaws. Software vulnerability scanning should include both the
Windows operating system and bundled apps that ship with it.
Enforce data encryption

Data breaches may be inevitable, but stolen data can still be protected—even
when in the hands of attackers. Encryption has its pros and cons, but for the most
part is a relatively transparent and easy way to prevent data from being exposed,
before and after it has been stolen. BitLocker is Microsoft’s solution for file
encryption, and ships with newer versions of Windows. The drawback to BitLocker
is that every Windows machine using it also brings a supporting BIOS and has the
Trusted Platform Module (TPM) chip enabled.
Obfuscate local administrator accounts

More often, malicious programs and hackers will target default local administrator
accounts as low hanging fruit for exploitation. A simple renaming of an
administrator account adds a simple but effective layer of defense against brute-
force attacks. Choosing a less common name makes the account less susceptible
to hacking attempts—though in later versions of Windows, local administrator
accounts are disabled by default.
Disable guest/anonymous accounts

This applies to both Windows and Windows-related services—so guest and
anonymous accounts in use by Windows as well as in other Windows-related
services (for example, Microsoft SQL Server or Microsoft Exchange Server) should
be disabled. Be sure to account for all Windows-related packages, including
Microsoft SharePoint deployments and IIS instances.
Put LAN Manager in check

The dated LM (LAN Manager) and NTLMv1 authentication protocols have
vulnerabilities and should be disabled. LM hash storage should also be disabled,
as LM password hashes can be easily converted back to plain text.
Hardening system client
9.4 Hardening system client

Desigo CC client checklist
All clients that are attached to other networks must implement secured operation,
including hardening and malware protection.
Controls Status
Apply the relevant hardening Windows requirements. See Hardening Windows server
[➙ 48].
Apply the relevant hardening system requirements. See Hardening system server
[➙ 54].
● Hardening is performed using mostly native Windows and Microsoft tools.

● Malware and hackers attack by exploiting security vulnerabilities. The solution
is to reduce the attack surface so that we provide fewer opportunities for
exploitation. The main rule is the principle of least privilege.
To implement the principle of least privilege is to configure your system so that
it only does what you normally do, and nothing else. This minimizes the attack
surface, and removes services that listen on the network 24/7 to anybody who
wants to send it stuff (like an exploit).
9.5 Hardening notification application

Notification hardening checklist
Controls Status
Use MS SQL Server 2019 Enterprise Edition.
Apply standard SQL Server settings.
Avoid SQL Server manual maintenance
Verify impact of current limitations.
● Use MS SQL Server 2019 Enterprise Edition is required for mission-critical

applications with advanced IT security (IEC62443 SL2 compliance).
● To avoid misbehavior when sending notifications, use the standard SQL
Server settings.
● To avoid misbehavior when sending notifications, avoid SQL Server manual
maintenance, as this is done automatically by the Notification application.
Current limitations:
● Notification recipient information such as recipients name, email address, and
phone number are visible to authenticated Desigo CC users with the
corresponding Notification application rights.
● VOIP and SIP connections are currently not encrypted. For mission-critical
applications with advanced IT security needs (SL2), we recommend using the
next version with encrypted communication.
Maintenance of IT Components 10
10 Maintenance of IT Components
The maintenance of IT security is a sustained process for which the corresponding
tasks must be continually repeated. Each designated security measure must
therefore be examined to determine whether it is sufficient to implement it once or
whether implementation at regular intervals is required, such as regular antivirus
software updates.
● Log all maintenance measures implemented.
● Observe the information in the 'IT Security Notices' chapter.
● Install security updates regularly.
● Run risk analyses on the security properties of the applied software at regular
intervals.
You will find information on a corresponding risk analysis here, for example:
● https://www.enisa.europa.eu/topics/threat-risk-management/risk-
management/current-risk/risk-management-inventory/rm-ra-
methods/m_it_grundschutz.html
● https://www.bsi.bund.de/EN/Topics/ITGrundschutz/Download/download_node.
html
Issued by
Siemens Switzerland Ltd
Smart Infrastructure
Global Headquarters
Theilerstrasse 1a
CH-6300 Zug
+41 58 724 2424
www.siemens.com/buildingtechnologies
© Siemens Switzerland Ltd, 2021

Technical specifications and availability subject to change without notice.
A6V11646120_en_d_50 Restricted

CybersecurityGuidelines DESIGOCC V5x

Uploaded by

Copyright:

Available Formats

You might also like

CybersecurityGuidelines DESIGOCC V5x

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

CybersecurityGuidelines DESIGOCC V5x

Uploaded by

Copyright:

Available Formats

Desigo CC V5.

A6V11646120_en_d_50 Smart Infrastructure

1 About this document .................................................................................5

1 About this document

Retention and availability

Target group Activity Qualification

Source language and reference document

⊳ Prerequisite for an instruction telling you what to do

1. Instruction with at least two steps

◈ Instruction with one step

Additional information and tips

Layout and page breaks

1.1 Applicable Documents

1.2 Download center

1.3 Revision History

Version Edition date Brief description

2 Technical terms and abbreviations

National standards, regulations, and legislation

Siemens cybersecurity guidelines

3.1 End of the Life Cycle (EOL)

4.1 Introduction to cybersecurity

4.2 Security concepts and risk assessment process

A Vulnerability is a fault or flaw in the design, implementation, operation, or

A Threat is something that has the potential to breach security if an entity,

4.3 System security, roles, and responsibilities

5 Cybersecurity throughout the life cycle of

5.1 Installation and commissioning

5.1.1 Responsibility for IT security

● Use of virus scanners

5.1.2 Physical and environmental security

● Network lines and cabling must be physically protected if one of these

5.1.3 Implementing the required functionality

5.1.4 Communication security

5.1.5 Devices with access to the highly protected zone

● Operate all corresponding devices such as PCs and Android

5.1.6 Guidelines for PCs

5.1.7 Guidelines for Smartphones

Guidelines of the Siemens CERT Security Measure Plans for

– At least one lower-case letter

5.1.8 Password guidelines

5.1.9 PIN guidelines

5.2 Operation and maintenance

5.2.1 Security of saved data

5.2.2 Regular patches and updates

5.2.3 Handling incidents

5.3 Disposal / phase-out / EOL

of the environmental, management, and operational information should continue to

5.3.1 Disposal procedures

6 System security concept

6.1 Definition of security zones

6.2 Zone boundary protection

Desigo CC Web Server

Customer IT Desigo CC Desigo CC

WinCC OA WinCC OA WinCC OA

Desigo PX SiPass FS20 System One SPC Cameras VMS

Desigo PX Desigo SiPass FS20 System One SPC Subsystem n Subsystem m

6.3 System components

6.4 Required Certificates