Концепт
EcoStruxure Building Operation Software and EcoStruxure BMS Servers
These hardening guidelines applies to the EcoStruxure Building Operation software products and the EcoStruxure BMS server products.
Identification and Authentication
Ensure default admin account use is absolutely minimized. All users should have a unique user account.
Более подробную информацию см. Administration Accounts in EcoStruxure BMS Server Local Domain .
Ensure trusted self-signed or Certification Authority certificates are used.
Ensure there is a process in place for maintenance and renewal of certificates.
Более подробную информацию см. Certificates .
Ensure password policies are configured according to customer needs.
Более подробную информацию см. Password Policy .
The following settings are recommended:
The minimum number of hours between password changes is 0.
A password expires after 90 days.
The password history is set to 6.
At least 3 characters need to be different in the new password.
A password contains at least 8 characters.
A password contains at least 1 lowercase character.
Uppercase characters are not required in a password.
A password contains at least 1 numeric character.
The numeric character can be the first or last character, such as "123password".
A password contains at least 1 special character: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~´.
The special character can be the first or last character, such as "password!".
Ensure the setting for temporarily disabling users after failed logon attempts is configured as required by the customer. This limits the risk for Denial of Service situations and brute-force attacks.
Более подробную информацию см. Domain – Policies Tab .
You can block the use of certain easy-to-guess passwords. A default list is loaded from the factory. For adding more passwords to the blocklist, contact Schneider Electric.
Ensure the EcoStruxure Building Operation service runs under a custom account with permissions designed to be as limited as possible.
Более подробную информацию см. Installing the Enterprise Server .
Ensure MD5 hashing is disabled.
Более подробную информацию см. Encrypted Communication .
Authorization
Ensure the security banner is enabled and convey any custom terms applicable for the users to access the system.
Более подробную информацию см. Security Banner .
Ensure the access control scheme is carefully planned and implemented.
Более подробную информацию см. Software Permissions Management .
Ensure processes are in place to regularly inspect the account management configuration.
Более подробную информацию см. Software Permissions Management .
Ensure the object, point and command level permissions are implemented to provide the least possible rights for the respective roles.
Более подробную информацию см. Software Permissions .
Ensure processes are in place to regularly inspect the account management configuration.
Более подробную информацию см. Software Permissions Management .
Confidentiality
Ensure HTTP is disabled, and that TLS 1.3 is used.
Более подробную информацию см. Encrypted Communication .
Ensure email transmission uses secure options.
Более подробную информацию см. Selecting and Specifying an Email Server for Email Notifications .
Ensure that the embedding of third-party web sites is disabled and that the hosting of EcoStruxure Building Operation web pages within other pages is disabled.
Более подробную информацию см. Security Configuration in WebStation .
Ensure unsafe Javascript constructions are disabled.
Более подробную информацию см. Enabling WebStation to Use Unsafe JavaScript Methods .
Ensure the EcoStruxure Building Operation installation folders and data storage folders on the hosting Microsoft Windows operating system are protected from Windows user accounts that interactively log on to Windows.
For more information, see operating system documentation.
Ensure the TimescaleDB/PostgreSQL installation folders and data storage folders are adequately protected and that the deployment is hardened appropriately.
Ensure separate accounts are used for third-party access of the External Log Storage, In particular, you want to separate the account that EcoStruxure Building Operation is using to access the database.
Ensure encrypted communication is used between EcoStruxure Building Operation servers and TimescaleDB/PostgreSQL.
Более подробную информацию см. External Log Storage Encrypted Communication Workflow .
Ensure that OPC UA servers are configured to only communicate with appropriate encryption methods.
For more information, see the documentation for the respective OPC UA servers.
Integrity
Ensure inactivity logoff is activated with a sufficiently low timeout.
Более подробную информацию см. Automatic Logoff .
Ensure all servers have accurate configuration of NTP time synchronization.
Configuration of NTP is done in the EcoStruxure Building Operation software, except for the FDP server where the configuration is done in EcoStruxure Fire Expert.
Более подробную информацию см. Network Time .
Более подробную информацию см. O1891 EcoStruxure Fire Expert - Configuration Manual .
Более подробную информацию см. Audit Trailing of User Activity .
Ensure that the embedding of third-party web sites is disabled and that the hosting of EcoStruxure Building Operation web pages within other pages is disabled.
Более подробную информацию см. Security Configuration in WebStation .
Ensure unsafe Javascript constructions are disabled.
Более подробную информацию см. Enabling WebStation to Use Unsafe JavaScript Methods .
Ensure the EcoStruxure Building Operation installation folders and data storage folders on the host Microsoft Windows operating system are protected from Windows user accounts that interactively log on to Windows.
For more information, see operating system documentation.
Ensure that you use Secure Boot versions of server hardware and edge servers.
Ensure Compliance Pack is activated, change control is enabled and the appropriate settings are deployed in accordance with customer requirements.
Более подробную информацию см. Change Control .
Ensure that only appropriate document types are enabled. Disable document types that are not needed.
Более подробную информацию см. Document Policy .
Restricted Data Flow
Ensure network design is planned and implemented according to current guidelines and best practices.
Более подробную информацию см. Guidance on Implementing a Cybersecure BMS Architecture with EcoStruxure Building Operation . on the Schneider Electric website .
Ensure HTTP is disabled.
Более подробную информацию см. Encrypted Communication .
Ensure USB ports are disabled.
The USB ports on the FDP server cannot be disabled.
Более подробную информацию см. Disabling the USB Port on an Automation Server .
Ensure the SSH access is configured according to minimum needs.
The FDP server SSH access cannot be configured and is only used during the firmware upgrade.
Более подробную информацию см. Disabling Port 22 on an Automation Server .
For EcoStruxure BMS servers with no need for secondary Ethernet access, ensure Ethernet 2 Port is disabled.
Более подробную информацию см. Disabling the Ethernet 2 Port .
Ensure the EcoStruxure Web Services server interface is disabled.
Более подробную информацию см. EcoStruxure Web Service Server .
Ensure the firewall in EcoStruxure BMS servers and Enterprise servers are configured appropriately.
Более подробную информацию см. Firewall .
For more information, see Microsoft Windows documentation.
Timely Response to Events
Ensure a SIEM system is in place and that remote logging is enabled.
Более подробную информацию см. Field Server Remote System Logging .
Ensure web server access logging is enabled and that there is an inspection process in place.
Более подробную информацию см. Web Server Access Logging .
Resource Availability
Ensure backup functionality is properly configured and tested.
Более подробную информацию см. Backup and Restore Overview .
Ensure processes are in place for continuous testing of recovery processes.
Ensure that networking guidelines are followed.
Более подробную информацию см. Guidance on Implementing a Cybersecure BMS Architecture with EcoStruxure Building Operation . on the Schneider Electric website .
Более подробную информацию см. Software Permissions .
Semantic Database Password Update
For security reasons, change the password for the admin user on the semantic database. Changing the password of the admin user on the semantic database helps to protect the database. If the password is not changed the Ecostruxure Building Operation generates a system alarm.
Более подробную информацию см. Configure EcoStruxure Building Automation System to use Semantic Workflow .
Administration Accounts in EcoStruxure BMS Server Local Domain
Certificates
Domain – Policies Tab
Installing the Enterprise Server
Encrypted Communication
Security Banner
Software Permissions Management
Software Permissions
Selecting and Specifying an Email Server for Email Notifications
Security Configuration in WebStation
Enabling WebStation to Use Unsafe JavaScript Methods
External Log Storage Encrypted Communication Workflow
Automatic Logoff
Audit Trailing of User Activity
Network Time
Change Control
Document Policy
Disabling the USB Port on an Automation Server
Disabling Port 22 on an Automation Server
Disabling the Ethernet 2 Port
EcoStruxure Web Service Server
Firewall
Web Server Access Logging
Field Server Remote System Logging
Backup and Restore Overview
Configure EcoStruxure Building Automation System to use Semantic Workflow