earth_america
user_standard 登录
action_search_stroke
earth_america
登录以评价并提供反馈 1 2 3 4 5 登录以评价
0
概念

概念


产品: AS-B, Device Administrator, Enterprise Central, Enterprise Server, ​License Administrator, ​License Server, AS-P, Software Administrator
功能: 安全
产品版本: 2023
2022/12/17

EcoStruxure Building Operation and SpaceLogic Servers

arrow1_rotationIdentification and Authentication arrow1_rotationAuthorization arrow1_rotationConfidentiality arrow1_rotationIntegrity arrow1_rotationRestricted Data Flow arrow1_rotationTimely Response to Events arrow1_rotationResource Availability

These hardening guidelines applies to the EcoStruxure Building Operation software products and the SpaceLogic SpaceLogic servers products.

Identification and Authentication

Admin logon password management

  • Ensure default admin account use is absolutely minimized. All users should have a unique user account.

有关更多信息,请参阅 Administration Accounts in EcoStruxure BMS Server Local Domain .

Certificate functionality

  • Ensure trusted self-signed or Certification Authority certificates are used.

  • Ensure there is a process in place for maintenance and renewal of certificates.

有关更多信息,请参阅 Certificates .

Password policies can be enforced

  • Ensure password policies are configured according to customer needs.

有关更多信息,请参阅 Password Policy .

The following settings are recommended:

  • The minimum number of hours between password changes is 0.

  • A password expires after 90 days.

  • The password history is set to 6.

  • At least 3 characters need to be different in the new password.

  • A password contains at least 8 characters.

  • A password contains at least 1 lowercase character.

  • Uppercase characters are not required in a password.

  • A password contains at least 1 numeric character.

  • The numeric character can be the first or last character, such as "123password".

  • A password contains at least 1 special character: !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~´.

  • The special character can be the first or last character, such as "password!".

Disabled after failed logon attempts

  • Ensure the setting for temporarily disabling users after failed logon attempts is configured as required by the customer. This limits the risk for Denial of Service situations and brute-force attacks.

有关更多信息,请参阅 Domain – Policies Tab .

Password blocklist

  • You can block the use of certain easy-to-guess passwords. A default list is loaded from the factory. For adding more passwords to the blocklist, contact Schneider Electric.

Enterprise Server Run-As-Service selectable user account

Ensure the EcoStruxure Building Operation service runs under a custom account with permissions designed to be as limited as possible.

有关更多信息,请参阅 Installing the Enterprise Server .

Use of strong authentication hash algorithms

  • Ensure MD5 hashing is disabled.

有关更多信息,请参阅 Encrypted Communication .

Authorization

Custom logon banner

  • Ensure the security banner is enabled and convey any custom terms applicable for the users to access the system.

有关更多信息,请参阅 Security Banner  .

Role-based access control (permissions)

  • Ensure the access control scheme is carefully planned and implemented.

有关更多信息,请参阅 Software Permissions Management .

  • Ensure processes are in place to regularly inspect the account management configuration.

有关更多信息,请参阅 Software Permissions Management .

Object and point level security

  • Ensure the object, point and command level permissions are implemented to provide the least possible rights for the respective roles.

有关更多信息,请参阅 Software Permissions .

  • Ensure processes are in place to regularly inspect the account management configuration.

有关更多信息,请参阅 Software Permissions Management .

Confidentiality

Encrypted transmission of data

  • Ensure HTTP is disabled, and that TLS 1.3 is used.

有关更多信息,请参阅 Encrypted Communication .

SMTPS secure email notification support

  • Ensure email transmission uses secure options.

有关更多信息,请参阅 Selecting and Specifying an Email Server for Email Notifications .

Clickjacking protection options

  • Ensure that the embedding of third-party web sites is disabled and that the hosting of EcoStruxure Building Operation web pages within other pages is disabled.

有关更多信息,请参阅 Security Configuration in WebStation .

  • Ensure unsafe Javascript constructions are disabled.

有关更多信息,请参阅 Enabling WebStation to Use Unsafe JavaScript Methods .

Protection of data storage

  • Ensure the EcoStruxure Building Operation installation folders and data storage folders on the hosting Microsoft Windows operating system are protected from Windows user accounts that interactively log on to Windows.

For more information, see operating system documentation.

External Log Storage

  • Ensure the TimescaleDB/PostgreSQL installation folders and data storage folders are adequately protected and that the deployment is hardened appropriately.

www.enterprisedb.com/blog/how-to-secure-postgresql-security-hardening-best-practices-checklist-tips-encryption-authentication-vulnerabilities

  • Ensure separate accounts are used for third-party access of the External Log Storage, In particular, you want to separate the account that EcoStruxure Building Operation is using to access the database.

  • Ensure encrypted communication is used between EcoStruxure Building Operation servers and TimescaleDB/PostgreSQL.

有关更多信息,请参阅 External Log Storage Encrypted Communication Workflow .

Integrity

Auto logoff

  • Ensure inactivity logoff is activated with a sufficiently low timeout.

有关更多信息,请参阅 Automatic Logoff .

Audit log with system-wide synchronized timestamps

  • Ensure all servers have accurate configuration of NTP time synchronization.

有关更多信息,请参阅 Audit Trailing of User Activity .

有关更多信息,请参阅 Network Time .

Clickjacking protection options

  • Ensure that the embedding of third-party web sites is disabled and that the hosting of EcoStruxure Building Operation web pages within other pages is disabled.

有关更多信息,请参阅 Security Configuration in WebStation .

  • Ensure unsafe Javascript constructions are disabled.

有关更多信息,请参阅 Enabling WebStation to Use Unsafe JavaScript Methods .

Protection of data storage

  • Ensure the EcoStruxure Building Operation installation folders and data storage folders on the host Microsoft Windows operating system are protected from Windows user accounts that interactively log on to Windows.

For more information, see operating system documentation.

Secure boot

  • Ensure that you use Secure Boot versions of server hardware and edge servers.

Basic protection against program and data at rest modification

  • Ensure Compliance Pack is activated, change control is enabled and the appropriate settings are deployed in accordance with customer requirements.

有关更多信息,请参阅 Change Control .

Document Policy

  • Ensure that only appropriate document types are enabled. Disable document types that are not needed.

有关更多信息,请参阅 Document Policy .

Restricted Data Flow

Basic capabilities for network segmentation

  • Ensure network design is planned and implemented according to current guidelines and best practices.

有关更多信息,请参阅 Guidance on Implementing a Cybersecure BMS Architecture with EcoStruxure Building Operation . on the Schneider Electric website .

Basic options for enabling/disabling ports

  • Ensure HTTP is disabled.

有关更多信息,请参阅 Encrypted Communication .

  • Ensure USB ports are disabled.

有关更多信息,请参阅 Disabling the USB Port on an Automation Server  .

  • Ensure the SSH access is configured according to minimum needs.

有关更多信息,请参阅 Disabling Port 22 on an Automation Server .

  • For SpaceLogic servers with no need for secondary Ethernet access, ensure Ethernet 2 Port is disabled.

有关更多信息,请参阅 Disabling the Ethernet 2 Port .

  • Ensure the EcoStruxure Web Services server interface is disabled.

有关更多信息,请参阅 EcoStruxure Web Service Server .

Firewall

  • Ensure the firewall in SpaceLogic servers and Enterprise servers is configured appropriately.

有关更多信息,请参阅 Firewall .

For more information, see Microsoft Windows documentation.

Timely Response to Events

Audit log access

  • Ensure a SIEM system is in place and that remote logging is enabled.

有关更多信息,请参阅 Automation Server Remote System Logging .

  • Ensure web server access logging is enabled and that there is an inspection process in place.

有关更多信息,请参阅 Web Server Access Logging .

Resource Availability

System backup, recovery and reconstitution

  • Ensure backup functionality is properly configured and tested.

有关更多信息,请参阅 Backup and Restore Overview .

  • Ensure processes are in place for continuous testing of recovery processes.

Access to network and security configuration settings

  • Ensure that networking guidelines are followed.

有关更多信息,请参阅 Guidance on Implementing a Cybersecure BMS Architecture with EcoStruxure Building Operation . on the Schneider Electric website .

有关更多信息,请参阅 Software Permissions .

请参阅

  • Administration Accounts in EcoStruxure BMS Server Local Domain
  • Certificates
  • Domain – Policies Tab
  • Installing the Enterprise Server
  • Encrypted Communication
  • Security Banner 
  • Software Permissions Management
  • Software Permissions
  • Selecting and Specifying an Email Server for Email Notifications
  • Security Configuration in WebStation
  • Enabling WebStation to Use Unsafe JavaScript Methods
  • External Log Storage Encrypted Communication Workflow
  • Automatic Logoff
  • Audit Trailing of User Activity
  • Network Time
  • Change Control
  • Document Policy
  • Disabling the USB Port on an Automation Server 
  • Disabling Port 22 on an Automation Server
  • Disabling the Ethernet 2 Port
  • EcoStruxure Web Service Server
  • Firewall
  • Web Server Access Logging
  • Automation Server Remote System Logging
  • Backup and Restore Overview