Products: MP-C, MP-V, RP-C, RP-V
Functionalities: Security
Product version: 2024
30/11/2023

SpaceLogic MP and RP Controllers

These hardening guidelines apply to the MP and RP controller products.

Identification and Authentication

Web Services Identification and Authentication functionality

Before web services can be enabled, you need to install a server certificate and key securely using SpaceLogic Certificate Configuration Tool. For more information, see RP Controller Web Service API on exchange.se.com.

The RPC web service must be enabled and can be disabled on demand. For more information, see Configuring RP Controller Web Service Settings.

The RPC web service also supports client certificate authentication as an option. To increase security, client certificate validation may be enabled. For more information, see RP Controller Web Service API on exchange.se.com.

Certificate functionality
  • Ensure the use of trusted self-signed or Certification Authority certificates.

  • Ensure a process is in place for maintenance and renewal of certificates.

For more information, see Certificates.
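
One way to support the renewal process above is a scheduled expiry check with `openssl`. This is an added example, not Schneider Electric tooling; the 30-day window, the directory of exported `.pem` files and the `rpc-0x` names are assumptions.

```bash
#!/bin/sh
# Added example: flag controller certificates that are due for renewal.
# RENEW_DAYS and the directory layout are assumptions, not guideline values.
RENEW_DAYS=30

# cert_status FILE [DAYS] -> prints UNREADABLE, EXPIRED, RENEW or OK
cert_status() {
    c_pem=$1
    c_days=${2:-$RENEW_DAYS}
    if ! openssl x509 -in "$c_pem" -noout >/dev/null 2>&1; then
        echo UNREADABLE          # not a parseable X.509 certificate
    elif ! openssl x509 -in "$c_pem" -noout -checkend 0 >/dev/null; then
        echo EXPIRED             # notAfter is already in the past
    elif ! openssl x509 -in "$c_pem" -noout \
            -checkend $((c_days * 86400)) >/dev/null; then
        echo RENEW               # expires inside the renewal window
    else
        echo OK
    fi
}

# audit_dir DIR -> one "STATUS file notAfter=..." line per *.pem file
audit_dir() {
    for a_pem in "$1"/*.pem; do
        [ -e "$a_pem" ] || continue
        printf '%s %s %s\n' "$(cert_status "$a_pem")" \
            "$(basename "$a_pem")" \
            "$(openssl x509 -in "$a_pem" -noout -enddate 2>/dev/null)"
    done
}

# Constructed sample input: throwaway self-signed certificates.
make_sample() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$2" -subj "/CN=$3" >/dev/null 2>&1
    rm -f "$1.key"               # the private key is not needed for the check
}

SAMPLE_DIR=$(mktemp -d)
make_sample "$SAMPLE_DIR/rpc-01.pem" 365 rpc-01.example
make_sample "$SAMPLE_DIR/rpc-02.pem" 10 rpc-02.example
echo "not a certificate" > "$SAMPLE_DIR/rpc-03.pem"
audit_dir "$SAMPLE_DIR"
```

Any line that does not start with `OK` can be forwarded to the same alerting channel used for other maintenance tasks.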

Certificate Management Tool Selection for BACnet/SC

In the past, BACnet/SC SpaceLogic controller certificate management was handled through various third-party tools and the SpaceLogic Certificate Configuration Tool. With the latest EcoStruxure BMS release, you can now install, replace, and manage your certificates on the controller using WorkStation.

Before performing certificate management, be sure to determine which tool best fits your needs. For more information, see BACnet/SC SpaceLogic Controllers Certificate Management Tool Selection Workflow.

Use the SpaceLogic Certificate Configuration Tool to perform the initial certificate deployment using a secure HTTPS protocol. For more information, see BACnet/SC SpaceLogic Controllers Certificate Management Workflow Using the Certificate Configuration Tool.

Use WorkStation for simplicity and ease of use. For more information, see BACnet/SC SpaceLogic Controllers Certificate Management Workflow using WorkStation.

Web Services Password Policies

Web services have their own password policy and enforcement system, which is separate from other EcoStruxure BMS functionality. For more information, see RP Controller Web Service API on exchange.se.com.

Authorization

Only the web service provides an authorization capability. For more information, see RP Controller Web Service API on exchange.se.com.

Confidentiality

Standard BACnet/IP does not provide any level of confidentiality. For systems requiring additional “on the wire” security, using sealed metal conduits may be an option.

Web services provide confidentiality at the HTTPS protocol level. For more information, see RP Controller Web Service API on exchange.se.com.

Encrypted transmission of data

Standard BACnet/IP does not provide encrypted data transmission, while BACnet/SC does.

BACnet/SC is a secure, encrypted protocol designed specifically to meet the requirements, policies, and constraints of managed IP infrastructures. You create a BACnet/SC network to take advantage of its enhanced security and establish secure communications connections with other BACnet/SC devices, particularly when server to controller and/or controller to controller communication requires encrypted communications. For more information, see Creating and Configuring a BACnet/SC Network.

For systems requiring additional “on the wire” security, using sealed metal conduits may provide similar protection.

Web services provide data encryption at the HTTPS protocol level. For more information, see RP Controller Web Service API on exchange.se.com.

Integrity

Standard BACnet/IP provides a level of data integrity checking at the protocol level. The IP protocol provides an additional level of integrity protection.

Web services provide integrity checking at the HTTPS protocol level. See learn.microsoft.com/en-us/azure/rtos/netx-duo/netx-duo-web-http/chapter1.

Restricted data flow

Basic capabilities for network segmentation
  • Ensure the IP field network design is planned and implemented according to current guidelines and best practices.

For more information, see Guidance on Implementing a Cybersecure BMS Architecture with EcoStruxure Building Operation on the Schneider Electric website.

Basic options for enabling/disabling ports
  • Ensure USB ports are disabled.

For more information, see Disabling the USB Port on an Automation Server.

  • For BACnet/IP controllers that do not need the secondary Ethernet port, ensure the Ethernet 2 Port is disabled.

For more information, see Disabling the Ethernet 2 Port.

  • Ensure the EcoStruxure web services server interface is disabled.

For more information, see Configuring RP Controller Web Service Settings.

Timely response to events

Audit log access
  • Ensure a SIEM system is in place and that remote logging is enabled.

For more information, see SpaceLogic RP-C Advanced.

Resource availability

System backup, recovery and reconstitution
  • Ensure backup functionality is properly configured and tested.

For more information, see Backup and Restore Overview.

  • Ensure processes are in place for continuous testing of recovery processes.

Access to network and security configuration settings
  • Ensure that networking guidelines are followed.

For more information, see Guidance on Implementing a Cybersecure BMS Architecture with EcoStruxure Building Operation on the Schneider Electric website.

  • Configuring RP Controller Web Service Settings
  • Certificates
  • Disabling the USB Port on an Automation Server 
  • Disabling the Ethernet 2 Port
  • SpaceLogic RP-C Advanced
  • Backup and Restore Overview
  • BACnet/SC SpaceLogic Controllers Certificate Management Tool Selection Workflow
  • BACnet/SC SpaceLogic Controllers Certificate Management Workflow Using the Certificate Configuration Tool
  • BACnet/SC SpaceLogic Controllers Certificate Management Workflow using WorkStation
  • Creating and Configuring a BACnet/SC Network