These hardening guidelines apply to the MP and RP controller products.
Before web services can be enabled, you need to install a server certificate and key securely using the SpaceLogic Certificate Configuration Tool. For more information, see RP Controller Web Service API on exchange.se.com.
The RPC web service must be enabled and can be disabled on demand. For more information, see Configuring RP Controller Web Service Settings.
The RPC web service also supports client certificate authentication as an option. To increase security, client certificate validation may be enabled. For more information, see RP Controller Web Service API on exchange.se.com.
Ensure that you use trusted self-signed or Certification Authority certificates.
Ensure a process is in place for maintenance and renewal of certificates.
For more information, see Certificates.
In the past, BACnet/SC SpaceLogic controller certificate management was handled through various third-party tools and the SpaceLogic Certificate Configuration Tool. With the latest EcoStruxure BMS release, you can now install, replace, and manage your certificates on the controller using WorkStation.
Before performing certificate management, be sure to determine which tool best fits your needs. For more information, see BACnet/SC SpaceLogic Controllers Certificate Management Tool Selection Workflow.
Use the SpaceLogic Certificate Configuration Tool to perform the initial certificate deployment using a secure HTTPS protocol. For more information, see BACnet/SC SpaceLogic Controllers Certificate Management Workflow Using the Certificate Configuration Tool.
Use WorkStation for simplicity and ease of use. For more information, see BACnet/SC SpaceLogic Controllers Certificate Management Workflow using WorkStation.
Web services have their own password policy and enforcement system, which is separate from other EcoStruxure BMS functionality. For more information, see RP Controller Web Service API on exchange.se.com.
Only the web service provides an authorization capability. For more information, see RP Controller Web Service API on exchange.se.com.
Standard BACnet/IP does not provide any level of confidentiality. For systems requiring additional “on the wire” security, using sealed metal conduits may be an option.
Web services provide confidentiality at the HTTPS protocol level. For more information, see RP Controller Web Service API on exchange.se.com.
Standard BACnet/IP does not provide encrypted data transmission, while BACnet/SC does.
BACnet/SC is a secure, encrypted protocol designed specifically to meet the requirements, policies, and constraints of managed IP infrastructures. You create a BACnet/SC network to take advantage of its enhanced security and establish secure communications connections with other BACnet/SC devices, particularly when server to controller and/or controller to controller communication requires encrypted communications. For more information, see Creating and Configuring a BACnet/SC Network.
For systems requiring additional “on the wire” security, using sealed metal conduits may provide similar protection.
Web services provide data encryption at the HTTPS protocol level. For more information, see RP Controller Web Service API on exchange.se.com.
Standard BACnet/IP provides a level of data integrity checking at the protocol level. The IP protocol provides an additional level of integrity protection.
Web services provide integrity checking at the HTTPS protocol level. See learn.microsoft.com/en-us/azure/rtos/netx-duo/netx-duo-web-http/chapter1.
Secure Boot ensures that during start up, devices initialize using only digitally signed and trusted software. It verifies the authenticity of the firmware during each stage of the boot sequence and allows only trusted code to run during startup. If any authentication errors are encountered, the board will not boot.
Ensure that you use Secure Boot versions of controller hardware.
During an upgrade, the controller verifies whether the firmware is authentic and uncompromised Schneider Electric firmware. When the verification succeeds, the controller writes it to flash to be executed on next startup. If the verification process detects any discrepancies or alterations in the firmware's integrity, the device declines the firmware upgrade.
Ensure that you use the latest signed firmware.
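The verify-before-write behaviour described above, as an added Go model that is not Schneider Electric code. Ed25519, the `Controller` type and the `fw-...` images are assumptions made for illustration, since the page does not name the signature scheme.

```go
package main

import (
	"crypto/ed25519"
	"errors"
	"fmt"
)

// ErrDeclined reports an image whose signature did not verify.
var ErrDeclined = errors.New("upgrade declined: firmware signature invalid")

// Controller is a hypothetical model: a trusted vendor public key and the
// flash slot holding the image that runs on next startup.
type Controller struct {
	VendorKey ed25519.PublicKey
	Flash     []byte
}

// Upgrade writes image to flash only after its detached signature verifies
// against the trusted key; a rejected image leaves flash untouched.
func (c *Controller) Upgrade(image, sig []byte) error {
	if !ed25519.Verify(c.VendorKey, image, sig) {
		return ErrDeclined
	}
	c.Flash = append([]byte(nil), image...)
	return nil
}

// Demo runs constructed upgrade attempts: an altered image, an image signed
// by an untrusted key, then the authentic image.
func Demo() (results []error, afterReject, final string) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(nil) // constructed vendor key pair
	_, otherPriv, _ := ed25519.GenerateKey(nil)          // key the device does not trust
	c := &Controller{VendorKey: vendorPub, Flash: []byte("fw-1.0")}
	good := []byte("fw-1.1")
	goodSig := ed25519.Sign(vendorPriv, good)

	results = append(results, c.Upgrade([]byte("fw-1.1-altered"), goodSig))
	results = append(results, c.Upgrade(good, ed25519.Sign(otherPriv, good)))
	afterReject = string(c.Flash)
	results = append(results, c.Upgrade(good, goodSig))
	return results, afterReject, string(c.Flash)
}

func main() {
	results, afterReject, final := Demo()
	fmt.Println(results, afterReject, final)
}
```

Both rejected attempts leave the previously installed image in flash, which is the property to confirm when testing an upgrade procedure.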
Ensure the IP field network design is planned and implemented according to current guidelines and best practices.
For more information, see Guidance on Implementing a Cybersecure BMS Architecture with EcoStruxure Building Operation on the Schneider Electric website.
Ensure USB ports are disabled.
For more information, see Disabling the USB Port on an Automation Server.
For BACnet/IP controllers that do not need the secondary Ethernet port, ensure the Ethernet 2 port is disabled.
For more information, see Disabling the Ethernet 2 Port.
Ensure the EcoStruxure web services server interface is disabled.
For more information, see Configuring RP Controller Web Service Settings.
Ensure a SIEM system is in place and that remote logging is enabled.
For more information, see SpaceLogic RP-C Advanced.
Ensure backup functionality is properly configured and tested.
For more information, see Backup and Restore Overview.
Ensure processes are in place for continuous testing of recovery processes.
Ensure that networking guidelines are followed.
For more information, see Guidance on Implementing a Cybersecure BMS Architecture with EcoStruxure Building Operation on the Schneider Electric website.