These hardening guidelines apply to the MP and RP controller products.
Before web services can be enabled, you need to install a server certificate and key securely using the SpaceLogic Certificate Configuration Tool. For more information, see RP Controller Web Service API on exchange.se.com.
The RPC web service must be enabled and can be disabled on demand. For more information, see Configuring RP Controller Web Service Settings.
The RPC web service also supports client certificate authentication as an option. To increase security, client certificate validation may be enabled. For more information, see RP Controller Web Service API on exchange.se.com.
Ensure the use of trusted self-signed or Certification Authority certificates.
Ensure a process is in place for maintenance and renewal of certificates.
For more information, see Certificates.
Web services have their own password policy and enforcement system, which is separate from other EcoStruxure BMS functionality. For more information, see RP Controller Web Service API on exchange.se.com.
Only the web service provides an authorization capability. For more information, see RP Controller Web Service API on exchange.se.com.
Standard BACnet/IP does not provide any level of confidentiality. For systems requiring additional “on the wire” security, using sealed metal conduits may be an option.
Web services provide confidentiality at the HTTPS protocol level. For more information, see RP Controller Web Service API on exchange.se.com.
Standard BACnet/IP does not provide encrypted data transmission. For systems requiring additional “on the wire” security, using sealed metal conduits may provide similar protection.
Web services provide data encryption at the HTTPS protocol level. For more information, see RP Controller Web Service API on exchange.se.com.
Standard BACnet/IP provides a level of data integrity checking at the protocol level. The IP protocol provides an additional level of integrity protection.
Web services provide integrity checking at the HTTPS protocol level. See learn.microsoft.com/en-us/azure/rtos/netx-duo/netx-duo-web-http/chapter1.
Ensure the IP field network design is planned and implemented according to current guidelines and best practices.
For more information, see Guidance on Implementing a Cybersecure BMS Architecture with EcoStruxure Building Operation on the Schneider Electric website.
Ensure USB ports are disabled.
For more information, see Disabling the USB Port on an Automation Server.
For BACnet/IP controllers that do not need the secondary Ethernet port, ensure the Ethernet 2 Port is disabled.
For more information, see Disabling the Ethernet 2 Port.
Ensure the EcoStruxure web services server interface is disabled.
For more information, see Configuring RP Controller Web Service Settings.
Ensure a SIEM system is in place and that remote logging is enabled.
For more information, see SpaceLogic RP-C Advanced.
Ensure backup functionality is properly configured and tested.
For more information, see Backup and Restore Overview.
Ensure processes are in place for continuous testing of recovery processes.
Ensure that networking guidelines are followed.
For more information, see Guidance on Implementing a Cybersecure BMS Architecture with EcoStruxure Building Operation on the Schneider Electric website.