cRSP IT Security Concept
Siemens Ingenuity for life
Document Objective
The Siemens common Remote Service Platform (cRSP) is the IT platform used throughout the group for implementing remote access to IP-based equipment. This security concept describes the measures taken by Siemens Smart Infrastructure to protect customer data and IT systems when using remote services. In its current version, this concept is applied to all Siemens security, fire safety, and building automation systems for which remote services are available over the entire life cycle.
Document Layout
This document is divided into two main sections: the general operating concept and the technical security concept.
The first section, the general operating concept for remote services, discusses the fundamental aspects of information security within Siemens. It introduces the topic of remote services for building technology, along with application-specific use cases for remote connections. This part also covers strategic security measures in data management and personnel selection, which are organizationally implemented for remote services.
It provides customers with a general understanding of data security in remote connections.
The second section, the technical security concept, details technical measures and advice on remote access, including access types and logging, secure IT infrastructure, protecting data transmissions, and protecting against attacks.
Technical components, processes, and procedures, such as authentication and authorization, are described in detail. This part is especially helpful for IT specialists interested in connection types or encryption methods.
Finally, an overview of various connectivity options is provided in the appendix.
Introduction
Data and information on building infrastructure must be available reliably, quickly, globally, and securely. Siemens common Remote Services meet all these requirements to the greatest extent.
Contents
- Introduction
- General operating concept
- Data security
- Remote services
- Data management
- Personnel selection
- Platform availability
- Certified technical security concept
- Customer-controlled access
- Access scenario
- Authentication and authorization
- Network structure
- Virtual private network (VPN)
- Security measures on the Internet/customer network
- Appendix
- Connectivity options
General Operating Concept
Data Security as a Basic Requirement
Confidentiality and long-term partnerships are highly valued at Siemens. Therefore, data security is given the highest priority. Before implementing an enhanced service package with remote support, Siemens conducts an in-depth analysis of the situation, considering national and international regulations, technical infrastructures, and industry specifics.
Within the scope of proactive services, data is sent regularly via the existing secured connection from the systems to Siemens. This connection is established after successful authorization (see "Authentication and authorization" below).
Remote Services for Building Technology
As modern systems and solutions become more interconnected, Siemens offers an additional service portfolio alongside existing on-site system service. This is based on remote support, providing enhanced flexibility and system availability.
Remote connections enable faster and more efficient determination of system issues and allow for quick, intelligent resolution from a remote location. Even when remote repairs are not possible, the information obtained through remote diagnosis helps the service technician provide the best possible and highly efficient on-site support, ensuring they are well-informed and equipped.
Furthermore, Siemens' proactive services take preventive action to avoid errors, minimizing system downtime.
Critical data, such as login data, is not stored in the cRSP.
Use Cases for Remote Services
The following are use cases that may vary according to access type and duration:
- Remote commissioning: Support for commissioning systems, customizing configuration/supply.
- Operational assistance: Customer support in operating the system.
- Remote diagnosis: Advanced diagnosis of faults from a remote location, collection of diagnostic information for technician deployment.
- Remote repair: Restoring operation, clearing faults, customizing configuration/supply.
- Maintenance support: Preparation and support for maintenance and repairs, downloading updates and patches.
- Performance monitoring: Electronic monitoring of the system for faults, threshold values, and states.
The Remote Advantage
Remote service provides additional support to optimally service fire safety, security, and building automation systems amidst growing complexity. The advantages of cRSP include:
- Remote monitoring to proactively detect and correct interruptions, minimizing system downtimes.
- Faster and more efficient determination of system problem causes.
- Fast, intelligent correction of problems through remote intervention.
- Service engineers arrive on site well-informed and optimally equipped.
- Fast user support for application issues.
- Ability to escalate support.
Data Management
Siemens treats customer data as confidential and grants access on a need-to-know basis. This principle is supported by rule-based access mechanisms within a dedicated infrastructure and tool landscape. Data management measures are tailored to customer data protection requirements, data types, and applicable regulations.
Personnel Selection
Siemens service technicians and experts are trained in data protection and IT security, understanding the serious consequences of non-compliance. Only trained employees work in the Remote Service Center. Siemens employs strict selection criteria and requires ongoing training for its service technicians, ensuring customer data is handled securely.
Platform Availability
The availability of remote services is ensured by three data centers located in Germany, Singapore, and the United States. Each center's capacity is designed to prevent cRSP platform disruption during malfunctions. Disaster recovery (DR) and business continuity management (BCM) plans further enhance service availability.
Siemens CERT Auditing
The Siemens Computer Emergency Response Team (CERT) is an internal, independent team that develops preventive security measures and assesses the information security of the IT infrastructure.
Certification
Siemens was among the first organizations globally to implement an internationally valid information security management system (ISMS) according to ISO/IEC 27001 for remote services. The cRSP platform undergoes regular audits for effective protection and continuous improvement.
You Determine How Access Takes Place
As a basic requirement, every service activity must be contractually authorized. Access is granted only for contractually agreed use cases.
To enable access to systems from outside the Siemens network, the Customer Web Portal (CWP) with enhanced security requirements (two-factor authentication) is used. In addition to setting up a connection, customers can explicitly bar access to individual destinations and enable them only when needed. Combined with log file retrieval upon successful access, this provides customers with full control over remote access to their systems.
Access Scenario Example
- Locked by default: Customers can lock all connections or specific systems. A service technician who needs access to a locked system must contact the customer, who can then log into the CWP and unlock the required connection. After the service is completed, the customer re-locks the connection.
- Full access: An expressly authorized service engineer can connect to the system at any time with customer permission. Each system access is automatically logged for customer review. Customers often opt for full access when proactive preventive maintenance and maximum system availability are key priorities.
- Access can be granted in real-time or at agreed intervals. This allows for statistical data collection for system optimization, proactive fault management, and services. Siemens collaborates closely with customers to ensure only agreed-upon data is transmitted.
Authentication and Authorization of Siemens Service Personnel
The central backend of the cRSP platform resides in a separate segment within the Siemens intranet. Siemens issues PKI certificates to employees. Each time a service technician logs into the cRSP portal, their access rights are verified using PKI and a strong authentication method involving a smart card. Defined access models are mirrored within the cRSP platform and translated into authorized IT system access levels, matched to the service technician's verified identity.
This procedure ensures that service technicians can only access specific areas of a system for which they have been expressly authorized in advance.
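The access scenarios above and the authorization step described here combine three independent decisions: the use case must be covered by the contract, the technician's verified identity must carry a matching authorization, and the customer's lock for that destination must be open; every attempt is logged for the customer. The following is an added illustration of that decision logic and is not Siemens' cRSP code. The technician identity is assumed to arrive as the subject of an already-verified smart-card certificate; destination names, use-case names and the log format are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Destination:
    name: str
    contracted_use_cases: frozenset   # use cases agreed in the service contract
    locked: bool = True               # customer lock in the CWP; "full access" systems start unlocked


@dataclass
class Technician:
    common_name: str                  # subject CN of the verified smart-card certificate (assumed source)
    authorized: dict                  # destination name -> set of use cases granted to this person


class CustomerSite:
    """Decision point modelled after the concept: contract, then technician rights, then customer lock."""

    def __init__(self, destinations):
        self.destinations = {d.name: d for d in destinations}
        self.log = []                 # every attempt, allowed or denied, is recorded for the customer

    def lock(self, name):
        self.destinations[name].locked = True

    def unlock(self, name):
        self.destinations[name].locked = False

    def request_access(self, tech, name, use_case):
        dest = self.destinations.get(name)
        if dest is None:
            allowed, reason = False, "unknown destination"
        elif use_case not in dest.contracted_use_cases:
            allowed, reason = False, "use case not covered by contract"
        elif use_case not in tech.authorized.get(name, set()):
            allowed, reason = False, "technician not authorized for this use case"
        elif dest.locked:
            allowed, reason = False, "destination locked by customer"
        else:
            allowed, reason = True, "ok"
        self.log.append({
            "time": datetime.now(timezone.utc).isoformat(),
            "technician": tech.common_name,
            "destination": name,
            "use_case": use_case,
            "allowed": allowed,
            "reason": reason,
        })
        return allowed


def build_sample_site():
    # Constructed sample: one locked-by-default fire panel, one "full access" BMS server.
    return CustomerSite([
        Destination("fire-panel-01", frozenset({"remote_diagnosis", "remote_repair"})),
        Destination("bms-server", frozenset({"performance_monitoring", "remote_diagnosis"}), locked=False),
    ])


# Constructed technician: authorized on the fire panel only.
TECH = Technician("CN=J. Doe, OU=Field Service", {"fire-panel-01": {"remote_diagnosis", "remote_repair"}})


def demo():
    site = build_sample_site()
    results = [
        site.request_access(TECH, "fire-panel-01", "remote_diagnosis"),      # denied: locked
    ]
    site.unlock("fire-panel-01")                                              # customer opens it in the CWP
    results.append(site.request_access(TECH, "fire-panel-01", "remote_diagnosis"))     # allowed
    results.append(site.request_access(TECH, "fire-panel-01", "remote_commissioning")) # denied: not in contract
    results.append(site.request_access(TECH, "bms-server", "remote_diagnosis"))        # denied: no authorization
    site.lock("fire-panel-01")                                                # customer re-locks afterwards
    return results, site.log


if __name__ == "__main__":
    decisions, log = demo()
    for entry in log:
        print(entry)
```

The order of the checks matters for what the customer sees in the log: a request that fails the contract check is reported as such even when the destination is also locked, so the log tells the customer which control actually stopped the access.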
Authenticating and Authorizing Your Personnel
To enable access to your systems from outside the Siemens network, the Customer Web Portal (CWP) with enhanced security requirements (two-factor authentication) has been established. The CWP is located within the Siemens DMZ (demilitarized zone). Registered users and their authorizations, like those of Siemens intranet users, are stored on a server in a separate network segment. Authentication in the CWP uses a user ID and password plus, as the second factor, a PIN delivered to the user's mobile phone or, alternatively, by email.
For questions or assistance, please contact your local Siemens country organization.
Diagram illustrating network zones: Intranet zone (Siemens engineer, cRSP Portal Server, RADIUS Server), DMZ (Access Server, cRSP DMZ, Authentication Server, CWP (Customer Web Portal) Server), and Internet (Customer, VPN, Customer System, two-factor authentication, external client).
Technical Security Concept
Network Structure
To protect both your network and the Siemens intranet against threats, Siemens has secured the cRSP infrastructure within a DMZ. Service technicians do not establish end-to-end connections to your systems. Instead, connections terminate in the DMZ, which is protected by firewalls on both sides. A reverse proxy server establishes the connection to your system and mirrors incoming communication to the Siemens intranet. This prevents connections between the Siemens intranet and your network using unauthorized protocols, as the mirroring process only works with predefined protocols.
This architecture prevents:
- Unauthorized access from one network to another.
- Access from a third network by unauthorized systems and users.
- Fraudulent use of secret passwords or access data.
- Transmission of viruses or other harmful programs between networks.
Virtual Private Network (VPN) via a Broadband Connection
cRSP consistently uses a secure VPN tunnel over a broadband internet connection, offering maximum security, high data transfer rates, and high availability.
Diagram illustrating the network structure with Customer, Internet, DMZ, and Siemens (ASC) zones. It shows monitoring of system parameters via a CRSP access server and CRSP portal, with a secure tunneled connection via Virtual Private Network (VPN).
Security Measures for IPsec
Siemens uses the established IP Security (IPsec) standard with preshared secrets for encrypted and authenticated data transmission. The recommended minimum configuration uses a preshared secret consisting of an arbitrary string of at least 12 random characters; because the preshared secret is the only credential authenticating the two peers, it should be generated randomly rather than chosen by hand, and a longer secret costs nothing. Keys are negotiated with the Internet Key Exchange (IKE), which is built on the Internet Security Association and Key Management Protocol (ISAKMP). The Encapsulating Security Payload (ESP) provides data confidentiality with AES-256 encryption, while a SHA-2 hash provides data integrity and authenticity. Diffie-Hellman key exchange with a 2048-bit modulus (group 14) secures the key exchange and provides Perfect Forward Secrecy (PFS).
Diagram illustrating Siemens Owned Access via IPsec: Internet Connection -> VPN Broadband IPsec -> Access Point -> Customer Network. Ports shown: UDP 500 (IKE), UDP 4500 (IKE and ESP with NAT traversal), TCP 22 (SSH). Siemens intranet components shown: IPsec router, cRSP Portal, DB, Access Server, TSE Laptop.
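The parameters above (AES-256, SHA-2, DH group 14 with PFS, a random preshared secret of at least 12 characters) are easy to state and easy to get wrong in a router configuration. The following is an added example, not a Siemens tool, of a small checker that reads proposals written in the strongSwan token style (an assumption; other vendors spell the same algorithms differently) and reports every deviation from the minimum stated in this concept, alongside a generator for a preshared secret that comfortably exceeds the 12-character floor. Both sample configurations are constructed.

```python
import secrets
import string

# Minimums stated in the concept, expressed as strongSwan-style proposal tokens (an assumption).
MIN_PSK_CHARS = 12
STRONG_ENCRYPTION = {"aes256", "aes256gcm16", "aes256gcm128"}
SHA2_INTEGRITY = {"sha256", "sha384", "sha512"}
ACCEPTABLE_DH = {"modp2048", "modp3072", "modp4096", "modp6144", "modp8192",  # group 14 and up
                 "ecp256", "ecp384", "ecp521"}                                # ECP groups of comparable strength


def parse_proposal(proposal):
    """Split 'aes256-sha256-modp2048' into (encryption, integrity, dh_group); missing parts are None."""
    parts = proposal.lower().split("-")
    enc, integ, dh = parts[0], None, None
    for token in parts[1:]:
        if token.startswith(("modp", "ecp", "curve")):
            dh = token
        elif token.startswith(("sha", "md5")):
            integ = token
    return enc, integ, dh


def check_proposal(label, proposal):
    """Findings for one IKE or ESP proposal; an empty list means it meets the stated minimum."""
    findings = []
    enc, integ, dh = parse_proposal(proposal)
    if enc not in STRONG_ENCRYPTION:
        findings.append(f"{label}: encryption '{enc}' is below AES-256")
    if not enc.startswith("aes256gcm") and integ not in SHA2_INTEGRITY:   # AEAD modes carry no separate hash
        findings.append(f"{label}: integrity '{integ}' is not SHA-2")
    if dh is None:
        findings.append(f"{label}: no Diffie-Hellman group, so no PFS for this SA")
    elif dh not in ACCEPTABLE_DH:
        findings.append(f"{label}: DH group '{dh}' is weaker than group 14 (modp2048)")
    return findings


def check_psk(psk):
    findings = []
    if len(psk) < MIN_PSK_CHARS:
        findings.append(f"preshared secret has {len(psk)} characters, minimum is {MIN_PSK_CHARS}")
    return findings


def check_ipsec(ike_proposal, esp_proposal, psk):
    """All findings for a connection: IKE proposal, ESP proposal (PFS requires a DH group here), PSK."""
    return check_proposal("IKE", ike_proposal) + check_proposal("ESP", esp_proposal) + check_psk(psk)


def generate_psk(length=32):
    """Random preshared secret from a printable alphabet; 32 characters by default, well above the floor."""
    alphabet = string.ascii_letters + string.digits + "!#%&*+-=?@_"
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample configurations: a weak legacy setting and the corrected one.
WEAK = {"ike": "aes128-sha1-modp1024", "esp": "aes128-sha1", "psk": "siemens123"}
STRONG = {"ike": "aes256-sha256-modp2048", "esp": "aes256-sha256-modp2048", "psk": generate_psk()}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("strong", STRONG)):
        print(name, check_ipsec(cfg["ike"], cfg["esp"], cfg["psk"]) or "meets minimum")
```

The ESP check deliberately treats a missing DH group as a finding: an ESP proposal without a group means the child SA is rekeyed from the IKE SA's keying material alone, which is exactly the PFS property the text says is required.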
Security Measures for SSL-VPN
As an alternative to IPsec VPN, Siemens offers an SSL VPN solution using TLS 1.3. The client can be installed on Windows or Linux (specific distributions only) and is also installed on the DigitalizationBox and the Remote Solution Gateway. Before a connection can be established, the device must be registered with a one-time password (OTP). This OTP is generated from the system's unique data and is valid only for that registration. The client accepts a TLS connection to the VPN server only if the server certificate is signed by an internal Siemens Certification Authority (CA); because public CAs are not trusted for this purpose, the device will only talk to genuine cRSP servers. In the other direction, an additional hardware-based hash ties the registration to the physical device, so an unauthorized device (for example a cloned system image) cannot connect to cRSP.
Diagram illustrating Internet Based Connection via SSL VPN: Internet Connection -> SSL VPN Tunnel -> Access Point -> Customer Network. Port TCP 443 is shown. Also shows Siemens Intranet components like SSL VPN Server, Access Server, CRSP Portal, DB, TSE Laptop.
Diagram showing DigitalizationBox/Remote Solution Gateway connection via SSL VPN: Internet Connection -> SSL VPN Tunnel -> Access Point -> Customer Network. Port TCP 443 is shown.
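The SSL VPN section describes three client-side controls: a server certificate that must chain to the internal CA, a registration OTP that is derived from the device's own data and usable once, and a hardware-based hash that a cloned image cannot reproduce. The following added example, not Siemens' client or server code, models the registration and connection checks so the failure cases can be exercised offline: a clone presenting a valid OTP, OTP reuse, and a clone attempting to connect after a genuine registration. Which hardware identifiers feed the hash, the OTP derivation, and the CA file path used by the pinned TLS context are all assumptions for this illustration; the hardware facts are constructed.

```python
import hashlib
import hmac
import secrets
import ssl


def device_fingerprint(hardware_facts):
    """Hardware-based hash: SHA-256 over sorted, stable hardware identifiers (chosen here as an assumption)."""
    material = "|".join(f"{k}={v}" for k, v in sorted(hardware_facts.items()))
    return hashlib.sha256(material.encode()).hexdigest()


class RegistrationServer:
    """Server-side model of the registration step, constructed for illustration."""

    def __init__(self, server_key):
        self.server_key = server_key      # secret known only to the server
        self.pending = {}                 # otp -> (device_id, fingerprint) awaiting registration
        self.registered = {}              # device_id -> fingerprint bound at registration

    def issue_otp(self, device_id, hardware_facts):
        """OTP derived from the device's unique data under the server key; meaningless for any other device."""
        fp = device_fingerprint(hardware_facts)
        otp = hmac.new(self.server_key, f"{device_id}|{fp}".encode(), "sha256").hexdigest()[:12]
        self.pending[otp] = (device_id, fp)
        return otp

    def register(self, otp, device_id, hardware_facts):
        entry = self.pending.get(otp)
        if entry is None:
            return False                  # unknown, or already consumed by a successful registration
        expected_id, expected_fp = entry
        presented_fp = device_fingerprint(hardware_facts)
        if expected_id != device_id or not hmac.compare_digest(expected_fp, presented_fp):
            return False                  # OTP presented by a different device: fingerprint mismatch
        del self.pending[otp]             # valid only for this one registration
        self.registered[device_id] = expected_fp
        return True

    def connect(self, device_id, hardware_facts):
        """Later VPN connections must present the same hardware hash that was bound at registration."""
        fp = self.registered.get(device_id)
        return fp is not None and hmac.compare_digest(fp, device_fingerprint(hardware_facts))


def pinned_client_context(internal_ca_pem):
    """TLS client context that trusts only the internal CA and insists on TLS 1.3 (CA file path assumed)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED and hostname checking by default
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.load_verify_locations(cafile=internal_ca_pem)  # the system CA store is deliberately not loaded
    return ctx


def demo():
    server = RegistrationServer(secrets.token_bytes(32))
    genuine = {"board_serial": "SN-000123", "mac": "00:11:22:33:44:55"}   # constructed hardware facts
    clone = {"board_serial": "SN-999999", "mac": "00:11:22:33:44:55"}     # same image, different board
    otp = server.issue_otp("gateway-01", genuine)
    return {
        "clone_register": server.register(otp, "gateway-01", clone),      # fingerprint mismatch
        "genuine_register": server.register(otp, "gateway-01", genuine),  # succeeds, consumes the OTP
        "otp_reuse": server.register(otp, "gateway-01", genuine),         # OTP no longer valid
        "genuine_connect": server.connect("gateway-01", genuine),
        "clone_connect": server.connect("gateway-01", clone),
    }


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(f"{check}: {'allowed' if outcome else 'denied'}")
```

A failed registration attempt does not consume the OTP, so a clone cannot lock the genuine device out of its own registration; a successful one does, so the same OTP cannot be replayed afterwards. `pinned_client_context` is what the VPN client would use for its connection: with only the internal CA loaded, a certificate from any public CA fails verification even if its name matches.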
Security Measures in the Customer Network
The following section lists the protocols and services used. Specific security measures or customized firewall functions for special applications or network segments are available depending on the chosen connectivity options.
Protocols
Depending on the product being serviced, various protocols are supported by the cRSP secured connection to the customer system:
- The HTTP protocol (preferably HTTPS).
- Microsoft Remote Desktop, SSH (PuTTY), Telnet, NetOp, WinVNC, AnyDesk.
- BACnet.
- A large range of UDP-based connectivity products (e.g., FS20 fire systems).
- Other protocols, if needed.
- FTP/SFTP (File Transfer Protocol, SSH File Transfer Protocol).
Where a choice exists, prefer the encrypted variant (HTTPS, SSH, SFTP): the VPN tunnel protects traffic only between cRSP and the access point, and Telnet or FTP credentials remain in cleartext on the customer's local network segment beyond it.
Secured cRSP Server
Siemens' backend exclusively uses hardened systems that are designed for stability and run actively maintained distributions with frequent security updates. With the current state of the art, infections by worms, viruses, Trojan horses, and similar attacks are therefore highly unlikely. Siemens' secured cRSP servers and encrypted databases also comply with the latest security guidelines. The effectiveness of these protection measures is regularly audited against ISO/IEC 27001:2013, ensuring that cRSP servers operate with state-of-the-art technology.
Quote
"The risks are manageable if the industry relies on a universal security concept."
— Dr. Rolf Reinema, Head of the IT Security Technology Field, Research and Development Department, Siemens, Corporate Technology (CT)
Appendix
IPsec
Siemens Owned Access
Connection between cRSP infrastructure and customer network is performed through a router provided by Siemens.
Diagram showing Siemens Owned Access via IPsec: Internet Connection -> VPN Broadband IPsec -> Access Point -> Customer Network. Ports shown: UDP 500 (IKE), UDP 4500 (IKE and ESP with NAT traversal), TCP 22 (SSH).
Customer Owned Access
Connection between cRSP infrastructure and customer network is performed through a customer router or it ends at the customer's firewall.
Diagram showing Customer Owned Access via IPsec: Internet Connection -> VPN Broadband IPsec -> Access Point -> Customer Network. Ports shown: UDP 500 (IKE), UDP 4500 (IKE and ESP with NAT traversal), TCP 22 (SSH).
SSL VPN
Internet Based Connection
Each item of equipment is connected to cRSP through the Internet via a secure SSL VPN tunnel. Internet access is provided by the customer.
Diagram showing Internet Based Connection via SSL VPN: Internet Connection -> SSL VPN Tunnel -> Access Point -> Customer Network. Port TCP 443 is shown.
DigitalizationBox/Remote Solution Gateway
Connection between cRSP infrastructure and customer network is performed through a router provided by Siemens. Access to the internet is provided by the customer or over a mobile connection.
Diagram showing DigitalizationBox/Remote Solution Gateway connection via SSL VPN: Internet Connection -> SSL VPN Tunnel -> Access Point -> Customer Network. Port TCP 443 is shown.
General Statement
People spend about 90 percent of their time indoors. Improve the places where they spend their lives, and you improve their lives.
With Siemens' people, technology, products, and services, the aim is to create perfect places for every stage of life. When building technology creates perfect places – that's Ingenuity for life.
Creating environments that care.
Learn more at: siemens.com/smart-infrastructure
Article no. BT_0123_EN (Status 07/2019)
Subject to changes and errors. The information in this document contains only general descriptions and/or performance features which may not always specifically reflect those described, or which may undergo modification in the course of further product development. The requested performance features are binding only when expressly agreed upon in the concluded contract.