Overview - Siemens SICAM Q100 7KG95 Series Manual

Class A power quality instrument and power monitoring device

6 Security

6.1 Overview

The following table contains an overview of the SICAM Q100 security features. Individual topics are explained
in the following chapters.
Table 6-1 Overview

Topic: HTTPS
Description:
The device supports the following HTTPS features:
- For access to the Web UI of the SICAM Q100 device, the secure HTTPS communication protocol is used. Unencrypted HTTP access is not supported.
- The free software OpenSSL is used for the TLS implementation.
- The integrated Web server only supports connection requests with the cryptographic protocol versions TLS1.1 and TLS1.2. Older versions are rejected for security reasons.
- Only high-strength cipher suites (key length ≥ 128 bit) are supported.
- The device generates a self-signed TLS certificate, which is therefore not signed and confirmed by a certification authority. When using the SICAM Q100 user interface, all browsers will show a warning about an unknown certificate and an untrusted connection. Due to the authentication scheme used by browsers, Siemens cannot provide certificates (for example, during assembly) to be used for HTTPS with browsers. This is because either the DNS name or the IP address of the device has to be part of the signed certificate, both of which are ultimately determined after installation at the site of the customer. That is why the products generate a self-signed certificate after the IP address has been set. This self-signed certificate has to be trusted in a secure way on all clients used to access this device. You can find the recommended way of trusting self-signed certificates in the document Certificate trusting in web browsers. You can find this document under http://www.siemens.com/gridsecurity, Downloads -> Downloads Cyber Security -> Application Notes.
- As the certificate is linked to the IP address of the device, it is generated anew with each change of the IP address.

Topic: Role-based access control (RBAC)
Description:
The SICAM Q100 device provides a role-based access control (RBAC) mechanism for account management. With the RBAC mechanism, the permissions to perform certain actions on the SICAM Q100 device are assigned to specific roles. For more detailed information, refer to chapter 6.2.2.

Topic: Audit log
Description:
The device provides an audit log to track security-relevant events. Only a user with auditor rights can access the messages in the audit log. For more detailed information, refer to chapter 9.5.4.3.

Topic: Firmware with digital signature
Description:
The integrity and authenticity of the firmware package is protected by a digital signature. Only a firmware package with a valid digital signature can be uploaded into the SICAM Q100 device.
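The HTTPS entry above says the self-signed certificate must be trusted on every client and is regenerated whenever the device IP address changes. The following is an added example, not taken from the Siemens manual or the referenced application note: one way a scripted client could pin the certificate by SHA-256 fingerprint per IP address. All function names, the pin-store layout, the 192.0.2.x addresses and the sample bytes are assumptions made for illustration.

```python
import hashlib
import hmac
import socket
import ssl


def fingerprint(der: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def fetch_der(ip: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate the device presents, without CA validation.
    A self-signed certificate cannot pass chain validation, so trust is
    decided afterwards by check_pin(). Requiring TLS 1.2 is this client's
    choice (assumption); the manual lists TLS1.1 and TLS1.2 as supported.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(pins: dict, ip: str, der: bytes) -> str:
    """Return "ok", "mismatch" or "unpinned" for the certificate seen at ip."""
    expected = pins.get(ip)
    if expected is None:
        return "unpinned"
    same = hmac.compare_digest(expected, fingerprint(der))
    return "ok" if same else "mismatch"


def enroll(pins: dict, ip: str, der: bytes) -> None:
    """Record a pin. Call only after confirming the fingerprint out of band."""
    pins[ip] = fingerprint(der)


def readdress(pins: dict, old_ip: str, new_ip: str, der: bytes) -> None:
    """The device issues a new certificate on an IP change: retire the old pin."""
    pins.pop(old_ip, None)
    enroll(pins, new_ip, der)


if __name__ == "__main__":
    pins = {"192.0.2.10": fingerprint(b"constructed stand-in for DER bytes")}
    print(check_pin(pins, "192.0.2.10", b"different constructed bytes"))
```

A "mismatch" at an unchanged IP address means the presented certificate differs from the one enrolled, so the client should stop and the change should be investigated before re-enrolling.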
SICAM Q100, 7KG95xx, Device Manual
E50417-H1040-C522-A6, Edition 06.2019
