Security Features; Overview - Siemens SICAM Q100 7KG95 Series Manual

Class A power quality instrument and power monitoring device

8.2 Security Features

8.2.1 Overview
The following table contains an overview of the security features. Individual topics are explained in the
following chapters.
Table 8-4 Overview

Topic: HTTPS
Description:
The device supports the following HTTPS features:
- For access to the Web UI of the device, the secure HTTPS communication protocol is used. Unencrypted HTTP access is not supported.
- The free software OpenSSL is used for the TLS implementation.
- The integrated Web server supports connection requests with the cryptographic protocol version TLS 1.2. Older versions are rejected for security reasons.
- Only high-strength cipher suites (key length ≥ 128 bit) are supported.
- The device generates a self-signed TLS certificate, which is therefore not signed and confirmed by a certification authority. When using the user interface, all browsers will show a message about an unknown certificate, warning about an untrusted connection. Due to the authentication scheme used by browsers, Siemens cannot provide certificates (for example, during assembly) to be used for HTTPS with browsers. This is because either the DNS name or the IP address of the device has to be part of the signed certificate, both of which are ultimately determined after installation at the site of the customer. That is why the products generate a self-signed certificate after the IP address has been set. This self-signed certificate has to be trusted in a secure way on all clients used to access this device.
You can find the recommended way of trusting self-signed certificates in the document Certificate trusting in web browsers. You can find this document at http://www.siemens.com/gridsecurity, Downloads > Downloads Cyber Security General > Application Notes.
As the certificate is linked to the IP address of the device, it is generated anew with each change of the IP address.

Topic: Role-Based Access Control (RBAC)
Description:
The device provides a role-based access control (RBAC) mechanism for the account management. With the RBAC mechanism, the permissions to perform certain actions on the device are assigned to specific roles.
The device supports centralized user-credentials management with a RADIUS server.
For more information, refer to 8.3.2 Configuration via the User Interface.

Topic: Automatic logout after a timeout of no action
Description:
If there are no actions via the user interface for the duration of the session timeout (10 min by default), you are logged off automatically. For further actions, you must log on to the user interface again.
For more information, refer to 8.4.2 Security Settings.

Topic: Audit log
Description:
The device provides an audit log to track security-relevant events. Only a user with auditor rights can access the messages in the audit log.
For more information, refer to 9.2 Audit Log.

Topic: Syslog
Description:
The device supports transmitting the audit logs to a central log server using Syslog.
For more information, refer to 8.6.1 Function Description.

SICAM, SICAM Q100 7KG95xx, Manual
E50417-H1040-C522-A9, Edition 06.2021
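The HTTPS entry above states that the device certificate is self-signed and regenerated with each IP address change, and that the Web server accepts only TLS 1.2 with cipher suites of at least 128 bit. One way to check those properties from a client and pin the certificate per device address, as an added example that is not part of the Siemens manual: the function names, the pin store and the address 192.0.2.10 are assumptions, and the sample certificate bytes are constructed.

```python
import hashlib
import socket
import ssl

REQUIRED_VERSION = "TLSv1.2"  # manual: only TLS 1.2 is accepted
MIN_CIPHER_BITS = 128         # manual: cipher suites with key length >= 128 bit


def fingerprint(der_cert):
    """SHA-256 fingerprint of a DER-encoded certificate as lowercase hex."""
    return hashlib.sha256(der_cert).hexdigest()


def evaluate(ip, version, cipher_bits, der_cert, pins):
    """Compare one observed session with the manual's claims and the pin store.

    pins maps device IP -> fingerprint recorded over a trusted path (assumed store).
    Returns a list of findings; an empty list means the session is as expected.
    """
    findings = []
    if version != REQUIRED_VERSION:
        findings.append(f"protocol {version}, expected {REQUIRED_VERSION}")
    if cipher_bits is None or cipher_bits < MIN_CIPHER_BITS:
        findings.append(f"cipher strength {cipher_bits} bit, expected >= {MIN_CIPHER_BITS}")
    pinned = pins.get(ip)
    if pinned is None:
        # The certificate is regenerated on every IP change, so a new
        # address always needs a fresh enrolment, never an inherited pin.
        findings.append(f"no pin enrolled for {ip}")
    elif fingerprint(der_cert) != pinned.replace(":", "").lower():
        findings.append(f"certificate for {ip} does not match pin")
    return findings


def probe(ip, port=443, timeout=5.0):
    """Return (version, cipher_bits, der_cert) as presented by the device.

    CA validation is disabled because the certificate is self-signed;
    trust comes only from the pin comparison in evaluate().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw) as tls:
            return tls.version(), tls.cipher()[2], tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    cert = b"constructed stand-in for DER bytes"   # constructed sample
    pins = {"192.0.2.10": fingerprint(cert)}       # documentation address
    print(evaluate("192.0.2.10", "TLSv1.2", 256, cert, pins))
```

Against a real device, pass the tuple returned by `probe(ip)` into `evaluate()`; a pin mismatch after a planned IP change is expected and calls for re-enrolling the fingerprint over a trusted path.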
