Remote Services – Security Concept siemens.com/energy/remoteservices Answers for energy.

siemens.com/energy/remoteservices

Remote Services –

Security Concept

Answers for energy.

2

Introduction

Remote services – Reasons and objectives

Remote services will become increasingly important in the future as companies try to offset rising cost pressures and as the availability of plants and turbo machinery becomes more and more crucial. Through remote monitoring and diagnosis, many developing faults can be detected at an early stage. This means that maintenance can be performed as needed, rather than at fixed intervals.

Due to the massive use of microelectronics in today’s

products and the conversion from mechanical/electromechanical product features to software-based functionality, product support and services are changing significantly.

Increasingly, traditional types of service will be replaced by IT-based services and services that rely on expert knowledge.

Furthermore, as products become more interconnected with IT solutions and communication technology ad - vances, the need for new, more effective remote service offerings is increasing.

As services evolve in this direction, security issues and data privacy become even more important. Both are absolutely crucial in remote services.

3

4

General operational concept

Purpose of this document

This security concept describes the measures we at Siemens follow to protect customer data, application programs, and

IT systems when we perform remote services.

Our security concept is divided into two main parts. The first is the general operational section, where we explain the basic concept of the Siemens Turbomachinery Application – Remote Monitoring System (STA-RMS) platform and especially the “Connectivity Layer” using common

Remote Service Platform (cRSP), our service processes, and the technical capabilities of our products. This part is designed for users, technical managers, and all those who want to obtain a general overall understanding of how Siemens STA-RMS platform works. The second part, the technical concept, is primarily for IT specialists and data security experts who need more detail about the technical and organizational security measures we take to achieve a high level of security and ensure data privacy. It explains how a connection to Siemens STA-RMS platform via cRSP is established, what our security infrastructure looks like, and the measures we take to prevent malicious attacks.

Service and maintenance of technical equipment

Given the growing complexity of modern products and solutions, Siemens has responded to this challenge by

providing additional support in order to optimally service our customers.

It is often faster and more efficient to determine the causes of equipment issues via remote diagnosis and, where possible, address the issue remotely. Even in cases where remote repair is not possible, the information obtained via remote diagnosis can support the Siemens service engineer on-site. In addition, our remote services help us to increasingly act in a preventive manner, rather than waiting to react in case of an emergency.

Our concept for remote monitoring and diagnostics is based on the ongoing collection of the operational data

New perspective on a changing energy system: the power matrix

Our energy system is in a state of radical change. As the share of distributed power generation grows, so does the system’s complexity.

Consumers are increasingly becoming power producers themselves and feed their surplus into the grid. The linear energy conversion chain has turned into a multifaceted system with countless new actors.

of our turbo machinery or plant equipment. Additionally, a software program independently monitors certain important parameters within the data collector of the equipment at the customer’s site. If values exceed or fall below the defined limits, our STA-RMS platform is designed to automatically send a message to our 24-hour global helpdesk at the responsible Product Competence

Center. The incoming message is analyzed and, if necessary, forwarded to the customer for their information.

Remote repair can be then initiated in consultation with the customer.

Where necessary, Siemens technicians travel to the site to address the issue indicated in the message. This is all done within the scope of the specific service agreement – whether it’s one of our LTP (Long-Term Programs) agreements or a dedicated Remote Diagnostic Service agreement.

Whether on-site or remote, when accessing data sets

containing sensitive data, our data privacy protection

programs are designed in compliance with applicable

regulations and guidelines.

Features of online support: Remote access to customer equipment for online support (for example, troubleshooting or user questions regarding operation) is done through remote desktop management tools. They provide a display of the customer’s monitor at the 24-hour global helpdesk, and enable remote access by the Siemens service engineer.

For this, the customer is to explicitly grant access for each individual session. The customer can track the course of the online support and, if necessary, terminate the access provided to the 24-hour global helpdesk at any time.

Proactive and value-added service activities

As part of our remote diagnostic services, the customer’s device proactively sends predefined data and events to our

STA-RMS platform. This enables our 24-hour global helpdesk at the responsible Product Competence Center to analyze the customer’s equipment. This can include technical data such as oil pressure, oil temperature, vibration levels, statistic data (for instance, number of starts, etc.), or equipment reliability data.

In addition, remote monitoring and diagnostics of selected equipment parameters enable us to offer our customers new attractive services designed to further optimize product utilization and life cycle costs.

5

Customer requirements for safety and security are fundamental for Siemens

As the first step, the customer’s requirements for safety and security of their equipment must be communicated to

Siemens and then carefully evaluated. For example, based on the customer’s business, technical infrastructure,

specific security issues, and applicable regulations, there may be a need to implement additional security measures that are beyond the standard scope of a product.

By clarifying and addressing these at the outset, Siemens can establish a level of trust with the customer. This is critical as the customer must grant Siemens certain access rights to their equipment.

The following non-exhaustive list sets forth some typical customer requirements.

Comprehensive logging

The customer and/or specific regulations may require comprehensive and comprehensible logging of session data.

Audit trail

Industry-specific requirements and/or applicable reg- ulations may require that remote service sessions are recorded, so that the session is traceable in the case of future audits.

Online supervision

The customer may want to observe a remote session in real time. In particular, when critical parts of the equipment are being serviced, customers may want to supervise actions and be able to stop the session at any time.

Selective access: comprehensive administration of user rights and data access

Customers may want to have a detailed level of gradation of user rights and access to systems and data. For highly critical components, personalized access rights with strong authentication may be required.

Protection of data privacy

Before connecting remotely to a customer’s equipment, there must be clarification on how data privacy protection issues are to be addressed. In addition, certain industry standards and/or applicable regulations require specific measures to ensure data privacy.

Using a standard solution

A growing number of manufacturers offer remote services for their products in various configurations. This can result in an increasing number and variety of remote connections between the customer and the product manufacturers (OEMs), which may increase administrative effort for the customer. The added administrative complexity can also increase the possibility of security gaps. Siemens strives to avoid this situation by building on a certified, standards-compliant solution for Siemens products.

6

Organizational security concept

The organizational structure is as significant as the technical part of the security concept. For us at Siemens it is very important to provide the highest quality to our customers.

Therefore, we take care that customers are included in every step of the implementation and all operation processes. All processes are designed to offer a high level of traceability.

This section provides detailed information on the following topics:

Implementation process

User management

Establishing a connection

Work permit for remote service

Access control

Remote access logging

Organizational measures

Maintenance and further development of the

“Connectivity Layer” (cRSP)

Implementation process

Based on the contract requirements, the connections to the plants are planned and then verified with the customer. The implementation starts after the customer has agreed to the suggested implementation plan in accordance with the contract.

Relevant systems, users, and other necessary information are reviewed by the customer in advance.

After the finalization of the implementation the customer receives detailed documentation of his plant’s connection to the STA-RMS platform.

User management

Siemens requires that users of the STA-RMS platform are authorized for access, and that they are trained in Remote

Service. The certification process is intended to provide them with sufficient knowledge of applicable policies and procedures for the access and use of the information.

Remote Services

Dashboards

Diagnostic &

Decision Level

Remote Support

Customer App

Event Agent

Remote Diagnostic Services Performance Maintenance

Service App

Condition Based Monitoring

(CBM) & New Remote Services

AMS/cRSP App

Event Analysis

Agent

Advanced Diagnostics Agent

Vibration Agent

Early Warning

Agent

Performance Agent Notification Agent

Condition

Monitoring &

Analysis Level

Connectivity Level

Using cRSP

Database

Connectivity and Security

All protocols through cRSP VPN Tunnel

STA-RMS

Onsite Connector at Customer Site TRICONEX MODBUS OPC WIN CC ABB

SIMATIC

PCS 7

SIMATIC

S 7

EPS

NETWORK

YOKO-

GAWA

Data Collectors for different control systems and solutions for all Siemens Energy Service products are available.

SPPA-

T3000

7

The user certification is valid for one year, and after that period the users are not allowed to connect with the STA-RMS platform until successful recertification.

Establishing the connection

To authorize remote access for a Siemens service engineer, additional security mechanisms can be put into place, such as authentication servers using one-time passwords.

Work permit for remote service

In addition to the general policy, which says that a customer must grant the permission to the Siemens service engineer to connect to the unit for every session, a

customer can unlock/lock his systems via the STA-RMS

“Connectivity Layer” (cRSP), so that no physical activity is needed.

This is possible via the Access Management Service (AMS) of the STA-RMS platform where customers can also supervise the access.

Access control

For every service activity, the service contract can ensure that the customer grants access to his plant to the STA-

RMS platform, and retains control of who is permitted access to the equipment. Access is only granted to identify or correct errors. After a set period of time, during which no action has occurred, the Siemens remote session on the customer equipment automatically ends.

Remote access logging

Siemens records access to the customer equipment and applies a time stamp. In addition, the Siemens service engineer who accesses the equipment is assigned a unique user identification, which is also recorded in this log. As a result, we can inform the customer within an appropriate period of time which service engineer had access to data, when, and what communication activities were performed on each piece of equipment. We typically retain these log reports for two years, but can retain them for a longer period if it is a customer contract requirement.

Maintenance and further development of the

STA-RMS platform

Maintenance and development tasks are based on dedicated processes. Suggested changes are discussed and assigned by a Change Control Board (CCB)/Change Advisory Board (CAB). After the realization of the changes, they are tested for failures or incompatibilities in a release environment to protect productive environments. After the approval at the end of the tests, the changes are

implemented in the productive environment. This process is mandatory for all changes concerning the STA-RMS platform.

Organizational measures

Our Siemens service engineers understand the need for data privacy and IT security, and are trained to have knowledge of the applicable requirements.

8

Technical security concept

Security infrastructure of the

STA-RMS platform

This section provides more detailed technical information on the following topics:

Authentication and authorization of

– customer personnel

– Siemens service personnel

– authorized service partners

Privacy along the transmission route

The cRSP – DMZ: this is the “Demilitarized Zone” between the Siemens intranet and the Internet or public lines

Security measures for accessing the customer network

Protocols and services supported

Authentication and authorization of Siemens service personnel

The central access portal of the “Connectivity Layer”

(cRSP) within the STA-RMS platform is located within the

Siemens intranet, in a separate network segment, and requires a valid cRSP user ID and password to access it.

A strong authentication method, such as PKI (Public Key

Infrastructure) using a smart card, is also available.

A multi-level service domain concept defines which users are permitted to access which equipment. This means that

Siemens service engineers can only access customer equipment for which they have been authorized. Furthermore, only the Siemens “Connectivity Layer” (cRSP) access functions for which the engineer is explicitly authorized are released for viewing by that engineer. Other equipment in the customer’s network not maintained by Siemens are not configured for access by Siemens engineers.

Siemens

Service

Technician

Siemens Intranet

AP

Access

Portal

Remote

Service

Center

STA-RMS

Platform

DB

DB

AS

Access

Server

DS

Data

Server

DMZ cRSP

Internet

VPN

Diallines

ISDN / POTS

Communication

Link

Service Router

Customer Access

Gateway

Architectural overview of our security infrastructure

Business Partner Network

DMZ

Business

Partner

Customer

Service

Partner

BP

Access Portal

AMS

Access

Manage ment

Service

BTS

Terminal

Server

Optional Extension

Customer Network

9

Authentication and authorization of Siemens service partners and customer personnel

Comprehensive services for our customers sometimes require the involvement of service and engineering partners. To provide the same level of security in those cases, our Access Management Service (AMS), an optional addon to our STA-RMS platform security infrastructure, is available.

The access portal for AMS users is located in the cRSP DMZ and is accessible through the Internet. The users and their rights are stored on the same server, in a separate network segment, as the Siemens intranet users.

The authentication of the AMS is realized with user ID, password, and mobile PIN.

When the customer needs access to the AMS, he/she enters his/her username and his/her password followed by a mobile PIN that has just been sent to the mobile phone number, stored in his user profile. The PIN has to be entered within three minutes, or the authentication process has to start from the beginning.

This type of access via the AMS may also be useful for customer personnel who are not on site, but who want to monitor certain critical service activities online. In that case, the authorization for the customer personnel can be configured in a way that certain remote service activities can be executed only if approved/confirmed by this individual. This form of secure access may also be useful for customer maintenance personnel working from home who want to perform certain remote service activities via the Internet.

Privacy along the transmission route

We use state-of-the-art encryption to protect our customer’s data from unauthorized access during transmission.

Demilitarized Zone – DMZ

To protect the customer and the Siemens intranet from problems and attacks, we have secured the “Connectivity

Layer,” which is based on Linux servers, in a Demilitarized

Zone (DMZ).

Connections by the Siemens service engineer to the customer equipment, and vice versa, are not “put through directly.” They terminate in the ”Connectivity Layer,” using a reverse proxy function. This means that a connection established from the Siemens intranet is terminated in the access server. This server then establishes the connection to the customer’s equipment and mirrors the communication coming from the customer back to the Siemens intranet. This is configured to prevent any possibility of communication between the Siemens intranet and the customer’s network over any protocols that have not been specifically authorized. Mirroring occurs only for predefined protocols and only after successful authorization at the ”Connectivity Layer.”

10

Furthermore, all data streams coming from and to the

customer or the Siemens intranet is led through firewalls featuring the latest detection methods.

This architecture is designed to prevent:

Unauthorized access (for instance, by hackers)

Fraudulent use of secure passwords, access data, etc.

Transmission of viruses or similar harmful programs from one network to the other

In addition, we do not store any critical data in the DMZ – including, in particular, customer access data.

Within the scope of our proactive remote services, data is periodically sent by the monitored equipment. This communication is also established only after successful authorization of the equipment that is requesting the connection. Data sent through the VPN tunnels to the DMZ is then securely transferred onto the STA-RMS platform.

Securing the transmission route

Encrypted connections to the STA-RMS platform or AMS

The connections from the customers’ equipment to the

STA-RMS platform are HTTPS secured. All connections end in the browser window in which the STA-RMS platform or the AMS is opened. This is designed to prevent either the data sent by the customer equipment via the Internet or the data send from the STA-RMS platform from being read by invaders.

Virtual Private Network (VPN) with Internet Protocol Secu-

rity (IPSec) via the Internet: We recommend establishing a broadband, secure connection via the Internet. This can offer the following advantages: a high level of security, optimum data transfer quality and availability, and access to all STA-

RMS platform-based services. A Virtual Private Network (VPN) is used for this, secured with IPSec between the Siemens DMZ and the customer’s network portal.

IPSec is designed to protect data against tampering and being read by others (optional). Siemens uses the established standard IP Security with pre-shared secrets for encrypted and authenticated data transmission. Pre-shared secrets comprise at least twelve randomly selected characters. The Internet Security Association and Key Management Protocol (ISAKMP) is used to exchange encryption key information. The use of an Authentication Header

(AH) is for data integrity by using the MD5 or SHA1 hash method. Encrypted Secure Payload (ESP) provides for the confidentiality of data by 3DES encryption. The Diffie-

Hellmann key, with a 1024, or 1536-bit key length, can be used as symmetrical session keys.

Siemens can assist and provide customers with the prerequisites (for instance, VPN router) to use the Siemens STA-

RMS platform. The VPN endpoint on Siemens’ side is cur-

11

rently a Cisco router that is configured according to the customer’s infrastructure needs and security requirements.

Virtual Private Network (VPN) with SSL via the Internet:

Additional to the VPN via IPSec the STA-RMS platform offers connections using SSL (Secure Socket Layer) to the

Siemens DMZ.

To achieve this, a Siemens-SSL client has to be installed in the customer equipment/data collector. The client encrypts the data with certificates and sends them to the Siemens

DMZ. This so-called SSL tunnel, which is based on SSL V3, provides communication privacy over the Internet to prevent eavesdropping, tampering, or message forgery between the client and the server.

Virtual Private Network via dial-up connections

This functionality is no longer supported by Siemens. Customers who do have a dial-up infrastructure can contact their local Siemens representative for further information.

Technical security measures for the transmission route

We offer the following technical measures to provide added security:

Secure password transmission with CHAP

To transfer passwords, we use the Challenge Handshake Protocol (CHAP), which provides encrypted password transmission. The CHAP password, as well as passwords for Telnet and configuration mode access, are randomly generated from upper- and lower-case alphanumeric characters as well as special characters. The passwords are ten characters in length.

Enhanced control capabilities through debugging

(optional)

Customers who want to receive service router SNMP or syslog messages on their router, or who want to see the current service router configuration, should contact their local Siemens representative.

Security measures within the customer network

Access to the customer network

In light of the security issues involved, external access to the customer network requires specific measures. The key security features depend on the specific concept and configuration of the service router (customer access gateway) chosen.

Access enabled by customer

One general security measure that can be implemented is to block any external access when not explicitly authorized or initiated by a component within the customer network.

This security measure is supported by the STA-RMS platform, but has some limitations – especially in cases where no on-site personnel are available. However, if this option is chosen, the “Connectivity Layer” of the STA-RMS platform supports various mechanisms such as single log-in passwords or defined-service timeslots. All security measures – such as authentication, authorization, and logging –

12

described under “Authentication and authorization of

Siemens service personnel” and “Authentication and authorization of Siemens service partners and customer personnel” are available without such limitations.

Customer-supplied access (COA)

If a customer already has an existing remote access solution in place, this system can, in most cases, be configured to work securely with the Siemens STA-RMS platform’s infrastructure. To clarify the required configuration and measures, customers should contact their local Siemens service representative.

Service VPN router/ Siemens-supplied access (SOA)

The preferred solution – due to cost, performance, and security benefits – is our specified VPN-router solution with broadband Internet access, for example, DSL. This solution supports high-performance remote service solutions with lower communication costs and enables valueadded remote services to be added in the future.

Specific customer demands for additional security measures for certain applications, network segments, etc., or requested on-site firewall features, can be provided based on this access solution.

System access

When remote access to a customer’s equipment is released

(either manually by the user/administrator or automatically, based on system configuration), Siemens recommends that the service engineer is authenticated at the equipment before being able to work on the equipment.

Protocols

Depending on the capabilities of the software on a customer’s equipment, the following can be used to service the equipment:

the http – or preferably https – protocol, or

the Telnet, PuTTY, NetOp, pcAnywhere, WinVNC, Tera-

TermPro, Timbuktu, Netmeeting, Tarantella; Citrix-/ MS

Terminal Server; SNMP; X.11 service tools/protocols

and others (if customers need other protocols, they are welcome to contact their local Siemens representative for further information).

Data transmission from the customer’s equipment to the STA-RMS platform

For our diagnostic services, only mandatory technical data is sent from the customer’s equipment to the STA-RMS platform automatically (based on the customer’s equipment configuration).

Depending on the capabilities of the software, the following services are used:

ftp/sftp (file transfer protocol, secure file transfer protocol)

scp (secure copy) or optionally, other services of a system management tool.

13

Data transmission from STA-RMS platform to the

customer’s equipment (optional)

Depending on the customer’s needs and product capabilities, an STA-RMS platform-based software update service is available if requested. In this case, data could be sent manually or automatically from the STA-RMS platform to the customer’s equipment in accordance with the customer’s preferences as set out in the contract. This includes, for example, Anti Virus Pattern and Microsoft Hotfixes.

The update service includes the delivery of the software packages and could include installation. For further information about available services for your specific equipment, please contact your local Siemens representative.

Features of Siemens equipments to protect against malicious attacks

STA-RMS platform protection

The servers of the “Connectivity Layer” are Linux servers.

Infection by worms, viruses, Trojan horses, or other viruses have not been reported as of the date of this publication.

Nevertheless, we use state-of-the-art virus protection programs to protect the STA-RMS platform.

Customer equipment

Threats from the STA-RMS platform

The reverse proxy function, and the firewalls described on page 10, are intended to protect against a virus

infection on the customer’s equipment from affecting the STA-RMS platform or the distribution of viruses in the direction of the customer’s equipment.

Threats stemming from Internet connection

Equipments connected to the corresponding STA-RMS platform via the Internet are – as with any connection via the

Internet – exposed to a certain level of threat. As discussed above, Siemens security infrastructure contains anti-virus protection solutions. However, if the customer uses their

Internet connection for other purposes, we recommend that they take appropriate precautions to protect their equipment.

Threats from e-mail traffic

Certain types of customer equipment can send e-mails

(without attachments) to the corresponding STA-RMS platform and in this direction only. E-mails sent from customer equipment to the STA-RMS platform are forwarded to the appropriate Siemens mail server and then sent to the recipient. The Siemens mail server scans e-mails for viruses and reacts in accordance with the Siemens established guidelines to protect the Siemens intranet. Since no e-mails are sent to the customer equipment, infection of the customer equipment in this manner is unlikely.

Infection of serviced equipment through contact with infected customer equipment

Infection of the STA-RMS platform through contact with infected customer equipment is unlikely as there is no direct IP routing betwixt and between.

Furthermore, all data streams coming from and to the

customer or the Siemens intranet are led through firewalls featuring up-to-date anti-virus detection methods.

14

The following provides information about how a connection to a customer can be realized via the STA-RMS “Connectivity Layer” using cRSP.

An access router for the cRSP can be placed anywhere in the customer’s network – as far as a routable connection between the systems and the cRSP router is possible.

VPN Situation 1

In this case, the Internet link is directly terminated by the cRSP access router. There is no additional gateway in the customer’s network.

Siemens cRSP SOA

Internet Customer Site

Siemens common

Remote Service Platform

Customer

Internet Gateway

Internet Access =

Siemens cRSP Router

cRSP VPN Tunnel supported

System by

Siemens

VPN Situation 2

In this case, the cRSP access router bypasses the entire firewall of the customer. This solution should only be chosen if the customer’s firewall is neither capable of forwarding IPSec traffic to a device in the customer’s

LAN nor of owning a DMZ interface.

This is an easy but not a recommended solution since the customer’s firewall is bypassed.

Siemens cRSP SOA

Internet

Customer

Firewall

Customer Site

Customer

Internet Gateway

Siemens common

Remote Service Platform supported

System by

Siemens

Internet Access =

Siemens cRSP Router

cRSP VPN Tunnel

15

VPN Situation 3

In this case, the Internet link is terminated by the customer’s equipment, but the IPSec tunnel is still terminated by the Siemens router. The Siemens router is placed within the customer’s DMZ beyond the firewall.

SSH (TCP port 22), ISKMP (UDP port 500/4500), ESP (IP protocol number 50), and AH (IP protocol number 51) are required to be forwarded to the cRSP access router (WAN address).

Siemens cRSP SOA

Internet

Siemens common

Remote Service Platform

Customer Site

Customer

Firewall

Customer

Internet Gateway

Customer DMZ

cRSP VPN Tunnel

Siemens cRSP Router supported

System by

Siemens

VPN Situation 4

In this case, the Internet link is established by the customer’s equipment, the IPSec tunnel however is terminated by the Siemens router. The router is placed within a DMZ of the customer’s firewall, but the LAN interface is directly connected to the customer’s network.

SSH (TCP port 22), ISKMP (UDP port 500/4500), ESP (IP protocol number 50), and AH (IP protocol number 51) are required to be forwarded to the cRSP access router (WAN address).

Siemens cRSP SOA

Internet

Siemens common

Remote Service Platform

Customer Site

Customer

Firewall

Customer

Internet Gateway

Customer DMZ

cRSP VPN Tunnel

Siemens cRSP Router supported

System by

Siemens

16

VPN Situation 5

In this case, the Internet link is terminated by the customer’s equipment, but the customer’s equipment is not capable of terminating IPSec tunnels. Furthermore, the equipment does not feature a DMZ where the router can be placed. The Siemens router is placed within the network.

SSH (TCP port 22), ISKMP (UDP port 500/4500), ESP (IP protocol number 50), and AH (IP protocol number 51) are required to be forwarded to the cRSP access router (WAN address).

Siemens cRSP SOA

Internet

Siemens common

Remote Service Platform

Customer

Firewall

Customer Site

Customer

Internet Gateway

Siemens cRSP Router

cRSP VPN Tunnel supported

System by

Siemens

VPN Situation 6

In this case, the Internet link and the IPSec tunnel is terminated by the customer’s equipment.

All necessary parameters will be verified between the contact persons.

Siemens cRSP COA

Customer Site

Internet

Siemens common

Remote Service Platform

Customer

Internet Gateway

Customer router or fi rewall, at which the tunnel will be terminated

cRSP VPN Tunnel supported

System by

Siemens

17

VPN Situation 7

In this case, the Internet link is terminated by the customer’s equipment, but the tunnel is terminated directly on the customer equipment with a cRSP SSL client. TCP Port 443 from internal to external must be opened in the customer firewall.

Siemens cRSP SSL-VPN Client

Customer Site

Internet

Customer fi rewall

Customer

Internet Gateway

Siemens common

Remote Service Platform supported

System by

Siemens

cRSP VPN Tunnel

18

Contacts

For more details please contact https://sta-rms.siemens.com/remote-services-contacts.

How the STA-RMS platform answers possible customer questions?

How can I prevent unauthorized access to my plant?

The AMS provides the possibility to lock all equipment to prevent access. The customer can unlock the access for his/her equipments individually in case remote service is needed. The routers Siemens delivers are configured so that no other data transfer is allowed other than transfer from and to the STA-RMS platform.

How is the cRSP always available if I need remote support?

The cRSP is highly redundant due to three data centers.

The operation is designed for 24 hours/365 days.

Could I use the cRSP also for my own staff?

It is also possible to include customer staff, as well as business partners, into the cRSP. Access for non-Siemens personnel can be granted by the customer via the AMS.

How do I keep the overview about what is happening in my plant?

The cRSP offers comprehensive logging mechanisms, which can be accessed via the AMS. Additionally, an SMS or an e-mail can be sent if someone is trying to access a system of your site via the cRSP. E-mails can also be sent when the user is finished with the session, which can include a description of the work done.

Is it possible to supervise remote experts while they are working?

Depending on the application used for the remote service, it is possible to supervise the remote experts. Which applications are allowed for remote service is a part of the planning and is included in the documentation of the cRSP connection.

Do I have to buy hardware to use the cRSP or could

I use my corporate firewall?

Siemens provides various connection methods, which include also the possibility to use a corporate firewall of a customer (if the customer equipment is capable of terminating the IPSec tunnel), as well as a software-based connection method.

Is it possible to use my authentication server additional to the strong authentication method provided by the cRSP?

Yes, customers have the possibility to use their authentication server on the customer site in addition.

What are the major advantages of the cRSP compared to point-to-point connections?

The cRSP can be accessed worldwide without specific software, this provides wide flexibility.

Additional to this, the heightened security level in the cRSP-DMZ, the user management based on different roles, and the given log level can not be reached by point-topoint connections.

Are there any certifications available for the cRSP?

Yes, the operation of the cRSP is designed to be ISO 27001 certifiable.

I have many IPSec tunnel connections to my plant.

Could I detach them with the cRSP?

Yes, that is possible if all the other parties migrate to the cRSP.

19

Published by and copyright © 2014

3:

Siemens AG

Energy Sector

Freyeslebenstrasse 1

91058 Erlangen, Germany

Siemens Energy Inc.

4400 Alafaya Trail

Orlando, FL 32826- 2399, USA

For more information, contact our

Customer Support Center.

Phone: +49-180-524-70-00

Fax: +49-180-524-24-71

(Charges depending on provider)

E-mail: support.energy@siemens.com

siemens.com/energy

Energy Service Division

Oil & Gas and

Industrial Applications Services

Order No. E50001-G510-A219-X-7600

Dispo 34806, c4bs 7447 bdk 140089, P WS 0614

Printed in Germany

Printed on paper treated with chlorine-free bleach.

All rights reserved. Trademarks mentioned in this document are the property of Siemens AG, its affiliates, or their respective owners.

Subject to change without prior notice. The information in this document contains general descriptions of the technical options available, which may not apply in all cases. The required technical options should therefore be specified in the contract.