Add to collection(s) Add to saved
  1. Engineering & Technology
  2. Computer Science
  3. Information Security

Remote Services – Security Concept siemens.com/energy/remoteservices Answers for energy.

advertisement 
siemens.com/energy/remoteservices
Remote Services –
Security Concept
Answers for energy.
2
Introduction
Remote services – Reasons and objectives
Remote services will become increasingly important in the
future as companies try to offset rising cost pressures and
as the availability of plants and turbo machinery becomes
more and more crucial. Through remote monitoring and
diagnosis, many developing faults can be detected at
an early stage. This means that maintenance can be performed as needed, rather than at fixed intervals.
Due to the massive use of microelectronics in today’s
­products and the conversion from mechanical/electromechanical product features to software-based functionality,
product support and services are changing significantly.
Increasingly, traditional types of service will be replaced
by IT-based services and services that rely on expert
knowledge.
Furthermore, as products become more interconnected
with IT solutions and communication technology ad­vances, the need for new, more effective remote service
offerings is increasing.
As services evolve in this direction, security issues and data
privacy become even more important. Both are absolutely
crucial in remote services.
3
General operational
concept
Purpose of this document
This security concept describes the measures we at S
­ iemens
follow to protect customer data, application ­programs, and
IT systems when we perform remote services.
Our security concept is divided into two main parts. The
first is the general operational section, where we explain
the basic concept of the Siemens Turbomachinery Application – Remote Monitoring System (STA-RMS) platform
and especially the “Connectivity Layer” using common
Remote Service Platform (cRSP), our service processes,
and the technical capabilities of our products. This part is
designed for users, technical managers, and all those
who want to obtain a general overall understanding of
how Siemens STA-RMS platform works. The second part,
the technical concept, is primarily for IT specialists and
data security experts who need more detail about the
technical and organizational security measures we take
to achieve a high level of security and ensure data privacy. It explains how a connection to S
­ iemens ­STA-RMS
4
platform via cRSP is established, what our security infrastructure looks like, and the measures we take to prevent
malicious attacks.
Service and maintenance of technical equipment
Given the growing complexity of modern products and
solutions, ­Siemens has responded to this challenge by
­providing additional support in order to optimally service
our customers.
It is often faster and more efficient to determine the
causes of equipment issues via remote diagnosis and,
where possible, address the issue remotely. Even in cases
where remote repair is not possible, the information
obtained via remote diagnosis can support the Siemens
service engineer on-site. In addition, our remote services
help us to increasingly act in a preventive manner, rather
than waiting to react in case of an emergency.
Our concept for remote monitoring and diagnostics is
based on the ongoing collection of the operational data
New perspective on a
changing energy system:
the power matrix
Our energy system is in a
state of radical change. As
the share of distributed
power generation grows, so
does the system’s complexity.
Consumers are increasingly
becoming power producers
themselves and feed their
surplus into the grid. The
linear energy conversion
chain has turned into a
multifaceted system with
countless new actors.
of our turbo machinery or plant equipment. Additionally,
a software program independently monitors certain
important parameters within the data collector of the
equipment at the customer’s site. If values exceed or
fall below the defined limits, our STA-RMS platform is
designed to automatically send a message to our 24-hour
global helpdesk at the responsible Product Competence
Center. The incoming message is analyzed and, if necessary, forwarded to the customer for their information.
Remote repair can be then initiated in consultation with
the customer.
Where necessary, Siemens technicians travel to the site
to address the issue indicated in the message. This is all
done within the scope of the specific service agreement –
whether it’s one of our LTP (Long-Term Programs) agreements or a dedicated Remote Diagnostic Service agreement.
Whether on-site or remote, when accessing data sets
c­ ontaining sensitive data, our data privacy protection
­programs are designed in compliance with applicable
­regulations and guidelines.
remote desktop management tools. They provide a display
of the customer’s monitor at the 24-hour global helpdesk,
and enable remote access by the Siemens service engineer.
For this, the customer is to explicitly grant access for each
individual session. The customer can track the course of
the online support and, if necessary, terminate the access
provided to the 24-hour global helpdesk at any time.
Proactive and value-added service activities
As part of our remote diagnostic services, the customer’s
device proactively sends predefined data and events to our
STA-RMS platform. This enables our 24-hour global helpdesk at the responsible Product Competence Center to analyze the customer’s equipment. This can include technical
data such as oil pressure, oil temperature, vibration levels,
statistic data (for instance, number of starts, etc.), or
equipment reliability data.
In addition, remote monitoring and diagnostics of selected
equipment parameters enable us to offer our customers
new attractive services designed to further optimize product utilization and life cycle costs.
Features of online support: Remote access to customer
equipment for online support (for example, troubleshooting or user questions regarding operation) is done through
5
Customer requirements for safety and security
are fundamental for ­­Siemens
As the first step, the customer’s requirements for safety
and security of their equipment must be communicated to
­Siemens and then carefully evaluated. For example, based
on the customer’s business, technical infrastructure,
­specific security issues, and applicable regulations, there
may be a need to implement additional security measures
that are beyond the standard scope of a product.
By clarifying and addressing these at the outset, Siemens
can establish a level of trust with the customer. This is critical as the customer must grant Siemens certain access
rights to their equipment.
The following non-exhaustive list sets forth some typical
customer requirements.
Comprehensive logging
The customer and/or specific regulations may require
comprehensive and comprehensible logging of session
data.
Audit trail
Industry-specific requirements and/or applicable regulations may require that remote service sessions are
recorded, so that the session is traceable in the case
of future audits.
6
Online supervision
The customer may want to observe a remote session in
real time. In particular, when critical parts of the equipment are being serviced, customers may want to supervise actions and be able to stop the session at any time.
Selective access: comprehensive administration
of user rights and data access
Customers may want to have a detailed level of gradation of user rights and access to systems and data. For
highly critical components, personalized access rights
with strong authentication may be required.
Protection of data privacy
Before connecting remotely to a customer’s equipment,
there must be clarification on how data privacy pro­
tection issues are to be addressed. In addition, certain
industry standards and/or applicable regulations require
specific measures to ensure data privacy.
Using a standard solution
A growing number of manufacturers offer remote services for their products in various configurations. This
can result in an increasing number and variety of remote
connections between the customer and the product
manufacturers (OEMs), which may increase administrative effort for the customer. The added administrative
complexity can also increase the possibility of security
gaps. ­Siemens strives to avoid this situation by building
on a certified, standards-compliant solution for ­Siemens
products.
Organizational
security concept
The organizational structure is as significant as the technical part of the security concept. For us at S
­ iemens it is very
important to provide the highest quality to our customers.
Therefore, we take care that customers are included in
every step of the implementation and all operation processes. All processes are designed to offer a high level of
traceability.
Implementation process
This section provides detailed information on the following
topics:
Relevant systems, users, and other necessary information
are reviewed by the customer in advance.
After the finalization of the implementation the customer
receives detailed documentation of his plant’s connection
to the STA-RMS platform.
Implementation process
User management
Establishing a connection
Work permit for remote service
Access control
Remote access logging
Organizational measures
Maintenance and further development of the
“Connectivity Layer” (cRSP)
Remote Services
Remote Support
User management
­Siemens requires that users of the STA-RMS platform are
authorized for access, and that they are trained in Remote
Service. The certification process is intended to provide
them with sufficient knowledge of applicable policies and
procedures for the access and use of the information.
Remote Diagnostic Services
Customer App
Dashboards
Performance Maintenance
Service App
Diagnostic &
Decision Level
Condition Based Monitoring
(CBM) & New Remote Services
AMS/cRSP App
Advanced Diagnostics Agent
Event Agent
STA-RMS platform
Based on the contract requirements, the connections to
the plants are planned and then verified with the customer. The implementation starts after the customer has
agreed to the suggested implementation plan in accordance with the contract.
Event Analysis
Agent
Vibration Agent
Early Warning
Agent
Performance Agent
Notification Agent
Condition
Monitoring &
Analysis Level
Database
Connectivity and Security
All protocols through cRSP VPN Tunnel
Connectivity Level
Using cRSP
STA-RMS
Onsite Connector
at Customer Site
TRICONEX
MODBUS
OPC
WIN CC
ABB
SIMATIC
PCS 7
SIMATIC
S7
EPS
NETWORK
YOKOGAWA
SPPAT3000
Data Collectors for different control systems and solutions for all Siemens Energy Service products are available.
7
The user certification is valid for one year, and after that
period the users are not allowed to connect with the
STA-RMS platform until successful recertification.
Establishing the connection
To authorize remote access for a ­Siemens service engineer,
additional security mechanisms can be put into place, such
as authentication servers using one-time passwords.
Work permit for remote service
In addition to the general policy, which says that a customer must grant the permission to the Siemens service
engineer to connect to the unit for every session, a
­customer can unlock/lock his systems via the STA-RMS
“Connectivity Layer” (cRSP), so that no physical activity
is needed.
This is possible via the Access Management Service (AMS)
of the STA-RMS platform where customers can also supervise the access.
Access control
For every service activity, the service contract can ensure
that the customer grants access to his plant to the STARMS platform, and retains control of who is permitted
access to the equipment. Access is only granted to identify or correct errors. After a set period of time, during
which no action has occurred, the Siemens remote session on the customer equipment automatically ends.
8
Remote access logging
­Siemens records access to the customer equipment and
applies a time stamp. In addition, the Siemens service
engineer who accesses the equipment is assigned a unique
user identification, which is also recorded in this log. As a
result, we can inform the customer within an appropriate
period of time which service engineer had access to data,
when, and what communication activities were performed
on each piece of equipment. We typically retain these log
reports for two years, but can retain them for a longer
period if it is a customer contract requirement.
Maintenance and further development of the
STA-RMS platform
Maintenance and development tasks are based on dedicated processes. Suggested changes are discussed and
assigned by a Change Control Board (CCB)/Change Advisory Board (CAB). After the realization of the changes,
they are tested for failures or incompatibilities in a release
environment to protect productive environments. After
the approval at the end of the tests, the changes are
­implemented in the productive environment. This process
is mandatory for all changes concerning the STA-RMS
platform.
Organizational measures
Our ­Siemens service engineers understand the need
for data privacy and IT security, and are trained to have
knowledge of the applicable requirements.
Technical security concept
Security infrastructure of the
STA-RMS platform
This section provides more detailed technical information
on the following topics:
Authentication and authorization of
– customer personnel
–S
­ iemens service personnel
– authorized service partners
Privacy along the transmission route
The cRSP – DMZ: this is the “Demilitarized Zone”
between the S
­ iemens intranet and the Internet
or public lines
Security measures for accessing the customer network
Protocols and services supported
­­Siemens Intranet
Authentication and authorization of S
­ iemens
service personnel
The central access portal of the “Connectivity Layer” (cRSP)
within the STA-RMS platform is located within the Siemens
intranet, in a separate network segment, and requires a
valid cRSP user ID and password to access it. A strong
authentication method, such as PKI (Public Key Infrastructure) using a smart card, is also available.
A multi-level service domain concept defines which users
are permitted to access which equipment. This means that
Siemens service engineers can only access customer equipment for which they have been authorized. Furthermore,
only the Siemens “Connectivity Layer” (cRSP) access functions for which the engineer is explicitly authorized are
released for viewing by that engineer. Other equipment in
the customer’s network not maintained by S
­ iemens are not
configured for access by Siemens engineers.
Business Partner Network
AP
Access
Portal
Customer
Remote
Service
Center
­­S iemens
Service
Technician
Service
Partner
BP
Access Portal
AS
Access
Server
DB
DS
Data
Server
DB
STA-RMS
Platform
DMZ
cRSP
Internet
VPN
AMS
Access
Manage­ment
Service
DMZ
Business
Partner
BTS
Terminal
Server
Diallines
ISDN / POTS
Optional Extension
Communication
Link
Service Router
Customer Access
Gateway
Architectural overview of our security infrastructure
Customer Network
9
Authentication and authorization of ­Siemens service
partners and customer personnel
Comprehensive services for our customers sometimes
require the involvement of service and engineering partners. To provide the same level of security in those cases,
our Access Management Service (AMS), an optional addon to our STA-RMS platform security infrastructure, is
available.
The access portal for AMS users is located in the cRSP DMZ
and is accessible through the Internet. The users and their
rights are stored on the same server, in a separate network
segment, as the Siemens intranet users.
The authentication of the AMS is realized with user ID,
password, and mobile PIN.
When the customer needs access to the AMS, he/she
enters his/her username and his/her password followed by
a mobile PIN that has just been sent to the mobile phone
number, stored in his user profile. The PIN has to be
entered within three minutes, or the authentication process has to start from the beginning.
This type of access via the AMS may also be useful for customer personnel who are not on site, but who want to
monitor certain critical service activities online. In that
case, the authorization for the customer personnel can be
configured in a way that certain remote service activities
can be executed only if approved/confirmed by this individ-
10
ual. This form of secure access may also be useful for customer maintenance personnel working from home who
want to perform certain remote service activities via the
Internet.
Privacy along the transmission route
We use state-of-the-art encryption to protect our customer’s data from unauthorized access during transmission.
Demilitarized Zone – DMZ
To protect the customer and the Siemens intranet from
problems and attacks, we have secured the “Connectivity
Layer,” which is based on Linux servers, in a Demilitarized
Zone (DMZ).
Connections by the Siemens service engineer to the customer equipment, and vice versa, are not “put through
directly.” They terminate in the ”Connectivity Layer,” using
a reverse proxy function. This means that a connection
established from the Siemens intranet is terminated in the
access server. This server then establishes the connection
to the customer’s equipment and mirrors the communication coming from the customer back to the Siemens
intranet. This is configured to prevent any possibility of
communication between the Siemens intranet and the
customer’s network over any protocols that have not been
specifically authorized. Mirroring occurs only for predefined protocols and only after successful authorization
at the ”Connectivity Layer.”
Furthermore, all data streams coming from and to the
­customer or the ­Siemens intranet is led through firewalls
featuring the latest detection methods.
This architecture is designed to prevent:
Unauthorized access (for instance, by hackers)
Fraudulent use of secure passwords, access data, etc.
Transmission of viruses or similar harmful programs
from one network to the other
In addition, we do not store any critical data in the DMZ –
including, in particular, customer access data.
Within the scope of our proactive remote services, data is
periodically sent by the monitored equipment. This communication is also established only after successful authorization of the equipment that is requesting the connection. Data sent through the VPN tunnels to the DMZ is then
securely transferred onto the STA-RMS platform.
Securing the transmission route
Encrypted connections to the STA-RMS platform or AMS
The connections from the customers’ equipment to the
STA-RMS platform are HTTPS secured. All connections end
in the browser window in which the STA-RMS platform or
the AMS is opened. This is designed to prevent either the
data sent by the customer equipment via the Internet or
the data send from the STA-RMS platform from being read
by invaders.
Virtual Private Network (VPN) with Internet Protocol Security (IPSec) via the I­ nternet: We recommend establishing a
broadband, secure connection via the Internet. This can offer
the following advantages: a high level of security, optimum
data transfer quality and availability, and access to all STARMS platform-based services. A Virtual Private Network (VPN)
is used for this, secured with IPSec between the Siemens DMZ
and the customer’s network portal.
IPSec is designed to protect data against tampering and
being read by others (optional). ­Siemens uses the established standard IP Security with pre-shared secrets for
encrypted and authenticated data transmission. Pre-shared
secrets comprise at least twelve randomly selected characters. The Internet Security Association and Key Management Protocol (ISAKMP) is used to exchange encryption
key information. The use of an Authentication Header (AH)
is for data integrity by using the MD5 or SHA1 hash
method. Encrypted Secure Payload (ESP) provides for the
confidentiality of data by 3DES encryption. The Diffie-Hellmann key, with a 1024, or 1536-bit key length, can be
used as symmetrical session keys.
­ iemens can assist and provide customers with the prereqS
uisites (for instance, VPN router) to use the Siemens STARMS platform. The VPN endpoint on Siemens’ side is cur-
11
rently a Cisco router that is configured according to the
customer’s infrastructure needs and security requirements.
upper- and lower-case alphanumeric characters as well as
special characters. The passwords are ten characters in length.
Virtual Private Network (VPN) with SSL via the Internet:
Additional to the VPN via IPSec the STA-RMS platform
offers connections using SSL (Secure Socket Layer) to the
Siemens DMZ.
Enhanced control capabilities through debugging
(optional)
Customers who want to receive service router SNMP or
syslog messages on their router, or who want to see the
current service router configuration, should contact their
local ­Siemens representative.
To achieve this, a Siemens-SSL client has to be installed in
the customer equipment/data collector. The client encrypts
the data with certificates and sends them to the Siemens
DMZ. This so-called SSL tunnel, which is based on SSL V3,
provides communication privacy over the Internet to prevent eavesdropping, tampering, or message forgery
between the client and the server.
Virtual Private Network via dial-up connections
This functionality is no longer supported by S
­ iemens. Customers who do have a dial-up infrastructure can contact
their local S
­ iemens representative for further information.
Technical security measures for the transmission route
We offer the following technical measures to provide
added security:
Secure password transmission with CHAP
To transfer passwords, we use the Challenge Handshake Protocol (CHAP), which provides encrypted password transmission. The CHAP password, as well as passwords for Telnet and
configuration mode access, are randomly generated from
12
Security measures within the customer network
Access to the customer network
In light of the security issues involved, external access to
the customer network requires specific measures. The key
security features depend on the specific concept and configuration of the service router (customer access gateway)
chosen.
Access enabled by customer
One general security measure that can be implemented is
to block any external access when not explicitly authorized
or initiated by a component within the customer network.
This security measure is supported by the STA-RMS platform, but has some limitations – especially in cases where
no on-site personnel are available. However, if this option
is chosen, the “Connectivity Layer” of the STA-RMS platform
supports various mechanisms such as single log-in passwords or defined-service timeslots. All security measures –
such as authentication, authorization, and logging –
described under “Authentication and authorization of
­Siemens service personnel” and “Authentication and
authorization of Siemens service partners and customer
personnel” are available without such limitations.
Customer-supplied access (COA)
If a customer already has an existing remote access solution in place, this system can, in most cases, be configured
to work securely with the Siemens STA-RMS platform’s
infrastructure. To clarify the required configuration and
measures, customers should contact their local Siemens
service representative.
Service VPN router/­Siemens-supplied access (SOA)
The preferred solution – due to cost, performance, and
security benefits – is our specified VPN-router solution
with broadband Internet access, for example, DSL. This
solution supports high-performance remote service solutions with lower communication costs and enables valueadded remote services to be added in the future.
Specific customer demands for additional security measures for certain applications, network segments, etc., or
requested on-site firewall features, can be provided based
on this access solution.
System access
When remote access to a customer’s equipment is released
(either manually by the user/administrator or automatically,
based on system configuration), Siemens recommends that
the service engineer is authenticated at the equipment
before being able to work on the equipment.
Protocols
Depending on the capabilities of the software on a customer’s equipment, the following can be used to service the
equipment:
the http – or preferably https – protocol, or
the Telnet, PuTTY, NetOp, pcAnywhere, WinVNC, TeraTermPro, Timbuktu, Netmeeting, Tarantella; Citrix-/ MS
Terminal Server; SNMP; X.11 service tools/protocols
and others (if customers need other protocols, they are
welcome to contact their local ­Siemens representative
for further information).
Data transmission from the customer’s equipment to
the STA-RMS platform
For our diagnostic services, only mandatory technical data
is sent from the customer’s equipment to the STA-RMS
platform automatically (based on the customer’s equipment configuration).
Depending on the capabilities of the software, the following services are used:
ftp/sftp (file transfer protocol, secure file transfer protocol)
scp (secure copy)
or optionally, other services of a system management tool.
13
Data transmission from STA-RMS platform to the
­customer’s equipment (optional)
Depending on the customer’s needs and product capabilities, an STA-RMS platform-based software update service
is available if requested. In this case, data could be sent
manually or automatically from the STA-RMS platform to
the customer’s equipment in accordance with the customer’s preferences as set out in the contract. This includes,
for example, Anti Virus Pattern and Microsoft Hotfixes.
Threats stemming from Internet connection
Equipments connected to the corresponding STA-RMS platform via the Internet are – as with any connection via the
Internet – exposed to a certain level of threat. As discussed
above, Siemens security infrastructure contains anti-virus
protection solutions. However, if the customer uses their
Internet connection for other purposes, we recommend
that they take appropriate precautions to protect their
equipment.
The update service includes the delivery of the software
packages and could include installation. For further information about available services for your specific equipment, please contact your local Siemens representative.
Threats from e-mail traffic
Certain types of customer equipment can send e-mails
(without attachments) to the corresponding STA-RMS platform and in this direction only. E-mails sent from customer
equipment to the STA-RMS platform are forwarded to the
appropriate Siemens mail server and then sent to the
recipient. The Siemens mail server scans e-mails for viruses
and reacts in accordance with the Siemens established
guidelines to protect the Siemens intranet. Since
no e-mails are sent to the customer equipment, infection
of the customer equipment in this manner is unlikely.
Features of S
­ iemens equipments to protect
against malicious attacks
STA-RMS platform protection
The servers of the “Connectivity Layer” are Linux servers.
Infection by worms, viruses, Trojan horses, or other viruses
have not been reported as of the date of this publication.
Nevertheless, we use state-of-the-art virus protection programs to protect the STA-RMS platform.
Customer equipment
Threats from the STA-RMS platform
The reverse proxy function, and the firewalls described
on page 10, are intended to protect against a virus
­infection on the customer’s equipment from affecting
the STA-RMS platform or the distribution of viruses in
the direction of the customer’s equipment.
14
Infection of serviced equipment through contact
with infected customer equipment
Infection of the STA-RMS platform through contact with
infected customer equipment is unlikely as there is no
direct IP routing betwixt and between.
Furthermore, all data streams coming from and to the
­customer or the Siemens intranet are led through firewalls
featuring up-to-date anti-virus detection methods.
The following provides information about how a connection to a customer
can be realized via the STA-RMS “Connectivity Layer” using cRSP.
An access router for the cRSP can be placed anywhere in the customer’s network – as far as a routable connection
between the systems and the cRSP router is possible.
VPN Situation 1
In this case, the Internet link is directly terminated by the cRSP access router. There is no additional gateway
in the customer’s network.
­Siemens cRSP SOA
Internet
Customer Site
Customer
Internet Gateway
Internet Access =
­Siemens cRSP Router
Server System
n cRSP Tunnel Endpoint
VPN Situation 2
In this case, the cRSP access router bypasses the entire firewall of the customer. This solution should only be
chosen if the customer’s firewall is neither capable of forwarding IPSec traffic to a device in the customer’s
LAN nor of owning a DMZ interface.
This is an easy but not a recommended solution since the customer’s firewall is bypassed.
­Siemens cRSP SOA
Internet
Customer
Internet Gateway
Customer
Firewall
Customer Site
Server System
­Siemens cRSP Router
n cRSP Tunnel Endpoint
15
VPN Situation 3
In this case, the Internet link is terminated by the customer’s equipment, but the IPSec tunnel is still terminated by the Siemens router. The Siemens router is placed within the customer’s DMZ beyond the firewall.
SSH (TCP port 22), ISKMP (UDP port 500/4500), ESP (IP protocol number 50), and AH (IP protocol number 51)
are required to be forwarded to the cRSP access router (WAN address).
­Siemens cRSP SOA
Internet
Customer Site
Customer
Internet Gateway
Customer
Firewall
Server System
Customer DMZ
­Siemens cRSP Router
n cRSP Tunnel Endpoint
VPN Situation 4
In this case, the Internet link is established by the customer’s equipment, the IPSec tunnel however is terminated by the Siemens router. The router is placed within a DMZ of the customer’s firewall, but the LAN interface is directly connected to the customer’s network.
SSH (TCP port 22), ISKMP (UDP port 500/4500), ESP (IP protocol number 50), and AH (IP protocol number 51)
are required to be forwarded to the cRSP access router (WAN address).
­Siemens cRSP SOA
Internet
Customer Site
Customer
Internet Gateway
Customer
Firewall
Server System
Customer DMZ
­Siemens cRSP Router
n cRSP Tunnel Endpoint
16
VPN Situation 5
In this case, the Internet link is terminated by the customer’s equipment, but the customer’s equipment is not
capable of terminating IPSec tunnels. Furthermore, the equipment does not feature a DMZ where the router
can be placed. The Siemens router is placed within the network.
SSH (TCP port 22), ISKMP (UDP port 500/4500), ESP (IP protocol number 50), and AH (IP protocol number 51)
are required to be forwarded to the cRSP access router (WAN address).
­Siemens cRSP SOA
Internet
Customer Site
Customer
Internet Gateway
Customer
Firewall
Server System
­Siemens cRSP Router
n cRSP Tunnel Endpoint
VPN Situation 6
In this case, the Internet link and the IPSec tunnel is terminated by the customer’s equipment.
All necessary parameters will be verified between the contact persons.
­Siemens cRSP COA
Customer Site
Internet
Customer
Internet Gateway
Customer router or firewall,
at which the tunnel will be terminated
n cRSP Tunnel Endpoint
Server System
17
VPN Situation 7
In this case, the Internet link is terminated by the customer’s equipment, but the tunnel is terminated directly
on the customer equipment with a cRSP SSL client. TCP Port 443 from internal to external must be opened in
the customer firewall.
­Siemens cRSP SSL-VPN Client
Customer Site
Internet
Customer
Internet Gateway
Customer
Firewall
Server System
n cRSP Tunnel Endpoint
Contacts
For more details please contact https://sta-rms.siemens.com/remote-services-contacts.
18
How the STA-RMS platform
answers possible customer
questions?
How can I prevent unauthorized access to my plant?
The AMS provides the possibility to lock all equipment to
prevent access. The customer can unlock the access for
his/her equipments individually in case remote service is
needed. The routers Siemens delivers are configured so
that no other data transfer is allowed other than transfer
from and to the S
­ TA-RMS platform.
Do I have to buy hardware to use the cRSP or could
I use my corporate firewall?
­Siemens provides various connection methods, which
include also the possibility to use a corporate firewall of
a customer (if the customer equipment is capable of
terminating the IPSec tunnel), as well as a software-based
connection method.
How is the cRSP always available if I need remote
support?
The cRSP is highly redundant due to three data centers.­
The operation is designed for 24 hours/365 days.
Is it possible to use my authentication server additional
to the strong authentication method provided by the
cRSP?
Yes, customers have the possibility to use their
authentication server on the customer site in addition.
Could I use the cRSP also for my own staff?
It is also possible to include customer staff, as well as
business partners, into the cRSP. Access for non-Siemens
personnel can be granted by the customer via the AMS.
What are the major advantages of the cRSP compared
to point-to-point connections?
The cRSP can be accessed worldwide without specific
software, this provides wide flexibility.
How do I keep the overview about what is happening
in my plant?
The cRSP offers comprehensive logging mechanisms,
which can be accessed via the AMS. Additionally, an SMS
or an e-mail can be sent if someone is trying to access a
system of your site via the cRSP. E-mails can also be sent
when the user is finished with the session, which can
include a description of the work done.
Additional to this, the heightened security level in the
cRSP-DMZ, the user management based on different roles,
and the given log level can not be reached by point-topoint connections.
Is it possible to supervise remote experts while they
are working?
Depending on the application used for the remote service,
it is possible to supervise the remote experts. Which
applications are allowed for remote service is a part of the
planning and is included in the documentation of the cRSP
connection.
I have many IPSec tunnel connections to my plant.
Could I detach them with the cRSP?
Yes, that is possible if all the other parties migrate
to the cRSP.
Are there any certifications available for the cRSP?
Yes, the operation of the cRSP is designed to be ISO 27001
certifiable.
19
Published by and copyright © 2013:
­­Siemens AG
Energy Sector
Freyeslebenstrasse 1
91058 Erlangen, Germany
­­Siemens AG
Energy Sector
Service Division
Oil & Gas and Industrial Applications
Wolfgang-Reuter-Platz
47053 Duisburg, Germany
­­Siemens Energy Inc.
4400 Alafaya Trail
Orlando, FL 32826- 2399, USA
For more information, contact our
Customer Support Center.
Phone:+49-180-524-70-00
Fax:+49-180-524-24-71
(Charges depending on provider)
E-mail: support.energy@siemens.com
siemens.com/energy
Energy Service Division
Oil & Gas and
Industrial Applications Services
Order No. E50001-G510-A219-X-7600
Dispo 34806, c4bs 7447
bdk 120273, P WS 1212
Printed in Germany
Printed on paper treated with
chlorine-free bleach.
All rights reserved. Trademarks
mentioned in this document are the
property of Siemens
­­
AG, its
affiliates, or their respective
owners.
Subject to change without prior
notice. The information in this
document contains general
descriptions of the technical options
available, which may not apply in all
cases. The required technical
options should therefore be
specified in the contract.
Related documents
SIEMENS is a global powerhouse in electronics and electrical
SIEMENS is a global powerhouse in electronics and electrical
Engineering Intern (12 Months)
Engineering Intern (12 Months)
Fast access to current, reliable information Energy Management Suite Instrumentation, Controls & Electrical
Fast access to current, reliable information Energy Management Suite Instrumentation, Controls & Electrical
Graduate Manufacturing Engineering
Graduate Manufacturing Engineering
Graduate Engineers
Graduate Engineers
Click Here
Click Here
Download
advertisement