siemens.com/energy/remoteservices remote … – remote monitoring system (sta-rms) platform and...

Remote Services –Security Concept

siemens.com/energy/remoteservices

Answers for energy.

3

IntroductionRemote services – Reasons and objectives

Remote services will become increasingly important in the future as companies try to offset rising cost pressures and as the availability of plants and turbo machinery becomes more and more crucial. Through remote monitoring and diagnosis, many developing faults can be detected at an early stage. This means that maintenance can be per-formed as needed, rather than at fixed intervals.

Due to the massive use of microelectronics in today’s products and the conversion from mechanical/electrome-chanical product features to software-based functionality, product support and services are changing significantly.

Increasingly, traditional types of service will be replaced by IT-based services and services that rely on expert knowledge.

Furthermore, as products become more interconnected with IT solutions and communication technology ad - vances, the need for new, more effective remote service offerings is increasing.

As services evolve in this direction, security issues and data privacy become even more important. Both are absolutely crucial in remote services.

4

General operational conceptPurpose of this document This security concept describes the measures we at Siemens follow to protect customer data, application programs, and IT systems when we perform remote services.

Our security concept is divided into two main parts. The first is the general operational section, where we explain the basic concept of the Siemens Turbomachinery Appli-cation – Remote Monitoring System (STA-RMS) platform and especially the “Connectivity Layer” using common Remote Service Platform (cRSP), our service processes, and the technical capabilities of our products. This part is designed for users, technical managers, and all those who want to obtain a general overall understanding of how Siemens STA-RMS platform works. The second part, the technical concept, is primarily for IT specialists and data security experts who need more detail about the technical and organizational security measures we take to achieve a high level of security and ensure data pri-vacy. It explains how a connection to Siemens STA-RMS

platform via cRSP is established, what our security infra-structure looks like, and the measures we take to prevent malicious attacks.

Service and maintenance of technical equipment Given the growing complexity of modern products and solutions, Siemens has responded to this challenge by providing additional support in order to optimally service our customers.

It is often faster and more efficient to determine the causes of equipment issues via remote diagnosis and, where possible, address the issue remotely. Even in cases where remote repair is not possible, the information obtained via remote diagnosis can support the Siemens service engineer on-site. In addition, our remote services help us to increasingly act in a preventive manner, rather than waiting to react in case of an emergency.

Our concept for remote monitoring and diagnostics is based on the ongoing collection of the operational data

5

of our turbo machinery or plant equipment. Additionally, a software program independently monitors certain important parameters within the data collector of the equipment at the customer’s site. If values exceed or fall below the defined limits, our STA-RMS platform is designed to automatically send a message to our 24-hour global helpdesk at the responsible Product Competence Center. The incoming message is analyzed and, if neces-sary, forwarded to the customer for their information. Remote repair can be then initiated in consultation with the customer.

Where necessary, Siemens technicians travel to the site to address the issue indicated in the message. This is all done within the scope of the specific service agreement – whether it’s one of our LTP (Long-Term Programs) agree-ments or a dedicated Remote Diagnostic Service agreement.

Whether on-site or remote, when accessing data sets containing sensitive data, our data privacy protection programs are designed in compliance with applicable regulations and guidelines.

Features of online support: Remote access to customer equipment for online support (for example, troubleshoot-ing or user questions regarding operation) is done through

remote desktop management tools. They provide a display of the customer’s monitor at the 24-hour global helpdesk, and enable remote access by the Siemens service engineer.

For this, the customer is to explicitly grant access for each individual session. The customer can track the course of the online support and, if necessary, terminate the access provided to the 24-hour global helpdesk at any time.

Proactive and value-added service activities As part of our remote diagnostic services, the customer’s device proactively sends predefined data and events to our STA-RMS platform. This enables our 24-hour global help-desk at the responsible Product Competence Center to ana-lyze the customer’s equipment. This can include technical data such as oil pressure, oil temperature, vibration levels, statistic data (for instance, number of starts, etc.), or equipment reliability data.

In addition, remote monitoring and diagnostics of selected equipment parameters enable us to offer our customers new attractive services designed to further optimize prod-uct utilization and life cycle costs.

New perspective on a changing energy system:

the power matrix

Our energy system is in a state of radical change. As

the share of distributed power generation grows, so

does the system’s complexity. Consumers are increasingly becoming power producers

themselves and feed their surplus into the grid. The linear energy conversion

chain has turned into a multifaceted system with

countless new actors.

6

Customer requirements for safety and security are fundamental for Siemens As the first step, the customer’s requirements for safety and security of their equipment must be communicated to Siemens and then carefully evaluated. For example, based on the customer’s business, technical infrastructure, specific security issues, and applicable regulations, there may be a need to implement additional security measures that are beyond the standard scope of a product.

By clarifying and addressing these at the outset, Siemens can establish a level of trust with the customer. This is criti-cal as the customer must grant Siemens certain access rights to their equipment.

The following non-exhaustive list sets forth some typical customer requirements.

Comprehensive logging The customer and/or specific regulations may require comprehensive and comprehensible logging of session data.

Audit trail Industry-specific requirements and/or applicable regulations may require that remote service sessions are recorded, so that the session is traceable in the case of future audits.

Online supervision The customer may want to observe a remote session in real time. In particular, when critical parts of the equip-ment are being serviced, customers may want to super-vise actions and be able to stop the session at any time.

Selective access: comprehensive administration of user rights and data access Customers may want to have a detailed level of grada-tion of user rights and access to systems and data. For highly critical components, personalized access rights with strong authentication may be required.

Protection of data privacy Before connecting remotely to a customer’s equipment, there must be clarification on how data privacy pro-tection issues are to be addressed. In addition, certain industry standards and/or applicable regulations require specific measures to ensure data privacy.

Using a standard solution A growing number of manufacturers offer remote ser-vices for their products in various configurations. This can result in an increasing number and variety of remote connections between the customer and the product manufacturers (OEMs), which may increase administra-tive effort for the customer. The added administrative complexity can also increase the possibility of security gaps. Siemens strives to avoid this situation by building on a certified, standards-compliant solution for Siemens products.

7

Organizational security conceptThe organizational structure is as significant as the techni-cal part of the security concept. For us at Siemens it is very important to provide the highest quality to our customers. Therefore, we take care that customers are included in every step of the implementation and all operation pro-cesses. All processes are designed to offer a high level of traceability.

This section provides detailed information on the following topics:

Implementation process User management Establishing a connection Work permit for remote service Access control Remote access logging Organizational measures Maintenance and further development of the

“Connectivity Layer” (cRSP)

Implementation process

Based on the contract requirements, the connections to the plants are planned and then verified with the cus-tomer. The implementation starts after the customer has agreed to the suggested implementation plan in accor-dance with the contract.

Relevant systems, users, and other necessary information are reviewed by the customer in advance.

After the finalization of the implementation the customer receives detailed documentation of his plant’s connection to the STA-RMS platform.

User management Siemens requires that users of the STA-RMS platform are authorized for access, and that they are trained in Remote Service. The certification process is intended to provide them with sufficient knowledge of applicable policies and procedures for the access and use of the information.

Advanced Diagnostics Agent

Customer App Service App AMS/cRSP App

Remote Support Remote Diagnostic Services Performance Maintenance Condition Based Monitoring (CBM) & New Remote Services

Event Agent Event Analysis Agent Vibration Agent Early Warning

Agent Performance Agent Notification Agent

Remote Services

Diagnostic & Decision Level

Dashboards

STA

-RM

S p

latf

orm

Condition Monitoring & Analysis Level

STA-RMS Onsite Connector at Customer Site

Connectivity Level Using cRSP

Database

Connectivity and SecurityAll protocols through cRSP VPN Tunnel

Data Collectors for different control systems and solutions for all Siemens Energy Service products are available.

TRICONEX MODBUS OPC WIN CC ABB SIMATIC PCS 7

SIMATIC S 7

EPS NETWORK

YOKO- GAWA

SPPA- T3000

8

The user certification is valid for one year, and after that period the users are not allowed to connect with the STA-RMS platform until successful recertification.

Establishing the connection To authorize remote access for a Siemens service engineer, additional security mechanisms can be put into place, such as authentication servers using one-time passwords.

Work permit for remote service In addition to the general policy, which says that a cus-tomer must grant the permission to the Siemens service engineer to connect to the unit for every session, a customer can unlock/lock his systems via the STA-RMS “Connectivity Layer” (cRSP), so that no physical activity is needed.

This is possible via the Access Management Service (AMS) of the STA-RMS platform where customers can also super-vise the access.

Access control For every service activity, the service contract can ensure that the customer grants access to his plant to the STA-RMS platform, and retains control of who is permitted access to the equipment. Access is only granted to iden-tify or correct errors. After a set period of time, during which no action has occurred, the Siemens remote ses-sion on the customer equipment automatically ends.

Remote access logging Siemens records access to the customer equipment and applies a time stamp. In addition, the Siemens service engineer who accesses the equipment is assigned a unique user identification, which is also recorded in this log. As a result, we can inform the customer within an appropriate period of time which service engineer had access to data, when, and what communication activities were performed on each piece of equipment. We typically retain these log reports for two years, but can retain them for a longer period if it is a customer contract requirement.

Maintenance and further development of the STA-RMS platform Maintenance and development tasks are based on dedi-cated processes. Suggested changes are discussed and assigned by a Change Control Board (CCB)/Change Advi-sory Board (CAB). After the realization of the changes, they are tested for failures or incompatibilities in a release environment to protect productive environments. After the approval at the end of the tests, the changes are implemented in the productive environment. This process is mandatory for all changes concerning the STA-RMS platform.

Organizational measures Our Siemens service engineers understand the need for data privacy and IT security, and are trained to have knowledge of the applicable requirements.

9

Authentication and authorization of Siemens service personnel The central access portal of the “Connectivity Layer” (cRSP) within the STA-RMS platform is located within the Siemens intranet, in a separate network segment, and requires a valid cRSP user ID and password to access it. A strong authentication method, such as PKI (Public Key Infrastruc-ture) using a smart card, is also available.

A multi-level service domain concept defines which users are permitted to access which equipment. This means that Siemens service engineers can only access customer equip-ment for which they have been authorized. Furthermore, only the Siemens “Connectivity Layer” (cRSP) access func-tions for which the engineer is explicitly authorized are released for viewing by that engineer. Other equipment in the customer’s network not maintained by Siemens are not configured for access by Siemens engineers.

Architectural overview of our security infrastructure

Business Partner Network

Customer Network

DMZ Business Partner

Optional Extension

Customer

Service Partner

Remote Service Center

Communication Link

Siemens Service Technician

AP Access Portal

AS Access Server

DS Data Server

AMS Access Manage ment Service

BP Access Portal

Internet VPN

Diallines ISDN / POTS

BTS Terminal Server

Service Router Customer Access Gateway

Siemens Intranet

Technical security conceptSecurity infrastructure of the STA-RMS platform

This section provides more detailed technical information on the following topics:

Authentication and authorization of – customer personnel – Siemens service personnel – authorized service partners

Privacy along the transmission route

The cRSP – DMZ: this is the “Demilitarized Zone” between the Siemens intranet and the Internet or public lines

Security measures for accessing the customer network

Protocols and services supported

DMZ cRSP

STA-RMS Platform

DB

DB

10

Authentication and authorization of Siemens service partners and customer personnel Comprehensive services for our customers sometimes require the involvement of service and engineering part-ners. To provide the same level of security in those cases, our Access Management Service (AMS), an optional add-on to our STA-RMS platform security infrastructure, is available.

The access portal for AMS users is located in the cRSP DMZ and is accessible through the Internet. The users and their rights are stored on the same server, in a separate network segment, as the Siemens intranet users.

The authentication of the AMS is realized with user ID, password, and mobile PIN.

When the customer needs access to the AMS, he/she enters his/her username and his/her password followed by a mobile PIN that has just been sent to the mobile phone number, stored in his user profile. The PIN has to be entered within three minutes, or the authentication pro-cess has to start from the beginning.

This type of access via the AMS may also be useful for cus-tomer personnel who are not on site, but who want to monitor certain critical service activities online. In that case, the authorization for the customer personnel can be configured in a way that certain remote service activities can be executed only if approved/confirmed by this individ-

ual. This form of secure access may also be useful for cus-tomer maintenance personnel working from home who want to perform certain remote service activities via the Internet.

Privacy along the transmission route We use state-of-the-art encryption to protect our custom-er’s data from unauthorized access during transmission.

Demilitarized Zone – DMZ To protect the customer and the Siemens intranet from problems and attacks, we have secured the “Connectivity Layer,” which is based on Linux servers, in a Demilitarized Zone (DMZ).

Connections by the Siemens service engineer to the cus-tomer equipment, and vice versa, are not “put through directly.” They terminate in the ”Connectivity Layer,” using a reverse proxy function. This means that a connection established from the Siemens intranet is terminated in the access server. This server then establishes the connection to the customer’s equipment and mirrors the communica-tion coming from the customer back to the Siemens intranet. This is configured to prevent any possibility of communication between the Siemens intranet and the customer’s network over any protocols that have not been specifically authorized. Mirroring occurs only for pre-defined protocols and only after successful authorization at the ”Connectivity Layer.”

11

Furthermore, all data streams coming from and to the customer or the Siemens intranet is led through firewalls featuring the latest detection methods.

This architecture is designed to prevent:

Unauthorized access (for instance, by hackers)

Fraudulent use of secure passwords, access data, etc.

Transmission of viruses or similar harmful programs from one network to the other

In addition, we do not store any critical data in the DMZ – including, in particular, customer access data.

Within the scope of our proactive remote services, data is periodically sent by the monitored equipment. This com-munication is also established only after successful autho-rization of the equipment that is requesting the connec-tion. Data sent through the VPN tunnels to the DMZ is then securely transferred onto the STA-RMS platform.

Securing the transmission route

Encrypted connections to the STA-RMS platform or AMS The connections from the customers’ equipment to the STA-RMS platform are HTTPS secured. All connections end in the browser window in which the STA-RMS platform or the AMS is opened. This is designed to prevent either the data sent by the customer equipment via the Internet or

the data send from the STA-RMS platform from being read by invaders.

Virtual Private Network (VPN) with Internet Protocol Secu-rity (IPSec) via the Internet: We recommend establishing a broadband, secure connection via the Internet. This can offer the following advantages: a high level of security, optimum data transfer quality and availability, and access to all STA-RMS platform-based services. A Virtual Private Network (VPN) is used for this, secured with IPSec between the Siemens DMZ and the customer’s network portal.

IPSec is designed to protect data against tampering and being read by others (optional). Siemens uses the estab-lished standard IP Security with pre-shared secrets for encrypted and authenticated data transmission. Pre-shared secrets comprise at least twelve randomly selected charac-ters. The Internet Security Association and Key Manage-ment Protocol (ISAKMP) is used to exchange encryption key information. The use of an Authentication Header (AH) is for data integrity by using the MD5 or SHA1 hash method. Encrypted Secure Payload (ESP) provides for the confidentiality of data by 3DES encryption. The Diffie-Hell-mann key, with a 1024, or 1536-bit key length, can be used as symmetrical session keys.

Siemens can assist and provide customers with the prereq-uisites (for instance, VPN router) to use the Siemens STA-RMS platform. The VPN endpoint on Siemens’ side is cur-

12

rently a Cisco router that is configured according to the customer’s infrastructure needs and security requirements.

Virtual Private Network (VPN) with SSL via the Internet: Additional to the VPN via IPSec the STA-RMS platform offers connections using SSL (Secure Socket Layer) to the Siemens DMZ.

To achieve this, a Siemens-SSL client has to be installed in the customer equipment/data collector. The client encrypts the data with certificates and sends them to the Siemens DMZ. This so-called SSL tunnel, which is based on SSL V3, provides communication privacy over the Internet to pre-vent eavesdropping, tampering, or message forgery between the client and the server.

Virtual Private Network via dial-up connectionsThis functionality is no longer supported by Siemens. Cus-tomers who do have a dial-up infrastructure can contact their local Siemens representative for further information.

Technical security measures for the transmission route We offer the following technical measures to provide added security:

Secure password transmission with CHAP To transfer passwords, we use the Challenge Handshake Pro-tocol (CHAP), which provides encrypted password transmis-sion. The CHAP password, as well as passwords for Telnet and configuration mode access, are randomly generated from

upper- and lower-case alphanumeric characters as well as special characters. The passwords are ten characters in length.

Enhanced control capabilities through debugging (optional) Customers who want to receive service router SNMP or syslog messages on their router, or who want to see the current service router configuration, should contact their local Siemens representative.

Security measures within the customer network

Access to the customer network In light of the security issues involved, external access to the customer network requires specific measures. The key security features depend on the specific concept and con-figuration of the service router (customer access gateway) chosen.

Access enabled by customer One general security measure that can be implemented is to block any external access when not explicitly authorized or initiated by a component within the customer network. This security measure is supported by the STA-RMS plat-form, but has some limitations – especially in cases where no on-site personnel are available. However, if this option is chosen, the “Connectivity Layer” of the STA-RMS platform supports various mechanisms such as single log-in pass-words or defined-service timeslots. All security measures – such as authentication, authorization, and logging –

13

described under “Authentication and authorization of Siemens service personnel” and “Authentication and authorization of Siemens service partners and customer personnel” are available without such limitations.

Customer-supplied access (COA) If a customer already has an existing remote access solu-tion in place, this system can, in most cases, be configured to work securely with the Siemens STA-RMS platform’s infrastructure. To clarify the required configuration and measures, customers should contact their local Siemens service representative.

Service VPN router/ Siemens-supplied access (SOA) The preferred solution – due to cost, performance, and security benefits – is our specified VPN-router solution with broadband Internet access, for example, DSL. This solution supports high-performance remote service solu-tions with lower communication costs and enables value-added remote services to be added in the future.

Specific customer demands for additional security mea-sures for certain applications, network segments, etc., or requested on-site firewall features, can be provided based on this access solution.

System accessWhen remote access to a customer’s equipment is released (either manually by the user/administrator or automatically, based on system configuration), Siemens recommends that the service engineer is authenticated at the equipment before being able to work on the equipment.

ProtocolsDepending on the capabilities of the software on a custom-er’s equipment, the following can be used to service the equipment:

the http – or preferably https – protocol, or

the Telnet, PuTTY, NetOp, pcAnywhere, WinVNC, Tera-TermPro, Timbuktu, Netmeeting, Tarantella; Citrix-/ MS Terminal Server; SNMP; X.11 service tools/protocols

and others (if customers need other protocols, they are welcome to contact their local Siemens representative for further information).

Data transmission from the customer’s equipment to the STA-RMS platformFor our diagnostic services, only mandatory technical data is sent from the customer’s equipment to the STA-RMS platform automatically (based on the customer’s equip-ment configuration).

Depending on the capabilities of the software, the follow-ing services are used:

ftp/sftp (file transfer protocol, secure file transfer protocol)

scp (secure copy)

or optionally, other services of a system management tool.

14

Data transmission from STA-RMS platform to the customer’s equipment (optional)Depending on the customer’s needs and product capabili-ties, an STA-RMS platform-based software update service is available if requested. In this case, data could be sent manually or automatically from the STA-RMS platform to the customer’s equipment in accordance with the custom-er’s preferences as set out in the contract. This includes, for example, Anti Virus Pattern and Microsoft Hotfixes.

The update service includes the delivery of the software packages and could include installation. For further infor-mation about available services for your specific equip-ment, please contact your local Siemens representative.

Features of Siemens equipments to protect against malicious attacks

STA-RMS platform protectionThe servers of the “Connectivity Layer” are Linux servers. Infection by worms, viruses, Trojan horses, or other viruses have not been reported as of the date of this publication. Nevertheless, we use state-of-the-art virus protection pro-grams to protect the STA-RMS platform.

Customer equipment

Threats from the STA-RMS platform The reverse proxy function, and the firewalls described on page 10, are intended to protect against a virus infection on the customer’s equipment from affecting the STA-RMS platform or the distribution of viruses in the direction of the customer’s equipment.

Threats stemming from Internet connection Equipments connected to the corresponding STA-RMS plat-form via the Internet are – as with any connection via the Internet – exposed to a certain level of threat. As discussed above, Siemens security infrastructure contains anti-virus protection solutions. However, if the customer uses their Internet connection for other purposes, we recommend that they take appropriate precautions to protect their equipment.

Threats from e-mail traffic Certain types of customer equipment can send e-mails (without attachments) to the corresponding STA-RMS plat-form and in this direction only. E-mails sent from customer equipment to the STA-RMS platform are forwarded to the appropriate Siemens mail server and then sent to the recipient. The Siemens mail server scans e-mails for viruses and reacts in accordance with the Siemens established guidelines to protect the Siemens intranet. Since no e-mails are sent to the customer equipment, infection of the customer equipment in this manner is unlikely.

Infection of serviced equipment through contact with infected customer equipment Infection of the STA-RMS platform through contact with infected customer equipment is unlikely as there is no direct IP routing betwixt and between.

Furthermore, all data streams coming from and to the customer or the Siemens intranet are led through firewalls featuring up-to-date anti-virus detection methods.

15

The following provides information about how a connection to a customer can be realized via the STA-RMS “Connectivity Layer” using cRSP.

An access router for the cRSP can be placed anywhere in the customer’s network – as far as a routable connection between the systems and the cRSP router is possible.

VPN Situation 1

VPN Situation 2

In this case, the Internet link is directly terminated by the cRSP access router. There is no additional gateway in the customer’s network.

Siemens cRSP SOA

In this case, the cRSP access router bypasses the entire firewall of the customer. This solution should only be chosen if the customer’s firewall is neither capable of forwarding IPSec traffic to a device in the customer’s LAN nor of owning a DMZ interface.

This is an easy but not a recommended solution since the customer’s firewall is bypassed.

Siemens cRSP SOA

Internet

Internet

Internet Access = Siemens cRSP Router

Siemens cRSP Router

Customer Site

Customer Site

Server System

Server System

n cRSP Tunnel Endpoint


Customer FirewallCustomer

Internet Gateway

Customer Internet Gateway

16

VPN Situation 3

VPN Situation 4

In this case, the Internet link is terminated by the customer’s equipment, but the IPSec tunnel is still termi-nated by the Siemens router. The Siemens router is placed within the customer’s DMZ beyond the firewall.

SSH (TCP port 22), ISKMP (UDP port 500/4500), ESP (IP protocol number 50), and AH (IP protocol number 51) are required to be forwarded to the cRSP access router (WAN address).

Siemens cRSP SOA

In this case, the Internet link is established by the customer’s equipment, the IPSec tunnel however is termi-nated by the Siemens router. The router is placed within a DMZ of the customer’s firewall, but the LAN inter-face is directly connected to the customer’s network.


Siemens cRSP SOA

Internet

Internet

Siemens cRSP Router

Siemens cRSP Router

Customer Site

Customer Site

Server System

Server System





Customer DMZ

Customer DMZ

Customer Firewall

Customer Firewall

17

Internet

Customer router or firewall, at which the tunnel will be terminated

Customer Site

Server Systemn cRSP Tunnel Endpoint

VPN Situation 5

VPN Situation 6

In this case, the Internet link is terminated by the customer’s equipment, but the customer’s equipment is not capable of terminating IPSec tunnels. Furthermore, the equipment does not feature a DMZ where the router can be placed. The Siemens router is placed within the network.


Siemens cRSP SOA

In this case, the Internet link and the IPSec tunnel is terminated by the customer’s equipment.

All necessary parameters will be verified between the contact persons.

Siemens cRSP COA

Internet

Siemens cRSP Router

Customer Site

Server System




Customer Firewall

18

VPN Situation 7

In this case, the Internet link is terminated by the customer’s equipment, but the tunnel is terminated directly on the customer equipment with a cRSP SSL client. TCP Port 443 from internal to external must be opened in the customer firewall.

Siemens cRSP SSL-VPN Client

For more details please contact https://sta-rms.siemens.com/remote-services-contacts.

Internet

Customer Firewall

Customer Site

Server System



Contacts

19

How can I prevent unauthorized access to my plant? The AMS provides the possibility to lock all equipment to prevent access. The customer can unlock the access for his/her equipments individually in case remote service is needed. The routers Siemens delivers are configured so that no other data transfer is allowed other than transfer from and to the STA-RMS platform.

How is the cRSP always available if I need remote support? The cRSP is highly redundant due to three data centers. The operation is designed for 24 hours/365 days.

Could I use the cRSP also for my own staff? It is also possible to include customer staff, as well as business partners, into the cRSP. Access for non-Siemens personnel can be granted by the customer via the AMS.

How do I keep the overview about what is happening in my plant? The cRSP offers comprehensive logging mechanisms, which can be accessed via the AMS. Additionally, an SMS or an e-mail can be sent if someone is trying to access a system of your site via the cRSP. E-mails can also be sent when the user is finished with the session, which can include a description of the work done.

Is it possible to supervise remote experts while they are working? Depending on the application used for the remote service, it is possible to supervise the remote experts. Which applications are allowed for remote service is a part of the planning and is included in the documentation of the cRSP connection.

How the STA-RMS platform answers possible customer questions?

Do I have to buy hardware to use the cRSP or could I use my corporate firewall? Siemens provides various connection methods, which include also the possibility to use a corporate firewall of a customer (if the customer equipment is capable of terminating the IPSec tunnel), as well as a software-based connection method.

Is it possible to use my authentication server additional to the strong authentication method provided by the cRSP? Yes, customers have the possibility to use their authentication server on the customer site in addition.

What are the major advantages of the cRSP compared to point-to-point connections? The cRSP can be accessed worldwide without specific software, this provides wide flexibility.

Additional to this, the heightened security level in the cRSP-DMZ, the user management based on different roles, and the given log level can not be reached by point-to-point connections.

Are there any certifications available for the cRSP? Yes, the operation of the cRSP is designed to be ISO 27001 certifiable.

I have many IPSec tunnel connections to my plant. Could I detach them with the cRSP? Yes, that is possible if all the other parties migrate to the cRSP.

Printed on paper treated with chlorine-free bleach.

All rights reserved. Trademarks mentioned in this document are the property of Siemens AG, its affiliates, or their respective owners.

Subject to change without prior notice. The information in this document contains general descriptions of the technical options available, which may not apply in all cases. The required technical options should therefore be specified in the contract.

Published by and copyright © 2013: Siemens AGEnergy SectorFreyeslebenstrasse 191058 Erlangen, Germany

Siemens AGEnergy SectorService DivisionOil & Gas and Industrial ApplicationsWolfgang-Reuter-Platz 47053 Duisburg, Germany

Siemens Energy Inc.4400 Alafaya TrailOrlando, FL 32826- 2399, USA

For more information, contact ourCustomer Support Center.Phone: +49-180-524-70-00Fax: +49-180-524-24-71(Charges depending on provider)E-mail: [email protected]/energy

Energy Service DivisionOil & Gas and Industrial Applications ServicesOrder No. E50001-G510-A219-X-7600Dispo 34806, c4bs 7447bdk 120273, P WS 1212

Printed in Germany

siemens.com/energy/remoteservices remote … – remote monitoring system (sta-rms) platform and...

Documents