Regulatory Compliance

Dispel’s Alignment with BSI Rules on Remote Maintenance in Industrial Environments (BSI-CS 108 1.0)

Security Guidelines

Introduction

The German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, or “BSI”) sets security standards and recommendations for federal agencies; corporations, institutions and foundations under public law; as well as public companies that are majority owned by the federal government and that provide IT services for the federal administration. Private companies often also use BSI recommendations for their own cybersecurity planning.

BSI, Industrial Control System Security, & Remote Access

The BSI has several documents focusing on remote access, divided into two primary categories: IT and OT.

The IT-focused BSI-CS 054 Grundregeln zur Absicherung von Fernwartungszugängen addresses allowing remote access within environments ranging across home networks, small businesses, enterprise, and government authorities. [1]

Because OT environments are unique in their device types, maintenance windows, network configurations, and the risk impact of an attack against critical infrastructure, the BSI also issues two recommendations for OT access. The broader ICS Security Compendium [2] draws heavily upon IEC 62443, VDI/VDE 2182, NERC CIP, and U.S. Department of Homeland Security best practices. Focusing specifically on remote access, the BSI has also issued particular recommendations in BSI-CS 108 Remote Maintenance in Industrial Environments. [3] Because of its singular focus on remote access, we address our alignment with BSI-CS 108 in this document. This complements Dispel’s other alignments with IEC 62443, NERC CIP, DHS TIC, and other cybersecurity frameworks.

BSI-CS 108 Categories

The BSI recommendations are broken into the following five categories: [4]

In this document we provide a 1:1 mapping of the technical requirements within each category against Dispel capabilities.

[4] Ibid, 1-3.

BSI-CS 108 - 1. Architecture

The following requirements should already be taken into consideration when planning and integrating a remote maintenance solution:

1.1 Consistent solution
Requirement: Especially in larger infrastructures, a consistent solution should preferably be used. This reduces both the number of attack vectors and the complexity (no “uncontrolled growth”).
Dispel Product / Feature: Dispel provides consistent, scalable workflows for the complete zero trust access lifecycle. This allows organizations to implement the same solution across their entire environment, in a way that easily and rapidly handles changes in scope.
Alignment: Yes

1.2 DMZ
Requirement: The remote maintenance component should preferably be in an [sic] separate zone (DMZ) and not localised directly in the production network. Remote maintenance accesses must not lead to existing firewalls being bypassed. Rather, firewalls are suitable to define, for example, allowed IP address ranges for remote maintenance.
Dispel Product / Feature: Dispel supports several deployment methods, including installation in the OT DMZ. The Dispel Wicket ESI acts as a zone boundary controller at the edge of the OT network and respects the rules of existing firewalls and other cybersecurity tools through narrow requirements and comprehensive integrations with third-party platforms.
Alignment: Yes

1.3 Granularity of the communication connections
Requirement: The remote maintenance access should preferably not be performed generally per (sub)network, but rather it should be possible to control remote maintenance access per IP and port in a fine-grained manner. This minimises the “range” of remote maintenance accesses and thus also limits the consequence of compromising. One possible approach is for example to establish 1:1 connections by means of SSH instead of coupling entire networks by means of IPsec.
Dispel Product / Feature: The Dispel Identity & Access Management module enforces fine-grained permissions. Dispel IAM allows administrators to assign per-user or per-group permissions down to individual devices at the IP, port, and protocol level, even in flat networks.
Alignment: Yes

1.4 Connection establishment
Requirement: Remote access should, if possible, only be initiated from the company (outbound). There should be no open ports for establishing a connection from outside. As an alternative, remote maintenance accesses can be activated temporarily. This requires adequately secure authentication and an up-to-date patch level as well as organisational processes to ensure subsequent deactivation.
Dispel Product / Feature: Dispel only uses an outbound connection (outbound UDP 1197/1198) for remote access, and the Wicket ESI does not permit any open ports for establishing a connection from outside. Remote maintenance access is granted only temporarily, during administrator-approved Access Windows and under secure authentication. Remote sessions are sandboxed within isolated virtual desktops that are patched at build time (typically once per day) and deactivated automatically at the end of a session.
Alignment: Yes

1.5 Dedicated systems
Requirement: The components used for remote maintenance should only be used for this application purpose and not be mixed with other functionalities.
Dispel Product / Feature: Dispel Zero Trust Access components are single tenant and dedicated exclusively to this application purpose. Client ZTA Region SD-WANs are not shared between clients or mixed with other functionalities unrelated to ZTA.
Alignment: Yes

BSI-CS 108 – 2. Secure Communication

The security of the communication in the case of remote maintenance is primarily ensured by means of established standard solutions.

2.1 Secure protocols
Requirement: Only established protocols such as IPsec, SSH or SSL/TLS in current versions are used in order to establish a tunnel between two end points or networks. Only the current versions of the respective protocols are to be recommended. Additional information in this respect can be found in the BSI’s minimum standard TLS 1.2. [5] Furthermore, up-to-date reports regarding vulnerabilities such as Heartbleed [6] or Poodle should be observed.
Dispel Product / Feature: Dispel uses TLS 1.2 and 1.3 for establishing secure connections. All traffic within a Dispel SRA platform is encrypted using AES-256, with 4096-bit RSA for the initial key exchange. The connection from the user's endpoint to the VDI, through the SD-WAN, and down to the Wicket ESI is encrypted. Dispel's encryption terminates at the edge of the Intermediate System, at the Wicket ESI virtual appliance on the Client's premises. Vulnerability reports are monitored and updates are applied when new issues are identified.
Alignment: Yes

2.2 Secure procedures
Requirement: Sufficiently strong cryptographic procedures are used for encryption, for example AES with a key length of at least 196 bits. [7] Using the recommended minimum key length, such as 128 bits for AES, is not recommended due to the typically long service life. The strength of the keys used should be checked at regular intervals as part of the security management and adjusted if necessary.
Dispel Product / Feature: Yes, Dispel uses strong cryptographic procedures for encryption. Data in transit is encrypted with AES-256-CBC, using 4096-bit RSA keys for the initial key exchange; this applies when clients connect to Dispel services through the client application or a hardware device, and to internal server-to-server transmissions. HTTPS traffic uses AES-256-GCM and may be secured using SHA-256 with 2048- or 4096-bit RSA keys, depending on the security requirements of the application. Keys are generated using a CSPRNG, typically on segmented compute systems designed with randomness in mind, and are distinguished between clients. Data at rest is encrypted with AES-256 block-level storage encryption, with keys managed by Amazon. Keys and cipher suites are regularly reviewed and updated to employ the latest cryptographically reliable cipher suites. All data, including regulated and sensitive data, is encrypted in transit between all systems and at rest in accordance with our Data Protection Policy and Data Classification Policy. Access to sensitive information is restricted to specific, vetted personnel within maintained and monitored systems; for instance, Dispel contracts with Heroku to patch and secure its AWS database instances.
Alignment: Yes

[5] Mindeststandard des BSI für den Einsatz des SSL/TLS-Protokolls in der Bundesverwaltung [Minimum standard of the BSI for the use of the SSL/TLS protocol in federal administration], https://www.bsi.bund.de/DE/Themen/StandardsKriterien/Mindeststandards/SSL-TLSProtokoll/SSL-TLS-Protokoll.html

[6] BSI stuft Heartbleed-Bug als kritisch ein [BSI classifies Heartbleed bug as critical], https://www.bsi.bund.de/DE/Presse/Pressemitteilungen/Presse2014/Heartbleed_11042014.html

[7] BSI TR-02102 Kryptographische Verfahren: Empfehlungen und Schlüssellängen [English version: BSI TR-02102 Cryptographic Procedures: Recommendations and Key Lengths], https://www.bsi.bund.de/DE/Publikationen/TechnischeRichtlinien/tr02102/index_htm.html

BSI-CS 108 – 3. Authentication Mechanisms

Only by complying with the following requirements for user authentication can an adequate security level be reached for a remote maintenance solution.

3.1 Granularity of the accounts
Requirement: Only one user per account should be provided. Group accounts must be avoided under all circumstances.
Dispel Product / Feature: Dispel enforces unique logins for all users and has a pricing model that encourages only one user per account. Accounts in Dispel are further designed to prevent simultaneous multi-use, which discourages shadow group accounts. The Dispel Vendor Self-Onboarding feature allows administrators to white-label set domains with permissions for controlled onboarding, so organizations can onboard new users when there is turnover instead of re-using old accounts.
Alignment: Yes

3.2 Strong authentication mechanisms
Requirement: The best security level is provided by two-factor methods in which not only knowledge (e.g. a password), but also ownership (e.g. X.509 certificate) has to be proven. In the case of hardware-based solutions, such as generators for one-time passwords, smart cards or USB tokens, for which copying the hardware component is impossible, the security level is particularly high. In every case, using such mechanisms must be preferred to simple authentication using a password.
Dispel Product / Feature: Yes, Dispel supports MFA. Dispel follows the NIST SP 800-63 Digital Identity Guidelines for authentication. Dispel's SRA supports time-based one-time passwords (TOTP) and hardware tokens (e.g., YubiKeys) as MFA components. MFA can be enforced for all users. Dispel supports TOTP authentication tools (QR code style) such as Google Authenticator, Microsoft Authenticator, 1Password, Authy, etc. Dispel also supports FIDO U2F hardware tokens such as YubiKeys, RSA SecurID tokens, and Common Access Cards. Dispel integrates with Active Directory and Okta for additional federated authentication.
Alignment: Yes

3.3 Password security
Requirement: Using password-based authentication requires a password policy which ensures the minimum level of the password quality. It must be possible to implement such a policy by the respective remote maintenance solution (e.g. use of special characters, password length etc.). A remote maintenance solution should preferably also be able to technically force a password policy. It must explicitly be pointed out that using only password-based authentication methods cannot provide more than a basic level of protection. In any case, the related organisational processes must be implemented (see below).
Dispel Product / Feature: Dispel enforces password policies in alignment with the NIST SP 800-63 Digital Identity Guidelines. These guidelines ensure a minimum level of password quality for password-based authentication, including a minimum password length and the use of special characters, capitalization, and numbers. The Dispel platform enforces these rules and allows for additional controls such as time-based log-outs and multi-factor authentication.
Alignment: Yes

3.4 Attack detection
Requirement: Using mechanisms to detect attacks on password-based authentication methods (e.g. brute-force or dictionary attacks) would be preferable. Precautions are necessary against repeated trying (online brute-force), such as by activating temporary blocking after a defined number of failed attempts. Unlike in conventional IT, such blocking, however, must be performed for example only after 20 instead of already after three failed attempts with regard to the special requirements in terms of availability and safety.
Dispel Product / Feature: Using mechanisms to detect attacks on password-based authentication methods (e.g. brute-force or dictionary attacks) would be preferable. Precautions are necessary against repeated trying (online brute-force), such as by activating temporary blocking after a defined number of failed attempts. Unlike in conventional IT, such blocking, however, must be performed for example only after 20 instead of already after three failed attempts with regard to the special requirements in terms of availability and safety.
Alignment: Yes
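
As an added illustration of the counting and temporary-blocking logic that requirements 3.4 and 4.9 describe (this is example code, not Dispel's implementation or BSI text), the monitor below evaluates constructed authentication log lines, locks an account temporarily once the OT-appropriate threshold of 20 failures is reached, and records an alert for the operator; the log format, field names and policy values are assumptions.

```python
"""Failed-login monitor in the spirit of BSI-CS 108 sections 3.4 and 4.9.

Tracks failed authentication attempts per account inside a sliding window,
applies a temporary lock once a configurable threshold is reached, and
produces an alert record that an operator-side log pipeline could consume.
The default threshold of 20 follows the BSI-CS 108 suggestion for OT (rather
than the usual three), so an engineer fumbling a password during a
maintenance window is not locked out of the plant while a sustained online
brute-force attempt is still caught. Log format and field names are
constructed for this example.
"""
from __future__ import annotations

from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class LockoutPolicy:
    threshold: int = 20                                # BSI-CS 108 3.4: e.g. 20 for OT, not 3
    window: timedelta = timedelta(minutes=15)          # failures older than this are forgotten
    lock_duration: timedelta = timedelta(minutes=30)   # temporary blocking, not a permanent ban


@dataclass
class Monitor:
    policy: LockoutPolicy = field(default_factory=LockoutPolicy)
    failures: dict[str, deque] = field(default_factory=lambda: defaultdict(deque))
    locked_until: dict[str, datetime] = field(default_factory=dict)
    alerts: list[dict] = field(default_factory=list)

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            del self.locked_until[user]   # lock expired: automatic unlock, no operator action
            return False
        return True

    def record(self, user: str, outcome: str, source: str, now: datetime) -> str:
        """Feed one authentication event; returns 'ok', 'fail', 'locked' or 'lockout'."""
        if self.is_locked(user, now):
            # Attempts against a locked account are still surfaced to the operator (4.9).
            self.alerts.append({"type": "attempt_while_locked", "user": user,
                                "source": source, "time": now})
            return "locked"
        if outcome == "success":
            self.failures[user].clear()   # a genuine login resets the counter
            return "ok"
        q = self.failures[user]
        q.append(now)
        while q and now - q[0] > self.policy.window:   # sliding window of recent failures
            q.popleft()
        if len(q) >= self.policy.threshold:
            self.locked_until[user] = now + self.policy.lock_duration
            q.clear()
            self.alerts.append({"type": "lockout", "user": user, "source": source,
                                "time": now, "failures": self.policy.threshold})
            return "lockout"
        return "fail"


def parse_line(line: str) -> tuple[datetime, str, str, str]:
    """Parse a constructed line: '<iso time> auth <user> <success|failure> from <ip>'."""
    ts, _, user, outcome, _, source = line.split()
    return datetime.fromisoformat(ts), user, outcome, source


def run(lines: list[str], policy: LockoutPolicy | None = None) -> Monitor:
    """Replay log lines through a fresh Monitor and return it for inspection."""
    mon = Monitor(policy or LockoutPolicy())
    for line in lines:
        ts, user, outcome, source = parse_line(line)
        mon.record(user, outcome, source, ts)
    return mon


# Constructed sample: one engineer mistypes twice and then succeeds; one
# source sends 20 failures against a vendor account and then keeps trying.
BASE = datetime(2024, 1, 15, 8, 0, 0)


def seconds_after(n: int) -> datetime:
    return BASE + timedelta(seconds=n)


SAMPLE_LOG = (
    [f"{seconds_after(i).isoformat()} auth engineer1 failure from 10.0.5.21" for i in range(2)]
    + [f"{seconds_after(3).isoformat()} auth engineer1 success from 10.0.5.21"]
    + [f"{seconds_after(10 + i).isoformat()} auth vendor7 failure from 203.0.113.9" for i in range(21)]
)

if __name__ == "__main__":
    for alert in run(SAMPLE_LOG).alerts:
        print(alert)
```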

BSI-CS 108 – 4. Organisational Requirements

Secure maintenance access can never be ensured by technical safeguards alone. Therefore, the following requirements are essential for the integration and operation phase.

Part

Title

Requirement

Dispel Product / Feature

4.1

Risk analysis

The designed solution is subjected to a formal risk analysis.

Dispel's solution designs are subjected to a formal risk analysis, independently reviewed by third party auditors, and certified through SOC 2 Type 2 and ISO 27001 assessments. The solution risk assessment process involves the identification of all assets, threats, and vulnerabilities. Consequences and likelihood of each risk are assessed and a risk owner is identified for each risk. The level of risk is calculated by adding up the values of consequence and likelihood.

Yes

4.1

Risk analysis

The designed solution is subjected to a formal risk analysis.

Dispel's solution designs are subjected to a formal risk analysis, independently reviewed by third party auditors, and certified through SOC 2 Type 2 and ISO 27001 assessments. The solution risk assessment process involves the identification of all assets, threats, and vulnerabilities. Consequences and likelihood of each risk are assessed and a risk owner is identified for each risk. The level of risk is calculated by adding up the values of consequence and likelihood.

Yes

4.2

Principle of minimalism

Only the absolutely necessary remote access options must be implemented. The necessity of a remote access must be documented by the respective person responsible (“business justification”).

Dispel provides onboarding documents for procurement and facility setup. Dispel also includes additional documentation tracking during every request access window.

Yes

4.2

Principle of minimalism

Only the absolutely necessary remote access options must be implemented. The necessity of a remote access must be documented by the respective person responsible (“business justification”).

Dispel provides onboarding documents for procurement and facility setup. Dispel also includes additional documentation tracking during every request access window.

Yes

4.3

Process

The operator of the system has established processes which for example govern the release of connections, locking (e.g. when employees leave the organisation), emergency procedures and the regular change of authentication data.

Dispel is built to align with processes laid out in a variety of cybersecurity frameworks including IEC 62443; NIST CSF, 800-53, 800-82; and NERC-CIP. These include workflows around new access requests, automatic removal of employees when they leave an organization, emergency disaster recovery/business continuity planning, and authentication cycling including automated session handling. By aligning Dispel workflows with industry standards, it's easier for organizations to meet new and establishes processes when implementing Dispel ZTA.

Yes

4.3

Process

The operator of the system has established processes which for example govern the release of connections, locking (e.g. when employees leave the organisation), emergency procedures and the regular change of authentication data.

Dispel is built to align with processes laid out in a variety of cybersecurity frameworks including IEC 62443; NIST CSF, 800-53, 800-82; and NERC-CIP. These include workflows around new access requests, automatic removal of employees when they leave an organization, emergency disaster recovery/business continuity planning, and authentication cycling including automated session handling. By aligning Dispel workflows with industry standards, it's easier for organizations to meet new and establishes processes when implementing Dispel ZTA.

Yes

4.4

Inventory

All remote access options are identified as part of a security management. This includes the type of the access, the affected systems, the authorised persons as well as the corresponding specifications and processes.

Dispel maintains detailed internal logs, granular access permission controls, and audit authorization trails. This includes clearly identifying all remote access sessions open across the entire organization in one panel.

Yes

4.4

Inventory

All remote access options are identified as part of a security management. This includes the type of the access, the affected systems, the authorised persons as well as the corresponding specifications and processes.

Dispel maintains detailed internal logs, granular access permission controls, and audit authorization trails. This includes clearly identifying all remote access sessions open across the entire organization in one panel.

Yes

4.5

Time window

Remote access is only enabled when needed or in a defined maintenance window (e.g. keyoperated switches). Activation and/or deactivation must be logged.

Access Request Windows define the schedule and time during which session access is permitted. When a Access Windows expires, the user's access is automatically revoked and logged.

Yes

4.5

Time window

Remote access is only enabled when needed or in a defined maintenance window (e.g. keyoperated switches). Activation and/or deactivation must be logged.

Access Request Windows define the schedule and time during which session access is permitted. When a Access Windows expires, the user's access is automatically revoked and logged.

Yes

4.6

Functional test

The proper functioning of the remote maintenance is checked at regular intervals.

As a SaaS service, Dispel's systems are continuously monitored 24/7 by automated and human checks. Dispel provides a status page showing the proper functioning of the ZTA platform which can be viewed at https://status.dispel.com/

Yes

4.6

Functional test

The proper functioning of the remote maintenance is checked at regular intervals.

As a SaaS service, Dispel's systems are continuously monitored 24/7 by automated and human checks. Dispel provides a status page showing the proper functioning of the ZTA platform which can be viewed at https://status.dispel.com/

Yes

4.7

Guidelines for persons performing the maintenance work

Especially in the case of remote maintenance by third parties (manufacturers, integrator etc.), guidelines are made for the IT used (e.g. no smartphones) and protection mechanisms of the remote clients (e.g. latest virus protection, firewall, system hardening, latest patch level etc.). These guidelines are contractually agreed upon.

Dispel supports enforcing protection mechanisms around third-parties through granular access control rules, request access forms, and device isolation. Dispel allows organizations to prevent an untrusted endpoint from ever making a direct connection to a target system through the use of isolated, hardened, single-use virtual desktops. VDIs contain virus protection, firewalls, DISA STIG hardening, and are patched on build time which usually occurs once every 24 hours.

Yes

4.7

Guidelines for persons performing the maintenance work

Especially in the case of remote maintenance by third parties (manufacturers, integrator etc.), guidelines are made for the IT used (e.g. no smartphones) and protection mechanisms of the remote clients (e.g. latest virus protection, firewall, system hardening, latest patch level etc.). These guidelines are contractually agreed upon.

Dispel supports enforcing protection mechanisms around third-parties through granular access control rules, request access forms, and device isolation. Dispel allows organizations to prevent an untrusted endpoint from ever making a direct connection to a target system through the use of isolated, hardened, single-use virtual desktops. VDIs contain virus protection, firewalls, DISA STIG hardening, and are patched on build time which usually occurs once every 24 hours.

Yes

4.8

Patch process

For functional industrial components (e.g. PLC), it is often not possible to install updates and patches. Notably remote maintenance components are exposed very much, eliminating the known vulnerabilities there in a timely manner is of central importance for security aspects. Since a remote maintenance component does usually not have a direct impact on aspects in terms of time, such as real-time capability or system availability, in most cases such updates are also possible as part of a defined patch process.

Dispel supports both a patch process for industrial components, and situations where devices cannot be patched and will "wither on the vine." Dispel's deployment architecture places the Wicket ESI zone boundary controllers adjacent to operational technology systems, without having any direct impact on systems.

Yes

4.9

Logging & alerting

Available logging functions must be used to track, for example, connection data and failed login attempts. It must be ensured that the log data is evaluated automatically and an alarm is generated if necessary. Moreover, manual inspection should be performed periodically. To ensure auditing acceptability, it is absolutely necessary that the log data is collected at the operator rather than at the person performing the maintenance work.

Dispel provides extensive logging functions, including tracking of connection data and failed login attempts. These logs are automatically evaluated and can generate alerts as necessary. Manual inspection can also be performed. All log data is collected and stored independently for each client, ensuring auditing acceptability. Log editing functions are not available to client end users, and access to log files is restricted to designated team members. User and admin activity on Dispel is documented and identifiable on a per-user basis, and is collected for operators, admins, and users.

Yes
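As an added illustration of the automatic evaluation that BSI-CS 108 4.9 asks for (example code written for this page, not Dispel's own implementation): it parses constructed remote-maintenance log records, raises an alarm on repeated failed logins within a short window, and flags any record that was not collected on the operator's side. The field names, the origin marker, the threshold and the window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of remote-maintenance log records, as 4.9 expects the
# operator to collect them: connection data plus failed login attempts.
# Field names and the origin marker (operator/maintainer) are assumptions.
SAMPLE_LOG = """\
2024-03-04T08:00:05Z operator session_open user=vendor1 src=198.51.100.7 target=plc-12
2024-03-04T08:00:09Z operator auth_fail user=vendor2 src=203.0.113.9 target=hmi-3
2024-03-04T08:00:21Z operator auth_fail user=vendor2 src=203.0.113.9 target=hmi-3
2024-03-04T08:00:40Z operator auth_fail user=vendor2 src=203.0.113.9 target=hmi-3
2024-03-04T08:31:10Z operator session_close user=vendor1 src=198.51.100.7 target=plc-12
2024-03-04T09:02:00Z maintainer session_open user=vendor3 src=192.0.2.5 target=plc-12
"""

FAIL_THRESHOLD = 3            # assumed: failed logins per user within WINDOW
WINDOW = timedelta(minutes=5)  # assumed sliding window

def parse_line(line):
    """Split one record into timestamp, origin, event and key=value fields."""
    ts, origin, event, *kv = line.split()
    rec = {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
           "origin": origin, "event": event}
    rec.update(dict(p.split("=", 1) for p in kv))
    return rec

def evaluate(log_text):
    """Automatic evaluation step: return the list of alarm strings."""
    alarms = []
    failures = defaultdict(list)  # user -> timestamps of recent auth_fail
    for line in log_text.splitlines():
        rec = parse_line(line)
        # 4.9: auditing is only acceptable if the operator holds the log data
        if rec["origin"] != "operator":
            alarms.append(f"non-operator log record: {rec['event']} user={rec['user']}")
            continue
        if rec["event"] == "auth_fail":
            hits = failures[rec["user"]]
            hits.append(rec["ts"])
            hits[:] = [t for t in hits if rec["ts"] - t <= WINDOW]  # keep window
            if len(hits) >= FAIL_THRESHOLD:
                alarms.append(f"{len(hits)} failed logins for {rec['user']} from {rec['src']}")
                hits.clear()  # each burst alarms once
    return alarms

if __name__ == "__main__":
    for alarm in evaluate(SAMPLE_LOG):
        print("ALARM:", alarm)
```

Periodic manual inspection, the other half of 4.9, still needs a reviewer reading the same operator-held records; the alarms only prioritise that review.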

BSI-CS 108 – 5. Miscellaneous

Depending on the specific application, further requirements can be useful. As it is hardly possible to make general statements in this respect, some examples are listed below:

Part

Title

Requirement

Dispel Product / Feature

5.1

Scalability

Primarily in larger infrastructures, the costs for operation, maintenance and servicing can be reduced significantly by a central management, bulk roll-out, bulk configuration, or bulk actions, such as executing scripts.

Dispel uses a centralized management and orchestration platform to manage large-scale deployments serving tens of thousands of nodes. Deployments use automated bulk scripts and actions for roll-outs and configuration changes within minutes, not months.

Yes

5.2

Investment protection

By taking possible future requirements into account, such as the support of IPv6, it makes sense to choose products with regard to investment protection and sustainability.

Dispel invests significantly in future technologies, including areas such as IPv6 and post-quantum encryption. We use a continuous integration system which is designed around deploying tested, secure code on a highly regular agile basis. Dispel also works to meet sustainability goals, including the United Nations Sustainable Development Goals.

Yes

5.3

High availability

Provided that there are corresponding requirements, functions for implementing high availability concepts, such as the redundant use of several mobile communication networks for the communication by means of Dual SIM, are useful.

Dispel uses several high availability methods for redundant deployments and communications channels. For example, Dispel integrates with multiple different public cloud providers, allowing redundant high availability failovers. Dispel Regional SD-WANs support redundant hot, warm, and cold standby communication tunnels. Dispel ZTA works across cable, cellular, and satellite uplinks.

Yes

We're raising the standard for factory security

See what makes Dispel better
