Hardware Security
Hardware intended to serve as the basis for Industrial Edge components is produced by different vendors, including Siemens. These vendors can build different security measures into the hardware. Accordingly, different security levels can be achieved with particular hardware components, and therefore different security requirements can be fulfilled for different use cases.
The security measures are explained in the respective manuals, for example the SIMATIC IPC Industrial Edge Device - Operation manual.
All hardware devices operated in the field should be protected by applying various security measures. Recommended security measures are:
- Prevent unauthorized changes to the wiring connected to the device. This can be achieved, e.g., by mounting the device in a secured (locked) rack and/or only in a protected, access-controlled area.
- Disable booting from unauthorized storage devices by applying valid password protection to the UEFI and to the bootloaders in use.
- Disable external USB devices in the hardware configuration, unless they are necessary, by applying the corresponding settings in the BIOS/UEFI.
- When using terminal servers (serial console access), ensure that such devices also have physical access-control measures applied.
- The operating system provided by the device builder should support Secure Boot to avoid loading untrusted kernels and/or modules.
- Especially when it is NOT possible to operate an Industrial Edge Device in a physically access-restricted environment, consider using the disk encryption supported by the device builder.
Hardware components operated in the cloud (e.g., on AWS infrastructure) are protected by security measures provided by the cloud provider itself. Customers typically have no possibility to request additional measures for certain use cases. When operating Industrial Edge components in the cloud, the customer must check whether the protection measures applied by the cloud provider meet the level required for the intended operational use case (e.g., IEC 62443 or ISO 27001 compliance).
Component | Purpose | Description |
---|---|---|
Intel® Boot Guard | Protect BIOS | Intel® Boot Guard provides hardware-enforced boot controls and ensures that only authorized and unaltered BIOS code can run on Edge Devices. |
BIOS signature | Protect BIOS | The Edge Device BIOS is protected over its entire lifecycle through signatures. |
Secure Boot | Verify boot artifacts | With Secure Boot, UEFI only launches verified and unaltered Industrial Edge boot artifacts (bootloader components, kernels and their modules) that are digitally signed by Siemens and other trustworthy identities. |
Crypto hardware | Disk encryption | Industrial Edge provides hardware modules to encrypt the storage. |
Crypto hardware | Measured boot | The crypto hardware measures and supervises the boot chain. |
Manufacturer device certificate | Hardware authenticity | The manufacturer device certificate provides proof of origin for the Edge Device and is provisioned during the manufacturing process.\* |
Separate network interfaces | Separation of IT and OT networks | Industrial Edge hardware provides at least two separate physical network interfaces, which may be used to segregate OT and IT networks. Network separation may be disabled by custom apps. |

\* planned
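Three of the measures above (Secure Boot from the recommendations list, and the crypto hardware used for measured boot and disk encryption from the table) can be verified on a Linux-based device before it goes into the field. The following audit helper is an added example, not code from the Industrial Edge product or its documentation; it assumes the standard efivarfs and sysfs paths and the `lsblk` output format, and the optional arguments exist only so the checks can be run against constructed inputs.

```shell
#!/bin/sh
# Added audit helper (not part of Industrial Edge). Defaults are the standard
# efivarfs/sysfs locations; each function accepts an override for offline use.

# Secure Boot state from the UEFI "SecureBoot" variable exposed by efivarfs:
# 4 attribute bytes followed by 1 data byte (1 = enabled, 0 = disabled).
# Prints "enabled", "disabled" or "unknown" (no readable variable, e.g. legacy boot).
secure_boot_state() {
  local var byte
  var="${1:-/sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c}"
  [ -r "$var" ] || { echo unknown; return 0; }
  byte=$(od -An -t u1 -j 4 -N 1 "$var" | tr -d ' ')
  case "$byte" in
    1) echo enabled ;;
    0) echo disabled ;;
    *) echo unknown ;;
  esac
}

# A TPM (crypto hardware for measured boot) is present if the kernel exposes it in sysfs.
tpm_present() {
  [ -d "${1:-/sys/class/tpm/tpm0}" ]
}

# True if at least one block device carries a LUKS container. Argument: the FSTYPE
# column of lsblk, one entry per line; defaults to live "lsblk -rno FSTYPE" output.
has_luks_volume() {
  local fstypes
  fstypes="${1:-$(lsblk -rno FSTYPE 2>/dev/null)}"
  printf '%s\n' "$fstypes" | grep -qx 'crypto_LUKS'
}

# Runs all checks, prints one PASS/FAIL line each and returns 1 if any check fails.
# Optional arguments: efivar path, TPM sysfs directory, lsblk FSTYPE output.
audit_host() {
  local rc sb
  rc=0
  sb=$(secure_boot_state "${1:-}")
  if [ "$sb" = enabled ]; then echo "PASS Secure Boot enabled"
  else echo "FAIL Secure Boot $sb"; rc=1; fi
  if tpm_present "${2:-}"; then echo "PASS TPM device present"
  else echo "FAIL no TPM device found"; rc=1; fi
  if has_luks_volume "${3:-}"; then echo "PASS LUKS-encrypted volume present"
  else echo "FAIL no LUKS-encrypted volume"; rc=1; fi
  return "$rc"
}
```

Source the file on the device and run `audit_host` without arguments; a non-zero exit status means at least one of the three measures is not in effect.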