Overview
Industrial Edge Hub
Industrial Edge Hub
- Setup
- Operation
  Operation
  - Sign Up
  - Log in and sign out
  - Home
  - Application Provisioning
    Application Provisioning
    
    Hub to Hub transfer
  - Product Management
    Product Management
    
    Overview
  - Library
    Library
    
    Library
    
    Copying an app to IEM instances
    
    Purchasing an app
  - License Management
    License Management
    
    Overview
    
    Purchased licenses
  - IEM Instances
    IEM Instances
    
    IEM Instances
    
    Managing IEM instances
  - Download Software
  - User Management
    User Management
    
    Overview
    
    Inviting a new user
    
    Managing user roles
    
    User roles
  - Hub Settings
    Hub Settings
    
    Overview
    
    Renaming hub display names
  - Notification Settings
  - Switching hub
  - Cancelling an IE Hub Subscription
  - Customer Feedback
Industrial Edge Management
Industrial Edge Management
- IEM Overview
- Setup and operate
  Setup and operate
  - IEM Virtual
    IEM Virtual
    
    Setup
    Setup
    
    General requirements
    
    Setup steps
    
    Download the OVA Package
    
    Deploy the Virtual Machine
    Deploy the Virtual Machine
    
    VMware Workstation
    
    VMware ESXi Server
    
    Provision the IEM Virtual
    
    Operation
    Operation
    
    Network configuration via console
    
    Service & maintenance
    Service & maintenance
    
    Overview
    
    Login
    
    UI
    
    Download log files
    
    Security considerations
  - IEM Cloud
    IEM Cloud
    
    Setup
    Setup
    
    Creating the IEM Cloud Instance
    
    Revealing the initial user passwords
    
    Operation
    Operation
    
    Update
    
    Delete
  - IEM Pro
    IEM Pro
    
    Introduction
    Introduction
    
    Overview
    
    Architecture
    
    General Requirements
    
    Setup
    Setup
    
    Setup Cluster
    Setup Cluster
    
    Using kOps
    Using kOps
    
    Introduction
    
    Prerequisites
    
    Creating pro Cluster
    
    Adjusting created Security Groups
    
    Using minikube
    
    Using Docker Desktop
    
    Using K3s
    
    Using openshift
    
    Deploying IEM Pro
    
    Extensions
    Extensions
    
    Logging & Monitoring
    
    Device Catalog
    
    Uninstalling IEM Pro
    
    Operation
    Operation
    
    Proxy Settings
    
    TLS Certificate
    
    IE Gateway
    
    Monitoring
    
    Planning capacity
    
    Backup & Restore
    Backup & Restore
    
    Industrial Edge Management
    
    Provisioning CLI
    Provisioning CLI
    
    Overview
    
    Installation
    
    Selecting an IEM Pro Instance
    
    Configuration Input
    
    Importing and Exporting Configuration
    
    Configuration Files
    
    Configuration Stored in Cluster
    
    Interaction with Helm CLI
    
    Configure Service Mesh
  - IEM OS (deprecated)
    IEM OS (deprecated)
    
    Setup
    Setup
    
    Setup steps
    
    Downloading the Industrial Edge Management OS
    
    Creating an IEM instance and downloading the configuration file
    
    VMware Workstation
    VMware Workstation
    
    Creating the VM
    
    Configuring the VM
    
    Installing the Industrial Edge Management OS
    
    Oracle VirtualBox
    Oracle VirtualBox
    
    Creating the VM
    
    Configuring the VM
    
    Installing the Industrial Edge Management OS
    
    VMware ESXi
    VMware ESXi
    
    Creating and configuring the VM
    
    Installing the Industrial Edge Management OS
    
    Configuring the Industrial Edge Management
    
    Activating & Installing the Industrial Edge Management
    Activating & Installing the Industrial Edge Management
    
    Activating the Industrial Edge Management
    
    Installing the Industrial Edge Management
    
    Settings
    Settings
    
    Settings
    
    Editing network settings
    
    Setting up a proxy server
    
    Configuring the Docker network
    
    Downloading system logs
    
    Adding an NTP server
    
    Certificate requirements
    
    Installing configurators
    
    Adding a relay server
    
    Operation
    Operation
    
    Overview
    
    Sign up
    
    Log in
    
    Reset password
    
    Home
    Home
    
    Home
    
    User profile
    
    Storage Manager service
    
    Catalog
    
    Statistics
    
    My User Groups
    My User Groups
    
    Overview
    
    Creating and editing an user group
    
    Roles
    
    Adding apps
    
    Inviting members
    
    Removing apps
    
    Settings
    Settings
    
    Settings
    
    Alerts
    
    Configuration
    
    Connectivity
    
    Storage
    Storage
    
    Storage
    
    Adding additional storage to the IEM
    Adding additional storage to the IEM
    
    IEM
    
    Oracle
    
    VMWare
    
    VMWare esxi
    
    System
    System
    
    System
    
    Adding and editing NTP servers
    
    Members
    
    Backup and restore
    Backup and restore
    
    Creating a backup of the IEM OS
    Creating a backup of the IEM OS
    
    via VM Workstation
    
    via Oracle
    
    Restoring the IEM OS from a backup
    Restoring the IEM OS from a backup
    
    via VM Workstation
    
    via Oracle
    
    Industrial Edge Management Services
    Industrial Edge Management Services
    
    Overview
    
    Service to Backup & Restore Edge Devices
    Service to Backup & Restore Edge Devices
    
    Overview
    
    Installation
    
    Update
    
    Configuration
    Configuration
    
    Configuration
    
    Storage size
    
    Monitoring service
    
    Backup devices
    
    Restore devices
    
    Compatibility
- Utilize
  Utilize
  - Launchpad
  - Navigation
    Navigation
    
    Top navigation
    
    Sign up & Navigation (Previous design)
    Sign up & Navigation (Previous design)
    
    Sign up
    
    Log in and sign out
    
    Reset password
    
    Home page
    
    Certificate Management
    Certificate Management
    
    Types of certificates
    
    Overview
    
    Communication relations
    
    Secure connections to the IEM
    Secure connections to the IEM
    
    Overview
    
    Importing certificates to the internet browser
    
    Alerts
    
    User profile
    
    Navigation
  - Homepage
    Homepage
    
    Discover a new experience
  - Applications
    Applications
    
    Management Applications
    
    Pre-Provisioned Applications
    
    Device Applications
    
    Install Device Applications
    
    Catalog (Previous design)
    Catalog (Previous design)
    
    Overview
    
    Importing Edge Apps
    
    Installing an app from the catalog
    
    My Installed Apps (Previous design)
    My Installed Apps (Previous design)
    
    Overview
    
    Managing an app
    
    Scheduling an app job
  - Devices
    Devices
    
    Device overview
    
    Device onboarding
    Device onboarding
    
    Overview
    
    Device configuration
    
    Device onboarding
    
    Device configuration (legacy user interface)
    Device configuration (legacy user interface)
    
    Creating the Edge Device configuration file
    
    New Edge Device - Parameters
    
    Layer 2 network access
    
    Configuring a Layer 2 network access
    
    Settings
    Settings
    
    Editing network and Layer 2 network access settings
    
    Setting up a proxy server
    
    Configuring the Docker network
    
    Downloading logs
    
    Adding an NTP Server
    
    Secure Connection
    
    Device details
    Device details
    
    Details
    
    Settings
    Settings
    
    Memory limit check
    
    Certificate
    
    Streaming logs
    
    Firmware Artifact Storage Management
    
    Logging
    Logging
    
    Overview
    
    Editing log settings
    
    Device logs
    
    Application logs
    
    Backup & Restore
    Backup & Restore
    
    Configuration
    
    Backup devices
    
    Restore devices
    
    Compatibility
    
    Monitoring Service
    
    Identity federation
    Identity federation
    
    Configuration
    
    Known Issues
    
    Edge Devices (Previous design)
    Edge Devices (Previous design)
    
    Overview
    
    Managing labels
    
    Checking statistics
    
    Removing an Edge Device
    
    Adding tags
    
    Downloading IEM CA certificate
    
    Managing logs
    
    Importing certificates
    
    Enabling and disabling remote access
    
    Storing an Edge Device state
    
    Restoring an Edge Device state
    
    Edge Device system commands
    Edge Device system commands
    
    Edge Device system commands
    
    Updating an Edge Device
    
    Storing multiple Edge Device states
    
    Restoring IED states of multiple Edge Devices
  - Data Connection
    Data Connection
    
    Overview
    
    Apps for Data Connection
    
    UI of Data Connections
  - App Projects (Previous design)
    App Projects (Previous design)
    
    Overview
    
    Authorized Apps
    Authorized Apps
    
    Overview
    
    Joining other projects
    
    Creating a project
    
    Editing a project
    
    Creating an app
    Creating an app
    
    Creating an app
    
    Creating an app - Parameters
    
    Assigning labels
    
    Enabling the external configurator
    
    App details
    
    App configurations
    App configurations
    
    Creating configurations
    
    Available app configurations
    
    Versioned configuration files
    
    Template based configurations
    
    File upload configurations
    
    Add configuration to app - Parameters
    
    IE Application Configuration Service
    IE Application Configuration Service
    
    Overview
    
    Installing the IE App Configuration Service manually
    
    Integration of the IE Acs compatible app configurations
    
    Downloading and checking app configuration
    
    Installing an app from my projects
    Installing an app from my projects
    
    Installing an app from my projects
    
    Installing an app via the IE ACS
    
    Updating an app configuration via the IE ACS
    
    Privileged and network mode
    
    Updating Edge Apps via the IE App Publisher
    Updating Edge Apps via the IE App Publisher
    
    Updating an Edge App
    
    Importing an Edge App to the IE App Publisher
    
    Uploading an Edge App to the IEM
  - User Management (Previous design)
    User Management (Previous design)
    
    My User Groups
    My User Groups
    
    Overview
    
    Creating and editing an user group
    
    Roles
    
    Adding apps
    
    Inviting members
    
    Removing apps
    
    My Admin Groups
    My Admin Groups
    
    Overview
    
    Creating and editing an admin group
    
    Roles
    
    Adding an Edge Device
    
    Inviting Members
    
    Joining other groups
    
    Removing and checking Edge Devices
  - Job status (Previous design)
    Job status (Previous design)
    
    Overview
  - Admin Management
    Admin Management
    
    Overview
    
    Dashboard
    
    Edge Devices
    Edge Devices
    
    Edge Devices
    
    Downloading logs
    
    Submitted apps
    Submitted apps
    
    Submitted apps
    
    Unpublishing apps
    
    Deleting apps
    
    Registered Users
    Registered Users
    
    Registered Users
    
    Transfer IEM access
    
    Manage Roles
    Manage Roles
    
    Manage Roles
    
    Creating a role
    
    My Admin Groups
    My Admin Groups
    
    My Admin Groups
    
    Creating an admin group
    
    Inviting members to an admin group
    
    Settings
    
    Security
    
    Device Catalog
    
    Licenses
    Licenses
    
    License Management in IEM Virtual / Pro / Cloud
    
    License Management in IEM OS (deprecated)
    License Management in IEM OS (deprecated)
    
    IE Licensing Service
    
    Creating and sending license report to IE Hub
    
    Installing the IE Licensing Service
  - Platform settings
  - Identity and Access Management
    Identity and Access Management
    
    Overview of IAM
    
    Authorization concept
    
    User management
    
    Security
    
    Adding identity provider
    
    Clients
    
    Guides
    Guides
    
    Verify users email address
    
    Known issues
    
    Technical overview
    
    Known issues
    
    Best practices
Industrial Edge Device
Industrial Edge Device
- Setup and operate
  Setup and operate
- Utilize
  Utilize
  - Apps
  - Management
  - Statistics
  - Certificate Management
    Certificate Management
    
    Overview
    
    Manage IED Gateway Certificates
    
    Manage Certificate Trust Store
  - App Developer Mode
    App Developer Mode
    
    Overview
    
    Advanced View
  - Identity And Access Management
    Identity And Access Management
    
    Roles
  - My User Groups
    My User Groups
    
    Overview
    
    Creating and editing a group
    
    Roles
    
    Adding apps
    
    Inviting users
    
    Inviting registered Users
  - Catalog
  - Settings
    Settings
    
    Configuration
    
    Connectivity
    Connectivity
    
    Network and Layer 2 network access
    
    Proxy settings
    
    Docker network settings
    
    Registered ports
    
    System
    System
    
    System
    
    Enabling app developer mode
    
    Members
    
    Registered users
    
    Logging & Monitoring
    Logging & Monitoring
    
    Overview
    
    Stream based Logging
    Stream based Logging
    
    Metrics Service overview
    
    Destination
    Destination
    
    Management
    
    Specs
    
    Examples
    
    Creating metrics configuration
    
    Export & Import configuration
    
    Global Settings & Limitations
    
    Metrics data
    
    Prometheus Support
    
    File based Logging
    
    Resource Manager
  - Edge Device Notifications
  - Storage manager service
  - Audit Event
Security
Security
- General Data Protection Regulation (GDPR)
- System Overview
- Certificates
- Operational environment - Example
- Contacted domain names
- IP protocols and ports
- Industrial Edge components - Security measures
  Industrial Edge components - Security measures
- Setup guidelines and recommendations
  Setup guidelines and recommendations
  - Setup guidelines and recommendations
  - General recommendations
  - Network security and segmentation
  - Identity and access management
  - Secure channels and encryption
  - Security logging and monitoring
  - Backup and restore
  - Attack Surface Reduction
  - Patch management
    Patch management
    
    Overview
    
    Information on updates
    
    Patch management
  - Malware protection
  - Secure app development
  - App security
Updates & Migrations
Updates & Migrations
- Overview
- Updating the IEM Pro
- Updating the IEM Virtual
- Updating the IEM Cloud
- Updating the IEM OS (end-of-life)
  Updating the IEM OS (end-of-life)
- Updating Configurators (end-of-life)
- Updating Device Applications
- Updating Edge Devices
- Relocating Edge Devices
- Migrate to Management Apps
Support

Operational Environment - An Example¶

The following figure shows the setup of the Industrial Edge system as an example.

Operational environment

The customer's IT security concept needs to define the setup and network protection concept, and adjust the reference architecture shown above to their specific requirements. The Industrial Edge Management and Edge Devices must NOT be operated in non-trusted networks. However, the IEM and IEH instances can be operated in networks exposed to the internet, e.g., if they are consumed as SaaS service by Siemens or the customer decides to run their IEM as an internet-exposed service. In case of operating internet-exposed Industrial Edge components, it is highly recommended protecting them by suitable protection measures, e.g., firewalls with block-by-default rulesets for in- and outgoing traffic.

In general, all system components are initializing connections from lower level to upper level using a secured communication channel (by using TLS encryption).

All components operated by the customer should be protected by a suitable perimeter protection.

This means especially protecting the communication

between the IEDs running in the cell level
between the IEDs and the connected IEM running in the Industrial Zone
between the IEM and any external component running on the internet

This can be achieved, e.g., by installing local firewall devices and tunneling the communication between the IEM and the IEH via a dedicated HTTPS proxy with valid access restrictions. In case the IEM is running in a public cloud, the communication between the IEDs and the IEMs can also be routed through a proxy.

One can look up here which domains the Industrial Edge ecosystem running in your environment is contacting.

Furthermore, the required network ports for communication between the Industrial Edge components on the corresponding firewalls are documented here.

A firewall should have always a block-by-default policy for in- and outgoing connections to prevent unauthorized communication from and to an Industrial Edge Device which was compromised by an attacker. Having also a block-by-default ruleset for egress traffic hinders an attacker from loading data and binaries from untrusted sources.

All required communication between the IEDs and the IEM and the IEM and the IEH are initiated only from one type of system. This implies that only an IED is initiating the communication to the IEM, but the IEM is NOT initiating the communication to IEDs. Similarly, only an IEM instance is the initiator of a connection to the IEH, but the IEH is NOT initiating the communication to IEMs.

In case Industrial Edge Apps are exposing their services on additional ports, i.e., not using the standard ones provided by the IED, one has to open the firewall to allow connections from these additional ports of the Industrial Edge Device to the app-specific backend services; same holds for additional app-specific incoming ports.

Administrative access (e.g., SSH) to the IEDs or orchestrator backends on which the IEM instances are running must NOT be exposed to untrusted networks - especially the internet.