General recommendations
Securing first setup of the Industrial Edge Management
The initial setup of the Industrial Edge Management must be performed in a protected private network to ensure that the initial credentials and settings are provided by a trusted party (administrator). No default certificates are used to ensure the identity of the servers and the system during the first setup.
Customers are responsible for protecting and securing the first setup of the Industrial Edge Management and for preventing unauthorized access to it.
Securing Industrial Edge Management VMs
The installation procedure for the Industrial Edge Management VM is based on an installation medium (ISO image).
Customers are responsible for storing the installation medium in a secure environment prior to installation and for protecting the Industrial Edge Management and the VM by external measures and firewalls against direct access from the Internet.
It is strongly recommended to operate the Industrial Edge Management VM in an access-protected environment (e.g. locked in a cabinet).
Protection of USB flash drives
Onboarding Industrial Edge Devices to the Industrial Edge Management can be done through a USB flash drive. When onboarding the Edge Device to the Industrial Edge Management, unencrypted configuration data, sensitive system data and the customer's network data (the proxy password is encrypted) are stored on the USB flash drive. Customers are responsible for keeping the configuration data on the USB flash drive, and the configuration file in general, safe (confidential and integrity protected).
Customers are responsible for securely storing the USB flash drive that contains the sensitive configuration data for connecting Edge Devices and for preventing unauthorized access to the USB flash drive.
Customers are also responsible for applying the security guidelines regarding the use of USB flash drives in production facilities.
BIOS Password
In general, Industrial Edge Devices are not delivered with a BIOS password. Customers are strongly recommended to set a BIOS password.
Secure onboarding of Edge Devices
The onboarding process of Edge Devices must be according to the documentation of the specific device, as there might be unencrypted configuration data, sensitive system data and customer's network data exchanged in this process.
Network security and segmentation
Internet Exposure
Access to Industrial Edge Management must not be exposed directly to the Internet. Clients wishing to connect to Industrial Edge Management or Edge Devices must reside within the plant network or Supervisory LAN. If external access is required, it must be protected by appropriate security hardening measures, such as a Web Application Firewall (WAF) or other secure access mechanisms. Unprotected exposure to the Internet is strictly discouraged.
Network communication
When using Ethernet-based communication, customers are responsible for securing their data networks. Reliable operation cannot be guaranteed under all conditions—particularly in cases of targeted cyberattacks that may overload Industrial Edge Management PCs or Edge Devices. To mitigate such risks, the Industrial Edge Management system and its components should be deployed within a protected network zone. This zone should exclude any untrusted systems or software. All network segments must be safeguarded by appropriate perimeter protection measures, such as firewalls. The required services for various Industrial Edge components are documented separately. Perimeter configurations must enforce a default-deny policy, strictly limiting both inbound and outbound traffic to only what is explicitly permitted.
Identity and access management
Identity and access management is the process of granting authorized users the right to use a service while preventing access by non-authorized users. Identity and access management can also be referred to as rights management.
Identity and access management ensures that users have the right to use a service or group of services. Access management is the execution of information security policies and actions. It also protects confidentiality, integrity and availability (CIA).
Access management on the IE Hub is centrally done by Siemens.
Industrial Edge provides an integrated user management including role-based groups and mail-based 2-factor authentication for the IE Management, for Edge Devices and for apps (if the integrated proxy is used).
Follow the least privilege and need-to-use principles
A user with administrator rights has extensive access and manipulation options available in the system.
Therefore, customers must ensure that adequate security measures are applied to protect such accounts. Typically, a secure password shall be assigned to the administrator account, shared only with a limited set of users, and the account should only be used in an emergency. By default, personalized standard user accounts (also with secure credentials) should be used for normal operations. Using personal user accounts rather than shared ones is required for tracing activities in case a security issue occurs. Other measures, such as the use of security policies, should be applied as needed.
Following the segregation of duties principle, only administrative tasks are done with privileged accounts whereas standard operation tasks are to be handled with non-privileged user accounts.
Requirements for Operations
| Requirement | Remark |
|---|---|
| Grant access to services, service groups, data or functions only if the entity is entitled to that access | Set up groups and users in the IEM and IEDs according to your organizational needs |
| Remove access when people change roles or jobs | - |
| Regular audits of the access permissions to ensure they are still correct | - |
Further specific information
| Component | Specific component information |
|---|---|
| IEM | See also the documentation of Identity and Access Management for Industrial Edge Management and the following chapters. |
| IED | See also the documentation of Identity and Access Management in Industrial Edge Device and the following chapters. |
Securing Communication and Transport Channels
Certificates
Out of the box, HTTPS endpoints of the IEM and IEDs are secured with a private certificate authority, generated during the installation.
Users should ensure a proper chain of trust is established in the operating system. Provide certificates from trusted sources to maintain the integrity and authenticity of secure communications.
For more information, refer to Certificate Management.
Security Observability
To maintain robust and secure IT systems, users must ensure observability across their environments. Observability enables visibility into system behavior, which is critical for improving availability, confidentiality, and integrity. By collecting and analyzing logs, metrics, and traces, users can detect anomalies, prevent unauthorized access, and ensure data consistency, forming the foundation of reliable operations and effective incident response.
Audit Logs
Audit logs are detailed records of user and system activities, capturing who performed what action and when. They are primarily used for accountability, compliance, and forensic analysis, helping organizations trace changes and access to sensitive data or systems.
Security Logs
Security logs focus on events that may indicate threats or vulnerabilities within an IT environment. These logs include data such as failed login attempts, firewall activity, and malware alerts, and are essential for detecting and responding to potential security incidents.
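As an added example (not part of the Industrial Edge documentation), a small detector over constructed security log lines: it raises an alert when repeated failed logins from one source against one account fall within a short window, and additionally flags a successful login that directly follows such a burst. The log line format, the threshold and the window are assumptions made for this illustration.

```python
# Constructed example: detect failed-login bursts in security log lines.
# The line format (timestamp, event, user=..., src=...) is an assumption.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines; not real IEM/IED output.
SAMPLE_LOG = """\
2024-05-01T08:00:01 LOGIN_FAILED user=admin src=10.0.5.23
2024-05-01T08:00:03 LOGIN_FAILED user=admin src=10.0.5.23
2024-05-01T08:00:04 LOGIN_FAILED user=admin src=10.0.5.23
2024-05-01T08:00:05 LOGIN_FAILED user=admin src=10.0.5.23
2024-05-01T08:00:06 LOGIN_FAILED user=admin src=10.0.5.23
2024-05-01T08:00:07 LOGIN_OK user=admin src=10.0.5.23
2024-05-01T08:10:00 LOGIN_FAILED user=operator src=10.0.7.9
2024-05-01T08:20:00 LOGIN_FAILED user=operator src=10.0.7.9
"""

def parse_line(line):
    """Split one log line into (timestamp, event, user, source)."""
    ts, event, user, src = line.split()
    return (datetime.fromisoformat(ts), event,
            user.split("=", 1)[1], src.split("=", 1)[1])

def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return alert tuples (kind, src, user, first_ts, last_ts).

    'burst': at least `threshold` failed logins from one source against one
    account within `window`. 'success_after_burst': a successful login for
    that same (source, user) pair while a burst is still open.
    """
    failures = defaultdict(deque)   # (src, user) -> recent failure timestamps
    burst_open = set()              # pairs that already triggered a burst
    alerts = []
    for line in log_text.splitlines():
        ts, event, user, src = parse_line(line)
        key = (src, user)
        if event == "LOGIN_FAILED":
            q = failures[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside window
                q.popleft()
            if len(q) >= threshold and key not in burst_open:
                burst_open.add(key)
                alerts.append(("burst", src, user, q[0], ts))
        elif event == "LOGIN_OK":
            if key in burst_open:
                alerts.append(("success_after_burst", src, user, ts, ts))
            failures[key].clear()
            burst_open.discard(key)
    return alerts
```

The two isolated operator failures ten minutes apart stay below the threshold, while the admin burst produces one burst alert and one success-after-burst alert.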
Monitoring
Monitoring involves the continuous observation of system performance and availability. It tracks metrics like CPU usage, memory consumption, and uptime to ensure systems are running efficiently and to alert administrators to any operational issues or anomalies.
Requirements for Operation
| Requirement | Remark |
|---|---|
| Log files need to be access-protected | Log files are access protected on all Industrial Edge components and can only be written by a privileged user. |
| Retention period of logs | Logs created by the IEM and the IEH are kept for x days in case of using the SaaS solutions provided by Siemens. |
| Central logging and monitoring | There is currently no possibility to forward the logs generated by all components to a central logging (SIEM) solution that covers log aggregation for the IEM, IEDs and the apps running on them. IEMs running in the cloud forward their logs to AWS CloudWatch; logs generated on customer infrastructure are persisted according to the customer's specification. |
| Log information for support cases | In case one has a problem and needs support, log information for the corresponding devices can be collected centrally on the IEM. The generated information is an archive which can be forwarded to the Siemens support. |
Attack surface reduction
Physical access to IE components
If not operated in the cloud, the Industrial Edge Management, the connected Industrial Edge Devices and their underlying infrastructure must be installed in a protected environment that ensures physical access is limited to authorized personnel only.
Additionally, services exposed via the network shall only be accessible by the required communication peers.
Physical access protection can be applied by operating the hardware in access-protected rooms or locked racks. Attached cables should be protected against unauthorized modification of the wiring intended for the corresponding device.
Network protection must be implemented with security measures such as firewalls configured by the customer.
Further information related to network security is documented in the Network security and segmentation chapter.
Application and Runtime Hardening
Hardening Industrial Edge Apps is the responsibility of the creator of an Industrial Edge App, who must apply the least privilege principle to their App.
Siemens is responsible for the container runtime hardening and its required components (on IEDs).
The Device Builder must harden the operating system of the Industrial Edge Device.