
Industrial Edge App Security

The Industrial Edge Ecosystem provides certain features for secure Industrial Edge App operations.

Exposing an Industrial Edge App on an Industrial Edge Device

The Industrial Edge Device itself has an NGINX-based reverse proxy which can be used by Industrial Edge Apps. In this case the reverse proxy is responsible for TLS termination and for injecting secure HTTP headers. Its certificate can be managed by the local Industrial Edge Admin web interface running on each Industrial Edge Device. Certain services provided by Industrial Edge Apps can be exposed by specifying metadata which is used to dynamically configure the NGINX web server. This can be done by the Industrial Edge App publisher or by the Industrial Edge Management during the installation process.

Basically, it maps a unique redirect path on the NGINX instance to the running workload container.

Alternatively, apps can – if needed – directly expose their services via network ports on the device or local networks, e.g., for supporting other protocols than HTTP. The App Developer is in this case responsible for implementing secure communication and authentication/authorization measures as part of the app.

The exposure of a container within an Industrial Edge App can be further reduced using local Docker networks which are

  • Not exposed and/or routed publicly or
  • Not shared between different Industrial Edge Apps.

Evaluating Elevated Privileges of Industrial Edge Apps

Industrial Edge Apps are operated on a container runtime environment (Docker) on a local Industrial Edge Device. An Industrial Edge App can consist of multiple containers. The entire network design of an Industrial Edge App and its assigned privileges are the responsibility of the App Developer. By choosing a suitable network design, the App Developer decides which services of an app are exposed and which are not.

When an Industrial Edge App is requested to be installed on an Industrial Edge Device, the Industrial Edge Operator is informed about the privileges and security-relevant resources requested by the Industrial Edge App. Such resources could be, e.g., critical host paths or device files. If a warning message is created, the Industrial Edge Operator can either accept or deny these privileges. A block message means the Industrial Edge App cannot be installed on the target Industrial Edge Device at all. The same mechanism is also provided for specific features required by an Industrial Edge App. For such use cases, the App Developer must specify the requested feature (e.g. the requirement of having a specific GPU type on the target Industrial Edge Device). If the feature is available, an allow message is created; otherwise, depending on the feature, a warning or block message is created by the Industrial Edge Management.

Siemens Edge Apps are digitally signed by Siemens, and are presented to the Industrial Edge operator as trusted Industrial Edge Apps.

Apps - if they are unprivileged - have certain isolation boundaries. Standard apps are intended to have CPU limits assigned and not to share resources of the underlying host.

It is strongly recommended to apply the principle of least privilege to Industrial Edge Apps, especially if Linux host namespaces are used, since these break the isolation of a container. App Developers should also avoid using privileged users (like the root user). Additionally, minimizing the software footprint of an Industrial Edge App and applying a secure configuration helps to reduce the attack surface of an exposed app. App Developers are responsible for applying these measures and for mitigating vulnerabilities by updating app versions containing vulnerable components in the Industrial Edge Hub. The Industrial Edge Operator is responsible for installing updated versions on the corresponding Industrial Edge Devices.
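The following Docker Compose file is an added example and not Siemens code or the Industrial Edge app metadata format; it shows how the measures from this section and the "local Docker networks" list above can be expressed for a two-container app: a web container that is reachable only over a network shared with the reverse proxy, a worker container on an internal network that is neither routed externally nor shared with other apps, no ports published on the host, CPU and memory limits, a non-root user, and dropped Linux capabilities. The image names, the `proxy-net` network name, the exposed port and the resource values are assumptions.

```yaml
# Added example (not Siemens code): least-privilege layout for an
# Industrial Edge App consisting of two containers.
# Assumed: image names, the network the device reverse proxy uses
# ("proxy-net"), port 8080 and the resource limits are placeholders.
services:
  web:
    image: example/edge-app-web:1.0.0        # placeholder image
    user: "1000:1000"                        # unprivileged user, not root
    read_only: true                          # immutable root filesystem
    tmpfs:
      - /tmp                                 # writable scratch space only
    cap_drop:
      - ALL                                  # no Linux capabilities needed
    security_opt:
      - no-new-privileges:true               # block setuid privilege escalation
    cpus: "0.5"                              # CPU limit, do not starve the host
    mem_limit: 256m
    expose:
      - "8080"                               # visible to attached networks only,
                                             # NOT published on the host (no "ports:")
    networks:
      - proxy-net                            # path the reverse proxy forwards to
      - app-internal                         # talks to the worker

  worker:
    image: example/edge-app-worker:1.0.0     # placeholder image
    user: "1000:1000"
    read_only: true
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    cpus: "1.0"
    mem_limit: 512m
    networks:
      - app-internal                         # no route to the proxy or the host

networks:
  proxy-net:
    external: true                           # assumed: pre-existing network shared
                                             # with the device's reverse proxy
  app-internal:
    internal: true                           # no external routing; private to this app
```

Compared with publishing ports via `ports:`, only the `web` service is reachable at all, and only from the proxy network; the `worker` service has no path to the host, other apps or the outside, which is what the "not exposed and/or routed publicly" and "not shared between different Industrial Edge Apps" properties above describe. The `cpus` and `mem_limit` keys are service-level attributes of the Compose specification; if host namespaces (`network_mode: host`, `pid: host`) or `privileged: true` are added, these isolation boundaries are broken and the elevated-privilege handling described below applies.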

Some Industrial Edge Apps have elevated requirements for fulfilling their intended tasks and need special permissions which break the isolation boundaries. Use cases for such apps include diagnosing other apps or the underlying device, or requiring layer-2 access for communication via industrial protocols. Elevated privileges are managed by the Industrial Edge Management and its integrated policy engine.

| Component | Purpose | IE offering & app partner responsibility |
|---|---|---|
| Confidentiality | Encrypted communication client / server side | Via the reverse proxy (an included component running on the Industrial Edge Device) or as part of the app (app provider). The reverse proxy provides central TLS termination for the system and apps, including authentication; any app-specific termination must be implemented by the app provider. |
| | Encrypted communication for data in transit: data sent to the cloud; data collected from PLCs or other devices | To be done by App Developers. |
| | | Apps in the IE Hub are virus checked and signed; elevated privileges are only allowed for Industrial Edge Apps provided by the customer or signed by a privileged organization. The policy enforcement point for app isolation is the customer's Industrial Edge Management. See also [here](ie_management_security.md). |
| | Secure storage of data and configuration (e.g. cloud access credentials) | IED disk encryption; access credentials shall be stored in the app-specific private ``.cfg-data`` directory, which is not exposed to other non-privileged apps. Storing app-specific secrets (access credentials, private keys, ...) securely needs to be managed by the provider of the Industrial Edge App. |
| | Rotation of Secrets / Key Material | Rotating secrets used by an Industrial Edge app is the responsibility of the App Developer. |
| Integrity | App File Integrity | Digital signing of apps in case they are consumed from the IE Hub. To ensure the integrity of the app itself, only dedicated apps signed by a privileged identity (Siemens) can request privileges which break the app-isolation boundaries. Privilege management is done by the Industrial Edge Management and its [policy engine](./ie_management_security.md). |
| Availability | Backup of App | Provided by IE State Service |
| | Backup of configuration | Provided by IE State Service |
| | Offline Operation | IEDs and apps can operate completely offline, except apps that require an Internet connection such as the IE Cloud Connector (this is described in the respective manual). Even when the administrative connection is lost, data is still collected and forwarded. A connection is only required for configuring the app and for maintenance purposes, for example for updates or new app deployments, and these are fully controlled by the operator. Caching of application-related data is the responsibility of the App Developer. Changing the set of installed apps on the device requires connectivity to the Industrial Edge Management. |
| Auditability/Logging | Creation of App-specific Log messages | Generation of app-specific logs is the responsibility of the provider of the Industrial Edge App. The Industrial Edge ecosystem itself only logs the installation and removal of Industrial Edge apps. |
| | Auditing changes in the app configuration on a device | Audit logs describing change requests on an Industrial Edge device are created by the Industrial Edge Management. |