
Industrial Edge Device Security

Industrial Edge Devices are built by various Industrial Edge Device Builders. Depending on the intended operational environment, device builders apply different security measures; which measures are applied on a given Industrial Edge Device must be clarified with the corresponding device builder.

This covers the software footprint of the operating system, the hardening measures applied to the system configuration, and whether the additional security measures described in the table below are activated.

App isolation always depends on the app itself having a sound security model. As described, Industrial Edge Apps are essentially docker-compose.yml projects and may request elevated privileges. Some elevated privileges break the container isolation and grant access to the resources of the underlying operating system. As described here, admission control for such Industrial Edge Apps is performed by the Industrial Edge Management.

If the device builder provides SSH or any other console access to the device, it must be ensured that only trustworthy users have access. A user with such access can, depending on their privileges, bypass the admission control by starting a container directly from the shell, and can change the entire system configuration.
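The admission control mentioned above has to decide, per compose project, which of the requested privileges actually break container isolation. The following is an added example of such a policy check, not Siemens code and not the Industrial Edge Management's real implementation: the compose project is assumed to be already parsed into a dictionary (a JSON document is used here because JSON is valid YAML and needs no extra package), and the list of isolation-breaking settings and the sample project are assumptions constructed for the example.

```python
"""Hypothetical admission-policy check for an Industrial Edge style
docker-compose project. Added example, not Siemens code."""
import json

# Constructed sample compose project. Service "ui" only joins the local
# proxy_redirect network; "collector" requests several elevated privileges.
SAMPLE_COMPOSE = json.loads("""
{
  "version": "2.4",
  "services": {
    "ui": {
      "image": "example/app-ui:1.0",
      "networks": ["proxy_redirect"]
    },
    "collector": {
      "image": "example/collector:1.0",
      "privileged": true,
      "network_mode": "host",
      "cap_add": ["SYS_ADMIN", "NET_RAW"],
      "volumes": ["/var/run/docker.sock:/var/run/docker.sock", "./data:/data"]
    }
  }
}
""")

# Capabilities and host paths that give a container a way out of its
# isolation boundary (assumed policy list; tune it to the device's needs).
ISOLATION_BREAKING_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE",
                           "SYS_RAWIO", "NET_ADMIN", "DAC_READ_SEARCH"}
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/run/docker.sock",
                        "/dev", "/proc", "/sys", "/etc", "/")


def _host_source(volume):
    """Return the host-side source of a compose volume entry (short or long form)."""
    if isinstance(volume, str):
        return volume.split(":", 1)[0]
    return volume.get("source", "")


def _is_sensitive_path(src):
    return src in SENSITIVE_HOST_PATHS or any(
        src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/")


def find_elevated_privileges(compose):
    """List (service, finding) pairs for every setting that breaks isolation."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        if svc.get("privileged"):
            findings.append((name, "privileged: true"))
        for key in ("network_mode", "pid", "ipc"):
            if svc.get(key) == "host":
                findings.append((name, f"{key}: host"))
        for cap in svc.get("cap_add", []):
            c = cap.upper()
            c = c[4:] if c.startswith("CAP_") else c
            if c in ISOLATION_BREAKING_CAPS:
                findings.append((name, f"cap_add: {cap}"))
        for vol in svc.get("volumes", []):
            src = _host_source(vol)
            if _is_sensitive_path(src):
                findings.append((name, f"host mount: {src}"))
        if svc.get("devices"):
            findings.append((name, "devices: " + ", ".join(svc["devices"])))
    return findings


def admit(compose, allow_elevated=False):
    """Admission decision: reject any project with findings unless the
    operator explicitly allowed elevated privileges for it."""
    findings = find_elevated_privileges(compose)
    return (allow_elevated or not findings), findings


if __name__ == "__main__":
    ok, found = admit(SAMPLE_COMPOSE)
    print("admitted" if ok else "rejected")
    for service, what in found:
        print(f"  {service}: {what}")
```

NET_RAW is deliberately not in the list: it widens what the container can do on its own network namespace but does not by itself grant access to host resources, which is the distinction the page draws.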

Whether the Industrial Edge Device has a local firewall, and how it is configured, depends on the device builder.

The Industrial Edge Device web interface provides an administration interface (exposed via HTTPS) that can be used by registered Industrial Edge Management users with sufficient permissions.

Here, logs can be collected, the device can be upgraded and restarted, and local truststores can be configured; the local truststores are used to validate the connection to the Industrial Edge Management.

The same web server that exposes the admin interface also exposes Industrial Edge Apps if they are to be exposed via the local proxy_redirect network.

| Component | Purpose | Description |
|---|---|---|
| Physical Device | Physical access protection | Depending on the security requirements of the intended use case, devices must be physically secured (e.g. by mounting them in a locked rack or another secured environment). |
| | Disk encryption | Depending on the intended use case, the disk must be encrypted (this must be supported by the hardware via an appropriate TPM module and by the device builder) to prevent attackers who steal the persistent storage of the Industrial Edge Device from gaining access to confidential data (certificate keys, access tokens or any other data used for authentication). |
| | Access to firmware or bootloader menus | Depending on the intended operational environment, access to the configuration menus of the firmware (e.g. BIOS, UEFI) and of the bootloaders must be protected by assigning a secure, device-specific password. |
| Trusted deployment | Trusted environment for first installation | The Edge Device is delivered with a fully installed Industrial Edge Device OS (IED-OS), secured by default from the manufacturer site.\* |
| Secure Boot | Verified boot artifacts | With Secure Boot, UEFI only launches verified and unaltered Industrial Edge boot artifacts that are digitally signed by Siemens. |
| IMA | Linux Integrity Measurement Architecture | Industrial Edge implements the Linux Integrity Measurement Architecture (IMA) to guarantee the integrity of the loaded modules. |
| Measured boot | Measure trusted boot and update channels | Measured boot checks the integrity of the whole boot chain and compares it with the trusted initial deployment. The fingerprints are stored in crypto hardware. |
| Digital signatures for Industrial Edge software artifacts | Integrity and authenticity of the software artifacts | CMS (Cryptographic Message Syntax) signatures and dedicated Industrial Edge code-signing certificates ensure that the code has not been corrupted and that the origin of the software has not been altered. |
| Secure onboarding | Trust establishment from Edge Devices to the Industrial Edge Management | The onboarding process is secured by a one-time token that must be transferred from the Industrial Edge Management to the IED. The operator is responsible for protecting the token from unauthorized access during the transfer. The token expires a defined time period (2 hours) after being issued. |
| System update | Keep the system updated and secure | Software updates can only be initiated from the IEM and can be scheduled. Remote system update functionality is provided by the ecosystem. The operator of the Industrial Edge Management is notified when new updates are available and is responsible for keeping the system up to date. This feature is optional for device builders. |
| Advanced view (App Developer Mode) | Enhances the developer experience by streamlining container management and debugging tasks | It enables port forwarding of internal Docker container ports, live logs of application containers, interactive terminal access for remote container management, file management for transferring files to mounted volumes, and detailed container metadata. Perform these operations cautiously; the operator is responsible for any disruptions, including potential container failures. Enabling the advanced view allows all users with access to the app to potentially compromise the data specific to that app. It is the app developer's responsibility to ensure the confidentiality, integrity, and availability of this data. |

\*planned
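The Measured boot row above says the whole boot chain is measured, compared with the trusted initial deployment, and the fingerprints are kept in crypto hardware. The following added example (not Siemens, device-builder or TPM code; the artifact contents, stage names and the SHA-256 PCR bank are constructed assumptions) emulates that mechanism in software: each stage is hashed and folded into a PCR-style register that can only be extended, the final value is compared with the golden value recorded at deployment, and the measurement log is used to name the first stage that changed.

```python
"""Emulated measured-boot verification. Added example, not the device's
actual firmware or TPM code: it shows how a PCR-style hash chain over the
boot artifacts yields one fingerprint that can be compared with the value
recorded at the trusted initial deployment."""
import hashlib

PCR_SIZE = 32  # SHA-256 PCR bank (assumption for this example)

# Constructed stand-ins for the boot chain artifacts, in boot order.
TRUSTED_BOOT_CHAIN = [
    ("bootloader", b"constructed bootloader image v1"),
    ("kernel", b"constructed kernel image v1"),
    ("initrd", b"constructed initrd image v1"),
    ("ied-os-root", b"constructed IED-OS root image v1"),
]


def measure(data: bytes) -> bytes:
    """Measurement of one artifact: its SHA-256 digest."""
    return hashlib.sha256(data).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style PCR extend: PCR_new = H(PCR_old || measurement).
    The register can only be extended, never set directly, so a later
    stage cannot erase the evidence of an earlier, altered stage."""
    return hashlib.sha256(pcr + measurement).digest()


def measure_chain(chain):
    """Return (final PCR value, measurement log) for an ordered boot chain."""
    pcr = bytes(PCR_SIZE)  # PCRs start at all zeros after a reset
    log = []
    for name, data in chain:
        m = measure(data)
        pcr = extend(pcr, m)
        log.append((name, m.hex()))
    return pcr, log


def replay_log(log):
    """Recompute the PCR value from a measurement log alone; a log that
    does not replay to the PCR value has been tampered with."""
    pcr = bytes(PCR_SIZE)
    for _, digest_hex in log:
        pcr = extend(pcr, bytes.fromhex(digest_hex))
    return pcr


def verify_boot(chain, golden_pcr, golden_log):
    """Compare the measured chain against the trusted deployment.
    Returns (ok, name of the first divergent stage or None)."""
    pcr, log = measure_chain(chain)
    if pcr == golden_pcr:
        return True, None
    # Same final value is impossible after a change; walk the logs to
    # name the first stage whose measurement differs from the golden one.
    for (name, actual), (_, expected) in zip(log, golden_log):
        if actual != expected:
            return False, name
    return False, "chain length"  # identical prefix, stages added or missing


if __name__ == "__main__":
    golden_pcr, golden_log = measure_chain(TRUSTED_BOOT_CHAIN)
    print("golden PCR:", golden_pcr.hex())
    modified = list(TRUSTED_BOOT_CHAIN)
    modified[1] = ("kernel", b"constructed kernel image v1 (modified)")
    print("verify original:", verify_boot(TRUSTED_BOOT_CHAIN, golden_pcr, golden_log))
    print("verify modified:", verify_boot(modified, golden_pcr, golden_log))
```

The golden value would normally be sealed in the TPM or stored by the Industrial Edge Management at deployment; only the comparison logic is shown here, and the per-stage log is what turns a bare "PCR mismatch" into an actionable finding.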
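The Secure onboarding row states three properties of the onboarding token: it is issued by the Industrial Edge Management for one device, it is one-time, and it expires 2 hours after being issued. The following added example (not Siemens code and not the IEM's real token format; the HMAC signing, the claim names, the wire encoding and the sample key are assumptions of this example) implements an issuer/verifier with exactly those properties, including the rejection paths a verifier needs.

```python
"""Hypothetical issuer/verifier for a one-time, time-limited onboarding
token. Added example, not the Industrial Edge Management's implementation."""
import base64
import hashlib
import hmac
import json
import secrets
import time

TOKEN_LIFETIME_S = 2 * 60 * 60  # 2 hours, as stated for Industrial Edge


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


class OnboardingTokenService:
    """Issues tokens bound to a device name and consumes each one at most once."""

    def __init__(self, signing_key: bytes):
        self._key = signing_key
        self._pending = {}  # jti -> expiry timestamp; entry removed on redeem

    def issue(self, device_name: str, now=None) -> str:
        issued = int(time.time() if now is None else now)
        claims = {"jti": secrets.token_hex(16), "dev": device_name, "iat": issued}
        payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
        sig = hmac.new(self._key, payload, hashlib.sha256).digest()
        self._pending[claims["jti"]] = issued + TOKEN_LIFETIME_S
        return _b64(payload) + "." + _b64(sig)

    def redeem(self, token: str, device_name: str, now=None):
        """Validate and consume a token. Returns (accepted, reason)."""
        now = time.time() if now is None else now
        try:
            p_b64, s_b64 = token.split(".")
            payload, sig = _unb64(p_b64), _unb64(s_b64)
        except ValueError:
            return False, "malformed"
        expected = hmac.new(self._key, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(sig, expected):
            return False, "bad signature"  # checked before any state lookup
        claims = json.loads(payload)
        if claims.get("dev") != device_name:
            return False, "device mismatch"
        expiry = self._pending.get(claims["jti"])
        if expiry is None:
            return False, "unknown or already used"
        if now > expiry:
            self._pending.pop(claims["jti"])
            return False, "expired"
        self._pending.pop(claims["jti"])  # single use: consumed on success
        return True, "ok"


if __name__ == "__main__":
    svc = OnboardingTokenService(b"constructed-signing-key")
    tok = svc.issue("ied-001")
    print(svc.redeem(tok, "ied-001"))  # first use accepted
    print(svc.redeem(tok, "ied-001"))  # second use rejected
```

The server-side `_pending` table is what makes the token one-time: the signature alone proves origin, but only removing the token's id on first use prevents a replay by anyone who observed it during the transfer the operator is asked to protect.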