Network security and segmentation
Client access to Industrial Edge Management
The Industrial Edge Management should not be accessed through the Internet. Clients that want to access the Industrial Edge Management or Edge Devices must be located in the plant network or the Supervisory LAN.
Network communication
With Ethernet-based communication, customers are responsible for the security of their data network, because proper functioning cannot be guaranteed under all circumstances, for example in the event of targeted attacks that overload the Industrial Edge Management PCs or Edge Devices.
The Industrial Edge Management and its components must be installed in a protected zone that does not include other untrusted systems and software.
Network segments must be protected by a valid perimeter protection (e.g., a firewall). The services required by the different Industrial Edge components are documented here.
All perimeters shall enforce a block-by-default policy and restrict both inbound and outbound traffic.
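Added example, not part of the Industrial Edge documentation: a small audit of a perimeter rule table against the requirements above (no Internet reachability of the IEM, clients only from the plant network or Supervisory LAN, a terminating block-by-default rule in both directions). The address ranges, the `Rule` shape and port 443 are constructed assumptions; substitute the services documented for your Industrial Edge components.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zones (assumptions, not from the guideline): adjust to the real plant layout.
PLANT_NET = ipaddress.ip_network("10.10.0.0/16")
SUPERVISORY_LAN = ipaddress.ip_network("10.20.0.0/24")
IEM_ZONE = ipaddress.ip_network("10.30.0.0/24")
TRUSTED_CLIENTS = (PLANT_NET, SUPERVISORY_LAN)


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    direction: str       # "in" or "out", relative to the IEM zone
    src: str             # CIDR
    dst: str             # CIDR
    port: Optional[int]  # None means any port


def _is_any(cidr: str) -> bool:
    return ipaddress.ip_network(cidr).prefixlen == 0


def audit(rules: List[Rule]) -> List[str]:
    """Return findings; an empty list means the perimeter follows the guideline."""
    findings = []
    # Each direction must end in a deny-any-any rule (block-by-default).
    for direction in ("in", "out"):
        chain = [r for r in rules if r.direction == direction]
        if not chain or chain[-1].action != "deny" or not (_is_any(chain[-1].src) and _is_any(chain[-1].dst)):
            findings.append(f"no block-by-default rule terminating the {direction}bound chain")
    # Inbound allows towards the IEM zone must come from trusted client networks on a specific service.
    for r in rules:
        if r.action != "allow" or r.direction != "in":
            continue
        src, dst = ipaddress.ip_network(r.src), ipaddress.ip_network(r.dst)
        if dst.subnet_of(IEM_ZONE):
            if not any(src.subnet_of(t) for t in TRUSTED_CLIENTS):
                findings.append(f"inbound allow from {src} to IEM zone is outside plant network / Supervisory LAN")
            if r.port is None:
                findings.append(f"inbound allow from {src} permits all ports; restrict to documented services")
    return findings


# Constructed policies: a weak one exposing the IEM to any source and leaving outbound open,
# and a hardened one with allow-listed client networks and deny-by-default in both directions.
WEAK_POLICY = [
    Rule("allow", "in", "0.0.0.0/0", "10.30.0.0/24", 443),
    Rule("deny", "in", "0.0.0.0/0", "0.0.0.0/0", None),
    Rule("allow", "out", "10.30.0.0/24", "0.0.0.0/0", None),
]
HARDENED_POLICY = [
    Rule("allow", "in", "10.10.0.0/16", "10.30.0.0/24", 443),
    Rule("allow", "in", "10.20.0.0/24", "10.30.0.0/24", 443),
    Rule("deny", "in", "0.0.0.0/0", "0.0.0.0/0", None),
    Rule("allow", "out", "10.30.0.0/24", "10.10.0.0/16", 443),
    Rule("deny", "out", "0.0.0.0/0", "0.0.0.0/0", None),
]
```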
Protection of Relay Server
In the Industrial Edge Management, a relay server can be configured. This is required when Edge Devices are placed in a plant network that is separated, for example by a NAT gateway, from the control plane network in which the IEM is running. The relay server allows the Edge Devices to be accessed from the control plane network.
Customers are responsible for protecting the relay server within the Industrial Edge Management and for preventing unauthorized access to the relay server by implementing valid access restrictions and a secure configuration.