Industrial Edge App security¶
The Industrial Edge Ecosystem provides certain features for secure Edge App operations.
The Edge Device provides a reverse proxy for apps which is responsible for TLS termination, secure HTTP header injection and central certificate management.
Apps can, optionally, expose ports directly to the network if needed to support protocols other than HTTP. The app provider is in that case responsible for implementing secure communication and authentication/authorization measures as part of the app.
Edge Apps are operated in a containerized environment. During the Edge App deployment, the operator is notified about privileges and resources requested from the Edge App. The operator can either accept or deny these privileges.
Siemens Edge Apps are digitally signed by Siemens, and are presented to the operator as trusted Edge Apps.
| Component | Purpose | IE offering & app partner responsibility |
|---|---|---|
| Confidentiality | Encrypted communication client / server side |
|
Encrypted communication for data in transit:
|
To be done by app providers. Apps in the IE Hub are virus checked and signed. | |
| Secure storage of data and configuration (e.g cloud access credentials) | IED disk encryption | |
| Integrity | App File Integrity | Digital signing of apps only from IE Hub |
| Availability | Backup of App | Provided by IE State Service |
| Backup of configuration | Provided by IE State Service | |
| Offline Operation | IEDs and apps can operate completely offline except apps that require an Internet connection such as the IE Cloud Connector (this is described in the respective manual). Even when the administrative connection is lost, data is still collected and forwarded. Connection is only required for configuring the app and for maintenance purposes, for example for updates or new app deployments, and are fully controlled by the operator. |