Siemens Industrial Edge Virtual Device User manual

Type
User manual

Siemens Industrial Edge Virtual Device is a Linux virtual machine based on Debian 11 and the Industrial Edge Device Kit that enables users to run Industrial Edge applications in a virtualized environment. It offers secure network segmentation, hard reset capability, secure logging, trusted deployment of updates, and authentication via Industrial Edge mechanisms. Use cases include running edge applications in a virtualized environment, prototyping and testing edge applications, and developing and deploying edge solutions in a secure and scalable manner.


Industrial Edge Virtual Device
Operating Manual
03/2023

1 Introduction
2 Documentation
3 Release notes
4 FAQ
Siemens AG
Digital Industries
Postfach 48 48
90026 NÜRNBERG
GERMANY
03/2023 Subject to change
Copyright © Siemens AG 2023.
All rights reserved
Legal information
Warning notice system
This manual contains notices you have to observe in order to ensure your personal safety, as well as to prevent damage to property. The notices referring to your personal safety are highlighted in the manual by a safety alert symbol; notices referring only to property damage have no safety alert symbol. The notices shown below are graded according to the degree of danger.
DANGER
indicates that death or severe personal injury will result if proper precautions are not taken.
WARNING
indicates that death or severe personal injury may result if proper precautions are not taken.
CAUTION
indicates that minor personal injury can result if proper precautions are not taken.
NOTICE
indicates that property damage can result if proper precautions are not taken.
If more than one degree of danger is present, the warning notice representing the highest degree of danger will
be used. A notice warning of injury to persons with a safety alert symbol may also include a warning relating to
property damage.
Qualified Personnel
The product/system described in this documentation may be operated only by personnel qualified for the specific
task in accordance with the relevant documentation, in particular its warning notices and safety instructions.
Qualified personnel are those who, based on their training and experience, are capable of identifying risks and
avoiding potential hazards when working with these products/systems.
Proper use of Siemens products
Note the following:
WARNING
Siemens products may only be used for the applications described in the catalog and in the relevant technical
documentation. If products and components from other manufacturers are used, these must be recommended
or approved by Siemens. Proper transport, storage, installation, assembly, commissioning, operation and
maintenance are required to ensure that the products operate safely and without any problems. The permissible
ambient conditions must be complied with. The information in the relevant documentation must be observed.
Trademarks
All names identified by ® are registered trademarks of Siemens AG. The remaining trademarks in this publication
may be trademarks whose use by third parties for their own purposes could violate the rights of the owner.
Disclaimer of Liability
We have reviewed the contents of this publication to ensure consistency with the hardware and software
described. Since variance cannot be precluded entirely, we cannot guarantee full consistency. However, the
information in this publication is reviewed regularly and any necessary corrections are included in subsequent
editions.
Table of contents
1 Introduction (Page 5)
2 Documentation (Page 7)
2.1 Before we start (Page 7)
2.2 Import IEVD (Page 8)
2.2.1 How to import IEVD to VMware ESXi (Page 8)
2.2.2 Verification & Adjustment of Resources (Page 8)
2.3 Booting your IEVD (Page 10)
2.4 Onboard your IEVD to your Industrial Edge Management (IEM) (Page 10)
2.4.1 Web Onboarding (Page 10)
2.4.2 Local Onboarding (Page 11)
3 Release notes (Page 13)
3.1 Release Notes (Page 13)
4 FAQ (Page 15)
4.1 General (Page 15)
4.2 Virtualization Platforms (Page 15)
4.3 Connectivity (Page 16)
1 Introduction
Welcome to the documentation of the Industrial Edge Virtual Device (IEVD).
The IEVD is a virtual machine image based on the Linux Debian 11 (bullseye) distribution and the Industrial Edge Device Kit Version 1.12.0-3, which we minimized and tailored to serve as a virtual Industrial Edge Runtime.
Security information
Siemens provides products and solutions with industrial security functions that support the secure operation of plants, systems, machines and networks.
In order to protect plants, systems, machines and networks against cyber threats, it is necessary to implement and continuously maintain a holistic, state-of-the-art industrial security concept. Siemens products and solutions only form one element of such a concept.
The customer is responsible for preventing unauthorized access to its plants, systems, machines and networks. Systems, machines and components should only be connected to the enterprise network or the internet if and to the extent necessary, and with appropriate security measures (e.g. use of firewalls and network segmentation) in place.
Additionally, Siemens' guidance on appropriate security measures should be taken into account. For more information about industrial security, please visit https://www.siemens.com/industrialsecurity
Siemens products and solutions undergo continuous development to make them more secure. Siemens strongly recommends applying product updates as soon as they are available and always using the latest product versions. Use of product versions that are no longer supported, and failure to apply the latest updates, may increase customers' exposure to cyber threats.
To stay informed about product updates, subscribe to the Siemens Industrial Security RSS Feed under https://www.siemens.com/industrialsecurity
Security Measures
To fulfill the "Security Guidelines for Device Builders", the following security measures were taken during development of the Industrial Edge Virtual Device:
Network Segmentation
By default, the IEVD prohibits general routing or bridging between its connected networks. This prevents the device from operating as a bridge between two networks, which would override the existing subnet segmentation that may enforce the security policies of the users' network operators.
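A guest-side check of the segmentation property described above, added here as an example and not part of the Siemens manual: it verifies that IP forwarding is disabled and that none of the VM's network adapters is enslaved to a bridge or other master device. It assumes a Debian 11 guest with procps (sysctl) and iproute2 (ip), and that app containers, if any, use veth pairs attached to an internal bridge; the parsing functions take command output as text so they can be exercised with constructed input.

```shell
#!/bin/sh
# Added example, not from the Siemens manual: verify from inside the guest that
# the VM is neither routing nor bridging between its network interfaces, which
# is the default segmentation behavior the manual describes for the IEVD.
# Assumes a Debian 11 guest with procps (sysctl) and iproute2 (ip).

# Returns 0 when IPv4 and IPv6 forwarding are both disabled.
# $1: sysctl-style "key = value" lines, as printed by "sysctl <key> ...".
forwarding_disabled() {
    printf '%s\n' "$1" | awk '
        /^net\.ipv4\.ip_forward *=/ || /^net\.ipv6\.conf\.all\.forwarding *=/ {
            if ($NF != "0") bad = 1
        }
        END { if (bad) exit 1; exit 0 }'
}

# Returns 0 when no VM adapter is enslaved to a bridge, bond or VRF device;
# an enslaved port shows "master <dev>" in "ip -o link show". veth interfaces
# are skipped: container veths attach to an internal bridge by design
# (assumption), which does not join the VM's own adapters together.
# $1: output of "ip -o link show", one interface per line.
no_enslaved_ports() {
    ! printf '%s\n' "$1" | grep -v '^[0-9]*: veth' | grep -q ' master '
}

# Run both checks against the live guest; prints a verdict per check and
# returns 1 if either property is violated or cannot be read.
check_segmentation() {
    rc=0
    fwd=$(sysctl net.ipv4.ip_forward net.ipv6.conf.all.forwarding 2>/dev/null)
    if [ -z "$fwd" ]; then
        echo "forwarding: could not read sysctl values"; rc=1
    elif forwarding_disabled "$fwd"; then
        echo "forwarding: disabled"
    else
        echo "forwarding: ENABLED (guest could route between its networks)"; rc=1
    fi
    links=$(ip -o link show 2>/dev/null)
    if [ -z "$links" ]; then
        echo "bridging: could not list interfaces"; rc=1
    elif no_enslaved_ports "$links"; then
        echo "bridging: no adapter enslaved to a master device"
    else
        echo "bridging: an adapter is enslaved to a master device"; rc=1
    fi
    return $rc
}

# Invoke as "sh segcheck.sh run" to check the live system; without the
# argument only the functions are defined.
if [ "${1:-}" = "run" ]; then check_segmentation; fi
```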
Hard Reset
Whenever the hard reset is triggered, all security-relevant information is deleted from the device, so that devices can be wiped for other use cases without a subsequent user being able to retrieve pre-existing information.
Handling of Onboarding Credentials
Onboarding credentials are transferred only via secured connections and are not persistently stored on the device, to prevent intruders from capturing files and gaining access to devices or the IEM.
Time Synchronization
Time is synchronized with the IEM after onboarding to ensure up-to-date information within the device. During the initial boot sequence, the time is taken from the (virtual) RTC of the hardware.
Storage of Credentials
Credentials and certificates are stored in a secure manner, as far as this is within the scope of the device.
Secure Logging
The device emits logs via an API so that they can be exported by the IEM for auditing and operational purposes.
Trusted Deployment of Updates
Updates are deployed and applied only after the integrity of the update package has been validated, to prevent the execution of malicious update images.
Authentication
There are no authentication mechanisms implemented by the device itself. Users authenticate only via Industrial Edge mechanisms.
Root privileges / Runtime protection
The user is given no authentication to the device itself, and therefore cannot gain root privileges by accessing the device directly.
Miscellaneous
Because the IEVD executes virtually, a secured environment is assumed. Therefore, no strong security measures against physical intrusion are taken by the device; such measures may instead be achieved by the user with hypervisor features (e.g., encryption).
With regard to remote intrusion, the device is secured and does not provide any remote interfaces or open ports beyond the Industrial Edge platform dependencies.
2 Documentation
2.1 Before we start
Please make sure you fulfill the following requirements:
VMware ESXi: version ESXi 6.7 U2 or higher
Access to Industrial Edge Management:
To use the IEVD, it needs to be onboarded to an Industrial Edge Management (IEM) by a user with the rights to onboard new Edge Devices.
For more information, please refer to Support Industry Siemens (https://support.industry.siemens.com/cs/de/en/view/109782481).
Network requirements:
Network connectivity needs to be available for the virtual machine.
DHCP-based IPv4 address assignment to IEVD instances is preferable.
The IEM must be reachable from the assigned network (see Support Industry Siemens (https://support.industry.siemens.com/cs/de/en/view/109782481)).
Minimum System Requirements of Virtual Machine:
1 virtual CPU core
4 GB RAM
15 GB virtual disk
1 virtual network adapter
Note
The requirements are defined to get the IEVD up and running. Depending on your planned Edge Apps, these requirements might not be sufficient. Adjusting the values is possible (please refer to "Adjust VM Resources" in the chapter Verification & Adjustment of Resources (Page 8)).
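A pre-flight check that compares a running guest against the minimum VM requirements listed above, added here as an example and not part of the Siemens manual. The thresholds (1 vCPU, 4 GB RAM, 15 GB disk, 1 network adapter) are the manual's; the commands used to measure the guest (nproc, free, lsblk, ip) and the RAM tolerance are this example's assumptions for a Debian 11 guest.

```shell
#!/bin/sh
# Added example, not from the Siemens manual: compare an IEVD guest against the
# minimum VM requirements of section 2.1 (1 vCPU, 4 GB RAM, 15 GB disk, 1 NIC).
# The thresholds are the manual's; the measuring commands (nproc, free, lsblk,
# ip) are this example's assumptions for a Debian 11 guest.

MIN_CPU=1
MIN_RAM_MB=4096
MIN_DISK_GB=15
MIN_NICS=1
# "free" reports the memory usable by the kernel, which is somewhat below the
# size configured in the hypervisor, so a small tolerance is allowed on RAM.
RAM_TOLERANCE_MB=256

# Evaluate measured values against the minimums. Prints every unmet
# requirement and returns 1; returns 0 when all requirements are met.
# $1: vCPU count, $2: RAM in MB, $3: total disk size in GB, $4: non-loopback NICs
meets_requirements() {
    cpu=$1; ram_mb=$2; disk_gb=$3; nics=$4
    rc=0
    [ "$cpu" -ge "$MIN_CPU" ] || { echo "CPU: $cpu vCPU < $MIN_CPU"; rc=1; }
    [ "$ram_mb" -ge $((MIN_RAM_MB - RAM_TOLERANCE_MB)) ] || { echo "RAM: ${ram_mb} MB < ${MIN_RAM_MB} MB"; rc=1; }
    [ "$disk_gb" -ge "$MIN_DISK_GB" ] || { echo "Disk: ${disk_gb} GB < ${MIN_DISK_GB} GB"; rc=1; }
    [ "$nics" -ge "$MIN_NICS" ] || { echo "NICs: $nics < $MIN_NICS"; rc=1; }
    return $rc
}

# Measure the live guest and evaluate it. Disk size is the sum of all block
# devices of type "disk" (the virtual disks attached to the VM) in GiB, not a
# filesystem size, so it reflects the hypervisor setting even before the
# first-boot expansion described in section 2.3.
check_guest() {
    cpu=$(nproc)
    ram_mb=$(free -m | awk '/^Mem:/ { print $2 }')
    disk_gb=$(lsblk -b -d -n -o SIZE,TYPE | awk '$2 == "disk" { s += $1 } END { print int(s / 1073741824) }')
    # Every interface except the loopback; on an onboarded device this also
    # counts virtual interfaces created by apps, so confirm the adapter count
    # in the hypervisor as well.
    nics=$(ip -o link show | grep -vc '^[0-9]*: lo:')
    if meets_requirements "$cpu" "$ram_mb" "$disk_gb" "$nics"; then
        echo "OK: ${cpu} vCPU, ${ram_mb} MB RAM, ${disk_gb} GB disk, ${nics} NIC(s)"
    else
        echo "Below the section 2.1 minimum; adjust the VM resources in the hypervisor."
        return 1
    fi
}

# Invoke as "sh preflight.sh run" to check the live system; without the
# argument only the functions are defined.
if [ "${1:-}" = "run" ]; then check_guest; fi
```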
2.2 Import IEVD
2.2.1 How to import IEVD to VMware ESXi
1. Extract the ievd-*.tar.gz archive.
2. Navigate to your ESXi hypervisor management UI and log in.
3. Choose the cluster you want to create the IEVD in and click on Actions.
4. Click Deploy OVF Template and select Local File to browse to the extracted folder.
5. Select the *.ova file.
6. Choose a name, location and compute resource for IEVD.
7. Select storage and destination network for the instance.
8. Finish the process and wait for your import to be completed.
2.2.2 Verification & Adjustment of Resources
Verify Import
Please verify that the virtual machine matches the System Requirements of Virtual Machine.
Make sure that your virtual network adapters are connected to the right networks.
Note
Usage of two network interfaces:
The first interface is commonly used as the northbound interface and connects to the IEM.
The second interface is commonly used as the southbound interface for connecting to the shop floor devices.
Adjust VM Resources
If defaults are not sufficient, the resources may be adjusted to your needs in accordance with
the IEVD license conditions.
CPU & Memory
CPU & memory (RAM) may be configured and will be applied after reboot.
Enhanced usage of device memory
The number of installed apps is not limited statically; memory is allocated dynamically based on the apps' usage. Please observe the start-up behavior of the IEVD after installing additional apps.
Disk size
Disk size may be increased and will be applied after reboot.
Note
Disk size may not be reduced.
Shrinking of the disk size might result in data loss/corruption.
2.3 Booting your IEVD
Now it's time to fire up your IEVD.
1. Select and power on the VM you have just imported.
2. The first boot sequence takes longer, because the disk is expanded to its maximum capacity and the instance is made unique.
3. Wait for the login title screen.
Login Title Screen
The login title screen shows the IP addresses of the connected interfaces (important for web onboarding).
Additionally, you have a default Linux login shell, which can be used for local onboarding.
Note
Don't power off the VM after putting it into the suspend state. Please shut down the VM properly!
2.4 Onboard your IEVD to your Industrial Edge Management (IEM)
2.4.1 Web Onboarding
No hypervisor access is needed, but DHCP support within the connected network is required.
Prerequisites
Your IEVD instance is connected to a network with a DHCP server from which it obtains its IP address.
You have access to a generated IEM Trust json-file for your IEVD instance.
You have access to a browser that can reach the IEVD instance via port tcp/443.
Process
1. Open your browser and enter the address of your IEVD instance (e.g. https://192.168.1.10); see the login title screen if the address is unknown.
2. Onboard your IEVD by uploading the IEM Trust json-file.
3. Wait for the onboarding process to be completed.
Result
You've successfully onboarded an Industrial Edge Virtual Device.
2.4.2 Local Onboarding
No DHCP support is needed, but access to the console of the virtual machine is required.
Prerequisites
You have valid credentials of a reachable IEM that you want to onboard to.
You have access to the console of the virtual machine instance.
Process
1. Use the provided credentials to log into your IEVD instance:
User: onboarding
Password: onboarding
The password input is not echoed on the screen.
2. Follow the instructions on the screen and choose the onboarding path you prefer:
Basic: Asks only for the mandatory information needed to get you onboarded.
Advanced: Lets you configure every parameter that can also be configured in the web-based onboarding process.
Result
You've successfully onboarded an Industrial Edge Virtual Device.
3 Release notes
3.1 Release Notes
Introduction
These Release Notes contain important information.
With regard to legal validity, the information in these Release Notes takes priority over the information in the manuals and online help.
Please read these Release Notes carefully, since they contain information which might prove helpful.
Update IEVD
In case you already have an onboarded IEVD running under previous firmware version, you
can execute the firmware update via IEM as described in the IEM documentation.
Note
It is strongly recommended to make a backup copy of the device, in case a power outage or other circumstances unexpectedly interrupt the update process. When the update has been completed, please validate that your virtual machine still meets the requirements mentioned in section 2.1 "Before we start".
Note
Make sure that you have at least 4 GB of disk space available within your Edge Device to run this update. The available disk space can easily be increased by extending the virtual disk.
4 FAQ
4.1 General
What is the IEVD for?
Whenever you want to use the Industrial Edge (IE) functionality without having a physical Industrial Edge Device (IED), you can consider the Industrial Edge Virtual Device (IEVD).
What is different in the IEVD from a "real" HW device?
The goal is to have functional behavior that is as identical as possible. However, some exceptions may occur due to the virtual nature of the IEVD.
4.2 Virtualization Platforms
Which virtualization platforms are supported?
VMware ESXi is currently the first supported virtualization platform (see Before we start (Page 7) for more details).
Can I virtualize the IEVD on my laptop?
Yes. You can also import and start it within VMware Workstation or Oracle VM VirtualBox (which may need some adjustments to the VM configuration) in your local PC environment for non-productive purposes.
My IEVD does not boot and shows "No bootable medium found!" in Oracle VM VirtualBox. How can I boot it?
By default, the imported VM does not have EFI activated in Oracle VM VirtualBox. To make it bootable, enable the "Activate EFI" option within the VM settings under "System".
4.3 Connectivity
How can I realize Layer 2 access through the hypervisor?
If a vSwitch handles the connectivity between the physical NIC and the virtual NIC of the VM instance, the switch needs to be configured for "promiscuous mode" to allow L2 access, if an Edge App requires it.
Please note: enabling promiscuous mode exposes your VM to all traffic within that network.
Does the IEVD support apps that require time-deterministic (real-time) behavior?
No. Ensuring time-deterministic behavior would require special measures inside and outside the IEVD. This has not been in the scope of the IEVD so far.
