Installation of SINEC Security Guard Sensor app
Management of sensors
On- and Offboarding is described in Sensors. Usage of notices Security events is described in Attacks.
Prerequisites for the SINEC Security Guard Sensor app
An Industrial Edge Device with at least two network interfaces is required. One of the two interfaces must be connected to the mirror port of the switch that is to be monitored.
To operate, the Industrial Edge Device needs access to the following URLs at the gateway interface:
To be able to securely store the data of the SINEC Security Guard Sensor app on the Industrial Edge Device, Siemens recommends the use of a physical IED with a TPM module.
For the secure operation of the SINEC Security Guard, comply with the defense in depth and hardening guidelines for the Industrial Edge Device.
New SINEC Security Guard Sensor app Installation
Preparing the sensor device and network
The SINEC Security Guard Sensor app is deployed on SIMATIC IPC 227E or any other Industrial Edge Device of same or higher performance class ①.
- Configure the mirror port of the switch in the target monitored network
- Identify the communication port ② and mirror port ③ for sensor device network interface
- Plug the network cable to connect the DHCP switch with the sensor communication port
- Connect to a monitor to find the DHCP IP address ④, MAC ⑤ and interface name ⑥; it helps to note down this information as it may be required in later steps
| Number | Description |
|---|---|
| ① | Example of a device where the SINEC Security Guard Sensor app is deployed at |
| Number | Description |
|---|---|
| ② | X1 P1 - Communication Port |
| ③ | X2 P1 - Mirror Port |
| Number | Description |
|---|---|
| ④ | DHCP IP address |
| ⑤ | MAC for communication port |
| ⑥ | Network interface name for communication port |
Sensor device registration on Industrial Edge Management (IEM)
Add a new sensor device on IEM
- In the IE Management portal, 'Home' ① leads to the main functions of Industrial Edge; there, 'Edge Management' ② can be used to log into the Siemens IE management
- A button ③ in the tile 'Edge Devices' leads to the list of Edge devices for further management features
-
To manage a specific Edge device, it needs to be shown in the list of Edge devices; if the desired Edge device is not shown in here, it can be created ④
- On top left of the 'New Edge Device' screen, the steps to create a new device are shown ⑤; buttons on the top right provide navigation between the steps ⑥
- In 'Device', the corresponding device type ⑦ needs to be chosen, and the sensor name ⑧ and the user name and password for logging in the IE device ⑨ need to be defined
- When done, 'Next' ⑥ leads to the next step
- The add button ⑩ can be used to open the dialogue for the network interface data
-
The “Gateway Interface” checkbox ⑪ needs to be ticked; the field for the MAC address ⑫ requires data which had been presented when preparing the sensor device and network; then the static IP address, gateway and DNS need to be entered ⑬; the button 'Add' ⑭ will close the dialogue, create the network interface and show it in the main dialogue ⑮
Note The IP address can differ from the DHCP IP address.
-
An NTP server can optionally be added ⑯
- When done, 'Next' ⑥ leads to the next step
- If no proxy is needed, the settings in 'Proxy' ⑰ can be kept as they are; otherwise just customize
- When done, 'Create' ⑥ closes the dialogue and creates the new edge device
-
An edge device onboarding file will be downloaded automatically; to download it manually, click the newly created sensor edge device ⑱, open the menu ⑲ and select “Create Onboarding File” from the menu ⑳
| Number | Description |
|---|---|
| ① | Menu item 'Home' |
| ② | Tile 'Edge management' |
| Number | Description |
|---|---|
| ③ | Button to show the list of Edge devices for further management |
| Number | Description |
|---|---|
| ④ | Button 'Create' |
| Number | Description |
|---|---|
| ⑤ | Steps of the dialogue |
| ⑥ | Navigation buttons 'Back', 'Next', 'Create' (their visibility depends on the currently selected step) |
| Number | Description |
|---|---|
| ⑦ | Edge device type |
| ⑧ | Edge device name |
| ⑨ | Authentication information |
| Number | Description |
|---|---|
| ⑩ | Button to add a network interface |
| Number | Description |
|---|---|
| ⑪ | Checkbox 'Gateway interface' |
| ⑫ | Input field 'MAC address' |
| ⑬ | Form for IP address, gateway and DNS |
| ⑭ | Button to submit the network interface data |
| Number | Description |
|---|---|
| ⑮ | Depiction of created network interface |
| ⑯ | Button to add an NTP server |
| Number | Description |
|---|---|
| ⑰ | 'Proxy' settings |
| Number | Description |
|---|---|
| ⑱ | Sensor Edge device |
| ⑲ | Button 'Menu' |
| ⑳ | Menu item 'Create Onboarding File' |
Initialize the sensor device
- Access the IE Device portal with the DHCP IP address and show the “Activate Edge Device” dialog box. Add the edge device onboarding file ① and activate it ②.
- When the activation is successful, the display monitor will show the new static IP address ③.
- Then physically connect the communication port and mirror port of the sensor device with the target network.
- Access the IE device portal with the static IP address. On the 'Sign in' page, credentials can be entered ④ and submitted ⑤.
- When the sensor device is connected successfully to the IEM, the status indicator ⑧ switches to green and the IP address of the sensor device ⑦ is displayed.
- Continue with updating the Edge device OS
| Number | Description |
|---|---|
| ① | Upload field with 'Browse' button |
| ② | Button to activate the sensor device |
| Number | Description |
|---|---|
| ③ | Static IP address |
| Number | Description |
|---|---|
| ④ | Input fields for login credentials |
| ⑤ | Button to login |
| Number | Description |
|---|---|
| ⑥ | Device tile |
| ⑦ | IP address of the sensor device |
| ⑧ | Status indicator |
Update the Edge device OS
The SINEC Security Guard Sensor app requires IED-OS-v2.0 or a later version. For this an update of the OS of the Edge device may be required. It is recommended to always use the latest available version.
- Navigate to admin management by using the menu entry 'Admin Management' ①
- Navigate to 'Device Catalog' ④ to show all devices.
- Look for the corresponding device type IPC 227E ③; if the label is not fully visible, click the Info button ② to get the full information, including the type ⑤
- Click on the device ③ to see all available downloads
- Find the latest firmware version ⑥ and initiate the download ⑦
- After the download is completed, navigate to “Edge Management” ⑧
- Navigate to 'Edge Devices' ⑩
- Click 'System Commands' ⑨ and select 'Firmware Update' ⑪
- Select the edge device which needs to be updated ⑫
- Select the target firmware version ⑬
- Initiate the update process ⑭
| Number | Description |
|---|---|
| ① | Main navigation 'Admin Management' |
| Number | Description |
|---|---|
| ② | Info button |
| ③ | Device type IPC 227E |
| ④ | Main navigation 'Device Catalogue' |
| Number | Description |
|---|---|
| ⑤ | Information on device type |
| Number | Description |
|---|---|
| ⑥ | Example of a listed OS firmware version |
| ⑦ | Download button |
| ⑧ | Main navigation 'Edge Management' |
| Number | Description |
|---|---|
| ⑨ | Menu button 'System Commands' |
| ⑩ | Main navigation 'Edge Devices' |
| ⑪ | Menu item 'Firmware update' |
| Number | Description |
|---|---|
| ⑫ | Example of a listed Edge device |
| ⑬ | Dropdown field containing available update versions |
| ⑭ | Button to initiate the update process |
Ensure Device Connectivity
The SINEC Security Guard Sensor app requires a connection to the SINEC Security Guard Cloud. Please ensure that the device can communicate with the internet by following the guidance in the Industrial Edge User Manual. The manual also explains how to configure a proxy.
Create ticket in Service Desk
To provision the SINEC Security Guard Sensor app and register the sensor to SSG cloud, create a ticket in the Service Desk.
Provide the following information:
- IE Hub Tenant ID ① - this is needed to provision the SINEC Security Guard Sensor app to your IE Hub
Use this as template for your ticket:
- IE Hub Tenant ID: myIEHubTenant
Your IE Hub tenant will receive the SINEC Security Guard Sensor app.
| Number | Description |
|---|---|
| ① | IE Hub Tenant ID |
SINEC Security Guard Sensor app installation
- Deploy the SINEC Security Guard Sensor app to IEM; if the App is approved and deployed by your IE Hub Tenant Admin, you can find the App in IEM at “Catalog“ ③
- Install the SINEC Security Guard Sensor app to sensor device
- Click the app icon ② and initiate the installation ④
- Click 'Next' ⑤ to keep the 'Configurations' by default
- Select target sensor device ⑥ and click 'Install Now' ⑦
- In the popup window, click 'Install' ⑧ to confirm the installation
- In the popup window, click 'Job Status' ⑨
- Navigate to the “Job Status” page ⑩; when job status changes to 'Completed' ⑪, the SINEC Security Guard Sensor app installation is successful
- Access the IE device portal ⑫ and check the running status ⑭ of the SINEC Security Guard Sensor app
- Now the SINEC Security Guard Sensor app is ready for onboarding in the Sensors
| Number | Description |
|---|---|
| ② | Main navigation 'Catalog' |
| ③ | App icon |
| Number | Description |
|---|---|
| ④ | Button 'Install' |
| Number | Description |
|---|---|
| ⑤ | Button 'Next' |
| Number | Description |
|---|---|
| ⑥ | Target sensor device |
| ⑦ | Button 'Install Now' |
| Number | Description |
|---|---|
| ⑧ | Button 'Install' |
| Number | Description |
|---|---|
| ⑨ | Button 'Job Status' |
| Number | Description |
|---|---|
| ⑩ | Main navigation 'Job status' |
| ⑪ | Status indicator on Job status page |
| Number | Description |
|---|---|
| ⑫ | Main navigation 'Management' |
| ⑬ | SINEC Security Guard Sensor app |
| ⑭ | Status of SINEC Security Guard Sensor app |