
Security and Privacy

This document outlines the security measures, data privacy practices, and architectural considerations implemented in Industrial Asset Hub (IAH) to ensure a safe, trustworthy, and compliant environment.

Data Privacy and GDPR Compliance

Siemens strictly adheres to data protection principles, emphasizing data minimization and Privacy by Design.

Personal Data Handling

To provide access management, notifications, and auditing, the product processes and stores the following personal data:

  • First and last name
  • User ID
  • Email address
  • Timestamps of user actions
  • IP addresses
  • MAC addresses

Customer Responsibilities

Customers remain fully responsible for the data they upload or input into the service. This includes ensuring data is free from malware, viruses, or unauthorized content.

If you link the collected personal data to other operational data (e.g., employee shift plans) to create new personal references, or if you store additional personal information in custom user-defined fields, you are responsible for ensuring compliance with applicable data protection guidelines (e.g., GDPR).

While Siemens implements comprehensive security controls, including encryption and regular backups, we cannot be held liable for disruptions or damages caused by malicious or unauthorized customer-uploaded content.

Cybersecurity Information

Siemens designs products with industrial cybersecurity functions to support the secure operation of plants, systems, machines, and networks.

To protect your infrastructure against cyber threats, it is necessary to implement and continuously maintain a holistic, state-of-the-art industrial cybersecurity concept. IAH is just one element of this broader concept.

  • Network Isolation: Systems and machines should only be connected to enterprise networks or the internet when strictly necessary, and only behind appropriate security measures like firewalls and network segmentation.
  • Best Practices: For more information on recommended measures, visit the Siemens Industrial Cybersecurity page.
  • Updates: We strongly recommend applying product updates immediately. Running unsupported versions increases exposure to cyber threats. Subscribe to the Siemens Industrial Cybersecurity RSS Feed to stay informed.

Asset Gateway Security Monitoring

Siemens continuously monitors both the latest and the previous release of the Asset Gateway application for potential security vulnerabilities.

When a vulnerability is identified, its severity and impact are assessed. Critical vulnerabilities are published via Siemens Security Advisories. Always run the latest released version of the Asset Gateway to ensure you have the most up-to-date security patches.

Network Security Architecture

Industrial Asset Hub is designed with a firewall-friendly architecture. All system components initiate outbound connections from lower network levels to upper levels using a secure, TLS-encrypted communication channel.

Perimeter Protection and Deployment

All components operated on-premises must be protected by suitable perimeter defenses. In typical manufacturing environments, a network cell protection concept prevents direct exposure of the automation layer to the outside world.

The Asset Gateway acts as the bridge. Because it needs to reach automation-level protocols, it is typically deployed on the boundary between the machine network and the enterprise network (e.g., hosted on a Siemens Industrial Edge Device).

Figure: Exemplary network sketch showing boundary deployment of the Asset Gateway between the machine network and the enterprise network

Required Network Endpoints

For the Asset Gateway to communicate with the IAH backend services, your firewall must allow outbound traffic to the following endpoints. The gateway initiates every connection to the backend itself (see Network Security Architecture above), so no inbound rule from the backend is required.

Environment: Productive

Tenant URL:
<tenant>.eu1.sws.siemens.com/industrialassethub/

Domain:
cloud.eu1.sws.siemens.com

IP addresses (21 addresses, the contiguous range 3.163.232.234 to 3.163.252.234):
3.163.252.234, 3.163.251.234, 3.163.250.234, 3.163.249.234, 3.163.248.234, 3.163.247.234, 3.163.246.234, 3.163.245.234, 3.163.244.234, 3.163.243.234, 3.163.242.234, 3.163.241.234, 3.163.240.234, 3.163.239.234, 3.163.238.234, 3.163.237.234, 3.163.236.234, 3.163.235.234, 3.163.234.234, 3.163.233.234, 3.163.232.234

Note

Additional network configurations, such as proxy settings, may be required depending on your IT policies. For Industrial Edge, these can be configured during device onboarding or in the system settings.
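The script below is an added example for working with the endpoint list above; it is not Siemens code and not part of the IAH product. It generates the published address range, checks resolved addresses against it, emits an nftables egress rule set for the gateway host, and offers a manual TLS probe. It assumes things the page does not state: that the TLS channel uses TCP/443, that nftables is the host firewall, and that the device reaches the backend directly rather than through a proxy (if a proxy is configured, the allow-list belongs on the proxy instead). The interface, script name and command-line flags are hypothetical.

```shell
#!/bin/sh
# Added example, not Siemens/IAH code. Egress allow-list helpers for the host
# that runs the Asset Gateway (e.g. an Industrial Edge Device).
# Assumptions not stated on the page: TLS runs on TCP/443, nftables is the host
# firewall, and the backend is reached directly (no proxy).

IAH_DOMAIN="cloud.eu1.sws.siemens.com"

iah_allowed_ips() {
  # The published addresses are the contiguous range
  # 3.163.232.234 .. 3.163.252.234 (21 entries); generated here rather than
  # copied so the list lives in one place.
  i=232
  while [ "$i" -le 252 ]; do
    echo "3.163.$i.234"
    i=$((i + 1))
  done
}

ip_is_allowed() {
  # Exit 0 when $1 is exactly one of the published backend addresses.
  iah_allowed_ips | grep -qx "$1"
}

check_resolved_ips() {
  # Compare resolved addresses (passed as arguments so this runs offline)
  # against the published list. A stale allow-list, or DNS answering with an
  # address outside it, is a common reason a gateway silently stops reporting.
  rc=0
  for addr in "$@"; do
    if ip_is_allowed "$addr"; then
      echo "ok       $addr"
    else
      echo "UNLISTED $addr  (not in the published IAH range; update firewall rules)"
      rc=1
    fi
  done
  return "$rc"
}

nft_egress_rules() {
  # Emit an nftables snippet that permits new outbound connections only to the
  # published addresses on TCP/443 (plus DNS to resolve the domain) and logs
  # and drops everything else. Merge with the other egress the device needs
  # (Industrial Edge Management, NTP, proxy) before loading it.
  elements=$(iah_allowed_ips | tr '\n' ',' | sed 's/,$//; s/,/, /g')
  cat <<EOF
table inet iah_egress {
  set iah_backend {
    type ipv4_addr
    elements = { $elements }
  }
  chain output {
    type filter hook output priority 0; policy drop;
    ct state established,related accept
    oif lo accept
    udp dport 53 accept
    tcp dport 53 accept
    ip daddr @iah_backend tcp dport 443 accept
    log prefix "iah-egress-drop " drop
  }
}
EOF
}

probe_tls() {
  # Manual connectivity check: a TLS handshake to the backend with certificate
  # verification against the system trust store. Needs network access, so it
  # only runs when requested explicitly (see the usage lines below).
  printf 'Q\n' | openssl s_client -connect "$IAH_DOMAIN:443" \
    -servername "$IAH_DOMAIN" -verify_return_error -brief 2>&1 | head -n 5
}

# Usage on the gateway host (the --check mode needs getent and network access):
#   sh iah-egress.sh --check   -> resolve the domain, compare with the list
#   sh iah-egress.sh --rules   -> print the nftables snippet
#   sh iah-egress.sh --probe   -> attempt a verified TLS handshake
case "${1:-}" in
  --check) check_resolved_ips $(getent ahostsv4 "$IAH_DOMAIN" | awk '{print $1}' | sort -u) ;;
  --rules) nft_egress_rules ;;
  --probe) probe_tls ;;
esac
```

The rule set keeps the default policy at drop so that a compromised container on the device cannot reach arbitrary internet hosts; `--check` is worth running from a cron job, because a DNS answer outside the published range is exactly the failure that looks like a dead gateway rather than a firewall problem.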

Operational Impact and Best Practices

Impact on Production Networks

IAH utilizes active scanning methods to discover asset-specific information. Active scanning is required to identify connected devices that communicate infrequently and would otherwise be missed by passive network monitoring.

Because active scanning generates additional network traffic, it can potentially influence communication processes within your production environment.

Best Practice: While IAH uses industry-standard discovery protocols, not all legacy field devices are fully compliant. We highly recommend running an initial test scan during a scheduled maintenance window, or on a dedicated test network, before executing a full discovery scan in a live production environment.

Secure Disposal of Local Components

When decommissioning on-premises IAH components (like the Asset Gateway), follow these steps to securely remove all application data:

  1. Stop Containers: Stop all running containers (e.g., using docker-compose down or your Industrial Edge Management interface).
  2. Remove Data: Delete all associated Docker volumes, images, and residual application data from the host device.
  3. Delete Credentials: Securely wipe any server user credentials or onboarding configuration files (gateway-config.json) from the local client machines used during setup.
  4. Audit: Document the disposal process, including the date and the specific hardware components wiped, to satisfy your internal compliance requirements.
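One way to script the four steps above, added here as an example and not taken from Siemens or the IAH product: the compose project directory, a bind-mounted data directory, the audit log path and the script name are hypothetical; gateway-config.json is the onboarding file named in step 3. Step 3 also applies to the engineering workstation used for onboarding, where the same wipe function can be run on the copy kept there.

```shell
#!/bin/sh
# Added example, not Siemens/IAH code. Wraps the decommissioning steps for an
# Asset Gateway run with Docker Compose. Assumptions: the compose project lives
# in GATEWAY_DIR, any bind-mounted data in GATEWAY_DATA_DIR (both hypothetical
# paths); gateway-config.json is the onboarding file named on the page; the
# audit log location is an assumption.

GATEWAY_DIR="${GATEWAY_DIR:-/opt/iah-gateway}"
GATEWAY_DATA_DIR="${GATEWAY_DATA_DIR:-/var/lib/iah-gateway}"
AUDIT_LOG="${AUDIT_LOG:-/var/log/iah-disposal.log}"

audit_record() {
  # Step 4: one line per action with UTC timestamp, host and target, so the
  # disposal can be evidenced later. Usage: audit_record <action> <target>
  printf '%s host=%s action=%s target=%s\n' \
    "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(uname -n)" "$1" "$2" >> "$AUDIT_LOG"
}

secure_wipe_file() {
  # Step 3: overwrite a credential or onboarding file in place, then unlink it.
  # Uses GNU shred when available, otherwise overwrites with zeros via dd.
  # Caveat: on SSDs and on copy-on-write or journalling filesystems an in-place
  # overwrite does not guarantee the old blocks are unrecoverable; rely on
  # full-disk encryption (discard the key) or a device-level erase for those.
  f="$1"
  [ -f "$f" ] || return 0
  if command -v shred >/dev/null 2>&1; then
    shred -u -z -n 3 -- "$f"
  else
    size=$(wc -c < "$f" | tr -d ' ')
    dd if=/dev/zero of="$f" bs=4096 count=$(( (size + 4095) / 4096 )) conv=notrunc 2>/dev/null
    rm -f -- "$f"
  fi
  audit_record wipe-file "$f"
}

stop_and_remove_stack() {
  # Steps 1 and 2: stop the containers and remove the volumes and images the
  # compose file declares. Bind-mounted host directories are NOT removed by
  # 'compose down', so GATEWAY_DATA_DIR is deleted separately.
  command -v docker >/dev/null 2>&1 || { echo "docker not found" >&2; return 1; }
  (cd "$GATEWAY_DIR" && docker compose down --volumes --rmi all --remove-orphans) || return 1
  audit_record compose-down "$GATEWAY_DIR"
  if [ -d "$GATEWAY_DATA_DIR" ]; then
    rm -rf -- "$GATEWAY_DATA_DIR"
    audit_record remove-data-dir "$GATEWAY_DATA_DIR"
  fi
}

# Run the whole procedure explicitly (nothing happens when the file is only
# sourced):  sh iah-decommission.sh --run
if [ "${1:-}" = "--run" ]; then
  stop_and_remove_stack
  secure_wipe_file "$GATEWAY_DIR/gateway-config.json"
  echo "done; review $AUDIT_LOG and attach it to the disposal record"
fi
```

On an Industrial Edge Device the container steps are normally done through the Industrial Edge Management interface instead of `docker compose`; the wipe and audit functions still apply to the onboarding file and to any copy of it on the client machine.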

Cookies

For information regarding how we handle cookies in the web application, please refer to the official Siemens Cookie Notice.
