
SICAM GridEdge Manual en


SICAM GridEdge
Engineering Guide
V2.0

Manual

Preface
Open Source Software
Table of Contents
1 Introduction
2 System Configuration
3 SICAM GridEdge Configuration
4 Security

E50417-H7640-C641-A3
NOTE

For your own safety, observe the warnings and safety instructions contained in this document, if available.

Disclaimer of Liability

Subject to changes and errors. The information given in this document only contains general descriptions
and/or performance features which may not always specifically reflect those described, or which may undergo
modification in the course of further development of the products. The requested performance features are
binding only when they are expressly agreed upon in the concluded contract.
Document version: E50417-H7640-C641-A3.04
Edition: 12.2020
Version of the product described: V2.0

Copyright

Copyright © Siemens 2020. All rights reserved.
The disclosure, duplication, distribution and editing of this document, or utilization and communication of
the content are not permitted, unless authorized in writing. All rights, including rights created by patent
grant or registration of a utility model or a design, are reserved.

Trademarks

SIPROTEC, DIGSI, SIGRA, SIGUARD, SIMEAS SAFIR, SICAM, and MindSphere are trademarks of Siemens. Any
unauthorized use is prohibited.
Preface

Purpose of the Manual


This manual describes the engineering steps to connect devices in the station network using SICAM GridEdge
with secure communication to the Siemens cloud platform MindSphere or any other cloud-based platforms.

Scope
This manual covers only the SICAM GridEdge-related settings and engineering steps.
For general engineering guidelines, refer to the corresponding documents.

Target Audience
System engineers, commissioning engineers, persons entrusted with the setting, selective protection and
control equipment, and operational crew in electrical installations and power plants.

Additional Support
For questions about the system, contact your Siemens sales partner.

Customer Support Center


Our Customer Support Center provides a 24-hour service.
Siemens AG
Smart Infrastructure – Digital Grid
Customer Support Center
Tel.: +49 911 2155 4466
E-Mail: [email protected]

Training Courses
Inquiries regarding individual training courses should be addressed to our Training Center:
Siemens AG
Siemens Power Academy TD
Humboldtstrasse 59
90459 Nuremberg
Germany
Phone: +49 (911) 433-7415
Fax: +49 (911) 433-7929
E-mail: [email protected]
Internet: www.siemens.com/poweracademy

Notes on Safety
This manual is not a complete index of all safety measures required for operation of the equipment (module or
device). However, it includes important information that must be followed for personal safety and to avoid
material damage. Information is highlighted and illustrated as follows according to the degree of danger:

SICAM GridEdge, Engineering Guide, Manual 3


E50417-H7640-C641-A3, Edition 12.2020

WARNING
WARNING means that death or severe injury may result if the measures specified are not taken.
◇ Comply with all instructions, in order to avoid death or severe injuries.

CAUTION
CAUTION means that medium-severe or slight injuries can occur if the specified measures are not taken.
◇ Comply with all instructions, in order to avoid moderate or minor injuries.

NOTE

Important information about the product, product handling or a certain section of the documentation
which must be given attention.

Open Source Software

The product contains, among other things, Open Source Software developed by third parties. The Open
Source Software used in the product and the license agreements concerning this software can be found in the
Readme_OSS. These Open Source Software files are protected by copyright. Your compliance with those
license conditions will entitle you to use the Open Source Software as foreseen in the relevant license. In the
event of conflicts between Siemens license conditions and the Open Source Software license conditions, the
Open Source Software conditions shall prevail with respect to the Open Source Software portions of the
software. The Open Source Software is licensed royalty-free. Insofar as the applicable Open Source Software
License Conditions provide for it you can order the source code of the Open Source Software from your
Siemens sales contact – against payment of the shipping and handling charges – for a period of at least
3 years after purchase of the product. We are liable for the product including the Open Source Software
contained in it pursuant to the license conditions applicable to the product. Any liability for the Open Source
Software beyond the program flow intended for the product is explicitly excluded. Furthermore, any liability
for defects resulting from modifications to the Open Source Software by you or third parties is excluded. We
do not provide any technical support for the product if it has been modified.

Table of Contents

Preface

Open Source Software

1 Introduction

2 System Configuration
  2.1 SIEMENS CP-8050
    2.1.1 Updating the SIEMENS CP-8050 Firmware
    2.1.2 Preparing SD Card for Installation
    2.1.3 Installing SICAM GridEdge with Prepared SD Card
  2.2 SIEMENS IPC 227E
    2.2.1 Installing SIMATIC Industrial OS
    2.2.2 Installing SICAM GridEdge
    2.2.3 Mounting the USB Drive
    2.2.4 Example Installation

3 SICAM GridEdge Configuration
  3.1 Access to SICAM GridEdge Web Interface
  3.2 General Settings
  3.3 Application Configuration
  3.4 Connection Status
  3.5 Maintenance

4 Security
  4.1 Security Requirements
  4.2 User Management
  4.3 Backup and Restore
  4.4 Diagnosis Log
  4.5 Certificate Management
  4.6 TCP-UDP Ports

1 Introduction

The Internet of Things (IoT) is poised to be a driver of growth in many business sectors in the coming years,
including the energy industry. In simple terms, IoT is about networking electronic devices over the Internet.
For power-supply systems, connecting to IoT enables all components within a station to make data available in
a cloud-based platform. Applications can then be used to consolidate, link, evaluate, and visualize the
information for application-specific purposes.
You can utilize the resulting benefits to:

• Enhance the transparency of the plant and equipment status and conditions (such as the availability of
electrical operating values and equipment)

• Plan predictive maintenance and optimize services and resources

• Increase the availability of the power-supply system


SIPROTEC and SICAM – products and solutions for protection engineering, station automation, power quality,
and measurement – can be connected easily using SICAM GridEdge to MindSphere and other cloud-based
platforms.
The connectivity is enabled by using the SICAM GridEdge solution with the standardized OPC UA PubSub (MQTT)
protocol (to IEC 62541 requirements) – no firmware changes for devices in your station are required.
Using the IoT standard OPC UA PubSub (MQTT) protocol and applying the highest security standards makes IoT
connection of existing legacy installations a lucrative prospect.
Upgrading existing installations is simple:

• Continue using existing infrastructure and hardware

• Install SICAM GridEdge on your station

• Configure SICAM GridEdge

MindSphere – the IoT Operating System from Siemens


MindSphere is the open, cloud-based IoT operating system from Siemens offering data analysis, versatile
connectivity, tools for developers, applications, and services.
With all these functions, however, data security always takes highest priority. MindSphere fulfills the basic
rules of the industry-relevant security standards as well as recommendations from regulatory authorities for
handling data in cloud environments.

2 System Configuration

Hardware Requirements
Siemens recommends one of the following systems to run SICAM GridEdge properly:

• SIEMENS CP-8050 (MLFB: 6MF2805-0AA00)
  – ARM32 CPU Architecture
  – 512 MB RAM
  – 2 LAN ports
  – Additionally, the following hardware is necessary:
    – SD card 2GB (MLFB: 6MF1213-1GA05-0AA0)
    – Power supply PS-8620 24-60VDC 12W (MLFB: 6MF2862-0AA00)
    – Power supply PS-8622 110-220VDC 12W (MLFB: 6MF2862-2AA00)

• SIEMENS IPC 227E (MLFB: 6ES7647-8BD31-0CA1)
  – X86 CPU Architecture
  – 240 GB SSD
  – 8 GB RAM
  – 2 LAN ports
  – SIMATIC INDUSTRIAL OS (MLFB: 6ES7648-6LA81-0YA8)
    – Single-license software
    – License for download

2.1 SIEMENS CP-8050
2.2 SIEMENS IPC 227E


2.1 SIEMENS CP-8050

2.1.1 Updating the SIEMENS CP-8050 Firmware

NOTE

You need firmware version 04 on your SIEMENS CP-8050 device to run SICAM GridEdge properly.

If you do not have firmware version 04 running on your SIEMENS CP-8050, prepare an SD card and perform
the following steps to update your device.

NOTE

Since delivery of SIEMENS CP-8050 does not include an SD card, the card has to be ordered separately (see
Hardware Requirements, Page 11).

NOTE

The SD card has to be empty and formatted using FAT32 file system.

◇ Open the appropriate SIOS Web page:
https://support.industry.siemens.com/cs/document/109783989/sicam-a8000-cp-8050-package-v0440-?dti=0&lc=de-WW
◇ Select SICAM WEB Update and download the SWEBUpdate.zip file to your computer.
◇ On your computer, create an IN folder on the empty SD card and copy the CPCI8504.F40 file from the
SWEBUpdate.zip into it.

[sc_sd_card_content_FW04, 1, en_US]

◇ Insert the SD card into the SIEMENS CP-8050 device.
The installation starts and will take approx. 4 minutes. Afterwards, the device will reboot automatically.
◇ Insert the SD card into your computer and check its content.
There should be 3 folders: RTUs, system, and IN.
If the folders IN and RTUs are empty and the system folder contains a few files as seen below, the
update has been successful.

[sc_sd_card_content_after_FW04_update, 1, en_US]


2.1.2 Preparing SD Card for Installation

In order to install the SICAM GridEdge system, it is necessary to prepare an SD card with the SICAM GridEdge
installation files and mount the SD card to the SIEMENS CP-8050 afterwards.

NOTE

Since delivery of SIEMENS CP-8050 does not include an SD card, the card has to be ordered separately (see
Hardware Requirements, Page 11).

NOTE

The SD card has to be empty and formatted using FAT32 file system.

Content of the SD Card


Extract the content of the setup bundle (ZIP file) to the SD card. It should look like this:

[sc_sd-card_content1, 1, --_--]

Make sure the IN folder only contains this file:

[sc_sd-card_content2, 1, --_--]

Underneath the folder lxp there is a folder named config which contains a default configuration.

[sc_sd_card_content, 1, en_US]


The configuration files are:

• network/interfaces
Configuration of the IP addresses

• ntp.conf
Configuration of the NTP client for time synchronization

• resolv.conf
Configuration of the name server
In order to configure the IP addresses and the connection to an NTP server, the content of the SD card needs
to be adjusted.

NOTE

Each file can be adjusted according to the specific needs.
You can change the configuration by removing the SD card (after turning off the SIEMENS CP-8050) and
changing the files directly on the SD card using a computer. Afterwards, plug in the SD card again and
power on the SIEMENS CP-8050.

Configuring the IP Addresses


This configuration is done in the file network/interfaces. The SIEMENS CP-8050 comes with 2 Ethernet
interfaces, eth0 (X2) and eth1 (X3).

Figure 2-1 The 2 Ethernet Interfaces of the CP-8050


Prerequisites
SIEMENS CP-8050 is installed and wired properly.
SIEMENS CP-8050 is connected to station network on port X2 (eth0).
SIEMENS CP-8050 is connected to wide area network on port X3 (eth1).

Procedure
◇ In order to set specific IP addresses, adjust the file network/interfaces accordingly.

    iface lo inet loopback

    auto eth0
    iface eth0 inet static
        address 172.16.0.27
        netmask 255.255.0.0

    auto eth1
    iface eth1 inet static
        address 192.168.1.27
        netmask 255.255.255.0
        gateway 192.168.1.1

Configuring the Name Server (DNS)


This configuration is done in the file resolv.conf.
SICAM GridEdge needs a proper name server configuration for the cloud connection.
◇ The Google name server is configured by default. If required, adjust the file according to the needs of
your IT infrastructure.

    nameserver 8.8.8.8

Configuring the NTP Client for Time Synchronization


This configuration is done in the file ntp.conf.
SICAM GridEdge needs a proper time synchronization for the cloud connection.
◇ Adjust the file ntp.conf according to your needs.

    server 0.pool.ntp.org iburst
    server 1.pool.ntp.org iburst
    server 2.pool.ntp.org iburst
    server 3.pool.ntp.org iburst

    # Allow only time queries, at a limited rate, sending KoD when in excess.
    # Allow all local queries (IPv4, IPv6)
    restrict default nomodify nopeer noquery limited kod
    restrict 127.0.0.1
    restrict [::1]

If you have your own NTP time servers in the network, use them instead of the global default given.
If you do not have your own private NTP server within your network, consider using public servers in your area
(e.g. from https://www.ntppool.org/).
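A pre-commissioning check of the three SD card configuration files described above, written as an added example (it is not part of the manual or of SICAM GridEdge). It assumes eth0 is the station port and eth1 the WAN port as stated in the prerequisites, and treats "no gateway on the station interface" and "subnets must not overlap" as review rules; BAD_INTERFACES and the addresses used in the test are constructed.

```python
import ipaddress

# File contents as printed in this section (CP-8050 defaults).
PAGE_INTERFACES = """\
iface lo inet loopback

auto eth0
iface eth0 inet static
address 172.16.0.27
netmask 255.255.0.0

auto eth1
iface eth1 inet static
address 192.168.1.27
netmask 255.255.255.0
gateway 192.168.1.1
"""
PAGE_RESOLV = "nameserver 8.8.8.8\n"
PAGE_NTP = """\
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst
# Allow only time queries, at a limited rate, sending KoD when in excess.
restrict default nomodify nopeer noquery limited kod
restrict 127.0.0.1
restrict [::1]
"""
# Constructed counter-example: station port shares the WAN subnet and has a gateway.
BAD_INTERFACES = """\
auto eth0
iface eth0 inet static
address 192.168.1.50
netmask 255.255.255.0
gateway 192.168.1.1

auto eth1
iface eth1 inet static
address 192.168.1.27
netmask 255.255.255.0
gateway 192.168.1.1
"""


def parse_interfaces(text):
    """Parse an interfaces file into {interface: {option: value}}."""
    ifaces, current = {}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if not words:
            continue
        if words[0] == "iface" and len(words) >= 4:
            current = ifaces[words[1]] = {"method": words[3]}
        elif words[0] in ("auto", "allow-hotplug"):
            current = None
        elif current is not None and len(words) >= 2:
            current[words[0]] = words[1]
    return ifaces


def audit(interfaces, resolv, ntp, station="eth0", wan="eth1"):
    """Return a list of findings to review before the SD card is inserted."""
    findings, nets = [], {}
    ifaces = parse_interfaces(interfaces)
    for name in (station, wan):
        opts = ifaces.get(name, {})
        if opts.get("method") != "static" or not {"address", "netmask"} <= opts.keys():
            findings.append(f"{name}: no complete static configuration")
            continue
        nets[name] = ipaddress.ip_network(
            f"{opts['address']}/{opts['netmask']}", strict=False)
    if "gateway" in ifaces.get(station, {}):
        findings.append(f"{station}: gateway set on the station interface")
    if len(nets) == 2 and nets[station].overlaps(nets[wan]):
        findings.append(f"{station} and {wan} subnets overlap")

    resolv_words = [line.split() for line in resolv.splitlines()]
    nameservers = [w[1] for w in resolv_words if len(w) >= 2 and w[0] == "nameserver"]
    if not nameservers:
        findings.append("resolv.conf: no name server configured")
    if "8.8.8.8" in nameservers:
        findings.append("resolv.conf: default public name server 8.8.8.8 still configured")

    ntp_words = [line.split() for line in ntp.splitlines()
                 if line.strip() and not line.lstrip().startswith("#")]
    servers = [w[1] for w in ntp_words if w[0] in ("server", "pool") and len(w) >= 2]
    if not servers:
        findings.append("ntp.conf: no time server configured")
    if any(s.endswith("pool.ntp.org") for s in servers):
        findings.append("ntp.conf: public pool.ntp.org servers still configured")
    default = next((set(w[2:]) for w in ntp_words if w[:2] == ["restrict", "default"]), None)
    if default is None or not {"nomodify", "noquery"} <= default:
        findings.append("ntp.conf: 'restrict default' lacks nomodify/noquery")
    return findings


if __name__ == "__main__":
    for finding in audit(PAGE_INTERFACES, PAGE_RESOLV, PAGE_NTP):
        print(finding)
```

The two findings for the unmodified files are the defaults this section tells you to adjust to your own infrastructure, not errors in the files.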


2.1.3 Installing SICAM GridEdge with Prepared SD Card

The SD card slot is located behind a plug of the SIEMENS CP-8050.

[ge_cp-8050_card_slot1, 1, --_--]

(1) Plug of the SD card slot

◇ Remove the plug to get access to the SD card slot.

[ge_cp-8050_card_slot2, 1, --_--]

(2) SD card slot

◇ Insert the SD card into the slot, apply the plug, and start the SIEMENS CP-8050.


NOTE

SICAM GridEdge is installed automatically. This may take several minutes.


2.2 SIEMENS IPC 227E

2.2.1 Installing SIMATIC Industrial OS

Prerequisites

• SIMATIC IPC 227E is installed and wired properly; refer to the SIMATIC IPC227E Quick Install Guide
(https://support.industry.siemens.com/cs/ww/de/view/109477819).

• Monitor is connected to IPC

• Keyboard is connected to IPC

• IPC is connected to station network and wide area network (required for connection to external cloud
platform and for fetching updates of operating system)

• Prepared USB Service Stick for installation of the operating system (for creation instructions refer to
Installation Manual of SIMATIC Industrial OS SIMATIC_Industrial_OS_Vxxxx_Installation_Manual.pdf)

Installing SIMATIC Industrial OS


◇ Connect the USB Service Stick to the switched-off IPC.
◇ Switch on the IPC and open the BIOS settings.

NOTE

Follow the instructions in chapter 3 "Boot the target with SIMATIC Industrial OS" as written in the section
"Prerequisites". In particular, note when and how long to press the <ESC> button to get into the BIOS.

◇ Open the Setup Utility (SCU) and enable USB Boot in the Boot submenu. Then exit SCU via Exit saving
changes.
◇ Execute the steps in section Procedure of the installation manual and boot from the attached USB
Service Stick.
◇ Select Install system.
◇ Verify that the installed SSD and the image-industrial-os-ipc-......wic.gz file are selected.

NOTE

If you repeat the installation, the program might find backups. If you want to install completely new, select
Reboot and continue without restoring.

NOTE

After the installation is finished, the IPC will reboot.
Do not unplug the USB Service Stick because packages will be partly installed from this medium during the first
boot procedure.

Configuration of SIMATIC Industrial OS


After the first boot of the IPC, SIMATIC Industrial OS shows a setup menu which guides you through the first
boot.

NOTE

A network cable for Wide Area Network must be connected to the X1P1 port.


◇ Select enp2s0 and define the IP settings for the port X1P1 (DHCP/Static, IP Address, Subnetmask,
Gateway, DNS).

NOTE

It is strongly recommended to use a static IP address.

NOTE

If the network configuration between the commissioning and the operation environment differs, you can
reconfigure this using the tool industrial-setup later on.

◇ For network separation between Wide Area Network and Station Network, configure the network
settings accordingly for network adapter enp3s0. For Gateway, use 0.0.0.0 here and leave the DNS
empty unless there is an internal DNS server in your internal network.

NOTE

It is strongly recommended to use a static IP address.

◇ Configure the localization settings (keyboard language, layout, region, etc.).
◇ Define the host name of the IPC.
◇ Set up the Time Synchronization for the IPC with NTP, for example:
0.de.pool.ntp.org,1.de.pool.ntp.org,2.de.pool.ntp.org,3.de.pool.ntp.org

NOTE

If an NTP Server is available in your network, add this as first/primary NTP server.

NOTE

Since a time synchronization is necessary for a proper connection between GridEdge and the cloud
platform, it is strongly recommended to configure NTP properly.

◇ Configure at least 1 APT mirror (Advanced Package Tool).
◇ Select an address from the list near the final location of the IPC.
◇ Enable Main and Contrib, but keep Non-free disabled to define which packages can be loaded from the
mirror.
◇ Do not disable the root login. For security reasons, set a password for the user root.
◇ Define the User Login Credentials and password.
◇ Enable sudo for this user.
◇ Define the frequency of the software updates, for example, daily or weekly.
◇ Define Proxy Settings if required.
◇ Enable the Firewall if required later on in the operation environment.
◇ Install the following additional package in the Development Tools menu:
Essential development tools (IPC)/Linux Containers/Docker CE
◇ Select no driver/support for PROFINET Settings.
The IPC now installs the selected packages and loads and installs packages from the Internet via the WAN
connection.


The installation ends with the message You have completed ... and some standard warnings about
possibly failed installations. These are checked in the next step. Confirm with OK and the IPC will reboot.
At the first login, check with the command docker version if the docker framework has been installed. If
no version is returned, check the installation of the Docker CE package.

NOTE

If you need to configure or reconfigure some settings of the SIMATIC Industrial OS, you can use the
following command: sudo industrial-setup

2.2.2 Installing SICAM GridEdge

NOTE

If you already have a running SICAM GridEdge system and want to upgrade to a newer version, you have to
create a backup of the current configuration and restore the backup after updating the system, see
4.3 Backup and Restore.

◇ Copy the complete content of the package to the IPC using SSH.
- or -
◇ Copy the complete content of the package to the IPC using a USB stick.

NOTE

Keep in mind that the SIMATIC Industrial OS does not automatically mount the USB stick. This has to be
done manually, see 2.2.3 Mounting the USB Drive.

◇ Extract the package and change the directory to the extracted folder.
◇ Add execution rights to scripts: chmod +x *.sh
◇ Execute the script sicamgridedge_setup.sh with administrator rights.
◇ When prompted, enter the IP address of the interface connected to the substation network (X2P1).
After the installation, the SICAM GridEdge system is up and running.

NOTE

If you update the network settings of the IPC where SICAM GridEdge is running, it is necessary to re-create
the self-signed certificate used by the SICAM GridEdge Web Interface.
To do so, execute the following script:
sicamgridedge_setup.sh -n

2.2.3 Mounting the USB Drive

To mount the USB drive, execute the following commands:


◇ Identify the USB drive:

    edge@NANOBOX-3:~$ sudo fdisk -l

The result of this command may look as follows:

    [sudo] password for edge:
    Disk /dev/sda: 28 GiB, 30016659456 bytes, 58626288 sectors
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disklabel type: gpt
    Disk identifier: 21602A5F-D802-4696-B737-AC1F52D3F17A

    Device      Start      End  Sectors  Size Type
    /dev/sda1    2048   133119   131072   64M EFI System
    /dev/sda2  133120 58626254 58493135 27.9G Linux filesystem

    Disk /dev/sdb: 3.8 GiB, 4009754624 bytes, 7831552 sectors
    Units: sectors of 1 * 512 = 512 bytes
    Sector size (logical/physical): 512 bytes / 512 bytes
    I/O size (minimum/optimal): 512 bytes / 512 bytes
    Disklabel type: dos
    Disk identifier: 0xc3072e18

    Device     Boot Start     End Sectors  Size Id Type
    /dev/sdb1  *       63 7831551 7831489  3.8G  c W95 FAT32 (LBA)

The last entry in this case is the USB stick (/dev/sdb1).

◇ Create a target folder for mounting:

    edge@NANOBOX-3:~$ sudo mkdir /media/usb-drive

◇ Mount the USB drive:

    edge@NANOBOX-3:~$ sudo mount /dev/sdb1 /media/usb-drive -o umask=000

◇ List the content of the mounted drive:

    edge@NANOBOX-3:~$ ls /media/usb-drive

The content will look like this:

    SICAM_GridEdge_1.1

◇ Copy the SICAM GridEdge setup data into the home directory:

    edge@NANOBOX-3:~$ cp -r /media/usb-drive/SICAM_GridEdge_1.1 ~

◇ Unmount the USB drive:

    edge@NANOBOX-3:~$ sudo umount /dev/sdb1

2.2.4 Example Installation

Below you can find an example of the installation steps.


    edge@NANOBOX-3:~$ id
    uid=1000(edge) gid=1000(edge) groups=1000(edge),1001(docker)
    edge@NANOBOX-3:~$ cd setup_x86_64/
    edge@NANOBOX-3:~/setup_x86_64$ chmod +x *.sh
    edge@NANOBOX-3:~/setup_x86_64$ ls -la
    total 21664
    drwxr-xr-x 3 pi pi 4096 Dec 9 17:12 .
    drwxr-xr-x 13 pi pi 4096 Dec 9 17:10 ..
    -rw-r--r-- 1 pi pi 11747993 Dec 9 17:00 docker-compose-1.23.2-Linux-x86_64
    -rw-r--r-- 1 pi pi 3885 Dec 9 17:00 docker-compose.yml
    -rwxr-xr-x 1 pi pi 1831 Dec 9 17:00 dumpstats_cron.sh
    -rw-r--r-- 1 pi pi 436 Dec 9 17:00 .env
    drwxr-xr-x 2 pi pi 4096 Dec 9 17:01 images
    -rwxr-xr-x 1 pi pi 178 Dec 9 17:00 open_valueviewer.sh
    -rwxr-xr-x 1 pi pi 1579 Dec 9 17:00 show_syslogs.sh
    -rw-r--r-- 1 pi pi 4550 Dec 9 17:01 SICAM_GridEdge_Changelog.md
    -rw-r--r-- 1 pi pi 295 Dec 9 17:00 sicamgridedge.ini
    -rw-r--r-- 1 pi pi 3925536 Dec 9 17:01 SICAM_GridEdge_Manual_en.pdf
    -rwxr-xr-x 1 pi pi 13801 Dec 9 17:00 sicamgridedge_modules.sh
    -rw-r--r-- 1 pi pi 590205 Dec 9 17:01 SICAM_GridEdge_PI_en.pdf
    -rw-r--r-- 1 pi pi 5800729 Dec 9 17:01 SICAM_GridEdge_ReadmeOSS.html
    -rwxr-xr-x 1 pi pi 14321 Dec 9 17:00 sicamgridedge_setup.sh
    -rwxr-xr-x 1 pi pi 20722 Dec 9 17:00 sicamgridedge.sh
    -rw-r--r-- 1 pi pi 13 Dec 9 17:01 version.info
    edge@NANOBOX-3:~/setup_x86_64$ sudo ./sicamgridedge_setup.sh

3 SICAM GridEdge Configuration

This section contains a guideline for configuring a SICAM GridEdge for use in combination with the Siemens
Grid Diagnostic Suite Applications.
3.1 Access to SICAM GridEdge Web Interface
3.2 General Settings
3.3 Application Configuration
3.4 Connection Status
3.5 Maintenance


3.1 Access to SICAM GridEdge Web Interface

The SICAM GridEdge Web interface is available at https://<STATION_LAN_IP>:8900, for example
https://192.168.1.1:8900.

Figure 3-1 Access to the SICAM GridEdge Web Interface

When you log on to SICAM GridEdge for the first time you need to set a password.


3.2 General Settings


To configure the SICAM GridEdge basic settings for the SIEMENS Grid Diagnostic Suite Applications, the
following steps have to be executed:

• Configure the cloud connection

• Configure the data filter (optional)

• Configure the station settings

Configuring the Cloud Connection

Figure 3-2 Cloud Connection

◇ Activate the Cloud Connection with the slider on the top.
◇ Enter the Station Name where your SICAM GridEdge is located (e.g. Station1_West).

NOTE

The name should be unique in your cloud platform.

◇ From the Cloud list box select the cloud platform you want to send data to (MindSphere, Azure,
On-Premise). Depending on the selection or option you will have to choose different settings.


MindSphere Specific Settings

[ic_mindsphere_spec, 1, en_US]

◇ Enter the Region according to your MindSphere Tenant.
Example: In the complete address https://<MindSphere Tenant Name>.eu1.mindsphere.io, you have to enter
only the region, that is, eu1.
◇ Enter the MindSphere Tenant Name according to your MindSphere Tenant.
Example: In the complete address https://<MindSphere Tenant Name>.eu1.mindsphere.io, you would only have
to enter the tenant name, that is, the part shown as <MindSphere Tenant Name>.

Azure-Specific Settings

[ic_azure_spec, 1, en_US]

◇ Enter the IoT Hub Name according to your configuration visible in Azure portal.
◇ Enable MQTT Over WebSockets to send data via WebSockets instead of native MQTT (this option can help
solve issues with firewall limitations in your network).

On-Premise Settings

[ic_on-premise_spec, 1, en_US]


² Enter the IP Address or Hostname of your MQTT Broker.


² Enter the Topic Name for which you want to publish data.

NOTE

i For the Topic Name it is possible to use tags which are replaced later on in the GridEdge system for
publishing data.

• {ClientID}: Is replaced by the Publisher ID of the device

• {T:d/t}{TM:m/t}{F:d/f}{FM:m/f}{E:d/e}{EM:m/e}: Defines subtopics or subdirectories depending on the


message type

• Abbreviation Meaning
– T Time Series key and delta frame
– TM Time Series meta frame
– E Events key and delta frame
– EM Events meta frame
– F Files key and delta frame
– FM Files meta frame

Examples with c/{ClientID}/o/opcua/{VersionMS}/u/{T:d/t}{TM:m/t}{F:d/f}{FM:m/f}{E:d/e}{EM:m/e}


and Client ID = "Q100_7KG95_GF1609500232":

Resulting topic name for time series delta frames: c/Q100_7KG95_GF1609500232/o/opcua/v3/u/d/t

Resulting topic name for events meta frame: c/Q100_7KG95_GF1609500232/o/opcua/v3/u/m/e

² To upload a (intermediate) Certificate Authority in a PKCS#12 container format, click CA PKCS#12 File.
If your PKCS#12 container is encrypted with a password, enter the password in the import dialog. If your
PKCS#12 file is not encrypted, leave the corresponding field empty.
Click Open to proceed.
For further information on certificate handling refer to 4.5 Certificate Management.
² Upload the Certificate Authority of the MindSphere Broker.

² Apply the changes.
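
The tag substitution described in the Topic Name note above, written out as an added example (not Siemens code) that computes the resulting topic per message type, for instance to derive per-device publish permissions on an on-premise broker. The value "v3" for {VersionMS} is read off the manual's resulting topic names, and rejecting "/", "+" and "#" in substituted values is this example's own check, not documented GridEdge behaviour.

```python
import re

# Message-type keys from the abbreviation list in the note above.
MESSAGE_TYPES = ("T", "TM", "E", "EM", "F", "FM")

_TAG = re.compile(r"\{([^{}]*)\}")
# Characters that would change the topic hierarchy or act as MQTT wildcards
# if they appeared inside a substituted value such as the Publisher ID.
_UNSAFE = re.compile(r"[/+#\x00]")


def expand_topic(template, message_type, values):
    """Resolve a Topic Name template for one message type.

    values maps plain tag names (e.g. "ClientID") to their replacement.
    Conditional tags such as {T:d/t} contribute their sub-topic only when
    their key equals message_type and are dropped otherwise.
    """
    if message_type not in MESSAGE_TYPES:
        raise ValueError(f"unknown message type: {message_type!r}")

    def replace(match):
        body = match.group(1)
        key, colon, subtopic = body.partition(":")
        if colon and key in MESSAGE_TYPES:
            return subtopic if key == message_type else ""
        if body not in values:
            raise KeyError(f"no value for tag {{{body}}}")
        value = values[body]
        if not value or _UNSAFE.search(value):
            raise ValueError(f"unsafe value for {{{body}}}: {value!r}")
        return value

    topic = _TAG.sub(replace, template)
    # A template without a tag for this message type would leave an empty level.
    if "" in topic.split("/") or "+" in topic or "#" in topic:
        raise ValueError(f"template does not yield a concrete topic: {topic!r}")
    return topic


def publish_topics(template, values):
    """Return {message type: topic} for every message type in the list."""
    return {mt: expand_topic(template, mt, values) for mt in MESSAGE_TYPES}


# Template and Client ID from the manual's example; "v3" for {VersionMS} is
# read off the manual's resulting topic names and is an assumption here.
TEMPLATE = "c/{ClientID}/o/opcua/{VersionMS}/u/{T:d/t}{TM:m/t}{F:d/f}{FM:m/f}{E:d/e}{EM:m/e}"
VALUES = {"ClientID": "Q100_7KG95_GF1609500232", "VersionMS": "v3"}

if __name__ == "__main__":
    for message_type, topic in publish_topics(TEMPLATE, VALUES).items():
        print(f"{message_type:2}  {topic}")
```

The six topics returned for one Publisher ID are the complete set that device's certificate needs to publish to under this template.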

Configuring the Data Filter


In the section Data Filter, you can optionally enter a filter string to filter which data is to be transmitted to the
external cloud platform. For the SIEMENS Grid Diagnostic Suite Applications, it is not required to add a filter
here.


If no filter string is entered, all data will be published. Several filter keys can be entered separated by semicolons.
The effect of the data filter on the data points can be viewed in the resulting table:

[sc_SICAM_GridEdge_data_filter, 2, en_US]

Figure 3-3 Data Filter

² Set the filter string, for example, to Hz;TotW.


All data points which either match Hz or TotW will be published.

NOTE

i To help you select the filters properly, adding a semicolon (";") at the end of the filter string shows
all data points that can be selected in the data table below.


Configuring the Station Settings

[sc_SICAM_GridEdge_station_settings, 3, en_US]

Figure 3-4 Station Settings

² Add the IP address range of the devices in the station network or dedicated IP addresses in Target IP
Addresses.
Example:
Target IP Addresses = 192.168.11.*;192.168.10.85
If the corresponding client is active (e.g. IEC 61850 Client, see Configuring the IEC 61850 Client,
Page 30), SICAM GridEdge will automatically scan for devices in the IP Range 192.168.11.1 to
192.168.11.254 and will additionally communicate with the device 192.168.10.85.


3.3 Application Configuration


To configure the SICAM GridEdge application settings for the SIEMENS Grid Diagnostic Suite Applications, you
have to configure the IEC 61850 Client.

Configuring the IEC 61850 Client


IEC 61850 Client is used to fetch data from IEC 61850-capable devices and transfer them via SICAM GridEdge
to the external cloud platform.

[sc_SICAM_GridEdge_IEC61850_Client, 3, en_US]

Figure 3-5 IEC 61850 Client

² Activate IEC 61850 Client.


² If files (COMTRADE, COMFEDE) from devices shall be fetched and transferred to the external cloud platform,
enable Collect Files.
² Select Siemens Grid Diagnostic Suite Profile as Data Profile.
² Apply the changes.
The Siemens Grid Diagnostic Suite Profile describes the data which is used by SIPROTEC Grid Diagnostic Suite
Applications. If this profile is used, only the data needed by these applications is fetched from the IEC 61850 devices.
SICAM GridEdge will transfer relevant data based on the determined device type (protection device, Power
Quality device) to the cloud platform.

Protection Devices

Table 3-1 Protection Devices – Grid Events

Grid Events Examples 61850 Path


Device not healthy: LDN Application/LLN0$ST$Health
Q0_Bay1/LLN0$ST$Health
Relay pickup: LDN Q0_Bay1/PTRC1$ST$Str

Relay trip: LDN Q0_Bay1/PTRC1$ST$Tr
Hotspot temp. warning: LDN PTS1_49HotSpot1/HTSP_PTTR1$ST$HSTWarn
PTS2_49HotSpot1/HTSP_PTTR1$ST$HSTWarn
Hotspot temp. alarm: LDN PTS1_49HotSpot1/HTSP_PTTR1$ST$HSTAlm
PTS2_49HotSpot1/HTSP_PTTR1$ST$HSTAlm
Changed settings n.a. (event is generated by GridEdge)

Table 3-2 Protection Devices – Measured Values

Measured Values Examples 61850 Path


Active Power (total): LDN TotW
Reactive Power (total): LDN TotVAr
Frequency: LDN Hz
Phase-to-phase voltage L12: LDN PPV$phsAB
Phase-to-phase voltage L23: LDN PPV$phsBC
Phase-to-phase voltage L31: LDN PPV$phsCA
Phase-to-ground voltage L1: LDN PhV$phsA
Phase-to-ground voltage L2: LDN PhV$phsB
Phase-to-ground voltage L3: LDN PhV$phsC
Calculated zero-sequence voltage: LDN PhV$res
Calculated zero-sequence current: LDN A$res
Phase current L1: LDN A$phsA
Phase current L2: LDN A$phsB
Phase current L3: LDN A$phsC

Table 3-3 Protection Devices – Condition Monitoring Values

Measured Values Examples 61850 Path


ΣIx L1: LDN CB1_CBWearMonitoring/PIx_SCBR1$ST$SumIxA
ΣIx L2: LDN CB1_CBWearMonitoring/PIx_SCBR1$ST$SumIxB
ΣIx L3: LDN CB1_CBWearMonitoring/PIx_SCBR1$ST$SumIxC
ΣI²t L1: LDN CB1_CBWearMonitoring/I2t_SCBR1$ST$SumI2tA
ΣI²t L2: LDN CB1_CBWearMonitoring/I2t_SCBR1$ST$SumI2tB
ΣI²t L3: LDN CB1_CBWearMonitoring/I2t_SCBR1$ST$SumI2tC
Make time: LDN CB1_CBWearMonitoring/MkTm_SCBR1$MX$MakeTime
2P Endur. L1: LDN CB1_CBWearMonitoring/P2P_SCBR1$ST$EnduA
2P Endur. L2: LDN CB1_CBWearMonitoring/P2P_SCBR1$ST$EnduB
2P Endur. L3: LDN CB1_CBWearMonitoring/P2P_SCBR1$ST$EnduC
Breaking-current sum CB1/XCBR1$ST$SumSwARs
Breaking-current sum L1 CB1/XCBR1$ST$SumSwARsA
Breaking-current sum L2 CB1/XCBR1$ST$SumSwARsB
Breaking-current sum L3 CB1/XCBR1$ST$SumSwARsC
Circuit breaker Operation Counter CB1/XCBR1$ST$OpCnt
Disconnector Operation Counter Dc1/XSWI1$ST$OpCnt


Table 3-4 Protection Devices – Protection Manager / Level 1 Information

Measured Values Examples 61850 Path


Circuit breaker position CB1/XCBR1$ST$Pos
Disconnector position Dc1/XSWI1$ST$Pos
79 successful CB1_79AutoReclosing/GEN_RREC1/Successful
Blk. by binary input CB1_79AutoReclosing/GEN_RREC1/BlkBinInp
Blk. by circuit breaker ready sup. CB1_79AutoReclosing/GEN_RREC1/BlkCBsup
Blk. by strtsig. superv. CB1_79AutoReclosing/GEN_RREC1/BlkStrtSup
Blk. by action time exp. CB1_79AutoReclosing/GEN_RREC1/BlkActTm
Blk. by max.d.t. expiry CB1_79AutoReclosing/GEN_RREC1/BlkDTexp
Blk. by max. d.t. delay CB1_79AutoReclosing/GEN_RREC1/BlkDTdlyEx
Blk. by evolving fault CB1_79AutoReclosing/GEN_RREC1/BlkEvolFlt
Blk. by no cycle CB1_79AutoReclosing/GEN_RREC1/BlkMatchCy
Blk. by protection CB1_79AutoReclosing/GEN_RREC1/BlkByProt
Blk. by dead-line check CB1_79AutoReclosing/GEN_RREC1/BlkDLC
Blk. by loss of voltage CB1_79AutoReclosing/GEN_RREC1/BlkVltFail
Blk. by max. cycles CB1_79AutoReclosing/GEN_RREC1/BlkMaxCyc
Direction PTRC1$ST$Str.dirGeneral
Direction L1 PTRC1$ST$Str.dirPhsA
Direction L2 PTRC1$ST$Str.dirPhsB
Direction L3 PTRC1$ST$Str.dirPhsC
Direction neutral PTRC1$ST$Str.dirNeut
Pickup L1 PTRC1$ST$Str.phsA
Pickup L2 PTRC1$ST$Str.phsB
Pickup L3 PTRC1$ST$Str.phsC
Pickup neutral PTRC1$ST$Str.neut
Fault distance Ln1/SE_RFLO1$MX$FltDis

Power Quality Devices

Table 3-5 Power Quality Devices – Grid Events

Grid Events Examples 61850 Path


Device Health LLN0$ST$Health
Battery Failure ZBAT1$ST$BatLo
Fault Record Stored PQA_RDRE1$ST$RcdMade
Frequency Variation Event Start PQA_QFVR1$ST$VarStr
Voltage Unbalance Event Start PQA_QVUB1$ST$VarStr
Voltage Variation Event Start PQA_QVVR1$ST$VarStr
Voltage Swell Event PQA_QVVR1$ST$SwlStr
Voltage Dip Event PQA_QVVR1$ST$DipStr
Voltage Interruption Event PQA_QVVR1$ST$IntrStr
Affected Phases by a Voltage Variation Event PQA_QVVR1$ST$AffPhs


Table 3-6 Power Quality Devices – Measured Values

Measured Values Examples 61850 Path


Voltage Variation Event Level PQA_QVVR1$MX$VVa
Voltage Variation Event Duration PQA_QVVR1$MX$VVaTm
Phase to Ground Voltage - Phase A PQA2MMXU1$MX$PhV$phsA
Phase to Ground Voltage - Phase B PQA2MMXU1$MX$PhV$phsB
Phase to Ground Voltage - Phase C PQA2MMXU1$MX$PhV$phsC
Phase to Phase Voltage - Phase AB PQA2MMXU1$MX$PPV$phsAB
Phase to Phase Voltage - Phase BC PQA2MMXU1$MX$PPV$phsBC
Phase to Phase Voltage - Phase CA PQA2MMXU1$MX$PPV$phsCA
Phase to Ground Voltage (Single Phase) PQA2MMXN1$MX$Vol
Phase to Ground Voltage - Neutral PQA2MMXU1$MX$PhV$neut
Average Phase to Phase Voltage PQA2MMXU1$MX$AvPPVPhs
Phase Current - Phase A PQA2MMXU1$MX$A$phsA
Phase Current - Phase B PQA2MMXU1$MX$A$phsB
Phase Current - Phase C PQA2MMXU1$MX$A$phsC
Phase Current (Single Phase) PQA2MMXN1$MX$Amp
Phase Current - Neutral PQA2MMXU1$MX$A$neut
Average Phase Current PQA2MMXU1$MX$AvAPhs
Active Power - Phase A PQA2MMXU1$MX$W$phsA
Active Power - Phase B PQA2MMXU1$MX$W$phsB
Active Power - Phase C PQA2MMXU1$MX$W$phsC
Total Active Power PQA2MMXU1$MX$TotW
Active Power (Single Phase) PQA2MMXN1$MX$Watt
Reactive Power - Phase A PQA2MMXU1$MX$VAr$phsA
Reactive Power - Phase B PQA2MMXU1$MX$VAr$phsB
Reactive Power - Phase C PQA2MMXU1$MX$VAr$phsC
Total Reactive Power PQA2MMXU1$MX$TotVAr
Reactive Power (Single Phase) PQA2MMXN1$MX$VolAmpr
Apparent Power - Phase A PQA2MMXU1$MX$VA$phsA
Apparent Power - Phase B PQA2MMXU1$MX$VA$phsB
Apparent Power - Phase C PQA2MMXU1$MX$VA$phsC
Total Apparent Power PQA2MMXU1$MX$TotVA
Apparent Power (Single Phase) PQA2MMXN1$MX$VolAmp
Power Factor - Phase A PQA2MMXU1$MX$PF$phsA
Power Factor - Phase B PQA2MMXU1$MX$PF$phsB
Power Factor - Phase C PQA2MMXU1$MX$PF$phsC
Power Factor PQA2MMXU1$MX$TotPF
Power Factor (Single Phase) PQA2MMXN1$MX$PwrFact
Cosinus Phi - Phase A PQA2MMXU1$MX$ActivePF$phsA
Cosinus Phi - Phase B PQA2MMXU1$MX$ActivePF$phsB
Cosinus Phi - Phase C PQA2MMXU1$MX$ActivePF$phsC
Cosinus Phi PQA2MMXU1$MX$TotActivePF
Cosinus Phi (Single Phase) PQA2MMXN1$MX$ActivePwrFact
Voltage Imbalance - Negative sequence component PQA2MSQI1$MX$ImbNgV
Current Imbalance - Negative sequence component PQA2MSQI1$MX$ImbNgA
Voltage Imbalance - Zero sequence component PQA2MSQI1$MX$ImbZroV
Current Imbalance - Zero sequence component PQA2MSQI1$MX$ImbZroA

Frequency PQA4MMXU1$MX$Hz
Frequency (Single Phase) PQA4MMXN1$MX$Hz
Total Harmonic Distortion Voltage - Phase A PQA2MHAI1$MX$ThdPhV$phsA
Total Harmonic Distortion Voltage - Phase B PQA2MHAI1$MX$ThdPhV$phsB
Total Harmonic Distortion Voltage - Phase C PQA2MHAI1$MX$ThdPhV$phsC
Total Harmonic Distortion Voltage - Phase AB PQA2MHAI1$MX$ThdPPV$phsAB
Total Harmonic Distortion Voltage - Phase BC PQA2MHAI1$MX$ThdPPV$phsBC
Total Harmonic Distortion Voltage - Phase CA PQA2MHAI1$MX$ThdPPV$phsCA
Total Harmonic Distortion Voltage (Single Phase) PQA2MHAN1$MX$ThdVol
Total Harmonic Distortion Current - Phase A PQA2MHAI1$MX$ThdA$phsA
Total Harmonic Distortion Current - Phase B PQA2MHAI1$MX$ThdA$phsB
Total Harmonic Distortion Current - Phase C PQA2MHAI1$MX$ThdA$phsC
Total Harmonic Distortion Current (Single Phase) PQA2MHAN1$MX$ThdAmp
Short Term Flicker - Phase A PQA2MFLK1$MX$PhPst$phsA
Short Term Flicker - Phase B PQA2MFLK1$MX$PhPst$phsB
Short Term Flicker - Phase C PQA2MFLK1$MX$PhPst$phsC
Long Term Flicker - Phase A PQA2MFLK1$MX$PhPlt$phsA
Long Term Flicker - Phase B PQA2MFLK1$MX$PhPlt$phsB
Long Term Flicker - Phase C PQA2MFLK1$MX$PhPlt$phsC
Harmonic Voltage Array - Phase A PQA2MHAI1$MX$HPhV$phsAHar
Harmonic Voltage Array - Phase B PQA2MHAI1$MX$HPhV$phsBHar
Harmonic Voltage Array - Phase C PQA2MHAI1$MX$HPhV$phsCHar
Harmonic Voltage Array - Phase AB PQA2MHAI1$MX$HPPV$phsABHar
Harmonic Voltage Array - Phase BC PQA2MHAI1$MX$HPPV$phsBCHar
Harmonic Voltage Array - Phase CA PQA2MHAI1$MX$HPPV$phsCAHar
Maximum Harmonic Voltage Array - Phase A MAX_PQA2MHAI1$MX$HPhV$phsAHar
Maximum Harmonic Voltage Array - Phase B MAX_PQA2MHAI1$MX$HPhV$phsBHar
Maximum Harmonic Voltage Array - Phase C MAX_PQA2MHAI1$MX$HPhV$phsCHar
Maximum Harmonic Voltage Array - Phase AB MAX_PQA2MHAI1$MX$HPPV$phsABHar
Maximum Harmonic Voltage Array - Phase BC MAX_PQA2MHAI1$MX$HPPV$phsBCHar
Maximum Harmonic Voltage Array - Phase CA MAX_PQA2MHAI1$MX$HPPV$phsCAHar
Harmonic Voltage Array (Single Phase) PQA2MHAN1$MX$HaVol
Maximum Harmonic Voltage Array (Single Phase) MAX_PQA2MHAN1$MX$HaVol
Harmonic Power Array - Phase A PQA2MHAI1$MX$HW$phsAHar
Harmonic Power Array - Phase B PQA2MHAI1$MX$HW$phsBHar
Harmonic Power Array - Phase C PQA2MHAI1$MX$HW$phsBHar
Harmonic Power Array (Single Phase) PQA2MHAN1$MX$HaWatt
Total Real Energy Supply MMTR1$ST$SupWh
Real Energy Supply (Single Phase) MMTN1$ST$SupWh
Total Real Energy Demand MMTR1$ST$DmdWh
Real Energy Demand (Single Phase) MMTN1$ST$DmdWh
Total Reactive Energy Supply MMTR1$ST$SupVarh
Reactive Energy Supply (Single Phase) MMTN1$ST$SupVarh
Total Reactive Energy Demand MMTR1$ST$DmdVarh
Reactive Energy Demand (Single Phase) MMTN1$ST$DmdVarh
Total Net Apparent Energy MMTR1$ST$TotVAh
Net Apparent Energy (Single Phase) MMTN1$ST$TotVAh


3.4 Connection Status


Using the Connection Status menu, you can easily check the connection status of all devices, both to the cloud
platform and to the devices themselves.
The table contains the following columns:

• Publisher ID: This is the ID which is used to transfer data to the cloud platform

• Protocol: The protocol used to connect to the device

• IP Address: The IP address of the device

• Device Connection: Shows if the device is currently connected, and also a timestamp when the status
changed the last time

• Cloud Connection: Shows if the device is currently connected to the cloud platform, and also a timestamp
when the status changed the last time

[sc_SICAM_GridEdge_conection_status, 1, en_US]

Figure 3-6 Connection Status


3.5 Maintenance
Using the Maintenance menu, you can back up and restore the configuration of SICAM GridEdge and also
change the password of the Web interface.

[sc_SICAM_GridEdge_Maintenance, 2, en_US]

Figure 3-7 Maintenance

Configuration Backup & Restore


In the Configuration Backup & Restore tile, you can back up and restore the configuration data of your SICAM
GridEdge system. Since the backup of the configuration data contains sensitive data, the backup will be
encrypted using the entered password with an AES128-SHA256 algorithm.

Password
In the Password tile, you can change the password of the currently logged-in user.

4 Security

4.1 Security Requirements
4.2 User Management
4.3 Backup and Restore
4.4 Diagnosis Log
4.5 Certificate Management
4.6 TCP-UDP Ports


4.1 Security Requirements

[sc_SICAM_GridEdge_security, 3, en_US]

Figure 4-1 Security Overview

The most important security requirements are:

• Authentication and authorization of the user

• Assurance of the integrity of the transmitted data

• Collecting and saving log files

• Operation of the system in a protected environment (physical security)

• Assurance of system restoration with no or only marginal data loss in case of a system failure

• Activation only of required services and ports

• Confidentiality of sensitive configuration data

SIMATIC Industrial OS
For security guidelines regarding SIMATIC Industrial OS, refer to the manual of SIMATIC Industrial OS.

NOTE

i Detailed information about securing a Linux system can be found in the manual from debian.org
(https://www.debian.org/doc/manuals/securing-debian-manual/index.en.html)


4.2 User Management


In SICAM GridEdge only 1 user account is supported. For the first login a password for the user has to be set.

NOTE

i Only the salt and the password hash are stored in the database. The HMACSHA256 algorithm is used
for this.

Changing the Password


You can change the password in the Password tile of the Maintenance page (see Password, Page 36).

[sc_SICAM_GridEdge_sec_passwordchange, 2, en_US]

Figure 4-2 Change Password

Logging Off
For a proper logoff from SICAM GridEdge, either close all instances of your Web browser or log out using the
corresponding symbol in the upper right corner:

Also, if you leave the SICAM GridEdge Web interface unattended, the system will automatically log off your current
session after 20 minutes.


[sc_SICAM_GridEdge_logoff, 1, en_US]

Figure 4-3 Logoff


4.3 Backup and Restore


SICAM GridEdge manages the components of a system and all project data associated with the system. Project
data is stored, encrypted with a machine key, in a database and can be exported/imported using the
3.5 Maintenance page of the SICAM GridEdge Web interface.
In order to save a project as a backup file and restore it later, you can archive the project created in SICAM
GridEdge with the current timestamp.

NOTE

i The backup will be encrypted with the entered password and AES128-SHA256 encryption.

NOTE

i Each time you update to a newer version of SICAM GridEdge, it is recommended to use the backup and
restore mechanism.

Archiving a Project

[sc_SICAM_GridEdge_sec_backup_pw, 2, en_US]

Figure 4-4 Archiving a Project with Password Protection

² On the Maintenance page, in the Configuration Backup & Restore tile, click Save.
² In the Save Configuration dialog, enter the Password to be used to protect your archived project.
² Click Save.


Restoring a Project
In order to restore a project you have to select your previously created backup file and enter the used password.

[sc_SICAM_GridEdge_sec_restore, 2, en_US]

Figure 4-5 Restoring a Project

² On the Maintenance page, in the Configuration Backup & Restore tile, click Restore.
² In the Restore Configuration dialog, enter the Password.
² Click Restore from file (.geconf).

NOTE

i After restoring all modules, SICAM GridEdge will be restarted with the restored configuration.

NOTE

i The password for the SICAM GridEdge user will also be stored along with the backup. After restoring, the
password which was present at the time the backup was created will be active.


4.4 Diagnosis Log


General
SICAM GridEdge provides a diagnosis log which chronologically acquires and categorizes system relevant
events according to their origin and severity. It can be accessed via Diagnosis.
Furthermore, the Diagnosis menu allows you to download all relevant log files from the SICAM GridEdge
system.

NOTE

i By default, only the last 100 log entries will be shown.
To select the number of log entries to be shown, use the radio buttons in the upper right corner.

NOTE

i By default, the diagnosis log will automatically be updated.
If you need to avoid scrolling, e.g. for a detailed investigation, the update mechanism can be paused by
using the Pause symbol in the upper right corner.

[sc_SICAM_GridEdge_sec_logging, 3, en_US]

Figure 4-6 Diagnosis Log

Structure of Events

| Element | Description |
|---|---|
| Date/Time (UTC) | Date and Time when the event was received or logged. Time format: yyyy-mm-dd hh:mm:ss.tt (time when the event was created). All events are written in UTC time. |
| Type | Levels of the event: Info > Warning > Error |
| Source | The name of the source that generated the log entry |
| Message | The message part of an event. Depending on the event, the message text can contain additional information of the affected component (for example Publisher ID, Device IP Address). |

Download Log Information


For documentation purposes, you can easily download all available log information by clicking Download
Logs in the upper right area.


4.5 Certificate Management


SICAM GridEdge automatically creates a client certificate for each connected device with the configured
intermediate certificate authority.
The following figure describes the process.

[sc_SICAM_GridEdge_sec_certman, 3, en_US]

Figure 4-7 Certificate Management Process

With SICAM GridPass you can easily generate an intermediate certificate authority which includes all needed
information for SICAM GridEdge.
To enable a TLS secured connection to a cloud platform, SICAM GridEdge needs an intermediate certificate
authority (including public and private key; this certificate needs SHA-256 with RSA-4096 encryption)
uploaded to the Web interface as well as the root certificate authority of the cloud platform (refer to
Configuring the Cloud Connection, Page 25).
In order to enable the mandatory end-to-end encryption (TLS) between SICAM GridEdge and the MQTT
Broker of MindSphere, it is required to upload the (intermediate) certificate authority to the SICAM GridEdge Web
interface (including public and private key; this certificate needs SHA-256 with RSA-4096 encryption) as well
as the root certificate authority of the cloud platform.

NOTE

i Details on how to create or obtain the required certificates are described in the MindSphere IoT Engineering
Guide.

Whenever SICAM GridEdge finds a new device in the station network (refer to Configuring the Station
Settings, Page 29) a certificate is created for the device which is used for the cloud connection and stored in
the SICAM GridEdge database.

NOTE

i The device certificates are created using SHA-256 with RSA-4096 encryption.


NOTE

i If you need to update the intermediate certificate authority (e.g. because it is expired or revoked), you only
need to upload the updated intermediate certificate authority to the SICAM GridEdge system. SICAM GridEdge
will also automatically update the created device certificates based on the new intermediate
certificate authority.


4.6 TCP-UDP Ports


Table 4-1 Overview of the SICAM GridEdge security features

Topic: HTTPS
Description: For access to the Web interface of SICAM GridEdge as well as for the transfer of files to
MindSphere, the secure HTTPS communication protocol is used. Unencrypted HTTP access is not
supported.
SICAM GridEdge supports the following HTTPS features:

• The open source software OpenSSL is used for the TLS implementation.
• SICAM GridEdge generates a self-signed TLS certificate, which is therefore not signed and
confirmed by a certification authority. When using the SICAM GridEdge Web interface,
all browsers will show a warning about an unknown certificate and an
untrusted connection. Due to the authentication scheme used by browsers, Siemens
cannot provide certificates (for example, during assembly) to be used for HTTPS with
browsers. This is because either the DNS name or the IP address of the device has to be
part of the signed certificate, both of which are ultimately determined after installation
at the site of the customer. That is why the products generate a self-signed certificate
after the IP address has been set. This self-signed certificate has to be trusted in a secure
way on all clients used to access this device. You can find the recommended way of
trusting self-signed certificates in the document Certificate trusting in Web browsers.
You can find this document at http://www.siemens.com/gridsecurity, Downloads >
Downloads Cyber Security General > Application Notes.
The certificate is generated once during first startup of SICAM GridEdge and uses all
available IP addresses as well as the hostname.
• The transfer of files received from clients/devices to MindSphere is encrypted. The
corresponding certificate is used for this.

Topic: MQTT
Description:
• SICAM GridEdge establishes a TLS secured connection to the external cloud platform. To
do so, SICAM GridEdge automatically creates certificates for the connected clients based
on the configured certificate authority (refer to 4.5 Certificate Management).

NOTE

i Deploy in a secured environment only: Siemens recommends protecting network access to its energy
automation products with appropriate mechanisms (for example, firewalls, segmentation, VPN). It is advised to
configure the environment according to the operational guidelines in order to run the devices in a
protected IT environment.
You can find the recommended security guidelines to Secure Substations at http://www.siemens.com/gridsecurity,
Cyber Security General Downloads > Manuals.

The following table lists the programs and services that communicate between members of the network. If 2
members are in different subnetworks, the ports and protocols must be opened in the firewalls between the
subnetworks.

Table 4-2 Used TCP-UDP ports

| Communication Protocol | Network | Server/Client | TCP/UDP | Port | Description |
|---|---|---|---|---|---|
| HTTPS | LAN | Server | TCP | 8900 | TLS Connection to a Web browser for configuration of SICAM GridEdge |
| HTTPS | WAN | Client | TCP | 443 | TLS Connection to MindSphere for uploading files |
| IEC 61850 | LAN | Client | TCP | 102 | Communication with a device using IEC 61850 in station network |
| OPC UA PubSub (MQTT) | WAN | Client | TCP | 8883 | Publishing of OPC UA encoded data to a MQTT broker for Internet of Things (IoT) |
| DNS | WAN | Client | UDP | 53 | Used by MQTT for domain name resolution |
| NTP | WAN/LAN (depending on configuration) | Client | UDP | 123 | Time Synchronization for the IPC with NTP |

NOTE

i If you have configured a proxy for filtering by URL, keep in mind that the URLs for Uploading Files and for
MQTT Connection differ.
Defaults for MindSphere:

• MQTT: mqtt.eu1.mindsphere.io

• File Transfer: https://gateway.eu1.mindsphere.io/
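
A check built from Table 4-2 and the Target IP Addresses example in Configuring the Station Settings, added here as an example (not Siemens code): it flags observed flows of the SICAM GridEdge host that the manual does not account for, including IEC 61850 connections to addresses outside the configured targets. The flow tuple format and the sample flows are constructed, and only the two target forms shown in the manual (single address, a.b.c.*) are parsed.

```python
import ipaddress

# Table 4-2 from SICAM GridEdge's point of view: "in" = GridEdge is the
# server (port is its local port), "out" = GridEdge is the client (remote port).
TABLE_4_2 = {
    ("in", "tcp", 8900): "HTTPS (Web interface)",
    ("out", "tcp", 443): "HTTPS (file upload)",
    ("out", "tcp", 102): "IEC 61850",
    ("out", "tcp", 8883): "OPC UA PubSub (MQTT)",
    ("out", "udp", 53): "DNS",
    ("out", "udp", 123): "NTP",
}


def parse_targets(spec):
    """Turn a Target IP Addresses string into inclusive (first, last) ranges.

    Handles the two forms shown in the manual: a single IPv4 address, and
    a.b.c.* which is scanned as a.b.c.1 to a.b.c.254.
    """
    ranges = []
    for item in (part.strip() for part in spec.split(";")):
        if not item:
            continue
        if item.endswith(".*"):
            first = ipaddress.IPv4Address(item[:-2] + ".1")
            last = ipaddress.IPv4Address(item[:-2] + ".254")
        else:
            first = last = ipaddress.IPv4Address(item)
        ranges.append((first, last))
    return ranges


def classify(flow, ranges):
    """Return (expected, reason) for a flow (direction, protocol, peer, port)."""
    direction, protocol, peer, port = flow
    service = TABLE_4_2.get((direction, protocol.lower(), port))
    if service is None:
        return False, "not listed in Table 4-2"
    if service == "IEC 61850":
        address = ipaddress.IPv4Address(peer)
        if not any(first <= address <= last for first, last in ranges):
            return False, "IEC 61850 peer outside Target IP Addresses"
    return True, service


def unexpected_flows(flows, target_spec):
    """Return [(flow, reason)] for every flow the manual does not account for."""
    ranges = parse_targets(target_spec)
    findings = []
    for flow in flows:
        expected, reason = classify(flow, ranges)
        if not expected:
            findings.append((flow, reason))
    return findings


TARGETS = "192.168.11.*;192.168.10.85"  # example value from section 3.2

# Constructed flow records (documentation addresses for the WAN side).
SAMPLE_FLOWS = [
    ("in", "tcp", "192.168.11.5", 8900),    # browser to Web interface
    ("out", "tcp", "192.168.11.20", 102),   # device inside 192.168.11.*
    ("out", "tcp", "192.168.10.85", 102),   # dedicated target
    ("out", "tcp", "192.168.10.86", 102),   # IEC 61850 to a non-target
    ("out", "tcp", "192.168.11.255", 102),  # outside the .1 to .254 scan range
    ("out", "tcp", "203.0.113.10", 8883),   # MQTT over TLS
    ("out", "tcp", "203.0.113.10", 1883),   # unencrypted MQTT port
    ("in", "tcp", "192.168.11.5", 80),      # plain HTTP, not supported
    ("out", "udp", "203.0.113.53", 53),     # DNS
]

if __name__ == "__main__":
    for flow, reason in unexpected_flows(SAMPLE_FLOWS, TARGETS):
        print(flow, "->", reason)
```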
