By Bill Lydon, Editor, Automation.com
Roaming through the sea of exhibits and technologies at Hannover Messe 2018, it quickly became clear that many in the computing industry are focused on implementing a new holistic cyber security approach, which encompasses the entire architecture including cloud, enterprise, and edge devices. As cybersecurity protection is today being deployed independently at multiple levels of automation system architectures, this new holistic cybersecurity systems architecture is working to provide built-in cybersecurity protection at the most fundamental element of the system. This is designed to achieve integrated cybersecurity protection from the broader enterprise down into specific edge devices. These efforts are being driven by the increasing requirements of cybersecurity protection, due to the rise of intelligent edge devices including controllers, sensors, actuators, motor controls, etc. This article will explore some of these efforts and explain how they are shaping the future of cybersecurity in industrial automation.
Cyber Secure Systems on a Chip (SoC) – A Game Changer?
The introduction of Cyber Secure Systems on a Chip (SoC) is an architectural improvement designed to address the broad scope of cybersecurity challenges. The key building blocks include cybersecurity functions and features embedded in Systems on a Chip (SoC) incorporating microprocessors, communications, cyber encryption, cloud security services, secure update services, and other functions.
The goal is to incorporate this new breed of processors, in order to implement more cybersecure industrial and process automation components including PLCs, controllers, sensors, actuators, motor controls, and other intelligent devices.
Part of a Larger Edge Migration
These developments are in step with a growing demand for more reliable, responsive, and secure edge devices to implement Industry 4.0 and other advanced architectures in manufacturing. Fueled by dramatic cost reductions for embedded processors, this has led to a flood of new smart edge devices including sensors, actuators, contactors, and other industrial automation and control components. These developments fit well with the NAMUR Industry 4.0 for Process initiative which focuses on creating smart sensors for process automation. As stated previously however, as more PLC and process controller functions are distributed into edge devices the need for cybersecurity protection increases. Relatedly, it is worth noting the ISA99, Industrial Automation and Control Systems Security committee has established a new working group for Level 0,1 issues, ISA99 Level 0,1 Working Group, ISA99 WG4, TG7. The purpose of the new Technical Group is to identify if Level 0,1 devices are adequately addressed in the exiting IEC 62443 series of standards, particularly IEC 62443-4-2, Technical Security Requirements for IACS Components.
Microsoft Enters the Fray with Azure Sphere
Perhaps one of the more unexpected developments at the event was the news that Microsoft is making an unexpected push into the chip business. Announcing “Azure Sphere,” Microsoft is combining a chip design, a cloud security service, and a Linux kernel with the goal of better securing billions of IoT devices around the world. In 2016, Microsoft announced that it had co-designed a FPGA (Field Programmable Gate Array), in order to enhance the intelligence of its cloud servers. This was the first instance of a Microsoft designed chip. Expanding on this genesis, Microsoft’s representatives at Hannover Messe described how the Azure Sphere includes a microcontroller (MCU) design which the company is licensing, royalty-free. Other features include:
The Microsoft hardware security module Pluton Security Subsystem creates a hardware root of trust, stores private keys, and executes complex cryptographic operations to create secure devices.
A new crossover MCU combines the a Cortex-A processor with the Cortex-M class processor.
Built-in network connectivity provides secured, online experiences and ensures devices are up to date.
The first Azure Sphere chip will be the MediaTek MT3620 which incorporates Arm Cortex-A7, which Microsoft shared as the result of years of close collaboration and testing between MediaTek and Microsoft. Other early partners include ARM, who worked closely for the integration of Cortex-A application processors into Azure Sphere MCUs.
OPC UA – OPC UA Global Discovery Server (GDS)
Microsoft is also joining the open-source push for OPC UA. At Hannover Messe 2018, I discussed developments with Microsoft’s Erich M Barnstedt the Principal Software Engineering Lead for Azure loT/Industrial IoT. Barnstedt explained how Microsoft contributed an open-source, cross-platform OPC UA Global Discovery Server (GDS) to the OPC Foundation, that will be available on the OPC Foundations’ GitHub. This is designed to bring the greatest value of a GDS deployment, through cybersecurity certificate management capability, while the OPC UA GDS also manages OPC UA server configuration and handles centralized discovery.
Google Brings In CLOUD IoT CORE
Microsoft was not the only industry giant entering the fray at Hannover Messe. Google showed off their Google Cloud CLOUD IOT CORE, a system designed for the management of connected IoT devices, like sensors, with Google’s cloud. The platform also serves as a pipeline for securely getting data to and from those devices. This effort has been enhanced through Google’s Partner ecosystem, which offer devices and kits that work with the Cloud IoT Core. These partners include: Allwinner Technology, Arm, Intel, Marvell, Microchip, Mongoose OS, NXP, Realtek, Sierra Wireless, and SOTEC.
Microchip, specifically, provided a prime example of a Google chip partner delivering Trusted and Secure Authentication with the ATECC608A chip.
Amazon Counters with the FreeRTOS
Not to be outdone by Microsoft and Google, Amazon too is making moves into the industrial IOT space. At Hannover Messe, they promoted the Amazon FreeRTOS, an IoT operating system for microcontrollers that are qualified through The Amazon FreeRTOS Qualification Program (Amazon FQP). The Amazon FQP outlines a set of security, functionality and performance requirements that all microcontrollers (along with the associated hardware abstraction layers and drivers) must meet.
Open sourced and based on the FreeRTOS kernel, a real-time operating system for microcontrollers, Amazon FreeRTOS has a large ecosystem of existing tools developed for the system. Amazon FreeRTOS includes software libraries designed to help users program commonly needed IoT capabilities into devices, such as the configuration of devices to a local network using common connectivity options like Wi-Fi or Ethernet. Amazon FreeRTOS also includes an over-the-air (OTA) update feature to remotely update devices with feature enhancements or security patches.
In order to secure this operating system, the Amazon FreeRTOS comes with libraries to help secure device data and connections, including support for data encryption, key management, and Transport Layer Security (TLS v1.2) which helps devices connect securely to the cloud.
Partners today that fully supports Amazon FreeRTOS features and capabilities include Espressif, Microchip, NXP Semiconductors, and STMicroelectronics.
Cybersecurity Not Just for the Giants: The Arm Mbed IoT Platform
It was not just the global giants that were making waves in IoT cybersecurity. Mbed’s Arm TrustZone technology was shared as a System on Chip (SoC) and CPU system-wide approach to security. TrustZone is hardware-based security built into SoCs by semiconductor chip designers who want to provide secure end points and a device root of trust. The family of TrustZone technologies can be integrated into any Arm Cortex-A and the latest Cortex-M23 and Cortex-M33 based systems.
The Arm Mbed IoT Device Platform is made up of two sets of products: device software and cloud-based device management services. These products are designed to securely move data from sensor to server. The Arm Mbed IoT Device Platform is a fully integrated device management solution. It provides the operating system, gateway, device management services, and partner ecosystem to speed adoption and deployment of IoT solutions.
Further, the Arm Mbed IoT Platform provides connectivity and communication for constrained devices. Partner companies have enabled 6LoWPAN, Bluetooth Low Energy, Thread, LoRa, WiFi, NFC, RFID, Mobile IoT (LPWA), cellular and Ethernet on Mbed.
The Mbed IoT platform secures the device itself from untrusted or malicious code, the communications between device and cloud, and the lifecycle of the system itself using uVisor, Mbed TLS, and Mbed Client respectively.
Bill’s Thoughts & Observations
The introduction of industry giants to the push for end-to-end cybersecurity architecture from the integrated circuit building blocks for smart devices, through the enterprise and cloud, is making waves in the dynamic cybersecurity environment. In problem solving, it is always important to identify root causes. In a sense, the lowest level processors in industrial controllers, process controllers, smart instrumentation, and other devices are fundamental root points of cybersecurity exposure.
Yet still, these necessary efforts are in the early stages of development, without common threads of standards and short of unique solutions from vendors.
To date, many of the architectures implemented are using methods similar to those in military, and have been cost prohibitive. These recent efforts are a result of companies trying to leverage the significantly lower cost of SoC in order to meet commercial criteria for manufacturers, and it is clear that more innovation is sure to follow.
These efforts are leaving users with a simple question: Should we hold off on new purchases of industrial controllers, process controllers, smart instrumentation, and other devices until these new secure SoC and methods are integrated into those devices?
With the entry of the industry giants, that question may be answered sooner rather than later.