Addressing the challenges associated with IIoT requires an ecosystem with strong partners – especially in security


Eurotech is a company deeply rooted and experienced in the embedded and Operational Technology (OT) world. GlobalSign is a leading WebTrust-certified certificate authority and provider of Identity Services. Both companies have teamed up to address some of the fundamental challenges associated with a solid IoT security approach.

For both customers and system integration partners, this results in products, services and best-practice blueprints that reduce and contain the complexity, effort and cost of device attestation and device integrity.

Eurotech delivers enhanced computing, communication technologies, and innovative IoT building blocks to provide competitive advantages for its customers. Its rugged Multi-service IoT Edge Gateways are designed to offer a robust and secure foundation for developing and deploying edge-to-cloud IoT applications in demanding vertical markets, such as industrial/manufacturing, energy & utilities, medical, transportation, agriculture and mining.

That robust and secure foundation relies on implementing and maintaining security best practices and on leveraging proven standards from the beginning. A strong and well-protected device or asset identity is a foundational building block of any secure IoT solution.

But for many organizations, solid device and identity management throughout the lifecycle of a product (including its supply chain) is technically challenging. As a result, device identity management is a substantial factor in the Total Cost of Ownership (TCO) of a secure IoT infrastructure.

Combining the partners' technology and best practices from a security, IT and OT perspective makes it possible to productize an integrated solution that addresses the points above effectively.


Some fundamental challenges to be addressed


  • How to ensure the integrity of devices, so that they can be trusted?
  • How to guarantee that credentials are issued only to trusted devices?
  • How to ensure that only trusted devices access the IoT platform or network?
  • How to safeguard device keys and secrets?
  • How to simplify secure on-boarding with IoT platforms?
  • How to do all of this efficiently, at scale?


The foundation for solid IoT device identity and attestation: PKI and certificates, a hardware root of trust with secure storage, and IoT device middleware that encapsulates much of the complexity


Working with X.509 certificates issued by a Public Key Infrastructure (PKI) is widely recognized as one of the strongest authentication mechanisms available and is the de facto best-in-class method for authenticating devices in an IoT infrastructure. Based on open standards, it is a widely adopted and trusted set of technologies in security-sensitive applications, providing strong identities and credentials that can be used for many purposes, such as encrypting data, signing documents, logon and authentication, or device attestation. GlobalSign is a trusted, globally recognized Certificate Authority and root of trust, delivering secure PKI and certificate provisioning through its IoT Identity Platform.

PKI and certificate provisioning

But device identities and credentials are only as secure as the methods used to create and protect them. This is where the Trusted Platform Module (TPM) plays its role. TPM (now at version 2.0) is a proven technology for generating and protecting private keys in hardware, so that the secret behind a device certificate never leaves the chip, while also providing additional cryptographic functions.

A TPM is a highly standardised security hardware module (the TPM 2.0 library specification is also published as ISO/IEC 11889), designed to protect the integrity and authenticity of embedded devices. Infineon is a leading TPM chip manufacturer, delivering a hardware root of trust and secure hardware storage with its OPTIGA™ TPM, which Eurotech has adopted as an integral building block of its IoT Gateways and Edge Computers.

The secure edge consists of proven, application-optimized Eurotech hardware (boards, gateways, edge servers) with a TPM and a software stack that includes a managed Linux operating system and a powerful IoT device middleware, the Everyware Software Framework (ESF). This modular but highly integrated set of building blocks significantly reduces the complexity and effort of developing an edge solution.

It is exactly this integrated hardware and software approach that encapsulates the complexity and reduces the effort of implementing a solid IoT security solution extending from the world of IT to the far edge of the OT infrastructure.

IoT device identity and attestation

Strong device identity is an essential element of IoT security. But device identities and their management throughout the lifecycle of a product are technically complex and challenging to implement for many organisations. This makes effective device identity management a substantial factor in the Total Cost of Ownership (TCO) of secure IoT infrastructures.

Cloud device enrollment

Solid IoT device identity and attestation starts with the Trusted Platform Module built into the device. The Infineon TPM used in Eurotech's devices comes with a unique Endorsement Key (EK) pair created when the TPM is manufactured, whose private part never leaves the chip, together with an EK certificate issued by Infineon. The EK is the basis for authentication: it allows a verifier to validate the origin and integrity of the TPM, and further device keys created inside the TPM can be cryptographically tied to it.

As the platform manufacturer, Eurotech extends this trust by adding an Initial Device Identifier (IDevID), the manufacturer-installed, certificate-based device identity defined in IEEE 802.1AR, whose private key is generated and kept in the TPM's secure storage. As an essential first step in the supply chain, this process attests the identity and integrity of the manufactured Eurotech device, including the software stack it is delivered with.

The secure “Zero-Touch” on-boarding with IoT platforms

These certificate-based identities also provide the foundation for secure zero-touch provisioning with different IoT platforms and cloud services.

For example, Eurotech has worked with GlobalSign, as certificate authority, and Microsoft, with its Azure IoT Identity Service, to extend the chain of trust to cloud connectivity. This is achieved by enrolling additional Locally Significant Device Identifiers (LDevIDs): certificates issued in the customer's own trust domain on the strength of the device's IDevID, which attest the customer's ownership of the device and are then used for automatic device provisioning and authentication to the cloud.
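To make the two-stage chain described above concrete, the following is an added example (not Eurotech's, GlobalSign's or Infineon's code) that reproduces the two issuing steps with the openssl command line: a manufacturer CA signs a long-lived IDevID at production time, and an operator CA issues a short-lived LDevID only after the presented IDevID verifies against the manufacturer CA. It assumes openssl is installed and uses plain software keys in a temporary directory; the CA names, device serial and hostnames are invented. On a real gateway the device keys would be generated inside the TPM and never exported, and the CSR would be signed there.

```shell
#!/bin/sh
# Added example, not vendor code. Models the IDevID -> LDevID chain with OpenSSL.
# Assumes: openssl CLI present; all names and serials are made up.
# Device keys are plain files here; on a real device they stay inside the TPM.
set -e

WORK="$(mktemp -d)"
cd "$WORK"

# Issue a self-signed CA certificate for one of the two roles.
make_ca() {               # $1 = file prefix, $2 = subject
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.crt" \
    -subj "$2" -days 3650 >/dev/null 2>&1
}

# Generate a device key (stand-in for a TPM-resident key) and a CSR for it.
make_device_csr() {       # $1 = file prefix, $2 = subject
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$1.key" >/dev/null 2>&1
  openssl req -new -key "$1.key" -out "$1.csr" -subj "$2" >/dev/null 2>&1
}

# Does the leaf certificate chain to the given CA? Exit status is the answer.
chains_to() {             # $1 = CA cert, $2 = leaf cert
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Manufacturer step: sign the IDevID. The subject carries the device serial
# number, as IEEE 802.1AR suggests, and the lifetime matches the device's.
issue_idevid() {          # $1 = csr, $2 = output cert
  openssl x509 -req -in "$1" -CA mfg-ca.crt -CAkey mfg-ca.key -CAcreateserial \
    -out "$2" -days 7300 >/dev/null 2>&1
}

# Operator step: issue an LDevID only if the presented IDevID chains to the
# manufacturer CA. This is the "credentials only to trusted devices" gate.
enroll_ldevid() {         # $1 = presented IDevID, $2 = csr, $3 = output cert
  if ! chains_to mfg-ca.crt "$1"; then
    echo "enroll: IDevID does not chain to the manufacturer CA, refusing" >&2
    return 1
  fi
  openssl x509 -req -in "$2" -CA owner-ca.crt -CAkey owner-ca.key -CAcreateserial \
    -out "$3" -days 365 >/dev/null 2>&1
}

make_ca mfg-ca   "/O=Example Manufacturer/CN=Example IDevID CA"
make_ca owner-ca "/O=Example Operator/CN=Example LDevID CA"

# Production line: the device receives its IDevID from the manufacturer CA.
make_device_csr idevid "/O=Example Manufacturer/serialNumber=GW-000123/CN=gateway-000123"
issue_idevid idevid.csr idevid.crt

# Onboarding: the genuine device presents its IDevID plus a CSR for an LDevID.
make_device_csr ldevid "/O=Example Operator/CN=gateway-000123.plant-a.example"
enroll_ldevid idevid.crt ldevid.csr ldevid.crt

# Counterfeit: a self-signed "IDevID" with the same subject but no manufacturer
# signature. Enrollment must refuse it and issue nothing.
make_device_csr rogue "/O=Example Manufacturer/serialNumber=GW-000123/CN=gateway-000123"
openssl x509 -req -in rogue.csr -signkey rogue.key -out rogue.crt -days 7300 >/dev/null 2>&1
if enroll_ldevid rogue.crt ldevid.csr rogue-ldevid.crt; then
  echo "BUG: rogue device was enrolled" >&2
  exit 1
fi

echo "IDevID: $(openssl x509 -in idevid.crt -noout -subject)"
echo "LDevID: $(openssl x509 -in ldevid.crt -noout -subject -issuer)"
```

The point of the script is the gate in `enroll_ldevid`: the operator never trusts a device's self-assertion, only a certificate that chains to the manufacturer's root, and the rogue device with an identical subject is rejected for that reason alone. A production enrollment service would additionally check the TPM's EK certificate, revocation status and the device's ownership record before issuing the LDevID.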

Device identities life cycle

White Paper: Secure IoT begins with Zero-Touch Provisioning at scale


What’s the largest roadblock to realizing the promise of the Internet of Things? For many organizations, the obstacle delaying widespread deployments is the strategy for onboarding the necessary edge resources for a lifetime of secure operation. This paper presents the solution offered by Infineon Technologies, GlobalSign, Eurotech and Microsoft to address the complex task of the onboarding of edge devices to the cloud application infrastructure.

Everyware Software Framework (ESF): tying the building blocks together

The Everyware Software Framework (ESF), Eurotech's IoT edge framework layered on top of its Edge Computers and IoT Gateways, enables customers and system integration partners to effectively build, deploy and manage assets in demanding environments.

Especially when enabling and leveraging advanced security features, a solid middleware approach combined with a managed operating system helps encapsulate the complexity of implementing and maintaining an X.509 certificate-based security approach backed by the TPM. The security features implemented in ESF simplify many security aspects, including the use and management of certificates.

ESF security features

ESF provides benefits beyond the security aspects mentioned above. It comes with a wide range of supported field protocols, addressing the development and connectivity challenges encountered in OT applications. Edge developers can deploy applications running natively or use ESF Wires to visually compose data pipelines for their edge devices. ESF Wires has been extended to integrate with IoT platforms and services, including Everyware Cloud, Microsoft Azure and AWS IoT. With minimal configuration and setup, ESF users can interface with field devices and protocols and efficiently publish data from the world of operational technology to leading IoT platforms and cloud services.

The solid and proven edge node and gateway architecture (software and hardware) significantly lowers many of the major contributors to the total cost of ownership of an IoT solution, such as device software lifecycle management, logging, certifications (carrier and vertical) and security. Device abstraction at the middleware level effectively addresses the challenges of changing hardware requirements and component end-of-life. The risks of IoT solutions are further mitigated by long product life support, extended warranty options and a broad professional services offering.

Eurotech’s value proposition extends beyond products and technology

For customers and system integration partners that require further support and services, Eurotech offers a comprehensive professional services portfolio. This includes, but is not limited to, development and design services to further customize and optimize Edge Computers and IoT Gateways for a specific use case, as well as the implementation of new and legacy field protocols, project management, certifications, consulting and long product life support.
