How Edge Devices do not become a security vulnerability

Deniz Saner

01.06.2023

Wiki

10 minutes read

Welcome back! Since this is already blog post 5, let’s start with a short summary of the previous posts:

  1. OPC UA is not a standard you can count on: if you want to collect machine data, you have to connect controls and peripherals directly.

  2. Nowadays, point-to-point connections create a confusing, fragile network of data integrations. IIoT platforms like the ENLYZE Data Platform, on the other hand, record production data and make it accessible to systems. Furthermore, integrating new data sources is incredibly simple.

  3. To build scalable applications and workflows based on machine and production data, harmonization of data is required - this way, systems can be developed that do not need to know every detail of the plant control.

  4. The process of harmonizing plant data can be very tedious and time-consuming. The ENLYZE Data Platform helps by using the Variable Selection module to search, visualize, and finally harmonize data from all controls uniformly.

But how do you connect the OT world with the IT world? The answer is Edge Devices - small, powerful industrial computers designed for continuous operation that record data from machines and on-premise systems at the edge. Today, we will discuss what to consider when selecting Edge Devices and how to ensure they enable digital transformation without becoming a security gap or a Trojan horse in your own network.

Overview Blog Series Connectivity & Machine Data:

  1. OPC UA: Blessing or Curse for Industry 4.0?

  2. Digitalization Dilemma: Work for the data or work with the data

  3. From Euromap, data blocks, and harmonized data

  4. Data harmonization, or: What's my throughput called?

  5. How Edge Devices don't become a security gap

  6. No more closed systems

  7. Ready for all challenges in production with ENLYZE and Grafana

  8. The Key to AI in Production

Lesson #5: Edge devices are not "just hardware"

Many manufacturing companies that already use Edge Devices for the digitization of manufacturing evaluate them as a pure hardware product. Thus, we are often asked typical questions about the hardware specifications of the ENLYZE Spark during the onboarding phase:

  • How many CPU cores does the device have?

  • How much RAM do I have available?

  • What is the capacity of the hard drive?

From our perspective, however, the overall context is significantly more relevant than the hardware when selecting an Edge Device, if the decision is to be future-proof. The introduction of Edge Devices can be significantly accelerated if the IT department clarifies and documents several questions in advance. Below, we share the questions we have received from every customer’s IT. At the same time, we describe our system and the security measures that even the most security-conscious IT departments of our customers find convincing. We hope this contribution provides food for thought that accelerates your digitalization initiative.

🕸️ How is the Edge Device connected?

For Edge Devices to be used effectively in manufacturing, data from machine controls and production systems like ERP (Enterprise Resource Planning), MES (Manufacturing Execution Systems), and BDE (Operating Data Collection) must be collected and passed on to other systems. These systems run both on-premise and in the cloud.

Typically, Edge Devices are integrated into two networks:

  1. The machine network encompasses all machines and peripheral devices and is operated as an isolated demilitarized zone (DMZ).

  2. A second network (Network 2) that provides access to the internet and to the production systems mentioned above.

To ensure that the Edge Device does not become a network bridge, thereby undermining the DMZ, it is crucial to ensure that it is not configured as a router. Otherwise, all devices in Network 2 could communicate with the machines in the machine network.

Our Edge Device, the ENLYZE SPARK, is equipped with three separate Ethernet ports. This allows it to simultaneously collect both machine and production data from MES, ERP, and BDE, even when they are in separate networks. Moreover, no routing over the SPARK is possible, ensuring that the DMZ remains intact and no device outside the machine network can communicate with the machines.

In case of a problem, a diagnostic server can be provided via the third Ethernet port. This allows individuals without deep IT knowledge to get a first diagnosis and contact us or the IT department.

🥏 How do I update my devices and the software running on them?

With the increasing connectivity of all areas of manufacturing companies, the strategy of separating devices from the network and internet while not installing updates is no longer tenable.

This applies to Edge Devices in production as well. Every day, previously unknown security vulnerabilities (“zero-days”) are published that pose a significant risk to companies. Without a mechanism for updates, one has to choose between the danger of a ransomware attack and stagnating digitalization.

Also, at the application level, a secure and reproducible method for updating software is required. The days when software was specified, implemented, tested, and then never modified again are history. Instead of the traditional waterfall model, an iterative approach that prioritizes rapid learning and the ability to adapt has become established. However, this approach only works if an update of the software running on the Edge Device, also called "Deployment," can be done easily.

Our Edge Device, the ENLYZE SPARK, is regularly updated at both the operating system and application levels as part of our Managed Service. This is done via Over-The-Air updates, that is, via the internet, which means our customers incur no costs for on-site appointments and personnel.

Each Over-The-Air update is cryptographically signed to ensure its authenticity and to minimize the risk of the software update being compromised through DNS spoofing or subsequent modification.

To reduce the risk of defects caused by an update, the ENLYZE SPARK uses A/B partitions for updates: the device reboots into the other partition, into which the update was installed beforehand. If all system tests complete successfully, the previous state is discarded. In case of errors, the device boots into the previous state and discards the update. Thanks to this mechanism, we have not lost a single device in operation so far.
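As an added illustration (not ENLYZE's update agent, and not code from the page), the following Go program models the two mechanisms just described: the vendor signs a manifest that binds a version string to the image's SHA-256 with an Ed25519 key whose public half is built into the device, and the device stages the image into the inactive slot only when signature and hash both check out, reboots into it, and commits or rolls back depending on the health check. The manifest format, slot names and image bytes are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

type Slot int

const (
	SlotA Slot = iota
	SlotB
)

func (s Slot) Other() Slot { return 1 - s }

// Manifest is the signed part of an update: it binds a version to the SHA-256 of the image.
type Manifest struct {
	Version   string
	ImageHash [sha256.Size]byte
}

func NewManifest(version string, image []byte) Manifest {
	return Manifest{Version: version, ImageHash: sha256.Sum256(image)}
}

// SignedBytes is the canonical byte string the vendor signs (constructed format).
func (m Manifest) SignedBytes() []byte {
	return append([]byte("edge-update-v1|"+m.Version+"|"), m.ImageHash[:]...)
}

// Device models the A/B update state of one edge device.
type Device struct {
	vendorPub ed25519.PublicKey // baked into the image; verifies every manifest
	images    [2][]byte
	versions  [2]string
	active    Slot
	pending   bool // true from Reboot until HealthCheck commits or rolls back
}

func NewDevice(vendorPub ed25519.PublicKey, version string, image []byte) *Device {
	d := &Device{vendorPub: vendorPub}
	d.images[SlotA], d.versions[SlotA] = image, version
	return d
}

// Stage verifies signature and hash, then writes the image into the inactive slot.
func (d *Device) Stage(m Manifest, sig, image []byte) error {
	if !ed25519.Verify(d.vendorPub, m.SignedBytes(), sig) {
		return errors.New("update rejected: manifest signature invalid")
	}
	if sha256.Sum256(image) != m.ImageHash {
		return errors.New("update rejected: image does not match signed hash")
	}
	target := d.active.Other()
	d.images[target] = append([]byte(nil), image...)
	d.versions[target] = m.Version
	d.pending = true
	return nil
}

// Reboot boots the staged slot; the previous slot stays intact until HealthCheck.
func (d *Device) Reboot() {
	if d.pending {
		d.active = d.active.Other()
	}
}

// HealthCheck commits the new slot when the system tests pass and discards the old
// one; on failure it boots the old slot again and discards the update instead.
func (d *Device) HealthCheck(testsPassed bool) Slot {
	if !d.pending {
		return d.active
	}
	d.pending = false
	if !testsPassed {
		d.active = d.active.Other()
	}
	discard := d.active.Other()
	d.images[discard], d.versions[discard] = nil, ""
	return d.active
}

func (d *Device) RunningVersion() string { return d.versions[d.active] }

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dev := NewDevice(pub, "1.0", []byte("rootfs-1.0")) // constructed image bytes
	m := NewManifest("1.1", []byte("rootfs-1.1"))
	sig := ed25519.Sign(priv, m.SignedBytes())
	fmt.Println("tampered image:", dev.Stage(m, sig, []byte("rootfs-1.1-modified")))
	fmt.Println("genuine image: ", dev.Stage(m, sig, []byte("rootfs-1.1")))
	dev.Reboot()
	fmt.Println("running", dev.RunningVersion(), "after commit in slot", dev.HealthCheck(true))
}
```

The running slot is never written to, and a rejected manifest leaves the device exactly as it was; a real agent would additionally refuse manifests with a version lower than the one running, so that an old but validly signed image cannot be replayed.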

🤔 Which operating system should I run on the Edge Devices?

The choice of the right operating system for Edge Devices in the manufacturing industry can be challenging: Many companies primarily work with Windows and have the corresponding expertise. On the other hand, Linux has long established itself as the operating system for servers - even Azure moved away from the exclusive Windows Server model a few years ago.

Modern tools for managing (distributed) servers often support Windows only rudimentarily or not at all. Companies then rely on costly software that often does not reach the functionality of open-source tools. Since Microsoft itself is increasingly focusing on Linux in some areas and modern server development primarily takes place on Linux, attractiveness as an employer also plays a role in the choice of the operating system.

Our Edge Device, the ENLYZE SPARK, is based on its own Linux distribution, built on the Yocto Project. This includes only the essential packages and drivers to minimize the potential attack surface. In combination with the aforementioned update mechanism, the SPARK OS forms an infrastructure that enables our engineers to deploy critical security updates to over 100 devices in the field within less than 24 hours and continuously develop and update the software running on the SPARK in the field. Furthermore, this structure allows for quick migration to other Edge Devices should unforeseen delivery difficulties occur.

👷 How do I maintain my devices in the field?

Maintaining Edge Devices differs fundamentally from software running in the cloud. While one can log in directly via SSH for troubleshooting in the latter case, Edge Devices are embedded in the network infrastructure and, for good reason, are not reachable via a public IP.

Thus, troubleshooting becomes a bit more complicated: In case of doubt, one must travel to a location, find the correct factory hall, and organize a ladder since the device is mounted high up on a cable channel. After that, one connects to the device 5 meters up and begins troubleshooting amidst loud machine noise.

To spare our customers and employees this hassle, the ENLYZE SPARK features SSH remote access. This saves our customers 90% of support costs. Access is provided through a WireGuard VPN that all our devices are part of. Thanks to strict firewall rules, all other communication is blocked - only remote access, receiving configuration changes, and sending data are allowed.

Additionally, further internal security measures have been implemented to protect remote access. Only a limited number of system administrators have access to the keys needed for remote access, which are additionally protected by a hardware encryption module.
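The two firewall properties described above, no routing between the device's networks (so the DMZ stays intact) and an egress policy that permits nothing but the VPN tunnel and the data paths, can be checked mechanically. The following is an added example, not ENLYZE's configuration or code: a constructed sysctl drop-in and nftables ruleset for a dual-homed Linux device (the interface names eth0, eth1 and wg0, the WireGuard default port 51820 and the OPC UA port 4840 are assumptions), plus a small Go audit that parses both and reports any chain that does not default to drop and any forwarding switch that is not off.

```go
package main

import (
	"bufio"
	"fmt"
	"regexp"
	"strings"
)

// HardenedSysctl is a constructed sysctl drop-in for a dual-homed edge device:
// forwarding is off for both address families, so the kernel never relays packets between ports.
const HardenedSysctl = `# hypothetical file: /etc/sysctl.d/90-edge-no-routing.conf
net.ipv4.ip_forward = 0
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
`

// HardenedNft is a constructed nftables ruleset: the forward chain drops everything (no
// bridge between eth0 = machine network and eth1 = IT network), SSH is reachable only inside
// the WireGuard tunnel wg0, and egress is limited to the tunnel endpoint, the tunnel itself
// and OPC UA (4840) towards the machine network.
const HardenedNft = `table inet edge {
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    iifname "wg0" tcp dport 22 accept
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif lo accept
    oifname "eth1" udp dport 51820 accept
    oifname "wg0" accept
    oifname "eth0" tcp dport 4840 accept
  }
}
`

// WeakSysctl and WeakNft are constructed counter-examples: forwarding on, forward chain open.
const WeakSysctl = "net.ipv4.ip_forward = 1\nnet.ipv6.conf.all.forwarding = 0\n"
const WeakNft = `table inet edge {
  chain forward { type filter hook forward priority 0; policy accept; }
  chain input { type filter hook input priority 0; policy drop; }
  chain output { type filter hook output priority 0; policy drop; }
}
`

var chainRe = regexp.MustCompile(`type\s+filter\s+hook\s+(\w+)\s+priority\s+[^;]+;\s*policy\s+(\w+)\s*;`)

// ChainPolicies maps each base-chain hook (input, forward, output) to its default policy.
func ChainPolicies(ruleset string) map[string]string {
	policies := map[string]string{}
	for _, m := range chainRe.FindAllStringSubmatch(ruleset, -1) {
		policies[m[1]] = m[2]
	}
	return policies
}

// SysctlValues parses "key = value" lines, skipping blanks and comments.
func SysctlValues(conf string) map[string]string {
	values := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(conf))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		if kv := strings.SplitN(line, "=", 2); len(kv) == 2 {
			values[strings.TrimSpace(kv[0])] = strings.TrimSpace(kv[1])
		}
	}
	return values
}

// AuditNoRouting returns one finding per violated rule; empty means no bridging and deny-by-default.
func AuditNoRouting(sysctl, ruleset string) []string {
	var findings []string
	values := SysctlValues(sysctl)
	for _, key := range []string{"net.ipv4.ip_forward", "net.ipv6.conf.all.forwarding"} {
		if values[key] != "0" {
			findings = append(findings, fmt.Sprintf("sysctl %s must be 0 (got %q)", key, values[key]))
		}
	}
	policies := ChainPolicies(ruleset)
	for _, hook := range []string{"forward", "input", "output"} {
		if policies[hook] != "drop" {
			findings = append(findings, fmt.Sprintf("nft %s chain must have policy drop (got %q)", hook, policies[hook]))
		}
	}
	return findings
}

func main() {
	fmt.Println("hardened:", AuditNoRouting(HardenedSysctl, HardenedNft))
	fmt.Println("weak:    ", AuditNoRouting(WeakSysctl, WeakNft))
}
```

Run against the live system, the same audit would read `sysctl -a` and `nft list ruleset` output instead of the embedded constants; keeping the parser separate from the policy makes that a one-line change.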

🔐 How do I authenticate and authorize devices with other services?

To fully exploit the possibilities of digital production, Edge Devices must inevitably interact with other services and applications: Machine data is sent to an MQTT or AMQP broker, another service provides predictions based on an AI model, and yet another service monitors the temperature of all Edge Devices. All these services run in the cloud and enable a comprehensive overview of the entire production across various locations.

Given this multitude of connection points, the question arises: How do Edge Devices authenticate and authorize themselves with these services? When using third-party services, the mechanism is preset: With Google Cloud IoT Core, a device authenticates itself by generating a JWT (JSON Web Token) and signing it with its private key. Microsoft Azure's IoT Hub offers a similar mechanism based on X.509 certificates as well as the use of a Trusted Platform Module and symmetric keys.

The ENLYZE SPARK follows a similar challenge-response process based on asymmetric cryptography with Ed25519 keys:

  1. SPARK initiates an authentication process and shares its ID

  2. Server generates a random string

  3. SPARK signs the random string with the private key

  4. SPARK sends the signed string to the server

  5. Server validates the signature with the public key of the SPARK

  6. Server hands over a JWT to the SPARK

To minimize the attack surface in our system, the topology and authorization mechanisms of the data pipeline are designed so that a SPARK can only report data for the data sources assigned to it. This ensures that a SPARK cannot simply bring data into the system on behalf of other devices.
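The six steps and the source-scoping rule, as an added Go example (not ENLYZE's code, and nothing taken from the page): the server side hands out a random 32-byte nonce, verifies the device's Ed25519 signature over it, issues an HS256 JWT whose claims list the device's assigned data sources, and the ingest path accepts data only for a source named in the token. Device IDs, source names and the JWT secret are constructed; the device's step 3 is a plain ed25519.Sign call. The nonce is consumed before verification so a captured signature cannot be replayed, and the token's alg header is ignored because the server fixes the algorithm itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
	"time"
)

// Server keeps device keys, allowed data sources, outstanding challenges and the JWT HMAC key.
type Server struct {
	PubKeys   map[string]ed25519.PublicKey
	Sources   map[string][]string
	pending   map[string][]byte
	jwtSecret []byte
}

func NewServer(jwtSecret []byte) *Server {
	return &Server{PubKeys: map[string]ed25519.PublicKey{}, Sources: map[string][]string{},
		pending: map[string][]byte{}, jwtSecret: jwtSecret}
}

// Challenge is steps 1 and 2: the device presents its ID and gets a fresh 32-byte nonce.
func (s *Server) Challenge(id string) ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.pending[id] = nonce
	return nonce, nil
}

// Authenticate is steps 4 to 6 (step 3 on the device is ed25519.Sign(priv, nonce)).
// The nonce is consumed before verification, so a replayed signature fails.
func (s *Server) Authenticate(id string, sig []byte) (string, error) {
	pub, known := s.PubKeys[id]
	nonce, outstanding := s.pending[id]
	delete(s.pending, id)
	if !known || !outstanding || !ed25519.Verify(pub, nonce, sig) {
		return "", fmt.Errorf("authentication of %q failed", id)
	}
	return s.issueJWT(id), nil
}

// Claims carried in the token; Src scopes it to the device's own data sources.
type Claims struct {
	Sub string   `json:"sub"`
	Exp int64    `json:"exp"`
	Src []string `json:"src"`
}

func (s *Server) mac(input string) []byte {
	h := hmac.New(sha256.New, s.jwtSecret)
	h.Write([]byte(input))
	return h.Sum(nil)
}

func (s *Server) issueJWT(id string) string {
	body, _ := json.Marshal(Claims{Sub: id, Exp: time.Now().Add(time.Hour).Unix(), Src: s.Sources[id]})
	input := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + base64.RawURLEncoding.EncodeToString(body)
	return input + "." + base64.RawURLEncoding.EncodeToString(s.mac(input))
}

// Ingest is the pipeline check: verify MAC and expiry (the algorithm is fixed server-side,
// the token's own alg header is ignored), then accept data only for a source listed in the token.
func (s *Server) Ingest(token, source string) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed token")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil || !hmac.Equal(sig, s.mac(parts[0]+"."+parts[1])) {
		return fmt.Errorf("token signature invalid")
	}
	raw, _ := base64.RawURLEncoding.DecodeString(parts[1])
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil || time.Now().Unix() >= c.Exp {
		return fmt.Errorf("token unreadable or expired")
	}
	for _, allowed := range c.Src {
		if allowed == source {
			return nil
		}
	}
	return fmt.Errorf("device %s may not report for %s", c.Sub, source)
}

func main() {
	srv := NewServer([]byte("constructed-demo-secret"))
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv.PubKeys["spark-0001"], srv.Sources["spark-0001"] = pub, []string{"line-1/extruder"}
	nonce, _ := srv.Challenge("spark-0001")
	token, err := srv.Authenticate("spark-0001", ed25519.Sign(priv, nonce))
	fmt.Println(err, srv.Ingest(token, "line-1/extruder"), srv.Ingest(token, "line-2/press"))
}
```

Unknown IDs receive a nonce like everyone else, so the challenge step does not disclose which IDs are registered; the registry is consulted only when a signature is verified.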

☁️ How do I securely send data to the cloud?

Since the COVID-19 pandemic, we have seen a steady trend towards migrating on-premise systems to the cloud. Services such as Microsoft Teams, PowerBI, and Qlik have become widespread in the manufacturing industry.

To enrich these services with production data, this data must be transmitted securely and scalably to the cloud. Fortunately, events like the Snowden revelations have significantly accelerated the transition to encrypted connections. This means that every connection to services - whether in-house or third-party - should always occur via TLS (Transport Layer Security). Otherwise, data can easily be intercepted and read.

Although setting up this encryption entails a slight additional effort, thanks to free TLS certificates from Let's Encrypt, there are no costs for you.

The ENLYZE SPARK encrypts all communication with TLS and sends the data through the aforementioned encrypted VPN tunnel. This ensures that your production data is always secure, whether stored in the cloud or locally.
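To show what "always via TLS" means in code, here is an added Go example (not ENLYZE's code, and nothing from the page): a loopback stand-in for the cloud broker that accepts only TLS 1.3, and a device-side configuration that verifies the broker's hostname against a single pinned root instead of trusting the whole system store. The self-signed certificate replaces the Let's Encrypt certificate a real endpoint would use; the hostname broker.example.internal and the reading sent are constructed. A client without the root, or one limited to TLS 1.2, fails the handshake, which is what makes interception show up as an error instead of passing silently.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// brokerName is a hypothetical hostname for the cloud ingest endpoint.
const brokerName = "broker.example.internal"

// selfSignedCert stands in for the certificate a broker would obtain from a CA such as
// Let's Encrypt; being self-signed, it doubles as the root the device is told to trust.
func selfSignedCert() (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: brokerName},
		DNSNames:              []string{brokerName},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced, so this cannot fail
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// DeviceTLSConfig is the client side: TLS 1.3 only, hostname verified, and trust
// restricted to the one root the device ships with rather than the whole system store.
func DeviceTLSConfig(root *x509.Certificate) *tls.Config {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &tls.Config{MinVersion: tls.VersionTLS13, ServerName: brokerName, RootCAs: pool}
}

// StartEchoBroker accepts TLS 1.3 connections on loopback and echoes the first line received.
func StartEchoBroker(cert tls.Certificate) (net.Listener, error) {
	srvCfg := &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS13}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return nil, err
	}
	go func() {
		for {
			conn, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			go func(c net.Conn) {
				defer c.Close()
				if line, err := bufio.NewReader(c).ReadString('\n'); err == nil {
					c.Write([]byte(line))
				}
			}(conn)
		}
	}()
	return ln, nil
}

// SendMeasurement connects with cfg, sends one reading and returns the broker's echo;
// any certificate or protocol-version problem surfaces here as an error.
func SendMeasurement(addr string, cfg *tls.Config, reading string) (string, error) {
	conn, err := tls.Dial("tcp", addr, cfg)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	if _, err := fmt.Fprintf(conn, "%s\n", reading); err != nil {
		return "", err
	}
	return bufio.NewReader(conn).ReadString('\n')
}

func main() {
	cert, root, _ := selfSignedCert()
	ln, _ := StartEchoBroker(cert)
	defer ln.Close()
	echo, err := SendMeasurement(ln.Addr().String(), DeviceTLSConfig(root), "line-1/extruder/temp=212.4")
	fmt.Printf("pinned root, TLS 1.3: %q %v\n", echo, err)
	_, err = SendMeasurement(ln.Addr().String(), &tls.Config{ServerName: brokerName, MinVersion: tls.VersionTLS13}, "x")
	fmt.Println("system roots only:", err)
}
```

Pinning a root the device ships with is the part that keeps a spoofed DNS answer from paying off: a forged name resolves, but the forged certificate does not chain to that root and the handshake is refused.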

Even if these questions are only tangentially related to the physical Edge Device, they are often more relevant than the question regarding the hardware itself. If you can answer these questions together with your IT, you are already on the right track to digital manufacturing. We hope it was not too technical and that you still learned something from it. If you have questions while reading or suggestions for further articles, feel free to write to us: hello@enlyze.com