IoT Security at the Edge with Eurotech
David is joined by Marco Carrer, CTO of Eurotech, to examine the emergence of edge devices. They discuss what we mean by edge devices, the crucial role the edge is playing across all industries, and the challenges of edge security. We also discuss the benefits of industry collaboration and IoT security frameworks.
- What is the ‘edge’? What is its role? Why is security so important for this space?
- The importance of industry collaboration and how Eurotech used their PSA Certified Level 1 certification as a building block for an IEC62443 certification.
- Eurotech’s predictions for what the IoT landscape will look like in 5 years, and the emergence of edge workload consolidation.
Discover Key Talking Points in this Episode
- Introductions to Marco Carrer and Eurotech. [01:01]: “My name is Marco and, as David mentioned, I am CTO of Eurotech. Eurotech is an edge company. We are based in Italy, but we actually operate worldwide and our customer base is in the USA, Europe, and Japan. In our product offering, we offer edge computing solutions in the form of edge computing nodes for different industries and different verticals, so that being the industrial, energy, medical, or transportation sector. We complement those edge offerings with software components, both for data acquisition and edge analytics, as well as for edge management. We work with our customers in integrating these building blocks in the form of hardware, software and integrated hardware and software offerings as part of their IoT solutions: collecting the data at the edge and in the field, enabling edge processing and managing the fleet of devices. As you can imagine, security is of paramount importance in these types of applications. So I’m excited to be discussing that with you.”
- What do we mean by the edge and edge devices? [03:20]: “There are a lot of metaphors out there on IoT and the edge. We often see phrases like ‘data is the new oil’, and the new economy will actually be fueled by data rather than by oil. If data is the new oil, then IoT at the edge is the way to extract that oil and make some use out of it. That’s a good way to visualize that. So the new sources of data that enterprises will need to collect and analyze to actually be competitive in the space will be coming from outside the perimeter of their enterprise. So there are tons of data that are in the field, in their assets, in their customers. And that data carries enormous importance in the business operations of the enterprises themselves.”
- Why have edge devices been developed? The four factors driving compute closer to the data source. [4:13]: “So if you look at that, there are four factors that have been driving more compute resources towards and closer to those data sources. That’s why edge comes about. We are trying to transfer some of the compute, and some of the analysis of this new data, closer towards where that data is originated. So closer to data sources and outside of the data center. And the four factors that are driving this, in no particular order or priority, are resilience: I think we have seen that this applies to our society in general and many different factors. We want to make sure that we have a more distributed deployment scenario that can be resilient to center failures, that can be more autonomous and proceed in its own operation even when connections drop or when some of the endpoint servers are no longer available. The second one is performance: we mentioned that the data is exploding. There is much more data generated at these data sources and some of the applications may not afford the latency of transferring that data up into the cloud and back. If we talk about industrial operations, for example, a predictive maintenance scenario may actually be sampling vibrations in the engines up to frequencies of a hundred milliseconds. So then at that point, the amount of data that you collect is just now feasible to go up into the cloud, do the analysis, and come back. Then, last but not least, there is privacy and security, which is the topic of this podcast too. Some of the data that is generated at the edge may actually be governed by certain data governance principles that may require that data to be processed and analyzed at the edge itself. So, within the plant, for example, or within a certain geography. So, you may not be able to afford to have a fully consolidated repository of all your data back in the end. There is also cost: transferring data is expensive and therefore if you can avoid doing that, that would be more efficient.”
- Edge devices reduce our reliance on the cloud, but the application will decide how much computing power you need at the edge. [06:27]: “I think it’s one way of describing it, and then application by application will determine how much computing power you would actually need close to those data sources. There are certain accelerating factors, like Edge AI, that would actually move a large part of resources from the cloud into the edge to be able to do artificial intelligence types of operations or smart computer vision. But that’s when I think the different characteristics of each of the applications and the vertical will determine which compute resources have to be moved and what kind of architecture you use to coordinate them.”
- Do edge devices still have a relationship with a data center? [07:44]: “Yes. That’s normally the case. So normally you go for a three-tier type of deployment where you have non-connected assets. Whether that is a public transportation vehicle, like a bus, or whether that’s a manufacturing facility where many different manufacturing devices are actually used. So those are generally non-connected devices. In a retrofit scenario, you actually attach a gateway to those that has the capability to interface with them and perform data acquisition. The gateway will do the type of edge operations that we were discussing in terms of filtering, local alarming, aggregation, some kind of local monitoring. And then it will selectively have a communication to the cloud where some of the results of that edge processing, more in a summary version, will be sent up into the cloud. It will also become the endpoint for command and control patterns. So, applications in the cloud that are monitoring the fleet of these deployments could actually push command and control patterns down to each of the gateways, which in turn will activate it towards the field devices themselves. We have also seen the model evolving. And just going back to your question where different compute resources may be appropriate for different types of applications, we may go for a four-tier model, where I have the asset, I may have some entry-level connectivity gateway, and bigger edge servers. And then, in that case, there are more micro clouds, just as you described them, that are aggregating multiple gateways. And then the centralized cloud. In the manufacturing space, this is particularly typical because you will have the cloud for all the different plants. Then you will have, if you want, edge servers and a micro cloud on a per-plant basis and maybe multiple gateways attached to each of the different disconnected assets.”
- What kind of industries are adopting edge technologies? [10:24]: “I think it is interesting how this technology, that maybe a lot of people normally relate to the Industry 4.0 use case and industrial IoT, is actually an architectural paradigm that is being applied across many different industries. So as Eurotech, for example, we added connectivity to the transportation locomotives of Deutsche Bahn in Germany. So, all the cargo trains in Germany have a Eurotech edge controller that is interfacing with the field bus of the train itself, collecting 5,000 plus data points, enabling local alarming, local alerting in the locomotive itself, collecting and aggregating data, and then sending the summary of that data up into the cloud. So that data scientists may actually exploit that data for new efficiencies in the operation and maintenance of the fleet of locomotives. So the paradigm and the architecture are the same, even if the fields of application are very different.”
- How the edge is enabling the merging of IT and OT in the Industrial IoT space and how this complicates security further. [12:15]: “Edge is a way, not just in terms of architecture but technology, to bring the agility of IT development into the OT space. That’s one of the goals of the edge, so that this digitalization process may actually lead to higher efficiency and maybe more services. That’s the goal: as you embrace IT technology and as you add the connectivity, of course the same difficulties that you get in the IT space, possibly amplified when it comes to security, apply to these edge scenarios. Protecting an IT department may require physical protection and access to a single data center. Then you have ISO27001, an information security policy, and information security governance, but it’s a fairly contained world. If you start as a corporation, extending your deployment beyond the physical perimeter of your facilities, beyond the physical perimeter of your data center, to your customer’s fields and into your customers’ perimeters, by installing edge nodes, installing gateways that add in connectivity, then the number of attack surfaces into your customer’s perimeter, but also into your corporate network, continues to multiply. So, security must be, and certainly is, one of the imperatives. And one of the design principles that you take into account early on in your design phase; it cannot be an afterthought. It has to be something that you plan from the beginning of the digitalization journey.”
- The PSA Certified 2021 Security Report found that a lack of expertise was a major barrier when implementing IoT security. With that in mind, how do customers describe their IoT security requirements to a company like Eurotech? [14:48]: “It does. I think we are seeing more awareness in the industry of these questions, for sure. I mean, you mentioned the surveys of PSA Certified. There are many industry surveys out there. As Eurotech, we’re also part of the Eclipse Foundation, steering members of the Eclipse IoT working group. We also, within that foundation, run industry surveys. Security is not just a concern. It’s a barrier to adoption. We see that 90% of the decision-makers are actually insecure and unsafe and they actually hold back their IoT digitalization process because of security concerns. So, they know it’s a problem. But they do not necessarily, especially coming from the OT space, have the internal knowledge on how to address it.”
- IoT security knowledge varies greatly. [15:19]: “We see different industries and different customers with different levels of maturity and understanding of the IoT security problem. We also see customers in the OT space that are starting to appoint cybersecurity officers that are included and involved in the technology selection process. We’re starting to see more detailed security questionnaires, where we as technology suppliers have to show what the building blocks that we provide are and what are the assurances, and the technologies that we can provide to our customers so that they can extend their security and their solution.”
- We’re in a transition phase where early adopters are keen to implement security, but many people are still holding back. [16:07]: “So I think we are a little bit in a transition. We see people that are, just as with every change, waiting and seeing where things are going, and they don’t want to be early adopters. They just want to see some consolidation in the practices so that they can follow a well-marked path. Then there are others that are taking a leadership position where they see ‘we can be first in the digitization process. Security is certainly one of the things that we need to address, but if we work with the right partners and within the right frameworks we can have an early start on this and take advantage of the digitization opportunity’.”
- The importance of industry collaboration and how Eurotech used their PSA Certified Level 1 certification as a building block for an IEC62443 Certification. [16:48]: “So that’s why we as Eurotech engage with PSA Certified, we engage with Arm, we have certified our product at PSA Certified level one. We actually extended that through IEC62443, which is the cybersecurity certification for industrial and control systems. We try to show our customers, not only that we have technical skills, but that those technical skills have been applied to a secure development process, to a secure life cycle of the product that we make, and with third party assessments of those skills.”
- How IoT security frameworks like PSA Certified and IEC62443 are helping Eurotech and their customers understand their security requirements. [17:39]: “Absolutely because I think there is just, as you mentioned, there are multiple things: There is an educational process. So, bringing them up to a level of understanding of what security implies. Something that is not just plain hardening but it starts from the development of the process itself and with the lifecycle management. As part of the education, having frameworks like PSA Certified or IEC62443 setting up a terminology, breaking down the requirement into quantifiable bits allows us to have a common language with our customers. Allows us to have a common terminology and a common approach. So, it’s so much easier to actually converge, understand their needs, their deployment scenarios, and align our offering with that.”
- IoT is fragmented even beyond security, with many different architectures, protocols, and deployment scenarios. [19:10]: “I have to say I feel for my customers sometimes, right. I understand that when adopting security into operational technology and the embedded space there are quite a few hurdles. It’s still a very fragmented industry. It was fragmented even beyond the security. There are many different architectures, many different protocols, many different deployment scenarios; you’re actually bridging between different technologies, even in networking. You have cellular, Wi-Fi, LoRa networks, and the traditional internet. So it’s a very complex deployment scenario. But the challenge for us, even internally going through that process, was that we had a few champions that had a higher awareness of these types of things, that used the specifications and the documentation that these organizations, like PSA Certified and IEC62443, have laid out as a way to actually collect all our ideas around these frameworks, and then lay down the product developments across these new principles.”
- IoT security needs to be embraced by the entire business, not just the engineering teams. [20:02]: “It’s a long journey. It’s a journey that is beyond the engineering team. It requires involvement with the quality team, the production team, validation teams, the product management teams. It’s also a different type of monetization. There is value in these security certifications that you want to make sure gets clearly communicated to your customers. So, I see cybersecurity for companies like us, providing the technology into the digital transformation process, as something that has to be embraced at 360 degrees within the organization. It cannot just be led by the engineering team as a technical requirement. It is actually a full offering.”
- We need collaboration from the entire ecosystem, even those who are traditionally seen as competitors. [21:24]: “Absolutely, I would say that, as Eurotech, we believe in collaboration across the whole edge and IoT space. I started from the point of fragmentation. IoT was called M2M before; it was siloed connected applications. So, it was just machine to machine. You had a few sensors out there, you wanted to get visibility on the data. But it is just too big. The value of this is in integrating data from different device manufacturers, from different protocols. It has to be approached in a collaborative and open way. That’s the reason why Eurotech entered the Eclipse Foundation and actually founded the IoT working group in there. That’s why we continue to foster collaborations with companies like Arm and embrace your initiatives in raising the state of the art in security through PSA Certified. If there are standard processes out there, it will give us confidence. It will raise the state of the art to a new level that will give us a good solid foundation on top of which to put the next innovation.”
- What do you think the IoT landscape will look like in 5 years? The emergence of edge workload consolidation. [23:31]: “So, we discussed the edge as it is seen now, with the three or four tiers. But there is certainly a new trend in the edge that we have to be aware of, and that may have an impact on the way we, and how deep we, actually integrate some of the security best practices. And it goes under this name of edge workload consolidation. If you take the industry floor we discussed earlier, we may have a PLC that is taking care of the operational aspects of managing and controlling a machine. We may have a gateway with IT connectivity. We may have an accelerated edge server with a GPU card to do computer vision analysis for end-of-line quality inspection. So, the trend is actually to see that through virtualization and digitization and the more powerful CPUs that are becoming available, all these different boxes may actually be consolidated into one. And I may have a software-defined edge, if you will, that allows me to consolidate IT, OT, AI, and possibly even functional safety types of workloads. If I take the same application into another industry, I would say take the automotive industry. I mean they’re attempting the same. They’re saying a single CPU that can both manage my infotainment but can also manage my emergency brake control, through proper virtualization of the different workloads. So, that’s certainly a trend in the edge. It will allow for cost efficiencies, but also faster time to market and also faster innovation because it will be easier to drop in new functionality through software-defined types of applications.”
- How edge workload consolidation will increase IoT security adoption. [25:19]: “Now that will push our security adoption even farther. A lot of what we’re concerned about right now in security at the edge is the perimeter protection of the single gateway. Yes, we do need network security, which is the typical IT part. We now need to add physical security at the edge, because somebody may actually be tampering with the box itself and may have access to debug ports. That’s normally something that the IT environment does not have to be concerned about because of the physical security of the data center. So, the edge already pushes that one level farther. But if we start talking about edge workload consolidation, then I need to actually start looking even more closely at what’s happening inside the edge node. So, isolation of workloads, isolation across isolated boundaries within those workloads. I think that’s going to be the next frontier for security at the edge. So that’s very exciting, I think, because it will allow for more innovative applications, more innovative concepts of edge, more dynamic edge applications. But security, just as we mentioned at the beginning, has to be considered at the design phase of what is the new wave of edge devices.”
- What advice would you give listeners when it comes to IoT security? [26:40]: “I think don’t be afraid; that would be my first answer. I mean, when I start hearing that 90% of decision-makers are slowing down their digitalization process because of security concerns, my answer is that there are frameworks, there are references out there, there are blueprints and best practices that can be followed. You don’t need to do everything yourself. There are companies that can implement those blueprints and that can offer you building blocks that are already certified for this. And that gives you a solid foundation on top of which you can put your applications. IEC62443, in my opinion, is a great example of that. The ’-1-4-2’ part of that application applies to component suppliers. So, starting from certified components, system integrators and asset owners can extend the certification to the application level. That’s a great way to actually start looking at the problem that scares you, just breaking that down into smaller pieces and starting from building blocks that give you the necessary part to start.”
More About Your Podcast Host David Maidment
David Maidment (Senior Director of the Secure Device Ecosystem at Arm, a PSA Certified co-founder) leads our discussions on the latest trends and developments from the world of IoT security.
Based in Cambridge UK, David brings over 25 years of experience in the embedded and IoT industry. He specializes in the intersection between device security and business assurance to drive best practice security adoption across the electronics industry. In his role at Arm, David leads device security ecosystem activities including the widely adopted PSA Certified initiative.