Secure IoT Gateway for Industrial Applications

Authors: Subodh Vikram SHUKLA, Indar Prakash SINGHAL, Prashant PRANDEY from STMicroelectronics, India

Introduction

This article discusses various aspects of designing an IoT gateway and presents a reference architecture as a starting point for the reader. As the name suggests, the term Internet of Things (IoT) refers to physical objects connected to the internet; however, connecting devices directly to the internet is not always feasible. Constraints on power consumption and processing power may limit a device's ability to host a TCP/IP stack. There are also security considerations, as the public internet is inherently an unsafe place. Many IoT deployments use local networking based on IoT-specific technologies like ZigBee, 6LoWPAN and Bluetooth® Mesh for cost and efficiency reasons. These technologies use efficient messaging formats appropriate for IoT networks. As a result, a gateway is required to manage these local networks and to perform protocol translation so that the nodes can talk to the internet securely. Gateways can also perform functions like local multiprotocol network routing, message caching, filtering and edge processing.

Applications of an IoT Gateway

The primary objective of an IoT gateway is to connect the IoT nodes to the internet. Additionally, gateways can perform local processing on the data received from nodes before sending it to the external service, thus offloading the CPUs of the nodes and allowing them to be simple, cost-effective and power-efficient. A gateway can also perform data aggregation and analytics (edge analytics) on the data from multiple nodes. Local analytics has many benefits like lower latency, reduced network bandwidth usage and preserved privacy. Some applications which require IoT gateways are listed below.

  1. Industrial Application: Industrial systems typically contain sensors (wired and wireless) which monitor various industrial processes, actuators which can change the state of the system, and controllers which control the processes by collecting data from the sensors and sending commands to the actuators if a change in state is required. An IoT gateway operating in this scenario collects process data from various wired and wireless sensors, sends it to monitoring stations and can take corrective actions if required, thus helping to maintain product quality, prevent damage to equipment and in some cases even prevent disasters. Industrial applications have specific challenges related to reliability, harsh operating conditions and stringent security requirements. Gateways operating in these networks may need to support industrial interfaces and protocols like RS-485 and Modbus.
  2. Smart Lighting: Smart lighting solutions are being adopted for energy saving and for enhanced functions like environmental monitoring. 6LoWPAN is one of the technologies used to connect lights to the gateway over a mesh network. The gateway can collect telemetry data and send application health data to the control room. The control room can remotely control the lights and dispatch staff if a repair is required.
  3. Preventive Maintenance: Preventive maintenance is an old concept, reinvigorated by advances in sensor and connectivity technologies and in artificial intelligence. The aim is to predict the failure of machinery before it happens, which reduces costs and downtime in industrial environments by facilitating timely maintenance. Multiple sensors attached to various parts of critical machines collect samples and send them to the gateway, which can perform local processing of the streaming data received from the sensors. Any problem detected can be indicated on the local control panel, while also being sent to a cloud dashboard where more sophisticated analytics can be performed.
  4. Smart Metering: Smart meters allow new use cases like differential tariffs and two-way metering. These meters are equipped to detect tampering and leakage from the system. They are generally equipped with an RF interface operating in the sub-1GHz band to enable remote meter readouts. An IoT gateway can communicate with smart meters across a large area, thus reducing the need for drive-by meter reading. It can capture and aggregate telemetry data to uncover usage patterns without exposing individual users' data.
  5. Smart Agriculture: Smart agriculture is a globally emerging concept that refers to managing farms using electronic devices accessible remotely via the internet, thus optimizing the human labor required to achieve the yield. The gateway can be deployed on a farm along with IoT nodes with mesh networking capability. The connected components could be sensors collecting real-time data related to soil, water, light, humidity, temperature etc. Post-processing of this data can then be done using specialized software that targets specific farm types and use cases.

Figure 1: IoT Gateway Applications

Why use Linux for IoT Gateway?

The designers of an IoT gateway are likely to be challenged with the selection of an appropriate operating system. There are many popular closed-source platforms in the market; however, Linux is one of the best operating systems for this purpose. Linux is an exceedingly popular open-source operating system used across a variety of platforms, ranging from set-top boxes, mobile phones, computers and industrial systems to supercomputers. Given its large installed base it is well proven on many types of hardware, and due to its open-source nature it has been scrutinized under the microscope by a large research community. Due to these factors, Linux is a rock-solid foundation around which designers can write reliable gateway software. Linux already provides most of the functionality required by an IoT gateway, like a high-performance networking stack and a proven security suite. Additionally, a vast amount of production-grade third-party software available for Linux can be reused. The Linux kernel is less than 100 MB in size and highly configurable: developers can select the components as per their needs, thus making it possible to run Linux even on a platform with modest specifications. It already supports diverse computing platforms, e.g., symmetric and asymmetric multiprocessor systems. Being open source allows it to be tailored to custom hardware designed for a specific use case. Another important aspect is that the Linux platform already has several great developer tools, thus making developers productive both during the development and the maintenance phase.

Features of an Embedded-Linux gateway

An IoT gateway essentially requires a microprocessor unit (MPU), connectivity interfaces and I/Os to connect peripherals. Components appropriate to the intended operating conditions should be used; for example, industrial IoT gateways may require extended temperature ranges. The hardware should have appropriate electrical and physical protection, e.g., IP68, depending on the operating environment. IoT gateways are generally required to be operational for multiple years, so long-term availability of the components must be ensured. For example, the STM32MP1 MPU used as an example here comes with a 10-year longevity commitment from the manufacturer.

Another important component of an IoT gateway is connectivity. Here are some examples of wireless connectivity technologies:

  • Sub-GHz: Sub-1GHz wireless technologies work on frequency bands below 1 GHz, e.g., 433, 868 and 915 MHz, and thus provide a better transmission range than 2.4 GHz technologies such as Bluetooth® and Wi-Fi. IoT nodes using Sub-1GHz can be connected in various topologies like P2P, star and mesh networks. If the gateway is connected to a cloud server, the user can monitor and control the IoT data from a remote location. Figure 2 shows the various network topologies possible with Sub-GHz technology. Both star and mesh topologies require a gateway (which is generally the root node) to communicate with the cloud.

Figure 2: Network topologies

  • Wi-Fi: Wi-Fi is without doubt one of the most popular local area wireless technologies. In addition to the existing 2.4 GHz UHF (Ultra High Frequency) band, Wi-Fi now also supports the 5 GHz SHF (Super High Frequency) band, which is less cluttered and supports higher bandwidth but has a lower range. Wi-Fi can be used as the primary technology to connect all nodes to a gateway (a router in this case), or it can be used in conjunction with another technology like Bluetooth®, where Wi-Fi connects the gateway to the internet while the other technology is used for local networking.
  • Bluetooth Low Energy: BLE is a wireless personal area network technology designed for applications in healthcare, fitness and security. It operates at a frequency of 2.4 GHz. The range of communication is approximately 100 meters.
  • NFC: NFC stands for Near Field Communication and operates at a frequency of 13.56 MHz. The range of communication is 5-10 cm.

The IoT gateway serves as the connection point between the cloud and controllers, sensors and intelligent devices. All data moving between IoT devices and the cloud passes through the IoT gateway, which is a combination of a robust hardware platform and associated software. Sometimes the gateway is used not only to route data traffic but also to process it at the (edge) gateway itself, so it is important to choose hardware that can route data at high speed and do processing at the same time. Edge processing might involve removing redundancy and aggregating the data to reduce the volume forwarded to the cloud. This makes a huge difference in response time and network transmission costs.
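As an added example (not code from the article or from ST), the following Go program shows the two reductions just described on a constructed window of readings: a deadband filter that drops samples which have not moved by more than a threshold since the last forwarded value, and a per-node aggregation that replaces the window with a min/max/mean summary. The reading layout, node names, values and the 0.5-degree threshold are all assumptions made for the example.

```go
package main

import (
	"fmt"
	"math"
)

// Reading is one telemetry sample as received from a local node.
// The layout is constructed for this example, not the project's own format.
type Reading struct {
	Node  string  // node identifier
	Value float64 // e.g. temperature in degrees Celsius
}

// Summary is the compact record the gateway forwards per node and window.
type Summary struct {
	Node      string
	Count     int // samples received in the window
	Forwarded int // samples that survived the deadband filter
	Min, Max  float64
	Mean      float64
}

// deadbandFilter removes redundancy: a sample is dropped when it differs from
// the last sample *forwarded* for that node by less than delta. Comparing
// against the last forwarded value (not the previous sample) means a slow
// drift is still reported once it accumulates past the threshold.
func deadbandFilter(in []Reading, delta float64) []Reading {
	lastSent := map[string]float64{}
	var out []Reading
	for _, r := range in {
		if prev, ok := lastSent[r.Node]; ok && math.Abs(r.Value-prev) < delta {
			continue
		}
		lastSent[r.Node] = r.Value
		out = append(out, r)
	}
	return out
}

// EdgeProcess aggregates a window of raw readings per node and records how
// many of them the deadband filter would have forwarded individually.
func EdgeProcess(in []Reading, delta float64) map[string]Summary {
	sums := map[string]float64{}
	out := map[string]Summary{}
	for _, r := range in {
		s, ok := out[r.Node]
		if !ok {
			s = Summary{Node: r.Node, Min: r.Value, Max: r.Value}
		}
		s.Count++
		s.Min = math.Min(s.Min, r.Value)
		s.Max = math.Max(s.Max, r.Value)
		sums[r.Node] += r.Value
		out[r.Node] = s
	}
	for _, r := range deadbandFilter(in, delta) {
		s := out[r.Node]
		s.Forwarded++
		out[r.Node] = s
	}
	for node, s := range out {
		s.Mean = sums[node] / float64(s.Count)
		out[node] = s
	}
	return out
}

// SampleReadings is a constructed window: node-A reports a stable value that
// then steps up, node-B drifts slowly upward.
func SampleReadings() []Reading {
	return []Reading{
		{"node-A", 21.0}, {"node-B", 40.0},
		{"node-A", 21.0}, {"node-B", 40.2},
		{"node-A", 21.0}, {"node-B", 40.4},
		{"node-A", 23.0}, {"node-B", 40.6},
		{"node-A", 23.0},
	}
}

func main() {
	for _, s := range EdgeProcess(SampleReadings(), 0.5) {
		fmt.Printf("%s: %d raw samples, %d after deadband, min %.1f max %.1f mean %.2f\n",
			s.Node, s.Count, s.Forwarded, s.Min, s.Max, s.Mean)
	}
}
```

On the constructed window, nine raw samples become four after the deadband filter, or two summary records if only aggregates are forwarded. Node-B's slow drift is still reported once it accumulates past the threshold, because the comparison is against the last forwarded value rather than the previous sample.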

A multi-core microprocessor with a robust operating system is the best choice of platform for such applications, and better still if the microprocessor offers hardware-backed security features. IoT gateways need to work 24/7, sometimes in harsh environments, so choosing an industrial microprocessor with an extended operating temperature range is important. Another aspect to consider is the long-term availability of the microprocessor, especially for long-term or larger deployments.

ST IoT Gateway Solution

This section describes a reference IoT gateway architecture. Figure 3 depicts an IoT gateway as part of an end-to-end solution which connects to various sensor nodes on one end and a cloud-based monitoring and visualization system on the other. The significant components of the complete system are the gateway, the RF-based sensor nodes and a secure cloud application with a dashboard. The sensor nodes are the end points where sensing and actuation take place. For example, in the solution described, each node is equipped with motion and environmental sensors (temperature, pressure, humidity). The readings are sent by the sensor nodes to the gateway, which collects and processes the data and sends it to the cloud dashboard.

Figure 3: Block diagram of STM32MP1 series microprocessor

The gateway is developed using the STM32MP157F-DK2 board as the hardware platform. It is equipped with an STM32MP1 series industrial processor which has a dual-core Arm® Cortex®-A7 and one Cortex®-M4 core. The STM32MP1 devices are based on the high-performance dual-core Arm® Cortex®-A7 32-bit RISC core operating at up to 800 MHz. The STM32MP157F devices also embed an Arm® Cortex®-M4 core operating at up to 209 MHz. The dedicated M4 core allows handling real-time applications alongside the high-performance gateway tasks. These microprocessors come with a rolling 10-year longevity commitment from the manufacturer. The core also provides features like secure boot and TrustZone peripherals, which enable running software in secure mode.

The board can be interfaced to an STMPU expansion board which carries a Sub-GHz RF transceiver module and an LSM6DSOX motion sensor. The board can run Linux on the dual-core Arm® Cortex®-A7 and at the same time run a separate real-time operating system on the Cortex®-M4 core. In this solution the M4 core hosts Contiki OS software, which manages the 6LoWPAN network while acting as its root node. The dual-core Arm® Cortex®-A7 of the STM32MP1 hosts Linux, where the gateway software runs. The gateway software receives the data from the 6LoWPAN nodes, processes it and sends it to the sensor dashboard hosted on the AWS cloud via the Wi-Fi interface. Local IoT network connectivity is provided by the S2-LP radio transceiver, which works in the Sub-GHz band and provides programmable RF output power up to +16 dBm. The S2-LP radio supports various modulation schemes and is compliant with the IEEE 802.15.4 standard. It supports antenna diversity and has an embedded CSMA/CA engine.

Figure 4: Block representation of the complete system with one S2LP node connected

Many IoT networks need mesh network technology; this can be Bluetooth® mesh or a sub-1GHz mesh network.

Security and Regulatory Issues

An IoT gateway monitors and controls industrial processes or can be responsible for home or building automation. All these applications mandate strong security, covering both provisioning and communication. Security cannot be an afterthought: it is important that the hardware is designed with security in mind. For example, to support state-of-the-art security algorithms, the MPU used for an IoT gateway should have crypto accelerators for AES, SHA and EC (elliptic curve) among others. A gateway must implement the following security features.

  • Confidentiality: The data transmitted by the gateway must be encrypted so that it is accessible only by authorized entities. It is also important to protect the encryption keys against malicious extraction.
  • Integrity: The gateway must ensure that the data transferred is not corrupted or tampered with; this can be ensured by the use of secure hashes and digital signature algorithms.
  • Authenticity: The gateway must be able to authenticate other devices on the network and vice versa; this can be achieved with a security certificate for each device.
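To show how the three properties fit together on the node-to-gateway link, here is an added example in Go (not code from the article or from ST). It models a fleet CA that issues a certificate to each device at provisioning, a device that encrypts telemetry with AES-256-GCM under a session key shared with the gateway and signs the ciphertext with its certified key, and the gateway's verification order: certificate chain, then signature, then decryption. The message layout, the CA setup, the in-memory session key and the node names are assumptions made for the example; in a deployment the device and CA private keys would be kept out of application memory (for instance behind the secure-mode software the article mentions), which this example does not model.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Envelope is the node-to-gateway message (constructed format, not the project's own).
type Envelope struct {
	CertDER, Nonce, Ciphertext []byte // device cert, AES-GCM nonce, AES-GCM output with tag
	Sig                        []byte // ECDSA signature over SHA-256(nonce || ciphertext)
}

// Fleet is the gateway's trust anchor; the CA key would live in an HSM, not on the gateway.
type Fleet struct {
	caKey  *ecdsa.PrivateKey
	caCert *x509.Certificate
	roots  *x509.CertPool
}

// Device is a provisioned node: signing key, CA-issued certificate, shared AES session key.
type Device struct {
	key        *ecdsa.PrivateKey
	certDER    []byte
	SessionKey []byte
}

func must(err error) {
	if err != nil {
		panic(err) // setup failures (no entropy, bad template) are fatal in this example
	}
}

func template(cn string, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(years, 0, 0),
	}
}

// NewFleet creates the self-signed fleet CA, the root of trust a gateway ships with.
func NewFleet() *Fleet {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := template("example fleet CA", 10)
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	roots := x509.NewCertPool()
	roots.AddCert(cert)
	return &Fleet{caKey: key, caCert: cert, roots: roots}
}

// Provision issues a one-year device certificate and a fresh 256-bit session key.
func (f *Fleet) Provision(name string) *Device {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := template(name, 1)
	tmpl.KeyUsage = x509.KeyUsageDigitalSignature
	der, err := x509.CreateCertificate(rand.Reader, tmpl, f.caCert, &key.PublicKey, f.caKey)
	must(err)
	sk := make([]byte, 32)
	_, err = rand.Read(sk)
	must(err)
	return &Device{key: key, certDER: der, SessionKey: sk}
}

// gcmFor builds AES-256-GCM for a key; both keys here come from trusted local storage.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	must(err)
	gcm, err := cipher.NewGCM(block)
	must(err)
	return gcm
}

func signedDigest(nonce, ct []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, nonce...), ct...))
	return h[:]
}

// Seal (node side): AES-GCM gives confidentiality and integrity; the ECDSA
// signature binds the ciphertext to the node's certified identity.
func (d *Device) Seal(plaintext []byte) *Envelope {
	gcm := gcmFor(d.SessionKey)
	nonce := make([]byte, gcm.NonceSize())
	_, err := rand.Read(nonce)
	must(err)
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	sig, err := ecdsa.SignASN1(rand.Reader, d.key, signedDigest(nonce, ct))
	must(err)
	return &Envelope{CertDER: d.certDER, Nonce: nonce, Ciphertext: ct, Sig: sig}
}

// Open (gateway side): certificate chain, then signature, then decryption, so
// unauthenticated input is rejected before the session key is touched.
// sessionKey is what the gateway stored for this device at provisioning.
func (f *Fleet) Open(env *Envelope, sessionKey []byte) ([]byte, error) {
	cert, err := x509.ParseCertificate(env.CertDER)
	if err != nil {
		return nil, err
	}
	opts := x509.VerifyOptions{Roots: f.roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return nil, fmt.Errorf("untrusted device certificate: %w", err)
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, signedDigest(env.Nonce, env.Ciphertext), env.Sig) {
		return nil, fmt.Errorf("signature check failed for %s", cert.Subject.CommonName)
	}
	pt, err := gcmFor(sessionKey).Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, fmt.Errorf("ciphertext tampered or wrong session key")
	}
	return pt, nil
}

func main() {
	fleet := NewFleet()
	node := fleet.Provision("node-01")
	env := node.Seal([]byte(`{"temp":21.8,"hum":43}`)) // constructed telemetry
	pt, err := fleet.Open(env, node.SessionKey)
	fmt.Printf("accepted: %s (err=%v)\n", pt, err)
	env.Ciphertext[0] ^= 1 // simulate modification in transit
	_, err = fleet.Open(env, node.SessionKey)
	fmt.Println("after tampering:", err)
}
```

The signature covers the ciphertext, so a modified message is rejected by the signature check before the session key is used, and a message from a device whose certificate was not issued by the fleet CA is rejected before any signature work is done. A valid certificate and signature with the wrong session key still fails at the GCM tag check.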

Just using the best cryptographic algorithms on a secure hardware platform is not enough; it is important that these algorithms are used correctly. Additionally, each software and hardware component should be properly designed and thoroughly tested, as a security vulnerability in any component can make the whole system vulnerable. For example, in 2020 a set of vulnerabilities known as Ripple20 was discovered in a TCP/IP library used by hundreds of millions of IoT devices.

One of the biggest responsibilities of an IoT gateway is to secure the local network against malicious attacks and intrusions. An IoT gateway must protect the local IoT network by regulating incoming traffic, to avoid exposing local nodes, and outbound traffic, to prevent any leakage of data from the local IoT network. The gateway should also provide a mechanism to support firmware updates of local devices. The IoT gateway itself should also be secured and should not become the central point of attack for a malicious actor: it must be protected against tampering of its firmware, unauthorized firmware upgrades and leakage of keys. The application vertical in which the gateway operates may impose additional responsibilities on the gateway designer. For example, an IoT gateway used in smart lighting as part of smart city infrastructure must be protected against network attacks to prevent malicious parties from taking control of the lights.
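As an added example (not code from the article or from ST) of the firmware protection this paragraph calls for, the Go program below implements the gateway-side acceptance policy for an update image: the vendor signs SHA-256 over the version number and payload, and the gateway accepts an image only if the signature verifies under the vendor public key baked in at manufacturing time and the version is strictly newer than what is installed. The image layout, the in-memory vendor key and the version numbers are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// Image is a firmware update package as the gateway receives it. The layout
// is constructed for this example, not the project's own update format.
type Image struct {
	Version uint32 // monotonically increasing build number
	Payload []byte // the firmware itself
	Sig     []byte // vendor ECDSA signature over SHA-256(version || payload)
}

// Updater is the gateway's update policy: the vendor public key baked in at
// manufacturing time and the version currently installed.
type Updater struct {
	VendorPub *ecdsa.PublicKey
	Installed uint32
}

// imageDigest covers the version field too, so an attacker cannot keep a
// valid signature while relabelling an old image as a newer one.
func imageDigest(version uint32, payload []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(payload)
	return h.Sum(nil)
}

// NewVendorKey generates the signing key. It belongs in the vendor's build
// system, never on the gateway; it is generated here only so the example runs.
func NewVendorKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignImage is the vendor side.
func SignImage(vendor *ecdsa.PrivateKey, version uint32, payload []byte) (*Image, error) {
	sig, err := ecdsa.SignASN1(rand.Reader, vendor, imageDigest(version, payload))
	if err != nil {
		return nil, err
	}
	return &Image{Version: version, Payload: payload, Sig: sig}, nil
}

// Verify is the gateway side. Both checks must pass: the signature proves the
// image is unmodified and vendor-issued; the version check refuses a downgrade
// to an older signed image that may carry a since-fixed vulnerability.
func (u *Updater) Verify(img *Image) error {
	if !ecdsa.VerifyASN1(u.VendorPub, imageDigest(img.Version, img.Payload), img.Sig) {
		return fmt.Errorf("rejected: signature invalid (tampered or not vendor-signed)")
	}
	if img.Version <= u.Installed {
		return fmt.Errorf("rejected: version %d is not newer than installed %d (rollback)", img.Version, u.Installed)
	}
	return nil
}

// Apply installs the image if Verify passes and returns the installed version.
func (u *Updater) Apply(img *Image) (uint32, error) {
	if err := u.Verify(img); err != nil {
		return u.Installed, err
	}
	u.Installed = img.Version // a real gateway writes the inactive slot, then switches
	return u.Installed, nil
}

func main() {
	vendor, err := NewVendorKey()
	if err != nil {
		panic(err)
	}
	gw := &Updater{VendorPub: &vendor.PublicKey, Installed: 3}
	good, _ := SignImage(vendor, 4, []byte("firmware v4 (constructed)"))
	fmt.Println(gw.Apply(good))
	old, _ := SignImage(vendor, 3, []byte("firmware v3 (constructed)"))
	fmt.Println(gw.Apply(old))
	tampered, _ := SignImage(vendor, 5, []byte("firmware v5 (constructed)"))
	tampered.Payload[0] ^= 1 // bit flip in transit
	fmt.Println(gw.Apply(tampered))
}
```

Including the version in the signed digest is what makes the rollback check meaningful: without it, a genuinely signed old image could be relabelled with a higher version and still verify. The same policy applies whether the gateway is updating itself or relaying images to the local nodes it is responsible for.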

Conclusion

The above discussion puts forward a strong argument for using Linux as the base for designing a reliable IoT gateway. Designing an IoT gateway is a balancing act that needs careful consideration of required features, processing power and headroom for future expansion while keeping the cost down. Security and upgradability are indispensable features, which may be mandated by regulations. Security cannot be added as an afterthought; thus, the security requirements should be kept in mind from the design phase itself. As new security vulnerabilities are identified every day, mechanisms should be put in place to provide regular security updates to the IoT gateway.