Separation kernel hypervisor technology
A secure IoT gateway
IoT gateways with common embedded operating systems are a security risk. Does separation kernel hypervisor technology take devices to a new level of security?
Experts agree that the potential of the IoT is huge. However, this potential can only be fully exploited if a trustworthy infrastructure is in place. This includes the particularly vulnerable IoT gateway, which primarily serves as a wireless aggregation point that collects and forwards IoT sensor data. Nothing new in itself: wireless automation technology has been used in industrial applications for years. The difference is that, until now, it has shipped as part of proprietary systems and been deployed behind private wireless networks, within a factory for example. The biggest threat came from the physical accessibility of the endpoints, which was often available to those with a motive to tamper with the outcome: end customers manipulating their smart meter to keep their electricity bill low or to reverse a disconnection.
The vision of the IoT is to expand the scope of interoperability and extend connectivity to entire cities, and ultimately globally, to improve the efficiency and safety of systems such as electricity distribution and traffic control. As part of this scope expansion, endpoints are now connected to each other and to remote systems via the internet. This exposes them to any number of additional but less localized threats. Particularly in the safety-critical industrial sector, the trustworthiness of the gateways between the networks is therefore of greater importance than mere endpoint protection.
Requirements for an IoT gateway
If the objectives of the IoT are to be met while keeping its threats at bay, there are some key technical features that an IoT gateway must have:
The IoT infrastructure is generally made up of four classes of computer devices: sensors, gateways, servers and process control. (Image: Lynx)
- A high level of interoperability with standard network protocol support to ensure maximum flexibility in connecting different types of sensors from different manufacturers.
- Edge and mesh computing techniques should be applicable to bring data analysis closer to the sensors. Implementation is less complicated and less bandwidth is wasted than by distributing sensor data to the cloud.
- Use generic platform services for applications that require access to specific subsets of raw physical data coming from a diverse set of sensors. For example, information such as local heating, traffic speed or parking availability can be retrieved.
- Use of deterministic computing methods for time-critical applications such as robot production lines and robot-controlled industrial processes.
- Certification according to standards such as IEC 61508.
- The gateway should be autonomous, reliable and remotely maintainable to minimize physical handling.
- The flexibility gained through multiple interfaces and network protocols, exposed implementations, complex software and connectivity must not open the door to malicious attacks.
Problems of conventional designs
Such a combination of desirable features poses significant challenges to traditional embedded designs based on commercial off-the-shelf (COTS) embedded operating systems, especially in terms of interoperability, high availability and high security. Traditional embedded designs rely on monolithic architectures where all applications are hosted by a single OS and all I/O support, management and security controls are integrated into this OS kernel.
However, monolithic constructions of this type have a fragile weak point: a single point of failure. Hosting all applications, including I/O handling and management functions, in the same address space means that any failure in a security measure or any kernel coding error can jeopardize the security or availability of the entire system. What is necessary, but particularly difficult to implement, is a high degree of separation between co-located applications in order to guarantee the confidentiality and availability of the other applications.
As the gateway has to be equipped with such a wide range of functions, it is impossible to find a single operating system that fits everything perfectly. In monolithic designs, for example, all sensor and network interface drivers, including I/O protocol stack support, must be built into the OS kernel. If no drivers are available for the desired OS, it will be difficult to support the sensor and network interfaces that may be desired, even if they are optimal in other respects.
Finally, due to the complicated functional interdependencies in monolithic operating systems, the ability to patch or update kernel functionality on the fly is extremely limited, especially if reboots are required after the update.
Modularity in the IoT gateway
Separation kernel hypervisors can be used to run different variants of guest operating systems or even bare-metal applications in parallel on the same platform. (Image: Lynx)
Commercially available SKH software technology (SKH stands for Separation Kernel Hypervisor) focuses on managing physical resources while supporting their modular composition. The SKH approach allows applications, I/O, management functions and security controls to be partitioned and modularized. An SKH provides system architects with precise control over all forms of communication, time allocation and resource allocation, giving them the tools to address security vulnerabilities and real-time issues.
Through virtualization, a gateway designed with an SKH can support multiple subjects. As an example, imagine a scenario in which:
- Time-critical applications such as load balancing and failover protocols run on a real-time operating system.
- Data handling is handled by a powerful general-purpose operating system.
- Trusted bare-metal applications with minimal application overhead provide very high performance or security functions.
Virtualization is a key function in overcoming interoperability challenges and plays a key role in supporting advanced computing and platforms as a service (PaaS) by allowing analytics tools and a group of users to use whatever operating system and application is most appropriate for the task at hand.
Virtualization of the hardware
Of the various virtualization techniques available, hardware virtualization is particularly attractive as it uses the virtualization capabilities of the CPU. This not only ensures the greatest possible degree of isolation, but also allows an SKH with very low memory consumption. As a rule, SKHs are ten to a hundred times smaller than monolithic operating systems.
Extremely low memory consumption is a considerable help for any kind of certification requirement, such as safety certification according to standards like IEC 61508, especially when the required certification artifacts are available and implemented. A small footprint also means that the trusted computing base of the overall system can be kept to a minimum, reducing its exposure to malicious attacks.
Isolation and robustness result reliably from the SKH's ability to tightly control the partitioned hardware resources allocated to each subject and to enforce a fixed execution schedule for guest operating systems and bare-metal applications. An SKH can therefore guarantee the availability of a system by ensuring that a critical application is never stalled or preempted by a competing application.
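The partitioning described above (an RTOS, a general-purpose OS and bare-metal subjects on one platform) and the schedule guarantee in the previous paragraph can be modelled compactly. The following is an added example, not Lynx code and not any product's API: a constructed Python model of an SKH configuration with hypothetical partition names, showing non-overlapping memory windows, a static major frame in which an overrunning guest cannot delay the partitions after it, and communication restricted to explicitly configured channels.

```python
from dataclasses import dataclass, field

# Constructed model of an SKH configuration (hypothetical names, not any
# real product's API): fixed memory windows per partition, a static cyclic
# schedule, and an explicit list of permitted inter-partition channels.
@dataclass(frozen=True)
class Partition:
    name: str
    mem_base: int   # start of the partition's physical memory window
    mem_size: int   # window size in bytes
    slice_ms: int   # CPU time guaranteed in every major frame

def memory_overlaps(partitions):
    """Return (name, name) pairs whose memory windows overlap."""
    spans = sorted((p.mem_base, p.mem_base + p.mem_size, p.name) for p in partitions)
    return [(a[2], b[2]) for a, b in zip(spans, spans[1:]) if b[0] < a[1]]

@dataclass
class SeparationKernel:
    partitions: list
    channels: set = field(default_factory=set)  # allowed (src, dst) pairs

    def __post_init__(self):
        # Windows must not overlap: a fault in one guest cannot reach another's RAM.
        clash = memory_overlaps(self.partitions)
        if clash:
            raise ValueError(f"memory overlap: {clash}")

    def major_frame_ms(self):
        return sum(p.slice_ms for p in self.partitions)

    def run_frame(self, demand_ms):
        """Simulate one major frame; demand_ms maps partition name -> CPU time the
        guest tries to use. An overrunning guest is cut off at its slice boundary,
        so it can neither stall nor preempt the partitions scheduled after it."""
        t, timeline = 0, []
        for p in self.partitions:
            used = min(demand_ms.get(p.name, 0), p.slice_ms)
            timeline.append((p.name, t, used))   # (partition, start ms, ms actually used)
            t += p.slice_ms   # the slot elapses whether used or not: deterministic
        return timeline

    def send(self, src, dst):
        """Inter-partition traffic is allowed only over a configured channel."""
        return (src, dst) in self.channels

# Example gateway: RTOS for failover, Linux for data handling, bare-metal crypto.
GATEWAY = SeparationKernel(
    partitions=[Partition("rtos_failover", 0x1000_0000, 4 << 20, 2),
                Partition("linux_data", 0x2000_0000, 256 << 20, 6),
                Partition("bare_crypto", 0x3000_0000, 1 << 20, 2)],
    channels={("linux_data", "bare_crypto"), ("rtos_failover", "bare_crypto")})
```

Running `GATEWAY.run_frame({"linux_data": 50})` shows the Linux partition asking for 50 ms but receiving exactly its 6 ms slot, while the RTOS and crypto partitions keep their fixed start times.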
Separation kernel hypervisors are not a new concept. Some of them have been in use for almost a decade, where they have proven themselves and have also been certified in special cases - such as military security applications.
Several modules, one platform
Using the capabilities of virtualization and bare-metal applications, and relying on the isolation and deterministic properties of an SKH, platforms can be built from multiple software modules, each executed in an independent partition. Simple interfaces can be defined between the modules so that the state of the system is clearly defined and understandable.
Monolithic architectures still have their place in such configurations, and embedded COTS operating systems can also find a place as subjects within an SKH framework. The important thing is to select the ideal architecture for each gateway element and still ensure isolation between them.
With a separation kernel hypervisor and modular design techniques, IoT gateway developers have many options to create highly interoperable, reliable, secure and sustainable solutions with COTS components.
Author:
Will Keegan is Product Manager at Lynx Software Technologies.