Building secure devices on the intelligent edge with Azure Sphere - Paul Foster, Microsoft Dr Hassan Harb, E.On
Microcontrollers (MCUs): low-cost, single-chip computers. 9 BILLION new MCU devices are built and deployed every year.
A typical connected MCU today:
• Radio: 2.4 GHz Wi-Fi
• MCU: 192 MHz Cortex-M4
• 256 KB SRAM, 1 MB NOR flash
• GPIO, I2C, I2S, etc.
• RTOS (no kernel)
Connected devices create profoundly better customer experiences. How does a consumer know the compressor in their fridge needs to be replaced? Option 1: melted ice cream. Option 2: predictive maintenance.
Mirai botnet attack: everyday devices are used to launch an attack that takes down the internet for a day.
The 7 properties of highly secured devices: Hardware Root of Trust, Defense in Depth, Small Trusted Computing Base, Dynamic Compartments, Certificate-Based Authentication, Failure Reporting, Renewable Security.
Some properties depend only on hardware support.
Hardware Root of Trust: unforgeable cryptographic keys generated and protected by hardware
• Hardware to protect Device Identity
• Hardware to Secure Boot
• Hardware to attest System Integrity
Some properties depend on hardware and software: Defense in Depth, Dynamic Compartments, Small Trusted Computing Base.
Dynamic Compartments: internal barriers limit the reach of any single failure
• Hardware to Create Barriers
• Software to Create Compartments
Some properties depend on hardware, software and cloud: Certificate-Based Authentication, Failure Reporting, Renewable Security.
Renewable Security: device security renewed to overcome evolving threats
• Cloud to Provide Updates
• Software to Apply Updates
• Hardware to Prevent Rollbacks
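The last bullet, "Hardware to Prevent Rollbacks", is the piece most often skipped in home-grown update schemes: an image that is validly signed but older than what the device already runs must still be refused, or an attacker can replay a vulnerable release. The following is an added illustration written for this page, not Azure Sphere or Security Service code. It stands in for the CA-signed update pipeline with an HMAC over a constructed key (an assumption so it runs offline) and models the hardware anti-rollback counter as a version number that only ever increases.

```python
import hashlib
import hmac

# Assumption: a constructed stand-in for the signing key behind the Microsoft-signed
# update pipeline. The real service uses CA-issued signatures, not a shared MAC key.
SIGNING_KEY = b"constructed-update-signing-key"


def _signed_body(version: int, payload: bytes) -> bytes:
    # The version number is part of the signed data, so an attacker cannot take an
    # old image and simply re-label it with a newer version.
    return version.to_bytes(4, "big") + payload


def sign_image(version: int, payload: bytes, key: bytes = SIGNING_KEY) -> dict:
    """Produce an update image as the (modelled) secure pipeline would."""
    sig = hmac.new(key, _signed_body(version, payload), hashlib.sha256).digest()
    return {"version": version, "payload": payload, "sig": sig}


class Device:
    def __init__(self) -> None:
        self.installed = b""
        # Models a hardware monotonic counter: software can raise it, never lower it.
        self.min_version = 0

    def apply_update(self, image: dict, key: bytes = SIGNING_KEY) -> str:
        expected = hmac.new(
            key, _signed_body(image["version"], image["payload"]), hashlib.sha256
        ).digest()
        if not hmac.compare_digest(image["sig"], expected):
            return "rejected: signature"
        if image["version"] < self.min_version:
            # Validly signed, but older than what the counter allows: a rollback.
            return "rejected: rollback"
        self.installed = image["payload"]
        self.min_version = image["version"]
        return "applied"


if __name__ == "__main__":
    d = Device()
    print(d.apply_update(sign_image(2, b"os-1.1")))   # applied
    print(d.apply_update(sign_image(1, b"os-1.0")))   # rejected: rollback
```

The two checks are deliberately ordered: the signature is verified before the version is even read, so an unsigned image cannot be used to probe or disturb the counter.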
Azure Sphere is an end-to-end solution for securing MCU powered devices:
• The Azure Sphere OS, with ongoing updates, creates a Microsoft-secured software platform.
• Azure Sphere certified MCUs, from our silicon partners, with built-in Microsoft hardware root of trust.
• The Azure Sphere Security Service guards every Azure Sphere device. It brokers trust, detects emerging threats, and renews device security.
Azure Sphere certified MCUs create a secured root of trust for connected, intelligent edge devices
• CONNECTED with built-in networking: network connection subsystem, Wi-Fi in the first chips
• SECURED with built-in Microsoft silicon security technology, including the Pluton Security Subsystem
• CROSSOVER: Cortex-A processing power brought to MCUs for the first time
Block diagram (recoverable labels): Pluton Security Subsystem; ARM Cortex-A; ARM Cortex-M optimized for real-time, low-power processing; Flash ≥ 4 MB; SRAM ≥ 4 MB; firewalls between the subsystems; Multiplexed I/O: GPIO, PWM, TDM, I2S, UART, I2C, SPI, ADC
Azure Sphere MCUs create a secured root of trust for connected, intelligent edge devices. Pluton features implemented in silicon include:
• A hardware root of trust that accelerates common cryptographic operations (ECC and AES), generates public/private keypairs, and implements secure boot (via ECDSA)
• A dedicated core and memory (TCM) that resists side-channel attacks that focus on a single core
• A true random number generator that defends against low-entropy attacks
• Measured boot and remote attestation that use a digest accumulator register and a nonce register
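The last bullet names two registers, and the way they interact is what makes remote attestation hold up: the accumulator can only be extended, so its final value commits to every boot stage in order, and the nonce register ties the signed quote to one specific challenge. The model below is an added example written for this page, not Pluton or Azure Sphere code. It implements the accumulator with SHA-256 and replaces the hardware's ECDSA signature with an HMAC under a constructed per-device key (both assumptions, made so the block runs offline); the stage names are constructed stand-ins for the measured images.

```python
import hashlib
import hmac
import os


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class DigestAccumulator:
    """Models the digest accumulator register: it can only be extended, never
    written directly, so the final value depends on every stage and their order."""

    def __init__(self) -> None:
        self.value = bytes(32)  # all-zero at reset

    def extend(self, measurement: bytes) -> bytes:
        self.value = _h(self.value + _h(measurement))
        return self.value


def accumulate(stages) -> bytes:
    acc = DigestAccumulator()
    for stage in stages:
        acc.extend(stage)
    return acc.value


# Constructed stand-ins for the images measured at boot (security monitor, kernel, app).
GOOD_STAGES = [b"security-monitor v1", b"hlos-kernel v1", b"app-container v1"]

# Assumption: a per-device key that never leaves the security subsystem. Real hardware
# signs with ECDSA; HMAC is used here only so the example runs without a crypto library.
DEVICE_KEY = b"constructed-per-device-attestation-key"


def make_quote(acc_value: bytes, nonce: bytes, key: bytes = DEVICE_KEY) -> bytes:
    """The quote binds the real accumulator value to the verifier's nonce."""
    return hmac.new(key, acc_value + nonce, hashlib.sha256).digest()


def boot_and_attest(stages, nonce: bytes, key: bytes = DEVICE_KEY, claim=None):
    """Boot with `stages` and return (reported_accumulator, quote). `claim` lets a
    compromised OS lie about the value it reports; the quote still covers the real
    register because only the hardware holds the key."""
    real = accumulate(stages)
    return (claim if claim is not None else real), make_quote(real, nonce, key)


def verify(reported_acc: bytes, quote: bytes, nonce: bytes, expected_acc: bytes,
           key: bytes = DEVICE_KEY) -> bool:
    if not hmac.compare_digest(reported_acc, expected_acc):
        return False  # measurements differ from the known-good firmware set
    return hmac.compare_digest(quote, make_quote(reported_acc, nonce, key))


def demo():
    """Returns (honest, tampered, lying_firmware, replayed_quote) verification results."""
    expected = accumulate(GOOD_STAGES)
    nonce = os.urandom(16)
    honest = verify(*boot_and_attest(GOOD_STAGES, nonce), nonce, expected)
    bad = [GOOD_STAGES[0], b"hlos-kernel v1 (backdoored)", GOOD_STAGES[2]]
    tampered = verify(*boot_and_attest(bad, nonce), nonce, expected)
    liar = verify(*boot_and_attest(bad, nonce, claim=expected), nonce, expected)
    acc, quote = boot_and_attest(GOOD_STAGES, nonce)
    replay = verify(acc, quote, os.urandom(16), expected)  # fresh nonce, old quote
    return honest, tampered, liar, replay


if __name__ == "__main__":
    print(demo())  # (True, False, False, False)
```

The "liar" case is the one to note: a compromised kernel can report whatever accumulator value it likes, but it cannot produce a quote over that value, because the quote is computed by hardware over the register as it actually is.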
Our Silicon Partners
The Azure Sphere OS is optimized for IoT, security, and agility. Azure Sphere OS architecture:
• Layer 4, Secure Application Containers: compartmentalize code for agility, robustness and security (app containers for POSIX on the Cortex-A; app containers for I/O on the Cortex-Ms)
• Layer 3, On-chip Cloud Services: provide update, authentication, and connectivity
• Layer 2, Custom Linux kernel (HLOS kernel): empowers agile silicon evolution and reuse of code
• Layer 1, Security Monitor: guards integrity and access to critical resources
• Hardware: Azure Sphere MCUs
Application platform
• Cortex-A
• App runs in Normal World user mode
• GPIO, UART and other interfaces
• Communicate with Azure IoT Hub or other clouds
• Microsoft provides all but the app
• All signed by the Microsoft CA
• App updates delivered by the Microsoft secure pipeline
• Sideloading during development
• Manifest file defines capabilities
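"Manifest file defines capabilities" is the least-privilege mechanism of the platform: the app declares up front which pins, hosts and ports it needs, and the OS refuses anything else at the point of use, so a compromised app cannot widen its own reach. The block below is an added illustration for this page, not Azure Sphere SDK or OS code. The manifest is a constructed JSON document in the shape of Azure Sphere's app_manifest.json (the key names Capabilities.Gpio, AllowedConnections and AllowedTcpServerPorts are assumed from the documented format), and the sandbox class models the enforcement rather than reproducing the OS implementation.

```python
import json

# Constructed manifest in the shape of Azure Sphere's app_manifest.json (assumption:
# key names follow the documented format; the ComponentId is a placeholder).
MANIFEST_JSON = """
{
  "SchemaVersion": 1,
  "Name": "FridgeMonitor",
  "ComponentId": "00000000-0000-0000-0000-000000000000",
  "EntryPoint": "/bin/app",
  "Capabilities": {
    "Gpio": [4, 5],
    "AllowedConnections": ["my-hub.azure-devices.net"],
    "AllowedTcpServerPorts": []
  },
  "ApplicationType": "Default"
}
"""


class CapabilityDenied(PermissionError):
    pass


class ManifestSandbox:
    """Grants only what the manifest declares and refuses everything else when the
    app tries to use it. Models the per-app container; not the OS implementation."""

    def __init__(self, manifest_text: str) -> None:
        manifest = json.loads(manifest_text)
        caps = manifest.get("Capabilities", {})
        self.name = manifest["Name"]
        self.gpio = set(caps.get("Gpio", []))
        self.hosts = {h.lower() for h in caps.get("AllowedConnections", [])}
        self.tcp_ports = set(caps.get("AllowedTcpServerPorts", []))

    def open_gpio(self, pin: int) -> bool:
        if pin not in self.gpio:
            raise CapabilityDenied(f"{self.name}: GPIO {pin} not declared")
        return True

    def connect(self, host: str) -> bool:
        # Exact-host allowlist, no wildcards: a look-alike such as
        # "evil-my-hub.azure-devices.net" does not match "my-hub.azure-devices.net".
        if host.lower() not in self.hosts:
            raise CapabilityDenied(f"{self.name}: connection to {host} not declared")
        return True

    def listen_tcp(self, port: int) -> bool:
        if port not in self.tcp_ports:
            raise CapabilityDenied(f"{self.name}: TCP server port {port} not declared")
        return True


def probe(sandbox: ManifestSandbox, action: str, arg) -> bool:
    """True if the manifest allows the action, False if the sandbox refuses it."""
    try:
        return getattr(sandbox, action)(arg)
    except CapabilityDenied:
        return False


if __name__ == "__main__":
    sb = ManifestSandbox(MANIFEST_JSON)
    for action, arg in [("open_gpio", 4), ("open_gpio", 9),
                        ("connect", "my-hub.azure-devices.net"),
                        ("connect", "attacker.example"), ("listen_tcp", 8080)]:
        print(action, arg, "->", "allowed" if probe(sb, action, arg) else "denied")
```

Because the manifest ships inside the signed image, the declared set cannot be edited on the device; changing it means building, signing and deploying a new image through the same pipeline as any other update.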
The Azure Sphere Security Service connects and protects every Azure Sphere device
• Protects your devices and your customers with certificate-based authentication of all communication
• Detects emerging security threats through automated processing of on-device failures
• Responds to threats with fully automated on-device updates of the OS
• Allows for easy deployment of software updates to Azure Sphere powered devices
Diagram (recoverable labels): OS updates from Microsoft; your app updates; app data and telemetry to Azure, another cloud, or on-prem infrastructure; online OS failure reports; remote attestation and cert-based authentication between the device and the Security Service.
Azure Sphere scenario: Azure DPS
Modernize MCU development with Azure Sphere and Visual Studio
• Simplify development: focus your device development effort on the value you want to create
• Streamline debugging: experience interactive, context-aware debugging across device and cloud
• Collaborate across your team: apply tool-assisted collaboration across your entire development organization
Demo
Deployment basics
• SKUs
• Components and applications
• Images and image sets
• Feeds
• Device groups
Three components. One low price. No subscription required.
• An Azure Sphere certified MCU
• The Azure Sphere OS with ongoing on-device OS updates
• The Azure Sphere Security Service with ongoing on-device security updates
Azure Sphere is open
• Open to any MCU manufacturer: we are licensing our Pluton security subsystem royalty free for use in any chip*
• Open to any innovation: MCU manufacturers are free to innovate with our GPL'd OSS Linux kernel code base
• Open to any cloud: Azure Sphere devices are free to connect to Azure or any other cloud, proprietary or public, for application data
Home Energy Management System Hassan Harb #FutureDecoded, London, November 1st
E.ON at a glance: 31m customers, ~500k connected energy assets, ~1m km power grids (slides dated 02.11.2018)
Trends in the energy sector: Decarbonization, Decentralization, Electrification
Trends in the energy sector: Decarbonization, Decentralization, Electrification, IoT
Internet of energy: security risk (Decarbonization, Decentralization, Electrification, IoT)
Challenges: Increasing electricity consumption (chart: consumption in Mtoe, 1970 to 2020, series Industry, Residential, Residential extrapolated). Based on Key world energy statistics 2018 © OECD/IEA 2018, www.iea.org/statistics. Licence: www.iea.org/t&c; as modified by E.ON Solutions GmbH
Challenges: Discrepancy between local generation and consumption (chart: PV generation vs demand over the day)
HEMS on Azure Sphere: HEMS edge intelligence
HEMS in action: Increase self-sufficiency through load shifting (chart: PV generation, demand, demand modification, storage management)
Thank you!
Get started with Azure Sphere today.
• Public Preview availability: Azure Sphere OS, Azure Sphere Security Service, Visual Studio tools for Azure Sphere
• Available now: Azure Sphere development kits from Seeed Studio
For more information visit: www.microsoft.com/AzureSphere
Let’s secure the future.
Things to do next
• Session feedback: please rate this session in the Future Decoded app!
• Microsoft UK AI Research Report: download the AI Report at http://aka.ms/UKAIreport
• Visit our Hands-on Labs on Level 3: try technology out with on-demand labs and expert help
• Go deep with documentation: http://docs.microsoft.com
aka.ms/IgniteTourLND