Smart deviation monitoring - the IoT basis to optimize smart machines and processes
Schenck Process Europe GmbH
Secure Yocto edge device | customized embedded Yocto system (Kirkstone LTS)
Schenck Process is the global market leader for sustainable, integrated measurement and process solutions. The company has been supporting customers in process optimization for over 140 years. Schenck Process has over 2,500 employees at locations in 20 countries and focuses on the market segments food, chemicals and high-performance materials, as well as infrastructure and energy. With Schenck Process and the CONiQ® Cloud, the company bridges the gap between machine and digital services.
Schenck Process products communicate and transmit alerts as well as current machine and process data. To ensure fully functional process operation, Schenck Process offers digital services for the company's own portfolio of machines and solutions as well as for similar applications from competitors. The CONiQ® Cloud Service detects and reports deviations from normal machine and process operation even before the machines' existing alarm functions do. The collected data is available to end customers via a dashboard. This enables companies to monitor, optimize and make their workflows and processes more sustainable, which means a gain in reaction, planning and production time as well as protection of machines and components.
Schenck Process aimed to achieve two goals in the development of the CONiQ® Cloud. Central to the project was the implementation of a Secure Boot concept based on the Zero Trust principle: a secure connection links Schenck Process machines and systems with secure data storage as well as secure user and device management. In addition, AWS Greengrass was to be integrated into an embedded Linux system as the connector to the Amazon Cloud, with the goal of complete controllability and hardware independence.
To achieve these goals, emlix brought development expertise to the project in the following fields:
- conceptual design, architecture design, requirements engineering
- customized embedded Linux Yocto system (Kirkstone LTS)
- Docker runtime environment with configuration through AWS Greengrass
- Linux kernel development and configuration
- performance measurement and system optimization
- development and implementation of the security concept "Zero-Trust" (Trusted Boot Function (TPM) as basis for Secure Boot)
- development and implementation of an OTA update concept
- development and implementation of a production concept for initial start-up and series production
- license documentation of the open source components with SPDX 2
- project coordination and communication
In the one-year project, emlix advised and supported Schenck Process in all key areas of the project, from hardware bring-up and cloud connection to the production and update concept.
In the project, Schenck Process relied on robust industrial PCs with an x86 architecture. emlix customized the Yocto Board Support Package (BSP) to the product-specific requirements in a bottom-up process on Yocto Kirkstone LTS. This hardened the system while keeping it highly transparent with minimal dependencies, so that Schenck Process gained complete control over the security chain and the achieved level of security became verifiable. The BSP was no longer a black box but a transparently composed and hardened system.
In addition, emlix supported the project team in defining a Linux-based system architecture with a view to the entire software lifecycle. Requirements regarding reproducibility, maintainability, security and certifiability were already taken into account at the beginning of the project.
The IoT edge device CONiQ® Monitor sits functionally between machine and cloud. Security-relevant aspects, also with regard to the IT Security Act 2.0, therefore immediately come to the fore. emlix created and implemented an end-to-end security concept in the project, including secure boot, disk encryption and a read-only filesystem. This also included TPM-supported security, accessed via the PKCS#11 interface, for communication with Amazon Web Services (AWS). To activate the TPM on the edge device in the best possible way, two paths were implemented in addition to plain commissioning: manual activation via the corresponding TPM configuration in the BIOS, and automatic activation for configuration in large-scale production and in the update process.
Schenck Process is increasingly informing end customers about software bills of materials as well. Therefore, in addition to the security-relevant aspects, legal issues regarding open source licenses had to be taken into account. For this purpose, emlix implemented license documentation of the open source components with SPDX 2.
Schenck Process and emlix will continue their long-standing cooperation. emlix will support Schenck Process across the entire software lifecycle in implementing CVE security and maintenance monitoring, and will help ensure that the product remains future-proof for entry into further markets.