In the second part of the series, we discuss the software configuration with regard to edge computing, as well as how specific connectivity and security measures make the system robust.
For context, read the articles describing Edge Computing and its software.
The software on the edge computing device consists of the Board Support Package (BSP), Operating System (OS), and Application. The BSP is responsible for providing the kernel, the drivers, and firmware for the hardware on the edge device. The OS is responsible for providing the application and user with a working file system and set of utilities and libraries. The application is programmed in a way that all the hardware faculties of the edge device can be used to control the process in the plant. The application will also have algorithms that process the data gathered from the plant process and output what corrective measures need to be taken.
Software updates are required for feature additions, bug fixes, security updates, etc. It is possible to deploy these updates locally over a firmware update port or, preferably, using Over-The-Air (OTA) updates. Locally deploying the updates requires a person with technical know-how to be present in the field.
With OTA updates, delivering updates can be as easy as uploading the update package to a server and pushing the package to your fleet of devices. Your edge devices will typically have a client service running on them that checks for updates. Once an update is downloaded, the installation might be done on the live system without causing any interruptions, or your system might have to reboot for the installation to complete.
OTA mechanisms might also provide fail-safe options using A/B partitioning. The storage device keeps a second copy of the working system files, and the update is installed over only one copy, so you always have a working copy. If the system fails to start up the updated firmware, there is a provision for the system to go back to the working copy.
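The A/B fallback described above can be modelled as a small boot-state machine. This is an added example, not code from any particular bootloader or OTA client; the slot names, the `MAX_TRIES` retry budget and the "confirmed" flag are assumptions made for illustration.

```python
from dataclasses import dataclass

MAX_TRIES = 3  # assumed retry budget for a freshly installed slot


@dataclass
class Slot:
    version: str
    confirmed: bool = True   # set once this copy has booted successfully
    tries_left: int = 0      # boot attempts remaining while unconfirmed


@dataclass
class BootState:
    slots: dict
    active: str = "A"

    def inactive(self):
        return "B" if self.active == "A" else "A"


def install_update(state, version):
    """Write the update over the inactive copy only, then switch to it on trial."""
    target = state.inactive()
    state.slots[target] = Slot(version, confirmed=False, tries_left=MAX_TRIES)
    state.active = target


def select_slot(state):
    """Bootloader step: pick the slot to boot, falling back when trials run out."""
    slot = state.slots[state.active]
    if not slot.confirmed:
        if slot.tries_left == 0:
            state.active = state.inactive()   # roll back to the working copy
        else:
            slot.tries_left -= 1
    return state.active


def confirm_boot(state):
    """Called by the OS once the new firmware is up and healthy."""
    state.slots[state.active].confirmed = True


def simulate(update_boots_ok, boots=5):
    """Install v2 next to a confirmed v1 and replay several power cycles."""
    state = BootState({"A": Slot("v1"), "B": Slot("v0")})
    install_update(state, "v2")
    history = []
    for _ in range(boots):
        name = select_slot(state)
        history.append(state.slots[name].version)
        if state.slots[name].version != "v2" or update_boots_ok:
            confirm_boot(state)
    return history
```

`simulate(False)` replays an update that never comes up: the new slot is tried until its budget is spent, after which every boot returns to the untouched copy.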
When the Edge Device boots, we should have a way to ensure that the software that is loading hasn't been tampered with. There are multiple ways an attacker might choose to tamper with your software. The attacker might try to access the device physically and install their own software, or try to update the device with a tampered package via the OTA mechanism. If they succeed, their software can boot instead of ours, and then they could get complete access to the edge device. To prevent this, SoC vendors add secure boot support.
Secure boot prevents the edge device from loading unauthorized software. It does this with the help of asymmetric cryptography. The authorized software to be flashed is signed with a private key. The private key is also used to create a public key which is stored on the edge device. This public key can be used during boot time to verify the authenticity of the software. If the verification using the public key passes, the software is authenticated and hence can boot. Otherwise, the software won’t be allowed to boot.
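The sign-then-verify flow described above, as an added example that is not taken from any SoC vendor's implementation. It uses unpadded textbook RSA over a SHA-256 digest with toy keys built from Mersenne primes so that it runs on the standard library alone; production secure boot relies on the vendor's boot ROM and a standard padded signature scheme, and all key and image values here are constructed.

```python
import hashlib


def make_keypair(p, q, e=65537):
    """Toy RSA key from two known primes; returns (public, private)."""
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def digest(image):
    """SHA-256 of the firmware image as an integer."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big")


def sign_image(image, private):
    """Build-server side: the only step that ever touches the private key."""
    n, d = private
    return pow(digest(image), d, n)


def verify_image(image, signature, public):
    """Boot-time side: needs only the public key stored on the device."""
    n, e = public
    return 0 <= signature < n and pow(signature, e, n) == digest(image)


def secure_boot(image, signature, device_public_key):
    """Boot only if the image verifies against the key held by the device."""
    return "boot" if verify_image(image, signature, device_public_key) else "halt"


# Constructed sample data. Mersenne primes keep the example short; they are
# trivially factorable and must never be used for real keys.
VENDOR_PUB, VENDOR_PRIV = make_keypair(2**127 - 1, 2**521 - 1)
ATTACKER_PUB, ATTACKER_PRIV = make_keypair(2**89 - 1, 2**607 - 1)
FIRMWARE = b"edge-app v1.4 (constructed sample image)"
SIGNATURE = sign_image(FIRMWARE, VENDOR_PRIV)
```

The device side holds only `VENDOR_PUB`, so both a modified image carrying the original signature and an image signed with a different private key end in `"halt"`.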
A Trusted Platform Module (TPM) can also be used alongside secure boot to safely store the secure boot keys. A TPM can also be used to make sure that your encrypted disk drives are unlocked only if certain conditions are met. It can also be used to securely store SSH authentication keys.
Even if the bulk of the processing is done on the edge, it makes sense to gather some of the process statistics and send them to the cloud. This data can then be securely stored and used for analytics, creation and deployment of ML Models, event detection and response, and creation of digital twins.
To upload the process information to the cloud, you need a reliable way to connect to the internet. When choosing the means of internet connectivity, the volume of data to be uploaded/downloaded and how frequently it is transferred need to be taken into account.
The best case scenario is the plant having wired internet access that the edge device can plug into. In such a case, an ethernet cable can be routed from the edge device to the network switch/gateway of the plant. Although this might come with a higher initial cost, you end up having reliable connectivity.
It might not always be possible to route a cable from the edge device to the gateway. In such cases, Wi-Fi connectivity is an option. It is important to choose a Wi-Fi module for your edge device that can perform well in an industrial environment that might have Radio Frequency interference. Choosing one that has 2x2 connectivity with 2 antennas can help immensely to improve Wi-Fi coverage and speeds.
In cases where you do not have wired or wireless connectivity options, you might choose to go for a cellular module. Cellular modules these days support technologies from the 2nd Generation (2G) to the 5th Generation New Radio (5G NR). With cellular modules, you will need a SIM card. It is possible to go for a local cellular network. But, with the rise of IoT devices, a lot of cellular network aggregation services have cropped up. With these services, you do not have to worry about which cellular network service is available in the area of deployment.