SEGWAY – CYSEC
Edge computing – a distributed IT architecture in which client data is processed at the periphery of the network, as close to the originating source as possible – is developing rapidly, driven by next-generation connected devices and fast communication links. The technological research and consulting company Gartner[1] predicts that by 2025, 75% of enterprise-generated data will be created and processed outside the data centre or cloud. By adopting edge computing, companies move dedicated processing operations to the periphery, closer to the data source to improve performance, although this may lead to higher cyber exposures. In most cases, edge computing complements cloud services by transferring the processing power from cloud platforms in a decentralised way to where the data is created and consumed. This hyper-distributed enterprise infrastructure introduces new cybersecurity challenges.
In this context, the SEGWAY project led by the European SME CYSEC was one of the projects awarded by DigiFed’s first open call to develop a proof of concept (PoC) by deploying CYSEC’s cryptographic service on the CEA-LETI secure platform. This secure reference design integrates an STM32MP1 microprocessor based on the ARM TrustZone hardware isolation combined with the (Trusted Platform Module) STSAFE-TPM[2], which has been developed in the framework of the IRT Nanoelec PULSE program.
CYSEC had already successfully deployed the Trusted Execution Environment (TEE) ARCA – a trusted computing solution to protect the data in use – in production environments for critical infrastructures such as finance and space applications. Its goal is now to diversify its range of solutions, also encompassing the Internet of Things (IoT). Through the collaboration with CEA-LETI fostered by DigiFed, CYSEC has thus, extended its product portfolio from cloud solution to the edge through the development of an integrated version of its Linux-based container-specific Operating system called ARCA Trusted OS. The developed PoC has enabled CYSEC to provide a secure computing solution dedicated to “edge” use cases requiring small footprint processing units based on ARM architecture by deploying its full range of cybersecurity products through fully distributed IT infrastructures.
SEGWAY PoC addresses a generic use case where a secure gateway positioned at the edge can authenticate the connected devices of an IoT ecosystem and securely transfer the processed data to the cloud. The secure gateway hosts a cryptographic service handling all the required cryptographic operations (such as key generation, encryption, signature, etc.) for the secure collection and processing of the data of the IoT-connected devices.
The SEGWAY PoC allows deploying CYSEC’s cryptographic service on the STM32MP157c-DK2 and is used as a cryptographic back-end for Public Key Infrastructure (PKI) applications and other ones running on the edge infrastructure and requiring compliance with some security regulations. This project also allows CYSEC to familiarise itself with embedded security tools and features such as ARM TrustZone and Trusted Platform Module (TPM). The outcome of this project is serving as a baseline for the development of a version of ARCA Trusted OS, which is CYSEC’s flagship product, for ARM architecture-based processing units.
CYSEC has already applied the know-how acquired through DigiFed’s SEGWAY project to gain new customers in multiple fields. Most of all, to three ones, including different types of sales activity:
- Electrical vehicle charging end-points: CYSEC provides to its partner a hardened Operating System distribution to be loaded in end-points.
- Secure satellite communications: CYSEC is currently working on a PoC to demonstrate performant secure satellite communications meeting targeted governmental security standards. In this use case, the CYSEC device is not used as an edge device but as a standalone device.
- Fleet management: CYSEC is currently collaborating with a company providing services with drones and aiming at integrating ARCA Trusted OS for ARM in its drone fleet to simplify both the fleet management and the security of data collected by this fleet.
- Space: CYSEC is currently in contact with multiple satellite constellation launchers looking at security solutions to provide encryption from ground stations to space.
Furthermore, CYSEC joined DigiFed’s Generic Experiment (GE)[3] community led by CEA-LETI and will test advanced security features developed on the STM32MP1 secure platform, such as a Host-based Intrusion Detection System (HIDS). These could lead to further collaboration between CYSEC and CEA-LETI.
Contact :
CEA-LETI : Marie-Sophie Masselot marie-sophie.masselot@cea.fr
CYSEC: Yacine Felk yacine.felk@cysec.com
This work has received funding from the European Union’s Horizon 2020 research and innovation programme under grant agreement No 872088 and was supported by the French national program “Programme Investissements d’Avenir IRT Nanoelec” ANR-10-AIRT-05.”
[1] Gartner “Predicts 2022: The Distributed Enterprise Drives Computing to the Edge”, By Thomas Bittman, Bob Gill, Tim Zimmerman, Ted Friedman, Neil MacDonald, Karen Brown.
[2] D. Paulin, T. Franco-Rondisson, R. Jayles et al.. HistoTrust’s Ethereum-based attestation of a data history built with OP-TEE and TPM. The 14th International Symposium on Foundations & Practice of Security (FPS2021). 08-10/12/2021. Paris, France. https://dl.acm.org/doi/abs/10.1007/978-3-031-08147-7_9
[3] https://digifed.org/generic-experiment/generic-experiment-on-cybersecurity-secure-platform-for-iot/