How edge hypervisors empower OT to manage security posture

Architect the root of trust by layering cybersecurity

Key Highlights

  • Robust edge security must begin with a hardware-validated root of trust and secure boot protocols to protect lower software layers before implementing encrypted communications and certificate management.
  • Real-time hypervisor technology allows OT teams to physically and logically isolate Ethernet ports, creating a secure DMZ that enables local data processing while shielding the deterministic PLC side from cloud-based risks.
  • To handle high-bandwidth workloads like vision and machine learning locally, edge controllers and IPCs are now utilizing multi-core CPUs, high RAM and specialized GPUs to process complex data without relying on cloud connectivity.

Daniel Smith is senior product manager for PACSystems controllers, safety and motion control at Emerson’s Machine Automation Solutions business. He specializes in architecting automation solutions that maximize ROI while aggressively reducing total cost of ownership. Smith leverages his expertise in account development, marketing and channel training to help global manufacturers navigate the shift toward a more connected, efficient industrial landscape. He holds a bachelor of science degree in engineering science from Pennsylvania State University.

What cybersecurity mechanisms, such as secure boot, certificate management, encrypted communications and role-based access control, should be implemented for edge controllers?

Daniel Smith, senior product manager, PACSystems controllers, safety and motion control, Emerson Machine Automation Solutions: The short answer is all of it. The strongest security is implemented in layers and has overlapping mechanisms. It certainly must start with the hardware-validated root of trust, so that the following security layers have a strong starting point.

Secure boot is a good next step that helps protect lower software layers, such as UEFI and boot loaders. Measured boot is another mechanism that can be used in parallel with the secure boot; however, measured boot does not have an enforcement element in it. If the overall use case supports the remote attestation concept, then measured boot can provide required measurements. Otherwise, measured boot might be of less value.

Communications between devices should ideally be encrypted and secured using certificates.
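An added illustration, not from the interview or from Emerson's products: a small Python model of the difference described above between measured boot (records every stage, refuses none) and secure boot (halts at an untrusted stage), with a remote verifier comparing the final PCR value against a golden reference. The stage names, image bytes and digest allow-list are constructed for the example; real firmware verifies signatures rather than a digest list.

```python
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR bank

def measure(component: bytes) -> bytes:
    """Digest of a boot component (firmware, bootloader, kernel image)."""
    return hashlib.sha256(component).digest()

def extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM-style PCR extend: the new value chains on the old one, so the
    order and content of every stage end up in a single register."""
    return hashlib.sha256(pcr + digest).digest()

def measured_boot(stages):
    """Measured boot: every stage is recorded, none is refused.
    Returns (final PCR value, event log)."""
    pcr = bytes(PCR_SIZE)  # PCRs are all-zero at power-on
    log = []
    for name, image in stages:
        d = measure(image)
        log.append((name, d.hex()))
        pcr = extend(pcr, d)
    return pcr, log

def secure_boot(stages, trusted):
    """Secure boot: halt before running a stage that is not trusted. Real
    firmware verifies signatures; a digest allow-list stands in for that here.
    Returns the names of the stages that were allowed to run."""
    ran = []
    for name, image in stages:
        if measure(image) not in trusted:
            break  # the enforcement point that measured boot lacks
        ran.append(name)
    return ran

def attest(reported_pcr: bytes, golden_pcr: bytes) -> bool:
    """Remote verifier: the only place a measured-boot drift is acted on."""
    return reported_pcr == golden_pcr

# Constructed stand-ins for the images a controller would actually load.
GOOD_CHAIN = [("uefi", b"uefi-fw-v2"), ("bootloader", b"shim-1.0"), ("kernel", b"linux-rt-6.1")]
TAMPERED_CHAIN = [("uefi", b"uefi-fw-v2"), ("bootloader", b"shim-1.0-modified"), ("kernel", b"linux-rt-6.1")]
TRUSTED = {measure(img) for _, img in GOOD_CHAIN}
GOLDEN_PCR, _ = measured_boot(GOOD_CHAIN)  # reference value held by the verifier

if __name__ == "__main__":
    pcr, _ = measured_boot(TAMPERED_CHAIN)
    print("measured boot ran all stages; attested:", attest(pcr, GOLDEN_PCR))
    print("secure boot ran:", secure_boot(TAMPERED_CHAIN, TRUSTED))
```

Without a verifier holding GOLDEN_PCR, the tampered chain boots and its measurements are never acted upon, which is the point made above about measured boot having no enforcement on its own.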

What environmental and industrial certifications—temperature range, vibration resistance, IP rating, UL/CE compliance—does the hardware need for on-machine deployment on factory floors? What about inside machines?

Daniel Smith, senior product manager, PACSystems controllers, safety and motion control, Emerson Machine Automation Solutions: Certification needs typically depend upon the industry. For standard use across every industry, systems should have IP67-rated I/O for on-machine deployment and should also have any other certifications necessary for PLC operation.

It’s also important to remember that some environments might require additional ratings, such as marine service ratings and conformal coating.

Can Ethernet ports be physically or logically isolated, and how can you configure a demilitarized zone between the factory floor and the corporate WAN?

Daniel Smith, senior product manager, PACSystems controllers, safety and motion control, Emerson Machine Automation Solutions: This is really the point of edge control. Teams need tools to build out solutions they can use directly on the factory floor, rather than bringing in IIoT solutions that corporate IT must implement and maintain. The intention of edge solutions is to allow OT to do everything at the process, rather than go get everything from the cloud.

Teams can put firewalls in and lock down traffic to the control system, but the exposure to the cloud is still risky and complicates operations and lifecycle maintenance. It is much easier to use an edge device that gives flexibility of configuration, empowering OT teams to take full control of their security posture.

Use of the real-time hypervisor allows strict networking isolation, where a set of Ethernet ports is assigned to the real-time PLC side, and the other set is assigned to the edge side. Within the hypervisor configuration, a user can set up a specific and very limited virtual networking connection between the controller and the edge, such as to allow only OPC UA traffic on a specific port.

How do compute resources, such as CPU architecture, cores, RAM or storage, affect the ability to run analytics, vision or AI workloads locally?

Daniel Smith, senior product manager, PACSystems controllers, safety and motion control, Emerson Machine Automation Solutions: The higher number of cores in a CPU, the better it can manage parallel processing. The most advanced systems also support graphical processing unit (GPU) workloads and can be enhanced with specialized physical AI capabilities to drive a wide range of AI/ML processing needs without significantly increasing power consumption and temperature.

High RAM is critical for advanced applications like machine learning algorithms. Typically, the more RAM the better, as vision and AI workloads are high consumers of volatile memory.

How easily can existing PLC logic or IEC 61131-3 programs be deployed or migrated to the edge controller environment?

Daniel Smith, senior product manager, PACSystems controllers, safety and motion control, Emerson Machine Automation Solutions: Hypervisor technology in the most advanced edge controllers makes it easy to support PLC logic on the PLC side of the edge controller. A Linux operating system for edge allows for ease of data manipulation. Simplifying the method of pushing data to the edge with OPC UA secure communications allows for the use of PLC logic and edge analytics.

What is the maximum number of concurrent industrial protocol tags that the internal OPC UA server can bridge to the edge side?

Daniel Smith, senior product manager, PACSystems controllers, safety and motion control, Emerson Machine Automation Solutions: This depends on the frequency users want to transfer data from the controller to the edge, but for all practical purposes it is unlimited. In general, teams should expect the edge side to be unlimited and the controller side to support 50,000 tags on a high-performance controller.

Tell us about one of your company’s state-of-the-art products that involves edge computing.

Daniel Smith, senior product manager, PACSystems controllers, safety and motion control, Emerson Machine Automation Solutions: Emerson’s PACSystems RX3i edge controllers use real-time hypervisor technology to run real-time deterministic control applications alongside PACEdge software for edge computing (Figure 1). The PACEdge software collects and preprocesses data close to the devices, enabling fast, low-latency distribution to local systems, reducing bandwidth usage. A hypervisor partitions two cores for the runtime and two cores for Linux. The system then uses Docker to containerize each of the applications on the PACEdge software, and a shared OPC UA data table manages communication between the two partitions. PACEdge software includes utilities to help users set up their own certificate authorities and issue their own certificates. This is helpful since in many cases controllers operate in an air-gapped environment and do not have the ability to utilize standard certificate authorities. This is one of the easiest solutions for high-performance edge control.

Additionally, Emerson industrial PCs (IPCs) have built-in graphical processing unit technology which can be further enhanced with specialized physical AI compute designed to support more complex AI solutions at the edge.

As organizations increasingly rely on AI solutions at the edge, they need technologies to deliver those capabilities securely and locally, without the need to rely on cloud connectivity. Industrial PCs provide storage and processing capabilities required for heavy AI workloads of industrial data. The integration of physical AI capabilities in the Emerson IPCs turns them into an always-on, on-premise industrial intelligence platform to process data at high speed and unlock the latency-sensitive applications that will capture competitive advantage.

About the Author

Mike Bacidore

Editor in Chief

Mike Bacidore is chief editor of Control Design and has been an integral part of the Endeavor Business Media editorial team since 2007. Previously, he was editorial director at Hughes Communications and a portfolio manager of the human resources and labor law areas at Wolters Kluwer. Bacidore holds a BA from the University of Illinois and an MBA from Lake Forest Graduate School of Management. He is an award-winning columnist, earning multiple regional and national awards from the American Society of Business Publication Editors. He may be reached at [email protected] 