Copyright © 2018 Arm TechCon, All rights reserved.

IoTエコシステムの構築と進化– ある開発者の話-

アーム株式会社

IoTサービスグループ

セールス & 事業開発ディレクター

春田 篤志

© 2

01

8A

rm L

imit

ed.

Pelion IoT Platform（ ぺリオンIoTプラットフォーム）

IoTのコネクティビティ、デバイス、データを包括的かつセキュアに管理するプラットフォーム

• あらゆる規模のIoTデバイスおよびデータを、シームレスかつセキュアに接続、管理

• パブリックおよびプライベートクラウド、オンプレミス、ハイブリッド、いずれの環境でも動作するよう設計

アプリケーション・エコシステム

(アプリケーション開発支援)

デバイス・エコシステムチップやモジュールに組み込まれたMbed OS

コネクティビティ管理サービス

デバイス管理サービス

データ管理サービス

デバイス・データ間セキュリティ

Pelion

エンタープライズ・データ＋

他のデータ

3Copyright © 2018 Arm TechCon, All rights reserved. 3

Device Management

4Copyright © 2018 Arm TechCon, All rights reserved.

Effective device management is the key to get value from dataEffective IoT device management ensures data is delivered securely and reliably from the right devices at the right time

• Device provisioning and onboarding

• Device life-cycle management

• Secure software update

• Access control

• Device health monitoring

Device Management

Equipment, process, environment, parts, materials, people

Application

Insightsoptimizations

responses Application

Application

dataApp

dataApp

dataApp

dataApp

dataApp

5Copyright © 2018 Arm TechCon, All rights reserved.

Market opportunity

The commercial and industrial sector, driven by building automation, industrial automation, and lighting, will account for nearly 50% of new connected devices between 2018 and 2030.

Source: IHS Markit

6Copyright © 2018 Arm TechCon, All rights reserved.

Heterogeneity enablers and blockers to scale

Heterogeneity in device classes

Multiple connectivity methods

Heterogeneity in service deployment

WiFi Cellular Ethernet LPWAN ZigbeeBluetooth & Bluetooth low energy

7Copyright © 2018 Arm TechCon, All rights reserved.

Standards in the context of IoT Application layer protocol

Commercial and technical drivers

A seal of approval

Defrag./Interop.

Domain specific challenges

Players’ level of interest

Propriety

Any standard

Specific standard

8Copyright © 2018 Arm TechCon, All rights reserved.

IOT security requires addressing complex challenges

Secure provisioning of cryptographic device identity at untrusted

factories

Managing public key infrastructure used by

device identities at scale

Device protection and security

Renewing device security by remote software updates

Controlling access to devices, services and

data by users and apps

Integration with enterprise IT

infrastructure

Regulation compliance and risk

management

9Copyright © 2018 Arm TechCon, All rights reserved. 9

IoT Scale

10Copyright © 2018 Arm TechCon, All rights reserved.

IoT Device ClassesA landscape of multiple verticals, wide range of use cases and wide variety of devices

11Copyright © 2018 Arm TechCon, All rights reserved.

IoT Device ClassesA landscape of multiple verticals, wide range of use cases and wide variety of devices

12Copyright © 2018 Arm TechCon, All rights reserved.

Solving connection and deployment challenges with standardsAccess to the reliable connectivity portfolio that developers need

IoT connectivity

Developers build applications that use REST APIs

communication

→ Simplified development

→ Hardware portability

→ Products can have multiple connectivity options

Application integration Options for deployment

NB-IoTCloud Architecture

Cloud

On Premises

OpenStack

HW DC IaaS

Other clouds

Using same SW technologies with cloud and on-premises

Identical features and capabilities

13Copyright © 2018 Arm TechCon, All rights reserved.

Gateways critical piece of IoT infrastructure..through 2020, 90 percent of IoT projects will use some form of IoT gateway

Not all devices can connect (directly) to the cloud

• Non-IP devices

• Legacy device with legacy protocols -Brown field devices

Not all data can or needs to go to cloud

• Latency

• Offline operation

• Security and privacy needs

• Data conservation

• Simplification

14Copyright © 2018 Arm TechCon, All rights reserved.

High-Level System Architecture: Cloud-hosted instancesTypical device management topology

Device Management

Cloud

CustomerCloud

GatewayCustomer

application server hosted in Cloud

Traffic to customer Cloud

kWh

139392

kWh

139392

Device + ClientStandard Cloud topology

Enhanced customer applications and services

15Copyright © 2018 Arm TechCon, All rights reserved.

Cloud orchestration

Cloud Components Deployment View

The components and deployment of Device Management services

Kubernetes

Identity & Access Mgmt

Update

Device Catalog

Message Bus

Connector

Billing

AP

I GW

Load

bal

ance

r

Co

ntr

olle

r

App #1

App #2

App #3

Co

ntr

olle

r

Load

bal

ance

r

Zone A Zone B Zone C

Kubernetes

Load balancer

controller controllercontroller

Load balancer Load balancer

Cloud computing HW

Micro services

16Copyright © 2018 Arm TechCon, All rights reserved.

Certain industries require data to be stored in private data centersRegulations

Private deployments may enable data to be stored more securelySecurity

Enterprises need total control of their systems, data and processesFull control

Maintain operation in locations with limited connectivityTechnical limitations

Enabling IoT device management business models for end-customersDifferentiation

Utilities, Smart gridUse cases

Usage regions

Deployment Choice - Public cloud and on-premisesSome use cases and geographies require other deployment options due to:

17Copyright © 2018 Arm TechCon, All rights reserved.

On-premises orchestrationOn-Premises perspective to device management

HW

OpenStack

Kubernetes

Identity & Access Mgmt

Update

Device Catalog

Message Bus

Connector

Billing

AP

I GW

Firewall & Load balancer

Co

ntr

olle

r

Core OSDocker registry

jumpbox

Application #1

DNS

HSM

External CA

NTP

SMTP

18Copyright © 2018 Arm TechCon, All rights reserved. 18

IoT Security

19Copyright © 2018 Arm TechCon, All rights reserved.

PSA principles A recipe for building a secure system from analysis to architecture

Identify key common principles

Software architecture

Common principles across multiple use cases

Device identity

Trusted boot sequence

Secure over-the-air

software update

Certificatebased

authentication Hardware requirements

Specifications

Threat models &security analysis

Analyze

Firmware architecture & hardware

specifications

Architect

Implement

Open source code

20Copyright © 2018 Arm TechCon, All rights reserved.

Matching the Vulnerability with the Right Mitigation

PSA Analysis StageAssess the potential vulnerabilities

Software• buffer overflows • interrupts• malware

Physical• non-invasive• invasive

Lifecycle• code downgrade• ownership

changes• unauthorized

overproduction• Debug hacks

Communication• man-in-the-middle • weak RNG• code

vulnerabilities

Physical mitigation Software mitigation

Lifecycle mitigationCommunication mitigation

Arm SecurCore,Arm Cortex-M35P,CryptpCell-312P,CryptoIsland-300P

Arm TrustZone, CMSIS-ZONEArm Keil MDK and Armprocessors with TrustZonesupport

Arm CryptoCell & CryptoIsland,Arm Pelion IoT Platform,Arm CoreLink SDC-600

Arm CryptoCell & CryptoIsland,Arm Pelion IoT Platform

21Copyright © 2018 Arm TechCon, All rights reserved.

Device life-cycle security

Manufacturing

On-boarding

Regular Use

Configuring devices with trusted verifiable unique cryptographic identity (“birth certificate”) at the time of manufacturing

Commissioning – securely configuring network credentials and operational parameters

Bootstrapping –Authenticating and configuring devices with operational keys (“driver’s license”)

Decommissioning

Securely updating device software remotely

Monitoring device health

Controlling access to devices in the field

Removing devices from the network

Security wiping sensitive key material from the device

22Copyright © 2018 Arm TechCon, All rights reserved.

Device access control and security: How, when and who can access devices?

Devices are often installed outside of security perimeter, but are part of an enterprise network

Device passwords are typically used to control access to devices

Device passwords are virtually impossible to manage

• Often shared across devices and people• Create easily-exploited security backdoors

23Copyright © 2018 Arm TechCon, All rights reserved.

Delegated access controlOvercomes inherent vulnerabilities of using passwords for device access control

Solve the problem with implementation of IETF ACE standards

• Authentication of users– Controls permissions of specific users based on

their current status in the company

• Granular authorization– Grant very detailed permissions to specific users

e.g. single configuration parameter

1 2

AuthorizationServer

24Copyright © 2018 Arm TechCon, All rights reserved. 24

Pelion Device Management

25Copyright © 2018 Arm TechCon, All rights reserved.

Pelion Device ManagementでIoT導入・管理を容易に

非IPデバイス

IP接続デバイス

IoTデバイス・アプリケーション

Mbed OS Device Management クラアント

デバイス内蔵のセキュアなroot-of-trust

Zigbee

Bluetooth & Bluetooth low energy

LPWA(Low Power Wide Area) ネットワーク

接続方式

ゲートウェイ接続

WiFi セルラー イーサーネット

エッジコンピューティング

ゲートウェイ管理

マルチプロトコルデバイスとアクセス管理

データプロトコル変換

マネージド・ネットワーク

LPWAN

デバイス管理

アセット/IDのセキュア・ プロビジョニング

高エネルキー効率のコネクティビティ

エンドホイント/ ゲートウェイのデバイス管理

ファームウェアのデプロイ/更新キャンヘーン

エンドホイント/ ゲートウェイコンピューティング/ アクセス管理

•サーバー•ストレージ•ルールエンジ•Web解析•インテグレーション•独自アプリケーション

ユーサー企業のアプリケーション/

サービス

26Copyright © 2018 Arm TechCon, All rights reserved.

Pelionデバイス管理サービス

ネットワークにつながるすべてのIoTデバイスを、そのライフサイクルを通して、安全に管理

すべてのIoTデバイスを一元管理することが可能

どんなデバイスも接続可能

パブリックからオンプレミスまであらゆるクラウドに対応

安全なアセットやIDのプロビジョニ

ング

エネルギー効率の高い通信接続

エンドポイントとゲートウェイ両方に

対応

ファームウエアアップデート

エンドポイント/ゲートウェイアクセス管理

（開発者用管理画面）

© 2

01

8A

rm L

imit

ed.

多様なユースケースを支えるリッチな

プラットフォーム

Pelion: データを活用し新たな収益機会の創出へ

デバイスとコネクティビティの管理がデータサービス採用の増加を促進

データ管理サービス• あらゆるユースケースに対応する、信

頼できる統合・管理されたデータ• 解析のためのリッチなデータセット

デバイス管理サービス• 制約のある環境化でのハイブリッドクラ

ウドへの対応• 分散したデバイスプロファイルのための

統一されたクライアントの抽象化

コネクティビティ管理サービス• さまざまな地域のIoTエコシステム内の

事業者に対応するオールインワンサービス

• 統一されたコネクティビティ管理

Pelion

制御

データ

2828 © 2018 Arm Limited

Thank You!Danke!Merci!谢谢!ありがとう!Gracias!Kiitos!감사합니다धनयवाद