小眼睛的健康世界

Software partitioning has a role in making industrial infrastructure secure, writes Alexander Damisch, director for industrial markets at Wind River

Security issues in industrial markets have been receiving much attention in the media. The vast majority of devices that power infrastructures offer aging technology in many cases and are not well prepared for the latest cyber security threats.

Taking the energy grid as an example: one does not have to be a scientist to find the holes when approximately 70% of the infrastructure is more than 30 years old.

Devices that were never designed for a connected world in the first place are wide open for attacks. Utility providers and the dominating players that power this market are under intense pressure; critical infrastructure is supposed to be stable, robust and often certified for functional safety requirements.

While safety systems are left untouched following certification for risk, complexity and cost reasons, a secure system is only secure if it is able to withstand the latest vulnerabilities. The contradiction between the lifecycle of safety and security is a very expensive challenge today. However, the good news is that embedded virtualization can alleviate these security challenges.

To provide a solution that can be retrofitted to an existing infrastructure, new security devices are often integrated with existing devices. Firewalls, IPS, IDS or other boxes add to the CAPEX cost, but also increase the complexity of the supply chain management for installations that have may have a lifecycle of 25 years or more.

New systems are designed with both safety and security in mind. Functions that would be in separate boxes in the existing infrastructure can be consolidated to reduce the CAPEX burden and avoid even greater costs in supply chain management.

This idea is not new: consolidating workload into more intelligent systems by leveraging improved hardware architectures that support virtualization creates a significant opportunity to meet today’s architectural challenges.

One proven approach to security is to keep devices that need to be secure away from general access: for example, physically or virtually separated from networks such as the Internet.

The implication of this approach is that physically separate devices and networks need to be built for secure versus insecure devices. In general, this is impractical because of the expense and redundancy involved. A more cost-effective solution is to leverage embedded virtualization.

Virtualization for embedded systems that operates at the processor and board level is called a hypervisor. A hypervisor allows several virtual systems to run on a single piece of hardware efficiently. Hypervisors can be used to consolidate several systems into one, saving material costs; reducing size, weight and power; and reducing supply chain costs and complexity. Virtualization with a hypervisor can also allow developers to partition a system for functional, security and safety reasons.

Virtualization technology can also provide an OS-agnostic, safe and secure partitioning layer. This addresses a key concern of the market today: ensuring that different services on a device do not impact each other for security and safety.

This ability to securely combine different partitions not only reduces the development costs, but also the operating and capital costs. Using fewer chips and boards reduces the capital cost of the product.

OPEX is also reduced with less inventory and spares and a simpler process for upgrading hardware and software. Now, any new patches or updates to parts of the system software will not affect the real-time operation of the system, nor require lengthy testing and re-certification.

The move to virtualization extends the lifecycle of embedded products. Existing code can run on its own secure partition running an RTOS while new features can be added to the non-real-time partition running an OS such as Linux or Microsoft Windows for the user interface.

To implement this efficiently, virtualization uses hardware enhancements specific to a CPU architecture, enabling all the advantages with minimal impact on performance and latency, especially for the hardware-assisted isolation between partitions.

This strategy greatly extends the life of an embedded product without the expense of having to rewrite real-time embedded code, add and re-certify drivers or redesign hardware. This is a particular issue for systems that combine real-time capability and user interface in one operating system – when there are patches or updates to the OS, the whole design has to be re-tested and possibly re-certified to ensure there is no impact on the real-time operation.

The influence of machine-to-machine (M2M) networks is growing and many devices now need additional gateways, firewalls and other communication functions. Virtualization is an excellent way of adding these to the system through the non-real time operating system without having to change and re-certify the real-time elements of the software or change the hardware.

One proposed architecture that is fast gaining ground is to provide more localized and connected processing power close to where it is needed, often as a gateway to the wider Internet. Local traffic can be processed quickly and acted on, while the data is still available to the wider systems across the Internet, whether it is a train, a manufacturing floor or a power plant. This approach provides the ability to consolidate a number of functions from communications to data processing. This is costly and complex when implemented in separate boxes. The ability to consolidate a wide range of functions reliably and securely into an intelligent single unit is more cost effective and becoming increasingly popular.

This trend has implications for security. Consolidating workloads in a single device means communications are linked to real-time operations and the flow of data. This means there is a need to keep certain functions highly separated.

Safety-critical code must be protected and unchanged to retain its certification, and yet the security that protects the system has to be updated regularly to defend against ever changing attacks. At the same time, there are communications protocols and data capture in the system that need real-time performance alongside human interfaces that can be run at slower speeds.

All of this provides a potentially highly complex environment. The traditional approach has been to have separate devices for each of these functions, such as the communications and real-time elements.

However, security needs to be deeply embedded within the system to provide maximum protection; and physical separation leads to a number of architectural challenges that can be expensive to solve.

Virtualization has already opened up a wide range of new applications in IT, but the ability to provide true real-time performance alongside a mainstream OS opens up yet more embedded opportunities in new and existing markets.

Smart-grid networks, manufacturing systems, and transportation are all set to benefit from the consolidation of workloads and the separation of communication and security functions on to a single core. This allows cost-effective development of secure, reliable and future-proof embedded systems. Running the same operating systems on both a single- and multi-core Embedded System device opens up a platform of equipment that can scale from a single core to many, all with the same software base.

Consolidation of workloads also has a significant effect on the capital and operational expenditures. Building a single unit with a single board rather than multiple units with multiple boards reduces the upfront costs. Millions of M2M devices are being rolled out, connected to hundreds of thousands of gateway units, so this is a significant saving in the upfront cost.

Decoupling the software lifecycle of different elements and still being able to use a single device can reduce expenses. All of this can provide dramatic savings in development time and equipment cost, allowing more processing performance to sit closer to where it is needed in the network and support lower cost sensors and terminals in the home or on the factory floor.

While industrial markets are undergoing a revolution, safety and security are the driving forces behind new processes and standards. Increased regulations are subjecting more embedded devices to rigorous and expensive certification processes ensuring standards compliance. Wind River’s safe and secure partitioning solutions for industrial and automotive applications, further demonstrate this shift.

Wind River’s safe and secure partitioning capability is designed and implemented for safety certification and decoupling the lifecycle of certified and non-certified applications. This provides the option for increased innovation of the non-certified applications and reduces ongoing system certification costs while enabling the benefits of consolidation.

Exciting new opportunity, for an Embedded Engineer to join a very specialist company based in the West Midlands. This is a 9 month fixed term contract with the expectation you will remain permanent after this period of time.

You will be offered to chance to work with an award-winning company that design and manufactures industry leading products to global companies. They have a small and friendly R&D team that takes responsibility in designing and developing new products.

The successful Embedded Engineer Embedded System will be supporting the company's products as well as developing projects through design and development of Embedded and Windows systems.

You will be offered a 9 month fixed term contract, with all the perks of a permanent employee including pension, annual leave and such.

You will be responsible for design and development of Embedded Systems, as well as specifying and configuration from scratch. You will also offer testing resource and will have an impact on process'.

The successful Embedded Engineer will have experience with:

-Embedded Software Design and development

Oracle has announced two new Java products for embedded systems, with the aim of getting the object-oriented language running on as wide a range of devices as possible, including ones with very limited resources.

Tuesday's new addition to the database giant's Java Platform, Micro Edition (Java ME) lineup, Oracle Java ME Embedded 3.2 shrinks Java's footprint down to levels that are almost unthinkable in the modern PC era. Derived from the version of Java ME that runs on feature phones, it supports devices with ARM processors and as little as 130KB RAM and 350KB ROM.

What that means is that for the first time, Java is within reach of developers of small, low-power embedded devices, such as microcontrollers for industrial applications, home automation, environmental sensors, and machine-to-machine (M2M) systems.

Because of the unique requirements of such devices, Java ME Embedded allows developers to create systems that can be operated remotely, and software updates can be downloaded and applied on the fly, including adding new features without affecting the existing ones.

But the real advantage of using Java for embedded applications, Oracle says, is that its high-level code allows devices makers to be more flexible.

"With Oracle Java ME Embedded 3.2, applications for small embedded devices are no longer tied to a single hardware platform," Oracle said in a press release. "Customers can now develop software in parallel with their hardware development to help improve productivity and achieve faster time to market."

Naturally, Oracle has released an SDK Embedded System to go along with the new version of the platform, including plugins for Eclipse, and it says it will soon make available a standard binary that can be used for rapid prototyping on ARM development boards.

Meanwhile, Oracle also announced a second Java product for embedded systems with less rigid hardware constraints, including network appliances, healthcare devices, home gateways and routers, and devices such as multi-function printers.

Dubbed Oracle Embedded Suite, it's essentially a complete middleware stack designed to run on Java-powered embedded devices, including an integrated web server, the Glassfish for Embedded application server, the Java DB database, and the Jersey Web Services Framework.

The idea is that by integrating all of these application components in an embedded system, Java developers can use their existing skillsets to build devices that can both offer services and collect their own data, which can later be synchronized with enterprise systems.

Oracle's big embedded push comes mere days before it kicks off this year's JavaOne conference, set to take place from September 30 through October 4 as part of the database giant's massive OpenWorld event, which takes over entire blocks of downtown San Francisco each year.

This year's JavaOne will include over 60 conference sessions devoted to embedded Java technologies, Oracle says, including a new, business-focused track that offers executives and decision makers the full sales pitch. ®

Industry leading performance and VxWorks RTOS support for embedded applications

Taipei, Taiwan, - VIA Technologies, Inc, a leading innovator of power efficient computing platforms, today announced the VIA ETX-8X90 module which features a 1.2GHz VIA NanoTM X2 E-Series dual core processor and the VIA VX900 media system processor (MSP), providing industry leading performance in a power efficient design. The VIA ETX-8X90 module provides a highly integrated and compact platform for embedded applications in medical, test and measurement, industrial automation and transportation.

The modular design approach allows for short time-to market, application-specific customization, simplified development, high stability and long life cycles enabling customers to rapidly develop new and innovative devices. Customers can take advantage of a proprietary start-up kit including a multi-I/O baseboard reference, or can utilize extensive technical support from VIA in developing a custom baseboard. In addition to support for the embedded industry leading VxWorks RTOS, the VIA ETX-8X90 runs a wide range of Windows and Linux based operating systems.

“We continue to broaden the range of our Computer-on-Module portfolio with the addition of the ETX legacy form factor,” said Epan Wu Head of the VIA Embedded Platform Division, VIA Technologies, Inc. “The VIA ETX-8X90 module provides industry leading processing performance in the shape of the VIA Nano X2 E processor allowing existing ETX customers to quickly scale to today’s requirements.”

About the VIA ETX-8X90 Module
Measuring 114mm x 95mm, the VIA ETX-8X90 module is based on the industry standard ETX (Embedded Technology eXtended) legacy form factor and combines a 1.2GHz VIA Nano X2 E-Series dual core processor with the VIA VX900 MSP, providing hardware acceleration of the most demanding video formats including VC1, WMV9, MPEG-2 and H.264.

The VIA ETX-8X90 offers support Embedded System for up to 4GB of DDR3 memory as well as the latest display connectivity standards including 18/24-bit dual-channel LVDS, one VGA port with resolutions up to 2560 x 1600, four USB 2.0 and two mini USB ports, two PCI and one ISA bus, one SATA port, one IDE and two COM ports as well as one 10/100 Ethernet on module.

For more information on the VIA ETX-8X90, please visit:
http://www.viaembedded.com/en/product...

About VIA Technologies, Inc.
VIA Technologies, Inc is the foremost fabless supplier of power efficient x86 processor platforms that are driving system innovation in the PC, client, ultra mobile and embedded markets. Combining energy-saving processors with digital media chipsets and advanced connectivity, multimedia and networking silicon enables a broad spectrum of computing and communication platforms, including its widely acclaimed ultra compact mainboards. Headquartered in Taipei, Taiwan, VIA’s global network links the high tech centers of the US, Europe and Asia, and its customer base includes the world’s top OEMs and system integrators. www.via.com.tw

MIDDLETON, Wis., 14 Oct. 2012. Extreme Engineering Solutions (X-ES) in Middleton, Wis., is introducing the XPedite5650 conduction- or air-cooled Mini COM Express embedded computing module for military embedded systems, as well as for industrial and communications applications where size, weight, and power (SWaP) are primary design considerations.

The XPedite5650 single-board computer, which measures 55 by 84 millimeters, supports the Freescale QorIQ P2041 quad-core processor, four gigabytes of memory, a ruggedized design, and is designed and tested for harsh military, aerospace, and industrial environments.

The rugged computer board is designed and tested for operation from -40 to 85 degrees Celsius, includes additional mounting holes for increased structural integrity, provides extended shock and vibration, soldered-down memory, tin-lead soldering, and offers built-in test (BIT).
The XPedite5650 also has two Gigabit Ethernet ports (one 1000BASE-T and one 1000BASE-X), two serial ports, two USB 2.0 ports, and two SATA 3.0 ports. Linux, Wind River VxWorks, and Green Hills Embedded System INTEGRITY operating system software are available.

Related stories

-- 3U CompactPCI development system for conduction-cooled embedded computing introduced by X-ES

-- X-ES introduces new 3U CompactPCI module to line of Intel Core i7 processor-based products

-- Conduction-cooled PrPMC/XMC embedded computer based on Freescale QorIQ processor introduced by X-ES.
An XPand6000 series system can be bolted to almost any available surface of a small unmanned aerial vehicle (UAV), ground vehicle, or heavy equipment. In an extremely small and lightweight package weighing as little as 3.5 pounds and measuring 72 cubic inches, X-ES officials say.
XPand6000 series systems combine high-performance processing and application specific I/O added via PMCs/XMCs, such as MIL-STD-1553, CANbus, video input, RS-232/422, GPIO, A/D, and D/A for the most SWaP constrained applications.
For XPedite5650 development, X-ES provides the CX-DP desktop setup with standard I/O connectors. It provides basic COM Express I/O via fixed connectors, accessible through the back panel of its ATX chassis.