Industrial Raspberry Pi 3 as Open Edge Connectivity Ecosystem

netPI - build, ship, run secure on the Edge!

  • Ruggedized Raspberry Pi 3 architecture based platform

  • With / without onboard Industrial Ethernet Controller

  • For IIoT and Industry 4.0 Edge Automation projects

  • Expansion slot for advanced networking modules

  • Cyber secured infrastructure for immediate industrial use

  • Docker host for container-isolated user software and apps


 

The Platform


netPI is a Raspberry Pi 3 architecture based platform for implementing Cloud, Internet of Things and Industry 4.0 customized Edge Automation projects safely, using containerized software on Docker. Hilscher designed it in cooperation with Element14, the Raspberry Pi manufacturer, and upgraded it specifically for industrial use. Its single circuit board combines the Pi 3 circuitry and its standard interfaces with Hilscher's multi-protocol Industrial Network SoC netX plus two extra Industrial Ethernet ports. By design, netPI's overall software architecture complies with the Cyber Security Standard IEC 62443 for Industrial Automation and Control Systems to counter threats such as unauthorized access, software manipulation and eavesdropping, and relies on a security-enhanced Linux. Default access for configuring and managing it is granted via a web-based GUI. Additional software and applications can only be installed by accredited users, using the preinstalled Docker virtualization environment, in isolated containers, in line with the security concept.


Industrial graded

netPI features hardware upgrades that vastly improve the platform for industrial use.

  • Design
    • 8 layer PCB design (6 with Pi 3) for best EMC compliance and heat dissipation
    • Cooling concept for full 1.2GHz quad-core CPU performance up to 50°C without throttling

  • Peripherals
    • 8GB industrial grade long-life FLASH memory with guaranteed constant BOM
    • Real-Time Clock (RTC) with 7 days maintenance-free supercapacitor based buffering
    • 8KB extra FRAM for storing data non-volatile at high frequencies

  • Connectivity
    • netX51 multi-protocol Industrial Networks Controller for Fieldbus and Industrial Ethernet
    • Two extra Industrial Ethernet ports for protocols such as PROFINET, EtherNet/IP and more
    • Expansion slot for additional plug-in modules such as RS485, RFID, Analog, Digital I/O and more
    • Top hat rail mountable robust metallic housing for longevity in industrial environments

  • Environments
    • On-board WiFi/BT radio antenna extended beyond chassis for best wireless coverage
    • EMC compliant to latest standards
    • Shock and vibration compliant to latest standards
    • Extended temperature range -20°C to 60°C
    • 24 Volt DC powering

Secured infrastructure

netPI features default system security to counter today's cyber threats.

  • Design
    • Yocto project based customized Linux, Kernel 4.9.x or higher

  • Integrity
    • Validity of the booted software is checked through keys
    • Coordinated installation of system updates and patches through signed packages only
    • Removable media such as USB sticks are ignored, preventing infiltration of malware

  • Authentication
    • Obligatory password authentication with key strength calculator
    • User and role management prohibiting unauthorized access to preinstalled software

  • Confidentiality
    • Transmission route to the web GUI protected by TLS 1.2 encryption (https)
    • NGINX application as reverse proxy for centralized SSL certificate offloading and handling
    • No SSH server installed, preventing remote shell access
    • No sudo command installed, preventing escalation to root privileges

  • Restricted Data Flow
    • Preinstalled components confined by AppArmor security framework access profiles
    • Physical segregation of IT and OT networks by two separate network controllers
    • Preinstalled Docker for additional container-isolated applications, managed through the web GUI client portainer.io

Docker


netPI is a Docker host. Docker is software that packs applications into containers and runs them as if they were running directly on the system, but isolated in their own private virtual environments. Every container is launched from an image template, a software snapshot of everything the container needs to run autonomously: operating system, directories, tools, applications, user-added files and configuration settings. When a container is created, Docker instantiates the self-contained image and adds dynamic aspects to it such as its own drive volume, network stack, namespaces and control groups. This form of isolation allows multiple containers to run at a time without influencing each other or the Docker host. Image templates are portable and can be exchanged across registries, which makes it possible to distribute and ship one's work to everybody, either privately or publicly. For easy on-board Docker management netPI provides the Docker web UI portainer.io as front end to the user.


Security by Design

With Raspberry Pi the focus is "the affordable PC for everybody", with an open and customizable software ecosystem like Raspbian OS. The brilliant playground concept at the platform's best price/performance ratio encourages the community to this day to realize even the most unusual computer projects with it. But openness has drawbacks. When applications are directed at industry, security comes significantly to the fore. In the majority of today's Raspberry projects the provided software 1.) is a chaotic mix of multiple components embedding unpredictable security risks and 2.) has never been assessed or designed with security in mind at all.

netPI however is different: its security concept was considered from the beginning, and Docker plays a significant role in it.


In accordance with IEC 62443

Docker starts containers with a whitelisted, restricted set of capabilities so that the Docker host system is shielded from external exposure by default. But Docker itself runs as root and could pass this privilege, and others, on to a container. However, the simple example of a containerized web server application that binds just one specific port to provide its web content makes clear that in nearly 100% of all cases granting privileges is not needed at all. Security comes first here. Even if the web server is fully operational, an intruder would never succeed in becoming system root, no matter how vulnerable the web server is, as long as the container is of type non-root. So with Docker, security is just a matter of the privileges granted to a container. IEC 62443 demands consistent asset life-cycle security and risk management in an administered way. It prescribes that only suitably trained and accredited personnel are entitled to manage components identified as critical, such as Docker. So netPI's security rises and falls with the administrators responsible for its setup.



Containerized Software

There are two ways of dealing with container images: either you use already built images with ready-made applications, or you build your own images fitting your demands.

Building your own image is easy. An image needs a base and in the best case consists of just that. The base usually consists of an operating system like Ubuntu, Debian or CentOS. Those and many more are offered prebuilt on Docker's public registry, Docker Hub, ready for pulling. Naturally the well-known Raspbian is provided too. On top of this base image you can add and install everything your application shall consist of. When ready, you make the final commit of your customized image. You can keep it private or upload it to the registry for others.

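As an added example, not Hilscher's code and not shipped with netPI, here is a minimal image of the kind the two preceding sections describe: a Debian base pulled from Docker Hub with a small static web server installed on top, written so that the resulting container is of type non-root and binds only an unprivileged port. The `arm32v7/debian` base tag, the `web` user and the `./html` content directory are assumptions.

```dockerfile
# Base layer: Debian built for the Pi 3's ARMv7 CPU, pulled from Docker Hub
# (assumed tag; any Raspbian/Debian armhf image from the registry works the same)
FROM arm32v7/debian:stretch-slim

# Install only what the service needs; the package lists are removed again
# so they do not end up in the image
RUN apt-get update \
 && apt-get install -y --no-install-recommends python3 \
 && rm -rf /var/lib/apt/lists/*

# Dedicated system user without a login shell; the container never runs as root
RUN groupadd --system web \
 && useradd --system --gid web --no-create-home --shell /usr/sbin/nologin web

# Application content (assumed ./html directory next to this Dockerfile).
# It stays root-owned, so the service user can read but not modify it.
COPY html/ /srv/www/
WORKDIR /srv/www

# Every instruction from here on, and the running container itself, uses the
# unprivileged user. Port 8080 is above 1024, so binding it needs neither
# root privilege nor an extra capability.
USER web
EXPOSE 8080
CMD ["python3", "-m", "http.server", "8080"]

# Build and run it on a development Pi (on netPI the same run options are set
# through portainer.io). The default capability whitelist is reduced further:
#   docker build -t my-webserver .
#   docker run -d --name my-webserver -p 8080:8080 \
#     --cap-drop=ALL --security-opt=no-new-privileges --read-only \
#     my-webserver
# A compromise of the web server process then stays confined to user "web"
# inside the container: there is no root, no sudo and no capability to reach for.
```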


Raspberry as Development Platform

netPI is a Docker host only. You can deploy images and run containers from them, but you cannot build images on-board: netPI's security concept prohibits SSH servicing and hence you cannot get access to the Docker build commands. Since containers run the same on any compatible hardware, use a Raspberry Pi 3 instead for image development. We feel $30 for the consumer Pi is a low and risk-free investment for getting familiar with Docker and for making usability and performance tests of applications before moving them onto the professional netPI. Try it out today and install Docker with a single command on your Pi as described here.

Connecting Things


We believe Node-RED is today's best web-based tool for developing Cloud, Internet of Things and Industry 4.0 applications in an easy way. Clicking together logical data relations between heterogeneous devices and services widely distributed across the field, by leveraging pre-built blocks of code named Nodes in a flow-based manner, achieves such a high degree of abstraction that even amateurs quickly understand the principle and rapidly develop impressive flows. Within seconds, data from one source can be brought into context and linked with data from other sources such as TCP/IP, HTTP, MQTT, Email and more by simple mouse clicks. The Raspberry Pi organization has recognized the simplicity of Node-RED as well and made it an integral part of their Raspbian (with PIXEL desktop). Renowned manufacturers such as IBM, Microsoft and Amazon have discovered Node-RED for their own use and offer free nodes establishing links to their Cloud solutions. These are just a few of the more than 950 nodes currently offered by the community, and they underline Node-RED's power. The widespread use of Node-RED, its secure JavaScript basis, its ease of use and the minimal or no coding required were our reasons for offering all netPI specific features in the form of Node-RED nodes, to reach a maximum of connectivity from scratch.


Industrial Ethernet

Two Fieldbus nodes provide an input and an output channel to netPI's on-board Industrial Network SoC netX. A configuration node sets netX to run either as a PROFINET IO device or an EtherNet/IP adapter with a configurable amount of cyclic I/O data to be exchanged with a bus master controller. The input node injects the latest received master data into the flow on changes, while the output node works in the other direction and forwards data from the flow to the master.


FRAM for non-volatile storage

netPI features a FRAM to store high-frequency data non-volatilely. Two FRAM nodes provide random read and write access to this memory. The input node reads data from a specific FRAM location and injects it into the flow. The output node writes data from the flow to a specific FRAM location.


Others

With both the Pi CPU and the netX SoC, connectivity to many other systems can be realized. This is why netPI comes with an expansion slot at its bottom where additional networking modules can be attached. The modules can be of type serial such as RS485 or RS232, type CAN, type digital or analog I/O, type IO-Link master and more. For each of these modules we will be providing additional nodes, where existing Node-RED default nodes do not already cover them, to follow the idea of maximum connectivity. We expect sales of the expansion modules to start in December 2017. At that time we will start updating you with further details about the modules and nodes.



Technical Details

Main Processor: Broadcom BCM2837, 64-bit quad-core @ 1.2 GHz
RAM Memory: 1 GByte
FRAM Memory: 8 KByte
Flash Memory: 8 GByte, MLC NAND (3000 w/e)
Interfaces: 4 x USB 2.0 A (max. load 1 A), 1 x HDMI, 1 x WiFi/BT
Real-time clock: supercapacitor buffered (7 days backup)
Industrial Network SoC: netX 51
Ethernet: 1 x RJ45 standard, 10/100 Mbit/s; 2 x RJ45 industrial, 10/100 Mbit/s
Indicators: 8 LEDs, 2 programmable
Trusted platform: TPM 1.2 (inactive)
Dimensions: 140 x 35 x 105 mm (H x W x L)
Enclosure: Metallic, top hat rail-mountable, IP 20
Weight: 400 g
Power Consumption: min. 4.2 W (no USB), max. 9 W (USBs at max. load 1 A)
Temperatures: -20°C ... +60°C operating, -40°C ... +85°C storage
Approvals: CE (FCC/UL pending)
EMC: EN 55011:2009, IEC 61000-6-2/3:2005, EN 61131-2
Shock and Vibration: IEC 60068-2-27:2008-02, IEC 60068-2-6:2007-12
Operating System: Yocto based Linux, Kernel 4.9.x or higher (AppArmor secured, applied RT-patch)
Docker: 17.04.0-ce or higher with portainer.io web UI