netPI - build, ship, run secure on the Edge!
Industrial Raspberry Pi as Open Edge Connectivity Ecosystem
- Multi-protocol Industrial Ethernet support
- Web GUI maintained Docker ecosystem
- -20 - 60°C, full CPU speed till 50 °C ambient air
- Replaceable 8 or 32 GB industrial micro SD card
- Expandable with additional networking modules
- CE, FCC, UL, KCC, RED certified, MTBF available
Find place for your discussion in the netPI Forums
The Platform
netPI is a Raspberry Pi 3 B architecture based platform for implementing Cloud, Internet of Things and Industry 4.0 customized
Edge Automation projects safely over containerized software utilizing Docker. Hilscher designed it in cooperation with Element14,
the Raspberry manufacturer, and upgraded it specially for industrial use. Its single-circuit board combines the Pi 3 B
circuitry, its standard interfaces, Hilscher's multi-protocol Industrial Network SoC netX plus two extra Industrial Ethernet
ports. By design netPI's overall software architecture complies with the Cyber Security Standard IEC 62443 for Industrial
Automation and Control Systems to counter threats such as unauthorized accesses, software manipulation and eavesdropping
and relies on a security enhanced Linux. Default access for configuring and managing it is granted via a web-based GUI.
Additional software and applications can only be applied by accredited users using the preinstalled Docker virtualization
environment in isolated and safe containers to be inline with the security concept.
Industrial graded
netPI features hardware upgrades that vastly improve the platform for industrial use.
-
Design
- 8 layer PCB design (6 with Pi 3 B) for best EMC compliance and heat dissipation
- Cooling concept for full 1.2GHz quad-core CPU performance up to 50°C without throttling
-
Peripherals
- 8GB (384TBW) / 32GB (1920TBW) industrial grade long-life FLASH memory with guaranteed constant BOM
- Real-Time Clock (RTC) with 7 days maintenance-free supercapacitor based buffering
- 8KB extra FRAM for storing data non-volatile at high frequencies (model RTE 3)
-
Connectivity
- netX51 multi-protocol Industrial Networks Controller for Fieldbus and Industrial Ethernet (model RTE 3)
- Two extra Industrial Ethernet ports for protocols such as PROFINET, EtherNet/IP, EtherCAT, POWERLINK, Modbus/TCP and more (model RTE 3)
- Expansion slot for additional plug-in modules such as RS485, RFID, Analog, Digital I/O and more
- DIN rail mountable robust metallic housing for longevity in industrial environments
-
Environments
- On-board WiFi/BT radio antenna extended beyond chassis for best wireless coverage
- EMC compliant to latest standards
- Shock and vibration compliant to latest standards
- Extended temperature range -20°C to 60°C
- 24 Volt DC powering
Secured infrastructure
netPI features default system security to countermeasure today's cyber threats.
-
Design
- Yocto project based customized Linux, Kernel 4.9.x or higher
-
Integrity
- Constraint checking of the validity of the booted software through keys
- Coordinated installation of system updates and patches through signed packages only
- Ignoring removable media such as USB sticks prohibiting infiltration of malware
-
Authentication
- Obligatory password authentication with key strength calculator
- User and role management prohibiting unauthorized access to preinstalled software
-
Confidentiality
- Protection of the transmission route to the web GUI by TLS 1.2 encryption (https)
- NGINX application as reverse proxy for centralized SSL certificates offloading and handling
- Non-installed SSH server to prohibit accesses from remote through a console
- Non-installed sudo command to prevent getting root privileges
-
Restricted Data Flow
- AppArmor security framework restricted preinstalled components through access profiles
- Physical segregation of IT and OT networks by two separated network controllers (model RTE 3)
- Preinstalled Docker for additional container-isolated applications over web GUI client portainer.io
Docker
netPI is a Docker host. Docker is a software that packs applications into containers and runs them as they would run on system-level but isolated in their private virtual environments. Any container is launched from a specific image template that is a software snapshot of everything the container needs to run autonomously such as operating system, directories, tools, applications, user-added files and configuration settings. When a container is created Docker virtualizes an instance of the self-contained image and adds dynamic aspects to it like an own drive volume, network stack, namespaces and control groups. This form of isolation allows to run multiple containers at a time without influencing each other or the Docker host. Image templates are portable and can be exchanged across registries. This enables distributing and shipping ones work to everybody either in privat or public manner. For easy on-board Docker management netPI provides the Docker web UI portainer.io as front end to the user.
Security by Design
With Raspberry the focus is "the affordable PC for everybody" with an open and customizable software ecosystem like Raspbian OS. The brilliant playground concept at platform's best price/performance ratio is encouraging the community to the day realizing even the most unusual computer projects with it. But openness embeds drawbacks. When applications are directed to the industry security is coming significantly to the fore. In the majority of today's Raspberry projects the provided software 1.) is a chaotic mix of multiple components embedding unpredictable security risks and 2.) has never been assessed and designed concerning security at all.
netPI however is different and its security concept was considered from the beginning. Docker plays a significant role in this concept.
In accordance with IEC 62443
Docker starts containers with a white list restricted set of capabilities to make the Docker host system immune to external exposures by default. But Docker is running as root and could pass this privilege and others on to a container. However the simple example of a containerized web server application binding just a specific port on providing its web content makes clear that in nearly 100% of all cases giving privileges is not needed at all. Security comes first here. Even if the web server is perfectly operating, an intruder would never succeed to become system root independent how vulnerable it is if the container is of type non-root. So with Docker security is just a matter of provided container privileges. The IEC 62443 claims to live a consequent asset life-cycle security and risk management in an administered way. It prescribes that only suitably trained and accredited personnel are entitled to manage as critically identified components such as Docker. So netPI's security rises and falls with the administrators responsible for its setup.
Containerized Software
There are two possibilities dealing with container images. Either you use already built images with ready-made applications or you build own images fitting your demands.
Building an own image is easy. An image needs a base and in best case it consists just of that. The base consist usually of an operating system like Ubuntu, Debian or CentOS. Those and many more are offered prebuilt on Docker's public registry Docker Hub ready for pulling. Naturally the well-known Raspbian is provided too. On top of this image you can add and install everything your application shall consist of. When ready you make the final commit of your customized image. You can keep it private or upload it to the registry for others.
Raspberry as Development Platform
netPI is a Docker host only. You can deploy images and run containers from them but you cannot build images on-board. netPI's security concept prohibits SSH servicing and hence you can't get access to Docker build commands. Since containers run the same on any compatible hardware use a Raspberry Pi 3 instead for image development. We feel $30 for the consumer Pi is a low and riskless invest for getting familiar with Docker, making usability and performance tests of applications before moving them onto the professional netPI. Try it out today and install Docker with a single command on your Pi as described here.
Connectivity
Node-RED is today's best web browser-based toolsuite for developing Cloud, Internet of Things and Industry 4.0 projects in an intuitive way. "Clicking" together logical data relations of heterogeneous services by leveraging pre-built blocks of code named "Nodes" in a flow-based manner is achieving such a high abstraction degree that even amateurs quickly understand its principle and can develop impressive data flows rapidly. In seconds data from one source such as TCP/IP, HTTP, MQTT, Email, serial etc. can be brought into a context and linked together with data from any other sources to a destination by simple mouse clicks. The Raspberry organization recognized the simplicity of Node-RED as well and made it an integral part of their Raspbian (desktop version). Renowned manufacturers such as IBM, Microsoft and Amazon discovered it for their own use and offer nodes establishing communication links to their Cloud solutions free to download. The community counts over 1000 nodes meanwhile which underlines the power of Node-RED. Its widespread use, its JavaScript programing language basis, its ease of use, the very minimal to no coding were reasons for us to offer netPI's features in samples of Node-RED nodes inclusive their source code.
Industrial Networking
The netPI RTE 3 device features a multi-protocol controller netX supporting the most common Industrial Ethernet or Fieldbus protocols as a slave/device. A simple input and output memory buffer exchanges IO data between a bus master and an application program transparently. Switching between different protocols is just a thing of loading and starting the chip with a different firmware. For immediate use a reference implemenation of the protocols PROFINET IO device and EtherNet/IP adapter are available as Fieldbus nodes for Node-RED with a link to the source code. C code based running examples for the protocols PROFINET, EtherCAT, EtherNet/IP, Modbus TCP and POWERLINK are made public as well for supporting programmers dealing with own applications.
FRAM for non-volatile data storage
netPI RTE 3 features an FRAM (NVRAM) to store frequently changing data non-volatile where a normal NAND FLASH comes to its limits. A sample container with two FRAM nodes written for Node-RED in Javascript are providing random read and write access to this memory. With the linked container's source code programmers have an easy life in abstracting the FRAM access logic and transforming it to another programming language.
Expansion modules
For maximum connectivity netPI features an expansion slot at its bottom where different networking modules named NPIX (NetPIeXpansion) can be applied to. Sample containers with a Node-RED implementation mostly in focus enable their immediate use. The source code is always linked and serves as programming reference for other programming scenarios. The NPIX board/slot dimensions and connector pinout are public for everybody allowing the development of own designs with our help. Today's available modules are:
| RS232 serial interface | NIOT-E-NPIX-RS232 |
|---|---|
| RS485 serial interface | NIOT-E-NPIX-RS485 |
| CAN 2.0A/B | NIOT-E-NPIX-RCAN |
| 4 Digital Input/Output | NIOT-E-NPIX-4DI4DO |
| NPIX slot evaluation board | NIOT-E-NPIX-EVA |
Technology
| Main Processor | Broadcom BCM2837, 64Bit quad-core @1.2Ghz |
|---|---|
| RAM Memory | 1 GByte |
| FRAM Memory | 8 KByte (RTE 3 only) |
| FLASH Memory | 8 GByte, MLC NAND (384TBW) 32 GByte, pSLC NAND (1920TBW) |
| Interfaces | 4 x USB 2.0A (max. load 1A), 1 x HDMI, 1 x Wifi/BT |
| Real-time clock | supercapacitor buffered (7 days backup) |
| Industrial Network SoC | netX 51 (RTE 3 only) |
| Ethernet | 1 x RJ45 standard, 10/100Mbit/s 2 x RJ45 industrial, 10/100Mbit/s (RTE 3 only) |
| Indicators | 8 LEDs, 2 programmable (RTE 3) 4 LEDs, 2 programmable (CORE 3) |
| Dimensions | 140 x 35 x 105 mm (H x W x L) |
|---|---|
| Enclosure | Metallic, top hat rail-mountable, IP 20 |
| Weight | 400g |
| Power Consumption | min. 4,2W (no USB), max. 9W (USBs max. load 1A) |
| Temperatures | -20°C ... +60°C operating, -40°C ... +85°C storage |
| Approvals | CE, FCC, UL, KCC, RED |
| EMC | EN 55011:2009, IEC 61000-6-2/3:2005, EN 61131-2 |
| Shock and Vibration | IEC 60068-2-27:2008-02, IEC 60068-2-6:2007-12 |
| Operating System | Yocto based Linux, Kernel 4.9.x or higher (AppArmor secured) |
| Docker | 18.09.2-ce or higher with portainer.io web UI |
For Developers
Need help with netPI development? Find below the resources needed for starting your own projects.
Downloads
Buy here
All netPI models can be purchased via the netIOT Shop (shipps globally). If you want to order larger volumes, feel free to contact us
netIOT Shop
At the netIOT Shop you can order your netPI and accessories - globally
To the netIOT Shop