Embedded Technology Supplement


Device lifecycle management for fleets of IoT devices


By Xavier Bignalet, product line manager, Microchip Technology Inc., and Nicolas Demoulin, EMEA marketing manager – secure products, Microchip Technology Inc.


We hear a lot about device management, but what exactly is it, how do we implement it, and how do we roll over device management during the roll-out phase and once the products are in the field?


Some large companies have started doing it themselves, but what they are essentially managing is the lifecycle of the certificate. Looking at changes in the security standards landscape, the major ones are EN 303 645, the initial European security standard; OCPP, from the Open Charge Alliance, and IEC 15118 for EV charging; Matter; and many more. All of these call for certificate revocation. This is good, but once we look at a certificate, a few further things are needed after that stage. You need to renew the certificate once it has been revoked, and before anything goes wrong with it you need to audit the connectivity involving the certificates, to make sure, for example, that you are not suffering from a DDoS attack. Some companies implement this better than others, but the standards are increasingly calling for certificate rotation, which is not an easy task.


If we regard it as a four-step process, the first step is onboarding the device. If you have an embedded device built from silicon devices that will connect to a cloud platform, how do you onboard your device identity, which is represented by a certificate chain, into virtually any cloud platform? Step two: once that device, represented by its certificate, is in the cloud platform, how do you revoke it? And once it is revoked, you will want to renew the identity. Once you have that, you want to audit. So the four steps are onboard, revoke, rotate and audit.


32 July/August 2023


Onboarding before product launch

Onboarding needs to occur before the product is launched to the market. If we take the example of thermostats for a house, before the customer buys the thermostat, the company that makes the product needs to onboard the device into its platform. Following this, the company needs to be able to transfer the ownership. To onboard the fleet into the platform, the product company needs to choose a certificate authority. There are multiple providers to choose from, or alternatively they can be their own authority. Companies that choose that route are essentially becoming a customer of Microchip. Microchip initiates a secret exchange between the hardware security module (HSM) in its factories, its secure element, and the customer itself. The customer signs a CSR and gives Microchip the authority to provision the secure element on their behalf with the credential associated with that chain of certificates. This sets up a chain of trust between Microchip and the customer.

Components in Electronics


Microchip conducts its secure provisioning using its HSM, provisioning the keys inside its secure element. What Microchip would recommend here is the TrustFLEX secure element, because it is pre-configured for exactly that use case. Once we have a defined use case that uses the birth certificate and key attestation, the next step is to load the birth certificate that is inside the secure element.
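As an added illustration of the four steps described above (onboard, revoke, rotate, audit) and of the chain of trust behind the birth certificate (a customer root that signs the factory signer's CSR, which in turn issues each device's birth certificate), here is a small Python model written for this article. It is not Microchip's code, nor any real PKI library: HMAC-SHA256 keyed with the issuer's secret stands in for the asymmetric signature a real CA would produce, certificates are plain dictionaries rather than X.509, time is counted in days from an arbitrary start, and the names ToyCA, FleetPlatform, "Factory Signer CA" and "thermostat-0001" are assumptions made for the example.

```python
"""Constructed toy model of the onboard / revoke / rotate / audit lifecycle.
HMAC-SHA256 keyed with the issuer's secret stands in for a real CA's asymmetric
signature; certificates are dicts, not X.509; every name is an assumption."""
import hashlib, hmac, json, secrets
from collections import Counter

def _mac(key: bytes, body: dict) -> str:  # signature stand-in over canonical JSON
    return hmac.new(key, json.dumps(body, sort_keys=True).encode(), hashlib.sha256).hexdigest()

class ToyCA:
    """An issuer: the customer's root, or the factory signer CA whose CSR the customer signed."""
    def __init__(self, name: str, issuer: "ToyCA | None" = None):
        self.name, self.key = name, secrets.token_bytes(32)  # key = private-key stand-in
        root = {"subject": name, "issuer": name, "serial": 0, "ca": True, "not_after": 9999}
        self.cert = self._sign(root) if issuer is None else issuer.issue(name, ca=True, not_after=9999)

    def _sign(self, body: dict) -> dict:
        return {**body, "sig": _mac(self.key, body)}

    def issue(self, subject: str, ca: bool = False, not_after: int = 365) -> dict:
        """Issue a certificate; for a device this is its birth certificate."""
        return self._sign({"subject": subject, "issuer": self.name, "ca": ca,
                           "serial": secrets.randbelow(2 ** 32), "not_after": not_after})

    def verify(self, cert: dict) -> bool:
        body = {k: v for k, v in cert.items() if k != "sig"}
        return hmac.compare_digest(_mac(self.key, body), cert["sig"])

class FleetPlatform:
    """Cloud side: trust anchor, trusted issuers, onboarded identities, toy CRL, audit log."""
    def __init__(self, anchor: ToyCA):
        self.anchor, self.issuers = anchor, {anchor.name: anchor}
        self.devices, self.revoked, self.audit_log = {}, set(), []

    def trust_intermediate(self, ca: ToyCA) -> None:
        if self._chain_ok(ca.cert):  # an intermediate must itself chain to the anchor
            self.issuers[ca.name] = ca

    def _chain_ok(self, cert: dict, now: int = 0) -> bool:
        """Walk issuer links to the anchor, checking signature, expiry, revocation and CA flag."""
        for _ in range(8):  # bounded path length
            issuer = self.issuers.get(cert["issuer"])
            if (issuer is None or not issuer.verify(cert)
                    or cert["serial"] in self.revoked or cert["not_after"] < now):
                return False
            if issuer is self.anchor:
                return True
            if not issuer.cert["ca"]:
                return False
            cert = issuer.cert
        return False

    def _log(self, event: str, cert: dict, ok: bool) -> None:
        self.audit_log.append({"event": event, "subject": cert["subject"],
                               "serial": cert["serial"], "ok": ok})

    def onboard(self, cert: dict, now: int = 0) -> bool:
        if ok := self._chain_ok(cert, now):
            self.devices[cert["subject"]] = cert
        self._log("onboard", cert, ok)
        return ok

    def revoke(self, subject: str) -> bool:
        cert = self.devices.pop(subject, None)
        if cert is not None:
            self.revoked.add(cert["serial"])
            self._log("revoke", cert, True)
        return cert is not None

    def rotate(self, subject: str, signer: ToyCA, now: int = 0):
        self.revoke(subject)  # retire the current identity (if any), then onboard a fresh one
        fresh = signer.issue(subject, not_after=now + 365)
        return fresh if self.onboard(fresh, now) else None

    def connect(self, cert: dict, now: int = 0) -> bool:
        """A device presenting its certificate when it connects."""
        active = self.devices.get(cert["subject"])
        ok = active is not None and active["serial"] == cert["serial"] and self._chain_ok(cert, now)
        self._log("connect", cert, ok)
        return ok

    def audit(self, max_connects: int = 5) -> dict:
        """Count rejected connections and flag devices connecting abnormally often."""
        connects = [e for e in self.audit_log if e["event"] == "connect"]
        per_device = Counter(e["subject"] for e in connects)
        return {"rejected": sum(not e["ok"] for e in connects),
                "noisy_devices": sorted(d for d, n in per_device.items() if n > max_connects)}

def demo() -> dict:
    """One constructed thermostat walked through all four steps."""
    root = ToyCA("Customer Root CA")                             # customer's own PKI
    signer = ToyCA("Factory Signer CA", issuer=root)             # CSR signed by the customer
    platform = FleetPlatform(root)
    platform.trust_intermediate(signer)
    birth = signer.issue("thermostat-0001")                      # birth certificate
    assert platform.onboard(birth, now=0)                        # 1. onboard
    assert platform.connect(birth, now=10)
    assert platform.revoke("thermostat-0001")                    # 2. revoke
    assert not platform.connect(birth, now=11)                   # stale credential refused
    fresh = platform.rotate("thermostat-0001", signer, now=12)   # 3. rotate
    assert fresh is not None and platform.connect(fresh, now=13)
    for _ in range(7):                                           # stale cert hammering the endpoint
        platform.connect(birth, now=14)
    return platform.audit()                                      # 4. audit
```

The point of the model is the ordering the article insists on: revocation alone only removes an identity, rotation re-issues it under the same trusted chain, and the audit step is what turns the platform's connection log into a signal (here, a count of refused connections and a list of devices connecting far more often than their peers). Swapping the HMAC stand-in for real X.509 signatures and a real CRL/OCSP check leaves the lifecycle logic unchanged.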


The birth certificate can be formed in two ways: either it is built on the customer's own custom PKI, or the customer uses the birth certificate already provided by Microchip. Once that birth certificate is loaded into the cloud platform, the fleet of devices, whether thermostats or any other product, is on hold until end customers purchase the product. The company then performs a


www.cieonline.co.uk.uk

