July 2013
SAFETY & SECURITY

Secured IPC, technology partners Innominate and TenAsys showcase a joint solution to demonstrate that embedded virtualization and cyber security are ready for production use.

The TenAsys eVM for Windows embedded virtual machine manager is used to integrate an original Windows operating system with a virtual mGuard security appliance on a standard industrial PC.

Network communication between the Windows system and the external environment has to pass through, and is controlled by, the virtual mGuard security appliance, which provides firewall, virtual private network (VPN), and integrity monitoring services to the PC system. The internal communication between the Windows system and the security appliance is done through a virtual Ethernet interface.

The hardware used for the exhibit is an off-the-shelf Valueline IPC from Innominate's parent company Phoenix Contact, featuring an Intel Core 2 Duo CPU with VT-x support, 2 GB RAM, and dual Gigabit Ethernet ports.

The TenAsys eVM embedded virtual machine manager is a very compact package installed and administered through Windows. It partitions the CPU into two cores and system domains for Windows and the mGuard guest system. Both Windows and the mGuard guest system boot natively, exactly as if they were running stand-alone. Peripheral components, in particular the Ethernet interface, are exclusively assigned to one of the systems.

Thanks to TenAsys eVM, no para-virtualization or modification of the mGuard system is necessary on Intel platforms with VT-d support. The original Linux-based mGuard firmware image runs on a dedicated core of the shared x86 CPU. The virtual mGuard ensures comprehensive protection of the PC network communication, as the physical Ethernet interface to the external environment is exclusively assigned to it. Its protection against denial-of-service (DoS) attacks will be effective, too, thanks to this direct hardware control: even in an extreme case, only the virtual security appliance could be overloaded, and external network packets get delayed or dropped. Due to the strict partitioning of the CPU cores and system domains, this will not affect the Windows partition or potential other guest systems. Access to the PC and its Windows system will be blocked by the mGuard firewall unless authorized by a general static or user-specific dynamic firewall rule. Integrated virtual private network (VPN) functionality enables secure remote access with authentication and encryption. VPN tunnels are terminated by the virtual mGuard®; the Windows system gets to see regular IP communication only.

Virtualization with an appropriate embedded virtual machine manager enables trendsetting consolidation of industrial automation and cyber security functions onto cost-optimized hardware, preserving the modular design and benefits of dedicated devices. The HyperSecured solution as presented is not generally limited to just one protected Windows system. It will be possible to use additional CPU cores with their own native guest systems, including real-time operating systems and controllers.

Figure 2. HyperSecured Industrial PC architecture