SEC-Line

Open Platform for Secure Edge Computing

Manageable, Secure and Reliable Edge Computers

Embedded computing is morphing into Edge computing, where systems deployed in the real world are always connected. Because they are exposed to both logical and physical attacks, they must be continuously monitored, secured and maintained. Deployments can involve hundreds of computers, a challenge that requires specific tools to achieve security, operational efficiency and business agility.

Kontron SEC-Line Open Platform includes two major sets of tools tackling these challenges: a firmware based on OpenWRT™ and OpCenter, its remote management console.
Combined with Kontron computers already qualified for demanding industry segments, the SEC-Line platform turns them into secured server routers ready for modern connected computing infrastructures.

SEC-Line Use Cases

Choose the computer's performance class according to the software payload profile required by the use case.

Network security and management
lower range computers
network security
Router/Firewall only
(black box/no user code)
  • Black box
  • Security layer
  • Remote Management/updates
  • OpCenter On premises tools

Kontron firmware based on OpenWRT™ allows IT architects to implement the approved network security policy directly in embedded computers, as they would on standard firewall/router equipment. The network policy is then captured in per-system 'Settings profiles' in the on premises OpCenter for audit and re-use. This allows OT teams to deploy it to new equipment without requiring expert network knowledge.

Legacy embedded applications
medium range computers
legacy applications
Secure computer with router/firewall base
for static or legacy workloads
  • Single VM for simple or legacy software
  • Security layer
  • Remote Management/updates
  • OpCenter On premises tools

Embedded computers for legacy applications often come with old versions of the OS and libraries. The virtualization layer of the Kontron firmware is used to protect and deploy them unmodified, together with their original OS. The security comes from the firmware, protected by the hardware root of trust, which runs them in virtual machines augmented with a modern firewall, a multi-zone router and cyber defense mechanisms. This allows OT teams to keep using old stacks and to deploy them safely in modern, always connected mission profiles, with almost no code development. The firmware is regularly updated to address discovered vulnerabilities, while the application and its OS can remain the same.

Deploy IoT stacks side by side with existing applications
high end computers
IoT stacks
Secure server with router/firewall base
for large dynamic workloads
  • Multiple VMs for Edge Stacks
  • Security layer
  • Remote Management/updates
  • OpCenter On premises tools

Thanks to virtualization, IoT stacks can be deployed on top of Kontron SEC-Line, side by side with existing applications. The hypervisor strictly controls the resource consumption of each VM and container, and the router/firewall is used by infrastructure engineers and network architects to distribute the data and control flows within the computer and towards the selected physical connectors.
This allows a single computer to replace several existing systems without redesigning the cabling.

SEC-Line Firmware Demo

Kontron products powered by SEC-Line offer a hardware enforced secure firmware protecting customer software against cyber threats.

Operational applications run securely inside virtual machines, allowing payload isolation and consolidation. Virtual machines only connect through generic network connections, behind the local firewall and router. The complexity of multi-network management and low-level hardware code is handled by the firmware itself. This way, the embedded software can stay simple and delegate vulnerability management to the OpenWRT™-based firmware layer, which has a small footprint and is maintained via updates from Kontron OpCenter.

Kontron products 'Powered by SEC-Line' feature:

  • Hardware Root Of Trust: all passwords, encryption keys and certificates within TPM
    • TPM-based Secure Boot preventing device refactoring
    • Measured boot using TPM hashing mechanism allowing Remote attestation
    • AppProtect technology for software licensing
  • Complete router/firewall based on OpenWRT
    • Control of device networking (wired, wireless, LTE, VPN)
    • Remote management of configurations via OpCenter
    • Health monitoring engine, HIDS, etc.
  • Cyber Defense techniques
    • Mandatory Access Control: AppArmor restricts software to its known usage patterns, seriously limiting the impact of exploits.
    • Host Intrusion Detection System: OSSEC, intrusion detection, blocking of brute-force attacks.
  • Centralised management of all system settings
  • Virtual machines support based on QEMU
    • Standard computing VMs: protect legacy unprotected payloads behind the SEC-Line embedded firewall and router
    • Complex DevOps stacks: enclose dynamic payloads inside a VM and control their resource consumption
    • Intelligent network VMs: direct management of modems can be given to such a VM, just like on bare metal implementations, bypassing the SEC-Line firmware

System GUI

SEC-Line powered systems offer a rich GUI used by network and cybersecurity experts to manage hundreds of settings. All the settings can then be captured from SEC-Line OpCenter in a single operation as a settings template. Templates can then be used by fleet operators to rebuild or duplicate a unit without the need for experts.

OpCenter: SEC-Line management console

Manage fleets of computers. Update SEC-Line firmware and settings from a single point.

Kontron OpCenter maintains all the data needed to manage and maintain every computer in the fleet. From its console, the firmware of remote computers can be updated, and their many network and security settings captured and stored. Settings can later be applied after a device replacement with a single click. OpCenter can also import information from higher-level asset management platforms, avoiding manual data entry when creating devices, and export all the fleet data to other corporate tools in various formats.

OpCenter deploys operational network policies to computers powered by KSeOS. All settings of the firewall and router layers, as well as the VM parameters, are managed in the OpCenter database and deployed to all computers in the field from its GUI pages.

Manage edge computer fleets from a single console

Its standalone design targets 'on premises' operation and is compatible with any IoT solution or application stack selected by the customer.

Monitor via its GUI pages

Users can monitor remote systems and command updates of their firmware, while restoring their network and cybersecurity settings. Secure and reliable operation is enforced via encrypted channel protocols designed to operate over the very intermittent connections often found in mobile operations (trains, airplanes, etc.).

On-premises management tool

OpCenter allows on premises management of all the critical data needed by the computers in the fleet, allowing easy rebuilding or replacement of a unit. Running as a standalone VM inside any infrastructure server, it maintains:

  • Deployed systems information
  • Computer settings files
  • Encrypted images for security updates
  • *Software stack images to initially provision VMs
  • *LoRa device keys and deployment information
  • *when applicable

Enter the lab

Visit OpCenter and browse the GUI. Monitor the SEC-Line computers in our showroom, etc. Recommended reading: the on-line documentation (in the help menu at the top right).


Attend a tour of OpCenter in action, led by your Kontron sales engineer. See the GUI menus used to monitor computer status and to back up and restore settings, etc. (use Request Live Demo at the top of this page to book your guided tour).

Kontron Platforms powered by SEC-Line

Edge Computers/Servers/Routers
Railways

The Kontron TRACe family is a product range of fanless EN50155 railway computers offering easy customization to meet application-specific requirements. It is designed to ensure stable operation in harsh environments and is ideal for any rolling stock system, from Passenger Information Systems to Video Streaming & Storage Servers, Network Video Surveillance and Train Management Systems.

They now come in versions powered by SEC-Line, which run complete software stacks inside virtual machines secured by an embedded secure firewall / router layer. SEC-Line systems are also managed as a fleet via a single management console.

SR-TRACe-G40x

EN50155 multi-network (LTE, Wi-Fi, GNSS, Wired ETH) Server/Router

TRACe-LP1

EN50155 IoT LoRaWAN™ Gateway with Edge Computing Capability

Avionics

The Kontron ACE Flight™ family is a line of products designed to support the digital transformation of commercial avionics. Some models are now powered by SEC-Line firmware, offering leading-edge secure firewall / router features and optional virtual machines on the more powerful server units. Their firmware updates are remotely managed by the SEC-Line fleet management console, OpCenter, which can also capture all the unit's cybersecurity, hypervisor and network settings to manage them from a single control point.

AF1600

Small Form Factor Avionics Gateway Router


ACE Flight™ 4608

High Performance Avionics Server


SEC-Line features and benefits

Embedded Computing becomes Edge Computing
  • Agility: OS and Cloud agnostic, Legacy and DevOps friendly
  • Connectivity: Leading-edge router/firewall, central management
  • Security: HW root of trust, Encrypted updates, Remote Attestation, Cyber defense
  • Manageability: Single control point, Central database store (OS updates, OS Settings, VM Images, System information)