SEC-Line micro clouds SEC-Line overview SEC-Line firmware demo Security mechanisms SEC-line OpCenter demo SEC-Line profiles Platforms Downloads

SEC-Line features and benefits

Embedded Computing becomes Edge Computing
  • Agility

    OS and Cloud agnostic, Legacy and DevOps friendly

  • Connectivity

    Leading egde router/firewall, central management

  • Security

    HW root of trust, Encrypted updates, Remote Attestation, Cyber defense

  • Manageability

    Unique control point, Central database Store
    OS updates, OS Settings, VM Images, System information

SEC-Line Micro Clouds: a new foundation for embedded computing

The micro cloud concept is shaping the world of embedded software and networking with virtualization coming to the FAR edge. Thanks to the SEC-Line firmware, the embedded computer becomes a versatile secured platform, able to consolidate multiple software workloads inside a single equipment using virtual machines. This approach to computing for the 'far edge' is also called UCPE ( Universal Customer Premises Equipment ). A micro cloud can run independant software stacks securely in each Virtual Machine, allowing old and insecure software to share the same computer with modern orchestrator driven payloads and software defined networking.

Simple multi-gateway
Simple multi-gateway Communication management handled by SEC-Line layers

The router/firewall/cyber layer is used to filter and protect all communications in/out of VMs and via the rest of the HW interfaces. All settings are managed by IT network and security experts, remotely via OpCenter configuration templates database, or locally using the embedded GUI pages

Inside a blade playing 'cloud connector' using SEC-Line

In this example, a blade of a parallel real time computer can run virtual machines. This board extends the main company cloud. The computer designer keeps control of the rest of the system architecture and real-time performance while letting one board to be operated as a cloud computing instance for the IT infrastructure, extending the main cloud at the edge, able to run centrally orchestrated payloads.

video surveillance VM appliance
Videosurveillance VM appliance Real-time video surveillance with Genetec Security Center

In this use case, Genetec video recorder and preprocessor runs as a virtual machine within the security protection bubble featured by SEC-Line. Bare metal performance is guaranteed with VM direct access to the storage devices.

Monitoring, Securing and Maintaining Edge Computers:
SEC-Line: a secure firmware with a remote management console.

While systems deployed in the real world are always connected, they are exposed to attacks and must be continuously monitored, secured and maintained. Deployments can involve hundreds of computers, a challenge which requires specific tools to achieve security, operational efficiency and business agility.

OpenWrt-based firmware - Secure Hypervisor/Firewall/Router

Protecting applications and OS stacks with a unique combination of leading edge technologies.

  • Built from the open source router / firewall software OpenWrt. Small footprint image (<150 MByte)
  • Enhanced with Kontron integration of security features : OSSEC, AppArmor, hardened by TPM, Wibu
  • Augmented with QEMU virtualization. OS and Stacks run in Virtual Machines (works for legacy SW and modern container stacks, allows HW consolidation)
DEMO OpenWrt firmware
OpCenter management console
OpCenter Console - Remote firmware update and settings management

On-premises console of SEC-Line from which secure firmware updates and all settings can be managed from a single operation point for large computer fleets.

  • OpenWrt software and settings are managed remotely from a single point
  • Software updates are deployed quickly and easily from a single point
  • OpCenter is designed for intermittent connectivitity. No cloud dependance
  • Ideal for IT personnel. SEC-Line computers are managed like generic firewall/routers.
DEMO OpCenter console

firmware demo

Protecting customer software against cyber threats with a hardware enforced secure firmware.

System GUI

Systems powered by SEC-Line offer an augmented version of OpenWrt with a rich GUI used to manage hundreds of settings. All the settings can then be captured from SEC-Line remote management console in a single operation as a settings template. Templates can then be used by fleet operators to rebuild or duplicate a unit without the need for experts.

Explore SEC-Line GUI ( user: guest passwd: guest ) Request a guided demo

Kontron products 'Powered by SEC-Line' feature:

  • Hardware Root Of Trust: all passwords, encryption keys and certificates within TPM
    • TPM-based Secure Boot preventing device refactoring
    • Measured boot using TPM hashing mechanism allowing Remote attestation
    • Wibu Cryptoprocessor for software license systems
  • Complete router/firewall based on OpenWrt
    • Control of device networking (wired, wireless, LTE, VPN)
    • Remote management of configations via OpCenter
    • Health monitoring engine, HIDS, etc.
  • Cyber Defense techniques
    • Monitoring Access Control: AppArmor restricts software to only known usage patterns, seriously limiting the impact of exploits.
    • Host Intrusion Detection Service: OSSEC, intrusions detection, Blocking Brute Force Attacks.
  • Centralised management of all system settings
  • Virtual machines support based on QEMU

Hardware and software mechanisms at the heart of Kontron SEC-Line hardening

Confidentiality, integrity and availability are digital security requirements SEC-Line is answering with hardware enforced root of trust and software techniques such as Secure Boot.

OpCenter : SEC-Line management console

Manage fleets of computers. Update SEC-Line firmware and settings from a single point.

Kontron OpCenter management console is delivered as a VM image to run on an infrastructure server. From this point, computer SEC-Line firwmare can be updated, and their numerous network and security settings captured and stored in a database of settings archives. From it, settings can later be applied after device replacement at a simple click of a button in OpCenter.

OpCenter can also import asset information from higher level management platforms, avoiding manual data entry for device creation. It can also export all the fleet data to other corporate tools in various formats.

Enter the lab

OpCenter MainScreen

Visit OpCenter and Browse the GUI. Monitor SEC-Line computers in our showroom.
Recommended reading: go to the On-Line documentation (in the help menu on the top right).

Visit OpCenter ( user guest/password guest )

Attend a tour of OpCenter, manned by your Kontron sales engineer. See the GUI menus used to monitor computers status, to backup and restore their settings, etc.

Request a guided demo
Manage edge computer fleets from a single console

With its standalone design, it aims at 'on premises' operation and is compatible with any IOT solution, or application stack selected by the customer.

Monitor via its GUI pages

Users can monitor remote systems and command updates of their firwmare, while restoring their network and cybersecurity settings. Secure and reliable operation is enforced via encrypted channels protocols designed to operate on very intermittent connections often found in mobile operations (trains, airplanes, etc.)

On-premises management tool

OpCenter allows on premises management of all the critical data needed by computers in the fleet, allowing easy rebuilt or replacement of a unit. Running as a standalone VM inside any infrastructure server, it maintains:

SEC-Line profiles

According to the software payload profile required by the use case, choose the computer according to its performance.

Network security and management
lower range computers
network security
Router/Firewall only
(black box/no user code)
  • Black box
  • Security layer
  • Remote Management/updates
  • OpCenter On premises tools

Kontron firmware based on OpenWrt allows IT architects to implement the approved network security policy right into embedded computers like standard firewall/router equipment.

Their network policy is then captured in per-system "Settings profiles" in the on premises OpCenter for audits and re-use. This allows OT to deploy it further into new equipment without requiring network expert IT knowledge at the installation site.

Legacy embedded applications
medium range computers
legacy applications
Secure computer with router/firewall base
for static or legacy workloads
  • Single VM for simple or legacy software
  • Security layer
  • Remote Management/updates
  • OpCenter On premises tools

Embedded computers for Legacy applications often come with old versions of OS and libraries. The virtualization layer of Kontron firmware is used to protect and deploy them unmodified with their initial OS. The security comes from the hardware root of trust protected firmware which runs them in virtual machines augmented with modern firewall and multi-zone router and cyber defense mechanisms.

This allows OT teams to continue using old stacks and safely deploy in modern, always connected mission profiles, with almost no code development. The firwmare is regularly updated to circumvent discovered vulnerabilities, while the application and its OS can remain the same.

Deploy IoT stacks side-to-side with existing applications
high end computers
IoT stacks
Secure server with router/firewall base
for large dynamic workloads
  • Multiple VMs for Edge Stacks
  • Security layer
  • Remote Management/updates
  • OpCenter On premises tools

Thanks to virtualization, IoT stacks can deploy on top of Kontron SEC-Line, side to side with existing applications. The hypervisor strictly controls the ressource consumption of each VM and container and the router/firewall is used by infrastructure engineers and network architects to distribute the data and the control flows within the computer and towards the selected physical connectors.
This allows a single computer to replace several existing systems without cabling redesign.

Kontron Platforms powered by SEC-Line

Edge Computers/Servers/Routers

The TRACe family is a product range of fanless EN50155 railway computers offering easy customization to meet application-specific requirements. Designed to ensure stable operation in harsh environments and is ideal for any rolling stock system from Passenger Information Systems to Video Streaming & Storage Servers, Network Video Surveillance and Train Management Systems.

They now offer versions powered by SEC-Line which run complete software stacks inside virtual machines, secured through an embedded secure firewall / router layer. SEC-Line systems are also managed as a fleet via a unique management console.


EN50155 multi-network (LTE, Wi-Fi, GNSS, Wired ETH) Server/Router

Download Datasheet View Product

EN50155 IoT LoRaWAN™ Gateway with Edge Computing Capability

Download Datasheet View Product

The Kontron ACE Flight™ family is a line of products designed to support the digital transformation of commercial avionics. Some models are now powered by SEC-Line firmware offering leading edge secure firewall / router features and optional virtual machines on the more powerful server units. Their firmware updates are remotely managed by the SEC-Line fleet management console: OpCenter, which can also capture all the unit cybersecurity, hypervisor and network settings to manage them from a unique control point.


Small Form Factor Avionics Gateway Router

Download Datasheet View Product
ACE Flight™ 4608

High Performance Avionics Server

Download Datasheet View Product