2023-08-09 [Solution Brief] Intel® and ASRock Industrial build FIDO Device Onboard (FDO)-enabled devices for automated, bare-metal system onboarding

Overview

The value of IoT is estimated to reach a maximum of $12.6 trillion globally in 2030 [1]. With this growth, there has been an increase in the number of industrial devices that require engineering and technical support for installation and deployment. This rapid expansion necessitates smarter solutions to manage both complexity and cost, especially when it comes to the critical "onboarding process" of these IoT devices in various industrial applications.

The world of IoT today is fragmented, and effective solutions need to be secure, flexible, and easy to use. This is precisely what FDO uniquely enables. The protocol addresses the current challenges of slow, expensive, and insecure manual onboarding processes. The FIDO Alliance aims to establish a new industry standard by releasing the FIDO Device Onboarding (FDO) specification. FDO simplifies the process of onboarding and provisioning devices by automating the secure exchange of cryptographic keys and device credentials. This ensures that devices can be securely connected to networks and managed throughout their lifecycle.

ASRock Industrial is collaborating with Intel® to implement this solution by developing FDO-enabled devices, such as the iEP-5000G Industrial IoT Controller powered by Intel® Atom® x6000E Processor. It features flexible IOs and expansions under a compact and rugged design as Edge Controller and IoT Gateway in various Edge AI applications. By utilizing FDO-enabled devices, we offer enhanced IoT security and enhanced efficiency. 

“Our collaboration with Intel® to build FDO-enabled devices such as the iEP-5000G has opened up new marvels that will revolutionize the way devices are provisioned in the IoT landscape,” said James Lee, President of ASRock Industrial. “With the cutting-edge FDO technology, the iEP-5000G sets a new standard for automated secure and seamless device onboarding. We are proud to empower businesses with a solution that simplifies and strengthens the process of connecting and managing devices, a true milestone in our joint commitment to delivering innovative and future-proof solutions!”

“As ExxonMobil progresses our Open Process Automation program towards field deployment, FIDO Device Onboarding has become a central capability for the deployment of our Distributed Control Nodes. Working with ASRock Industrial and Intel to securely onboard, load and manage these devices has further unlocked software innovation, within our automation systems and solution. We thank ASRock Industrial and Intel for their continued work, support and innovation in this space.” - Ryan W. Smeltzer, Open Process Automation Program Manager

 

The Challenge

The manual onboarding process conducted by engineers and technicians is slow, expensive, and insecure, and installation and setup costs often exceed those of the devices themselves. Moreover, the limited availability of trusted and skilled staff creates a bottleneck due to a shortage of labor. The wide range of IoT devices, with their complex hardware, operating systems, and customized system configurations, makes it challenging for manufacturers to offer build-to-order products and increases device management costs for end customers.

Additionally, with the fragmented world of IoT, the existing onboarding environments tend to offer many different levels of automation. Very few are based on a consistent industry standard, and most solutions require end customers to be identified during the manufacturing period to provide pre-configuration service. Due to this requirement, additional friction and cost are generated in the supply chain if a ready-to-go fully configured product must be delivered.

Solutions

ASRock Industrial collaborates with Intel® to construct FDO-enabled devices such as the iEP-5000G Industrial IoT Controller, leveraging the Intel® Atom® x6000E Processor for automated, secure IoT onboarding and provisioning. The process runs in a few streamlined steps: ASRock Industrial builds an FDO-enabled device such as the iEP-5000G. It registers the Ownership Voucher (OV) for the target platform and ships the device to a retailer or customer. The device is then powered up and connected to the network. At this point, it auto-provisions itself and onboards with zero touch. The following is a breakdown of the procedure:

Figure: FDO-enabled onboarding process (source: FIDO Alliance [2]).

1. ASRock Industrial and Intel® build and ship FDO-enabled devices

During the manufacturing process of the iEP-5000G, ASRock Industrial incorporates a Root of Trust (RoT) key inside the device to establish a unique identification. The RoT can take the form of a cryptographic key built into the silicon processor (or associated TPM2) during the manufacturing phase. Once this is completed, ASRock Industrial then ships the device to the retailer or customer.

2. Retailer or end customer registers ownership to the owner server

A digital proof of ownership known as an Ownership Voucher (OV) is created and stored outside the device. This allows the device to identify itself with the RV (Rendezvous Server) service. 

3. Retailer or end customer registers the device to MGMT (Device Management System)

This initiates the registration of the OV with a device profile (the choice of operating system and software solution is made at this point). The Device Management System then informs the RV server, which acts similarly to a redirection service, pointing the device to the final server instance it will onboard from. The server can be located on a local network or on the Internet (Cloud Service Provider). When the device is powered on, the RV server enables device authentication and provisioning, and the target applications (operating system or software) are deployed to the device from the Device Management System.
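The three steps above, modelled as an added example (not code from ASRock Industrial, Intel® or the FIDO Alliance): it shows late binding through the RV server and the device rejecting a voucher that was not created for it. As assumptions, an HMAC under a device-held secret stands in for the Root of Trust check, the voucher's signed ownership chain is left out, and all names and addresses are hypothetical.

```python
import hashlib
import hmac
import secrets

# Simplified model: an HMAC under a device-held secret stands in for the
# Root of Trust check; the signed ownership chain of a real voucher is omitted.

def manufacture(rv_addr):
    """Step 1: provision the device and create its Ownership Voucher."""
    secret = secrets.token_bytes(32)          # stand-in for the RoT key
    guid = secrets.token_hex(16)
    tag = hmac.new(secret, f"{guid}|{rv_addr}".encode(), hashlib.sha256).hexdigest()
    device = {"guid": guid, "rv": rv_addr, "secret": secret, "owner": None}
    voucher = {"guid": guid, "rv": rv_addr, "hmac": tag}   # stored off-device
    return device, voucher

class Rendezvous:
    """RV server: maps a device GUID to the server it should onboard from."""
    def __init__(self):
        self.redirects = {}

    def register(self, voucher, mgmt_addr):   # steps 2-3, done by the owner
        self.redirects[voucher["guid"]] = mgmt_addr

    def lookup(self, guid):
        return self.redirects.get(guid)

def voucher_is_valid(device, voucher):
    """Device-side check that the presented voucher is the one made for it."""
    msg = f"{voucher['guid']}|{voucher['rv']}".encode()
    expected = hmac.new(device["secret"], msg, hashlib.sha256).hexdigest()
    return (voucher["guid"] == device["guid"]
            and hmac.compare_digest(expected, voucher["hmac"]))

def power_on(device, rv, mgmt_servers):
    """Zero-touch onboarding: ask the RV where to go, then verify the voucher."""
    addr = rv.lookup(device["guid"])
    if addr is None:
        return "no owner registered"          # stays unbound until registration
    voucher = mgmt_servers[addr]["vouchers"].get(device["guid"])
    if voucher is None or not voucher_is_valid(device, voucher):
        return "rejected"                     # server cannot present a valid voucher
    device["owner"] = addr
    return "onboarded"
```

The device carries no owner-specific configuration when it ships; the binding exists only once the owner registers the voucher, which is why one hardware SKU can serve many customers.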

Result/Benefits

Requiring customers to go through a tedious manual onboarding process is a great challenge. Not only does it strain engineers and technicians, but it also complicates the manufacturing process and is prone to error. The consequence is a high level of inconvenience for the customer. The FDO device onboarding setup of the ASRock Industrial iEP-5000G, built on the specification developed in collaboration between Intel® and the FIDO Alliance, provides an excellent solution to address this ongoing challenge.

The benefits of ASRock Industrial FDO-enabled devices include: 

Zero-touch onboarding past power-ON

Fast and secure with lower onboarding costs

Hardware flexibility – ASRock Industrial provides various FDO-enabled devices based on customer needs

Late binding of the device to cloud greatly reduces the number of SKUs vs. other zero-touch offerings

The integration of FDO onboarding simplifies the manufacturing process significantly, providing hardware flexibility and enabling ASRock Industrial to offer various FDO-enabled devices based on customer demand. The FDO binding mechanism reduces the number of SKUs due to late binding of the device to the cloud. Customers can install their own operating systems and software, while the onboarding and activation processes occur simultaneously, ensuring scalable device provisioning.

Conclusion

The onboarding process can be completed in minutes by choosing ASRock Industrial’s iEP-5000G with the FDO specification, with enhanced security at a lower cost. The advantages are numerous: customers can now have convenient, secure, and remote IoT devices. ASRock Industrial has successful experience in implementing and adopting the FDO onboarding process from the manufacturer to the owner's side. If you are interested in FDO implementation, please do not hesitate to contact us at www.asrockind.com. We would be happy to discuss and share our implementation experiences to accelerate your FDO adoption.

References

1. Chui, M., Collins, M. and Patel, M. (2021) IoT value set to accelerate through 2030: Where and how to capture it, McKinsey & Company. Available at: https://www.mckinsey.com/capabilities/mckinsey-digital/our-insights/iot-value-set-to-accelerate-through-2030-where-and-how-to-capture-it#/ (Accessed: 04 June 2023).
2. FIDO Alliance (2021) FIDO Device Onboard: A specification for automated, secure IoT provisioning technology.


Trademark notices: All trademarks, brand names, logos, and product names mentioned or used in this solution brief are the property of their respective owners.