Willow TrustBox Edge Gateway for OT Networks

Posted by the Willow Team

Securely extracting data from OT networks is no easy feat. At Willow, securely extracting data is core to our success, bringing WillowTwin™ to life. Live data from OT networks is the essence from which owners and operators of buildings and infrastructure environments make proactive, data-led decisions to reduce expenses, grow profits, and better manage risk.

Willow team members Daniel Porragas, Building Automation Manager, and Danny Henley-Martin, Product Manager, break down our approach to securely connecting to OT networks:

How the Willow TrustBox Edge Gateway device protects WillowTwin™

The Willow TrustBox Edge Gateway for OT networks is a small, secure device that is quick and easy to deploy and lets building automation protocols stream data into WillowTwin™.

Our digital twin, WillowTwin™, really comes alive when connected with IoT and OT devices, as it enables you to overlay real-time data from physical assets on your digital twin and unlock valuable intelligence across your portfolio regardless of vendor or origin. Think traditional systems like HVAC, energy or utilities, as well as more recent technology advancements such as people, occupancy and smart city solutions. The Willow TrustBox Edge Gateway is a secure device that connects into these systems and networks, helping ensure we protect OT infrastructure and limit the cyber security risk.

Key features

We started with a “secure by design” approach to the device, and a few critical features make this approach a success. The device:

  • Uses outbound only connectivity to protect networks
  • Is hardened and penetration tested
  • Hosts containerised automation protocols like BACnet, Modbus and OPC-UA, as well as API-based integrations to local access control solutions
  • Is updated remotely via risk-tolerant over-the-air OS, firmware and software updates
  • Runs Azure IoT Edge and the Defender IoT Micro Agent
  • Has an Operational Technology compliant deployment approach

In particular, we want to dive deeper into the benefits of our Remote Edge Device Fleet Management, Azure IoT Edge and the Defender IoT Micro Agent, and how our key partners have helped to make this a success.

Remote Edge Device Fleet Management

As many building automation insiders know, device fleet management can be a real challenge, and often it is left to real estate property owners to either work through the issues themselves or contract a partner to help them through it. Simply maintaining proprietary technology, devices and systems becomes an overhead: costs grow and reluctance to update increases, given the state of play to date. Ultimately, it isn’t great for property owners, as delays in updating devices and systems increase security risk, and it isn’t great for solution providers, as their customers aren’t able to take full advantage of their new features or capabilities.

This in turn can hamper new investment into digital or IoT solutions at scale for property owners, as the action taken to reduce risk is to keep their systems and networks disconnected completely from the cloud.

To address these issues, Willow has taken a Software as a Service approach to Edge Device Fleet Management. The Willow IoT Edge Gateway is exactly that: a device that acts as a gateway to WillowTwin™. We unburden our customers, their people and their partners from the need to worry about maintaining our edge devices.

Our customers don’t need to:

  • Send people out in the field with USB drives to apply OS and firmware updates
  • Have extended downtime when updating software and firmware
  • Worry about ensuring security patches are rolled out in a timely manner
  • Manage licensing and renewals for software suites
  • Face typical OT hardware obsolescence

Our solution allows OS and firmware updates to be approved and released directly into the field remotely, over outbound-only connections. Willow and our partners ensure quality prior to deployment, and a robust system on the edge device itself installs the update silently on the side and then rolls over to the new state, reducing downtime and providing a mechanism to recover automatically to the previous state if an update fails. In addition, we know some customers may have contractual clauses around the timing of updates, which our solution is able to work within.
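To make the staged update, roll-over, automatic rollback and update-window behaviour described above concrete, here is an added illustrative model (not Willow's or Scalys' code). The two-slot layout, the health check callback and the maintenance-window format are assumptions made for the example.

```python
"""Illustrative A/B update flow for an edge gateway (example only, not product code).

The new image is written to the inactive slot while the current one keeps running,
the device then switches slots, and if the post-switch health check fails it
reverts to the previous slot automatically. Updates outside the agreed window
are deferred.
"""
from dataclasses import dataclass, field
from datetime import datetime, time


@dataclass
class Gateway:
    # Assumed two-slot layout: slot A ships with the initial image, B is empty.
    slots: dict = field(default_factory=lambda: {"A": "1.0.0", "B": None})
    active: str = "A"
    rollbacks: int = 0

    def staged_slot(self) -> str:
        return "B" if self.active == "A" else "A"

    def stage(self, version: str, image_ok: bool) -> bool:
        """Write the new image to the inactive slot; refuse images that failed verification."""
        if not image_ok:  # e.g. signature or hash check failed upstream
            return False
        self.slots[self.staged_slot()] = version
        return True

    def switch(self, health_check) -> bool:
        """Roll over to the staged slot and revert if the new image is not healthy."""
        previous = self.active
        self.active = self.staged_slot()
        if not health_check(self.slots[self.active]):
            self.active = previous  # automatic recovery to the last known-good state
            self.rollbacks += 1
            return False
        return True


def in_window(now: datetime, start: time, end: time) -> bool:
    """Assumed contractual update window, expressed as a daily local-time interval."""
    return start <= now.time() < end


def apply_update(gw: Gateway, version: str, now: datetime, window, image_ok, health_check) -> str:
    if not in_window(now, *window):
        return "deferred"
    if not gw.stage(version, image_ok):
        return "rejected"
    return "updated" if gw.switch(health_check) else "rolled_back"
```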

Azure IoT Edge and the Defender IoT Micro Agent

Thanks to Microsoft’s continued investment in not just providing leading cloud services, but also real services and solutions for IoT, Willow has been able to leverage industry leading capabilities from Azure that underpin several key capabilities.

Through Azure IoT Edge and the Defender IoT Micro Agent, our solution enables:

  • Rapid deployment of new software updates to our building automation protocol services on edge gateways across the globe
  • Secure compute and protected intellectual property within trusted containers isolated from the operating system on the edge device
  • High-volume data transport to Willow IoT Services over industry event-stream protocols like MQTT and AMQP
  • The ability to troubleshoot live containerised building automation protocols and issue remote restart commands without the need for remote access or inbound firewall rules into OT networks
  • Managed device identity from Willow’s dedicated IoT Services, isolated to single customer accounts with complete segregation
  • Real-time threat detection on the edge device, reporting known vulnerabilities as they arise, ensuring our solution continues to stay protected

Key Partners

Helping Willow to make all of this possible, we have partnered with Microsoft and Scalys who have been instrumental to the success of our overall edge solution.

Microsoft has been a key partner with Willow from day one and shares our vision to connect the built world into a comprehensive digital twin platform. In particular, over the last two years Microsoft has continued to invest and double down on its Azure IoT suite, and we have been able to benefit enormously.

Throughout the last two years, Willow and Microsoft have met regularly, giving us an amazing opportunity to share our challenges and feedback about key services provided by Azure IoT. One of the great benefits of this has been seeing Azure IoT Edge stabilise, new troubleshooting and monitoring features launch into preview, and the Azure Defender for IoT Micro Agent become deployable onto ARM-based devices.

Another great aspect of our relationship with Microsoft was the one that led us to Scalys. Through Microsoft’s vast ecosystem of partners, they were able to quickly recommend a company that they knew had security top of mind when it came to edge computing, and also the know-how and flexibility to build a device to support our vision of empowering WillowTwin™ with live data from the edge.

When we met with Scalys, they understood straight away what Willow was after and how to help us achieve our goal: a small and secure device that we can easily deploy, without needing to focus on maintaining OS and firmware updates in the field. They were able to work with us to co-develop a solution specific to our needs, along with a global support process and system that we could leverage.

On top of this, the device itself gives us enormous confidence thanks to Scalys’ attention to detail and secure-by-design approach, all the way from component selection and manufacturing through to assembly and housing. The build quality of their devices is fantastic, and they won the CES 2019 BEST OF INNOVATION Honoree in the category Cyber Security and Personal Privacy (the most impressive technology in its product category).

“Securing IoT is complex and needs to be addressed at every layer. We are focused on addressing IoT security of the whole solution – from chip to software and the cloud. TrustBox’s highly secure hardware, along with the Open Enclave SDK provided by Microsoft, complements the secure software in Microsoft Azure IoT Edge and connects safely to Microsoft Azure IoT Hub and other Azure cloud services.”

Sam George, Director of Azure IoT Engineering at Microsoft

Together with Microsoft, Scalys has continued to be at the forefront of confidential computing at the edge, which ensures data is protected while it is being processed, in addition to while it is in transit or at rest. Over the past year, we’ve seen Scalys take this further through their key partners at ARM, NXP and Microsoft, all of which Willow and our customers are able to benefit from as well.

Final Words

This amazing journey, partnership and solution is available and working in the real world today. Willow isn’t holding back; rather, we are moving forward, harder and faster. We are deploying more of these devices into the field each month, and the benefits are being realised today. Thank you for taking the time to read and watch our progress. For more information you can access our brochure here, or feel free to contact us at Willow; we’ll be more than happy to help.
