Security recommendations
In order for Nerve to operate in a secure manner, there is a set of measures that need to be taken by implementers of Nerve. This section gives the necessary background information and a Security recommendations checklist containing a summary of the suggested measures.
Security context and security measures expected by the environment
It is important to understand the setting for which Nerve has been designed. All security considerations and the security certification are based on these scenarios. If Nerve is used in a different scenario, the implementers of security will have to assess the impact of the changed security context and adapt their security strategy accordingly.
Nerve considers the machine builder and factory owner scenarios.
Machine builder scenario
In this scenario, a Nerve node is installed in an industrial machine in a production environment and delivered as part of the machine. On one side, Nerve is connected to the machine network, typically to a PLC over the OPC-UA or S7 protocol, and on the other side to the IT network.
Typically, the machine builder deploys a couple of workloads on the Nerve node:
Codesys workload for pulling data from the PLC and exposing some variables as part of an OPC-UA server
One or more Docker workloads taking the data from the OPC-UA server and transforming it to another format
One or more Docker workloads providing some dashboarding capability to visualize some of the data
One or more Docker workloads processing, storing and shipping the data to the cloud
The workloads are developed and tested by the machine builder software team.
The Nerve node is usually reliably connected to the Management System in the cloud but can work without connection to the Management System.
In such a case, periodic connection to the Management System is recommended for maintenance purposes.
The Management System and the Nerve node are used by the machine builder team to deploy, start, stop and update the workloads, and to connect remotely to the workloads to perform some diagnostics.
Factory owner scenario
In this scenario the factory owner installs the Nerve device in the factory environment.
The workloads deployed on the Nerve node are similar to those in the machine builder use case, but are developed by a software team from the factory owner.
The operations are similar to the machine builder use-case.
Standalone installation
In this use-case, the Nerve node is installed inside a machine but not in a factory environment. For example, the Nerve node is used to monitor the motor of a ship or a gas compressor.
The internet connection to the Management System is made over an LTE or 5G modem and may be unreliable or intermittent. The local network is limited in scope.
The workloads are similar to the machine-builder use case.
The functionality of the Nerve node can be used remotely through the Management System when the internet connection is available or locally by a service technician.
Defense in Depth Strategy
As per IEC 62443, all compliant systems shall implement a defense in depth strategy.
For a successful implementation of a defense in depth strategy in the overall system, it is necessary for the user to understand the capabilities of Nerve and threats addressed by these capabilities.
Refer to the respective sections for more information. The mitigation strategies required by the user are summarized in the Security recommendations checklist.