Architecture and Security Overview
Wireless & Cloud Architecture
Option 1. Client Corporate WiFi
Client WiFi AP Configuration
Currently, Petasense Motes support WPA2-PSK, WEP and WPA authentication with the WiFi Access Point*
*WPA2 Enterprise/802.1x authentication is part of the roadmap, expected in 2020
Client WiFi AP configuration requirements:
• Requires TCP port 31314 to be open for outbound communication
• Client AP should not present a web-page/HTML form for log in
Additional WiFi Security suggestions:
• Set up a hidden SSID that is not broadcast for devices to detect
• Client may configure their corporate firewall to limit traffic from Motes to only a specific domain (imp.electricimp.com)
• Mote MacIDs should be “whitelisted” on the AP
• Static network configuration & access through proxy servers are additional options
Option 2. Independent WiFi Network
Petasense can help the Client install and operate an independent WiFi network dedicated to sending Petasense sensor data, using separate WiFi APs and cellular backhaul.
For the WiFi Cellular Gateway, Petasense currently recommends the Cradlepoint IBR600 Series or IBR900 Series with Verizon LTE Service in the US; for international locations, the client has to procure 4G/LTE service.
Client may also require additional WiFi Mesh Extenders and Access Points to extend the WiFi network to areas that need connectivity. We recommend gear from Ubiquiti Networks (works with the following model numbers: UAP-AC-M and UAP-AC-PRO).
In this model, Petasense may help with procurement of Gateways, Mesh Extenders and Access Points. Client shall be responsible for ongoing maintenance of the network. Petasense shall support the install and any troubleshooting necessary.
Detailed Cloud Architecture
Overview
Petasense Motes use the Electric Imp platform for wireless communication & security. Petasense Motes incorporate Electric Imp WiFi modules, which transfer Mote data to the Electric Imp Cloud; from there the data is immediately transferred to the Petasense Cloud using https. Data in transit and at rest is fully encrypted.
Petasense Motes & IoT Device Security
Function
• Wireless sensor & transmitter
• Collects vibration samples and sends them to the cloud
Design
Hardware includes:
• MEMS and piezo accelerometers
• Electric Imp module for WiFi connectivity
• Bluetooth Low Energy module for interaction with mobile app
Software includes:
• Petasense app firmware for sensing – runs on Electric Imp OS
• Electric Imp OS provides a VM to run Petasense firmware
• BLE stack – firmware running on Bluegiga
Security
• Secure client certificate that is used to authenticate Mote on Server
• Imp modules support WPA2-PSK security for the WiFi network
• Imp OS boots from on-die flash memory which is secure and has protection mechanisms; the JTAG port is disabled to prevent snooping
• Certificate for communication is stored on microcontroller flash and configured to Readback Protection (RDP) level 2 which prevents keys from being read
Electric Imp Cloud
Function
• Manages secure communication with Imp module
• Provides REST API access to communicate with Petasense Cloud
Design
• Runs on EI Virtual Private Cloud in multiple AWS regions
• UL 2900-2-2 Security Certification
Security between Imp Module & Imp Cloud
• Electric Imp Module uses a TCP connection (with TLS 1.2) to send data to Electric Imp Cloud (server)
• Client certificate used to identify client to server
• AES-128 and AES-256 Ciphers supported after key exchange, forward secrecy coming soon
• All communication initiated outbound from client to server
• Server and client designed to reject any connections that do not present certificate
• Imp Cloud does not persist application data
• Initial connections made to domain imp.electricimp.com on port 31314 (else tries 993)
• Data transferred as binary JSON
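A preflight check for the outbound firewall requirement, as an added example (not Petasense or Electric Imp code): run from the network segment the Motes will join, it tries imp.electricimp.com on TCP 31314 and then 993, in the order given above, and reports why each attempt failed. The function names and the injectable `connect` parameter are assumptions of this example; it tests TCP reachability only and does not attempt the TLS handshake, which needs the Mote's client certificate.

```python
import socket

# Values taken from the page: endpoint host, primary port, fallback port.
IMP_HOST = "imp.electricimp.com"
IMP_PORTS = (31314, 993)


def classify(exc):
    """Map a socket error to the network condition it usually indicates."""
    if isinstance(exc, socket.gaierror):
        return "dns-failure"      # name not resolvable from this segment
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"          # packets silently dropped by a filter
    if isinstance(exc, ConnectionRefusedError):
        return "refused"          # actively rejected (TCP RST)
    return "error:" + type(exc).__name__


def check_egress(host=IMP_HOST, ports=IMP_PORTS, timeout=5.0,
                 connect=socket.create_connection):
    """Try each port in order and stop at the first one that opens.

    `connect` is a hypothetical injection point so the logic can be
    exercised without a network; it defaults to a real TCP connect.
    Returns {"usable_port": int or None, "attempts": [(port, outcome), ...]}.
    """
    attempts = []
    for port in ports:
        try:
            conn = connect((host, port), timeout)
        except OSError as exc:
            attempts.append((port, classify(exc)))
            continue
        conn.close()
        attempts.append((port, "open"))
        return {"usable_port": port, "attempts": attempts}
    return {"usable_port": None, "attempts": attempts}


if __name__ == "__main__":
    result = check_egress()
    for port, outcome in result["attempts"]:
        print(f"{IMP_HOST}:{port} -> {outcome}")
    if result["usable_port"] is None:
        print("No outbound path: open TCP 31314 to", IMP_HOST)
    elif result["usable_port"] != IMP_PORTS[0]:
        print("Only the fallback port is reachable; TCP 31314 is still blocked")
```

A "timeout" outcome on 31314 with 993 open typically means the firewall is dropping the primary port, while "dns-failure" points at name resolution rather than port filtering.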
Petasense Cloud
Function
• Orchestrates and configures all Petasense Motes
• Provides a highly scalable multi-tenant architecture
• Capable of handling high volume time series data
• Runs advanced signal processing algorithms for vibration analysis
• Powers Petasense machine learning
• Serves Petasense desktop web, mobile web and iOS apps
Design
• Petasense servers run in a virtual private cloud inside Google Cloud service
• Database runs on MySQL and HDFS based clusters
Security
• Servers are firewalled at the Google Cloud level
• TLS 1.2 between Electric Imp Module & Electric Imp Cloud
• https with TLS 1.2 between Petasense Cloud and Electric Imp Cloud
• https with TLS 1.2 between browsers/iOS app and Petasense Cloud