ARXUM Connection Box
The ARXUM Connection Box is equipped with an intuitive user interface. On the front there is a 128x64px LCD with colour backlight and an incremental encoder with push function. This enables intuitive operation of the device, similar to a car radio. The most important use of the front interface is the initial configuration of the device, e.g. IP address and DHCP settings. More complex settings can subsequently be made through the integrated web interface. Status information of the ACB is also shown on the front display; status changes and errors in particular are indicated using a backlight colour scheme for different system events. To connect the 3rd LAN interface, the proof-of-presence is implemented at the front.
When VPN access is requested via the web interface, the device shows a four-digit number to the web user. This number has to be entered with the encoder at the front display as proof that the requesting party has physical access to the device. This mechanism is hardwired in the ACB.
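The proof-of-presence check described above, sketched as an added example; it is not ARXUM's firmware. The lifetime, the attempt limit and all names are assumptions chosen for illustration: a four-digit code has only 10,000 values, so the check is single-use, time-limited and caps the number of tries.

```python
import hmac
import secrets
import time

CODE_TTL_S = 120    # assumption: how long a displayed code stays valid
MAX_ATTEMPTS = 3    # assumption: tries allowed before the request is void


class PresenceChallenge:
    """One pending VPN request waiting for confirmation at the front panel."""

    def __init__(self, now=None):
        # Code shown to the web user; drawn from the OS CSPRNG, zero-padded.
        self.code = f"{secrets.randbelow(10_000):04d}"
        self.issued = time.monotonic() if now is None else now
        self.attempts_left = MAX_ATTEMPTS
        self.used = False

    def verify(self, entered, now=None):
        """Check digits dialled in with the encoder.

        Returns 'granted', 'retry', 'expired' or 'void'.
        """
        now = time.monotonic() if now is None else now
        if self.used or self.attempts_left <= 0:
            return "void"          # already consumed or locked out
        if now - self.issued > CODE_TTL_S:
            self.used = True
            return "expired"       # a new web request must be started
        self.attempts_left -= 1
        # Constant-time comparison avoids leaking matching prefixes.
        if hmac.compare_digest(entered.encode(), self.code.encode()):
            self.used = True       # single use: no replay of a seen code
            return "granted"
        return "void" if self.attempts_left == 0 else "retry"
```

With these assumed limits, a party without sight of the web session has at most a 3 in 10,000 chance per request of dialling in a valid code.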
-25 ... +80 °C
Quad core ARM Cortex A53
512 MB LPDDR2 RAM
4 GB eMMC Flash ROM
internal SD Card slot
Crypto Chip: Infineon 9670 TPM2.0
Native Inputs/Outputs:
6x digital in 0-30V, < 1500Hz
2x analog in, 0-10V/0-20mA
2x output relays
Meter-Bus for 3 clients
LAN1,2,3, LAN3 switchable
Step7 to Siemens PLCs
The ARXUM Connection Box is developed from a system integrator perspective and with a security-by-design concept. It was initially developed to be deeply integrated into OEM production machines in order to implement pay-per-use business models. For this, the connectivity needs to reach into programmable logic controllers and provide connectors for industrial sensors. To protect the interests of the OEM, strong cyber security features and manipulation protection are required.
Security by Design
The device provides 3 separate LAN interfaces, of which one is physically switchable. This assures network separation between the production machine network and the cloud/internet. The switchable network interface can be connected to establish VPN access to the device. For this, the requesting user has to prove that he/she has physical access to the device (see Proof-of-Presence inside the box). As a security measure, no USB connector is present.
The device contains an Infineon 9670 TPM2.0 crypto processor as hardware security anchor. The TPM is used as secure storage for private keys and serves as the basis for securing the operating system with a secure boot process, as container for blockchain transaction signing and for encryption of relevant data on the device. Based on the secure chain of trust and the signed operating system libraries, the device is protected from malware and uncontrolled program starts. It is important to note that each single device drive is signed with its own unique private key, provided by the TPM.
Before delivery, ARXUM exchanges all necessary keys of the device in a direct attestation. Communication with the ARXUM server therefore does not require key negotiation. Based on this security infrastructure, a secure update and patching process is implemented: updates and patches are signed with each ACB’s identifier and provided for download. The ACB can thus verify the correct origin of update files. The same applies when updates are provided to OEM production machines to which the ACB is connected. As the keys for secure communication have been exchanged before delivery, a symmetric communication is established between the ACB and the ARXUM server.
The Trusted Platform Module provides:
- A hard coded, unique ID in each TPM chip that allows identification of each single ACB.
- A random number generator.
- Facilities for the secure generation of cryptographic keys for limited uses.
- Remote attestation: Creates a nearly unforgeable hash key summary of the hardware and software configuration. The software in charge of hashing the configuration data determines the extent of the summary. This allows ARXUM to verify that the software has not been changed.
- Binding: Encrypts data using the TPM bind key, a unique RSA key descended from a storage key.
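How the remote-attestation summary in the list above lets a verifier detect changed software, as an added example that is not ARXUM's code. It assumes the TPM 2.0 SHA-256 PCR bank and a three-stage boot chain with constructed image contents; checking the TPM's signature and nonce on the quote is out of scope here.

```python
import hashlib
import hmac


def measure(blob):
    """Digest of one boot component, as the measuring software would compute it."""
    return hashlib.sha256(blob).digest()


def extend(pcr, digest):
    """TPM PCR extend: new = SHA-256(old || digest). Order-sensitive, one-way."""
    return hashlib.sha256(pcr + digest).digest()


def replay(event_log):
    """Recompute the PCR a TPM would hold after the logged measurements."""
    pcr = bytes(32)  # PCRs start at all zeros after reset
    for _name, digest in event_log:
        pcr = extend(pcr, digest)
    return pcr


def appraise(quoted_pcr, event_log, reference):
    """Verifier side: return a list of findings, empty if the device is trusted."""
    # 1. The log must reproduce the PCR value the TPM reported.
    if not hmac.compare_digest(replay(event_log), quoted_pcr):
        return ["event log does not match quoted PCR"]
    # 2. Every logged measurement must equal its known-good reference value.
    return [name for name, digest in event_log if reference.get(name) != digest]


def boot(images):
    """Device side (simulated): measure each stage, return (pcr, event_log)."""
    log = [(name, measure(blob)) for name, blob in images.items()]
    return replay(log), log


# Constructed sample data: stand-ins for real firmware images.
GOOD = {
    "bootloader": b"constructed bootloader image",
    "kernel": b"constructed kernel image",
    "rootfs": b"constructed root filesystem",
}
REFERENCE = {name: measure(blob) for name, blob in GOOD.items()}
```

A modified stage changes its own measurement and every PCR value after it, so a device cannot present a clean log without the replayed value diverging from the PCR the TPM reports.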
The TPM chip is at the core of the hardware wallet implemented in the ACB.
Industrial IoT Connectivity
The ARXUM Connection Box provides industry standard sensor connectivity (24V / 0-20mA). No further intermediate device is required to connect sensors and signals, which again eliminates an attack vector. The ACB further provides industry standard communication protocols to exchange data with PLCs and SCADA systems. The connectivity concept foresees the possibility of adding further I/O extension cards in two available slots.
Based on the securely stored private keys of the TPM, blockchain transactions are signed. The ARXUM Connection Box is an industrial IoT device which directly inserts transactions in the blockchain without manual intervention. It serves as a hardware oracle for sensor data and for production machine events.
In a current setup, the ACB is used to connect a laser engraving device as a production machine to the blockchain. The ACB monitors the blockchain for smart contracts addressed to this very ACB. When relevant smart contracts are found, the production data is extracted from the contract and production is initiated through the ACB. As the production unfolds, different events are transacted in the blockchain.
Videos about the ARXUM Connection Box
Watch the ARXUM Connection Box at work! Soon you will be able to make your own personalized order.
Our co-founder Markus is giving you a short update on how we implemented the LCD screen on the ARXUM Connection Box.
Join us behind the scenes where our co-founder Markus shows you the finished prototype of the ARXUM connection box!