INNOVATION
The Cuprous secured edge gateway is designed with best-in-class security practices and consists of a single board with a low-powered Internet of Things computer. The computer integrates WiFi, Ethernet, and interface electronics including RS485. The gateway’s form factor is designed to fit in small enclosures and its low energy consumption avoids the need for any additional cooling.
SOFTWARE
Cuprux is our security-focused Linux® operating system running on the gateway. It manages communication with the Cuprous Cloud Edge while insulating your application from potential attacks in a controlled environment or container.
Cuprux also coordinates with a Cuprous provisioning service to manage the deployment and lifecycle of the gateway and your application.
HOW IT WORKS
Gateways are provisioned with a unique identity by the time they are supplied to your users. This identity is stored in a registry that is synchronised with your cloud.

When plugged into a network, the gateway will establish a VPN connection to your cloud and the user will be provided with a public and secure web link to access it. No configuration to access the gateway is required by your users.
EDGE
- A high-performance, energy efficient Arm Cortex-A5 CPU-based embedded microprocessor running up to 500 MHz, 256MiB of memory, 8GB of eMMC flash storage with secure enclave hardware
- No fan or heatsink is required to cool the gateway, leading to increased energy efficiency and reliability
- Limited attack surface given that the gateway is designed to establish trusted outbound internet connections only
- Software containerisation further prevents network access to the operating system and eliminates local area network address contention
- Secure access to its user interface via a private WiFi connection or across the internet via a WireGuard VPN (Virtual Private Network)
- Supervisory function for hosting event-driven services that enable a great user experience
- Dual mode 2.4 GHz 802.11 b/g/n Wi-Fi - simultaneously hosts a WiFi access point and connects to existing WiFi networks
- On-board U.FL connector for an external antenna to promote good reception
- Wired 10/100 Mbps Ethernet via onboard RJ45 modular jack.
- RS485 communications for local connectivity with a range of several hundred metres, with the potential to support over 255 server nodes, including MODBUS nodes. The RS485 port is galvanically isolated to resist 8kV fault transients and eliminate ground loops.
- USB 2.0 host port header, USB C device port, FTDI compatible serial connector.
- Trusted firmware and software updates via WireGuard
- Autonomous operation without requiring internet connectivity - also known as “local first cooperation”
- A “commit log” design permits external services to connect and “catch up” with the state of the system
- AES-128 CCM encryption for data at rest
- A software secret store for holding sensitive data including encryption keys
- User credentials are encrypted and any stored passwords are hashed
- Tamper switch for detecting whether an enclosure has been opened and closed
- Enclosure temperature monitoring
- Easy access to board components, including voltage test points
- Animated LEDs that indicate the state of the gateway
- Low power consumption and low heat generation - sub 1W
- PCB test points for factory-based quality control
- Components are FCC and CE certified
- Cuprux - our own modern Linux® distribution designed specifically for the gateway, supporting systemd and its containerisation
PROVISIONING AND CLOUD
- A suite of services designed to run on self-hosted Debian-based Linux® machines, including those using the popular Ubuntu distribution
- A registry service for holding information on each gateway provisioned at the point of manufacture
- A registry service that can import data from other Cuprous registries for the purpose of managing gateways that can be trusted with the system
- One or more Cloud Gateway services that globally manage public HTTPS access to each gateway and its associated WireGuard VPN network
- Each Edge Gateway may connect to any Cloud Gateway so that it may be accessed securely over the public internet
- Cloud Gateways and their associated registry are resilient in the face of failure - as long as one Cloud Gateway remains active then access to the Edge Gateways remains
- Gateway identities are aliased using encryption and randomness so that their public facing internet addresses cannot be guessed, nor traced back to a gateway
- Secure shell access (SSH) is provided to an Edge Gateway only via the host machine of the Cloud Gateway - the Edge Gateway is locked down
- Trusted software updates can be pushed to an Edge Gateway from a Cloud Gateway securely