Announcing the Firmware Analysis Public Preview
Consider an organization with thousands of smart sensors, IoT/OT and network equipment deployed on factory floors. Most of these devices are running full operating systems, but unlike traditional IT endpoints which often run security agents, IoT/OT and network devices frequently function as “black boxes”: you have little visibility into what software they’re running, which patches are applied, or what vulnerabilities might exist within them. This is the challenge many organizations face with IoT/OT and networking equipment - when a critical vulnerability is disclosed, how do you know which devices are at risk? To help address this challenge, we are excited to announce the public preview of firmware analysis, a new capability available through Azure Arc. This extends the firmware analysis feature we introduced in Microsoft Defender for IoT, making it available to a broader range of customers and scenarios through Azure. Our goal is to provide deeper visibility into IoT/OT and network devices by analyzing the foundational software (firmware) they run. Firmware analysis will also help companies that build firmware for devices better meet emerging cybersecurity regulations on their products. In this post, we’ll explain how the service works, its key features, and how it helps secure the sensors and edge devices that feed data into AI-driven industrial transformation.

Securing Edge Devices to Power AI-Driven Industrial Transformation

In modern industrial environments, data is king. Organizations are embracing Industry 4.0 and AI-driven solutions to optimize operations, leveraging advanced analytics and machine learning. The path to AI-driven industrial transformation is fueled by data – and much of that data comes from sensors and smart devices at the edge of the network.
These edge devices measure temperature, pressure, vibration, and dozens of other parameters on the factory floor or in remote sites, feeding streams of information to cloud platforms where AI models turn data into insights. In fact, sensors are the frontline data collectors in systems like predictive maintenance, continuously monitoring equipment and generating the raw data that powers AI predictions. However, if those edge devices, sensors, and networking equipment are not secure and become compromised, the quality and reliability of the data (and thus the AI insights) cannot be guaranteed. Vulnerable devices can also be used by attackers to establish a foothold in the network, allowing them to move laterally to compromise other critical systems. In an industrial setting this could mean safety hazards, unplanned downtime, or costly inefficiencies. This is why securing the smart devices and networking equipment at the foundation of your industrial IoT data pipeline is so critical to digital transformation initiatives. By using firmware analysis on the devices’ firmware before deployment (and regularly as firmware updates roll out), the manufacturer and plant operators gain visibility into the security posture of their environment. For example, they might discover that a particular device model’s firmware contains an outdated open-source library with a known critical vulnerability. With that insight, they can work with the vendor to get a patched firmware update before any exploit occurs in the field. Or the analysis might reveal a hard-coded password for a maintenance account in the device; the ops team can then ensure those credentials are changed or the device is isolated in a network segment with additional monitoring. In short, firmware analysis provides actionable intelligence to fortify each link in the chain of devices that your industrial systems depend on.
The result is a more secure, resilient data foundation for your AI-driven transformation efforts – leading to reliable insights and safer, smarter operations on the plant floor. Firmware analysis is also a key tool used by device builders – by analyzing device firmware images before they are delivered to customers, builders can make sure that new releases and firmware updates meet their and their customers’ security standards. Firmware analysis is a key component to address emerging cybersecurity regulations such as the EU Cyber Resilience Act and the U.S. Cyber Trust Mark.

How Firmware Analysis Works and Key Features

Firmware analysis takes a binary firmware image (the low-level software running on an IoT/OT and network device) and conducts an automated security analysis. You can upload an unencrypted, embedded Linux-based firmware image to the firmware analysis portal. The service unpacks the image, inspects its file system, and identifies potential hidden threat vectors – all without needing any agent on the device. Here are the main capabilities of the firmware analysis service:

Identifying software components and vulnerabilities: The first thing the analysis does is produce an inventory of software components found inside the firmware, generating a Software Bill of Materials (SBOM). This inventory focuses especially on open-source packages used in the firmware. Using this SBOM, the service then scans for known vulnerabilities by checking the identified components against public Common Vulnerabilities and Exposures (CVEs) databases. This surfaces any known security flaws in the device’s software stack, allowing device manufacturers and operators to prioritize patches for those issues.

Analyzing binaries for security hardening: Beyond known vulnerabilities, our firmware analysis examines how the firmware’s binaries were built and whether they follow security best practices.
For example, it checks for protections like stack canaries, ASLR (Address Space Layout Randomization), and other compile-time defenses. This “binary hardening” assessment indicates how resistant the device’s software might be to exploitation. If the firmware lacks certain protections, it suggests the device could be easier to exploit and highlights a need for improved secure development practices by the manufacturer. In short, this feature acts as a gauge of the device’s overall security hygiene in its compiled code.

Finding weak credentials and embedded secrets: Another critical aspect of the analysis is identifying hard-coded user accounts or credentials in the firmware. Hard-coded or default passwords are a well-known weakness in IoT devices – for instance, the Mirai botnet famously leveraged a list of over 60 factory-default usernames and passwords to hijack IoT devices for DDoS attacks. Firmware analysis will flag any built-in user accounts and the password hash algorithms used, so manufacturers can remove or strengthen them, and enterprise security teams can avoid deploying devices with known default credentials. Additionally, the firmware analysis looks for cryptographic materials embedded in the image. It will detect things like expired or self-signed TLS/SSL certificates, which could jeopardize secure communications from a device. It also searches for any public or private cryptographic keys left inside the firmware – secrets that, if found by adversaries, could grant unauthorized access to the device or associated cloud services. By uncovering these hidden secrets, the service helps eliminate serious risks that might otherwise go unnoticed in the device’s software.

All these insights – from software inventory and CVEs to hardening checks and secret material detection – are provided in a detailed report for each firmware image you analyze.
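To make the three capability groups above concrete, here is an added Python example (not code from the firmware analysis service or from Microsoft) that runs scaled-down versions of the same checks over an unpacked firmware tree held in memory: it classifies each /etc/shadow account by password-hash algorithm, looks for PEM private keys left in the image, and reads ELF program headers to report whether a binary is position-independent (what ASLR needs from the binary itself), has a non-executable stack, has RELRO, and references the stack-protector symbol as a canary heuristic. The tree, the hash strings, the key bytes and the minimal ELF images in SAMPLE_IMAGE are all constructed for the example; SBOM/CVE matching is left out because it needs an external vulnerability database.

```python
"""Scaled-down firmware checks over a constructed in-memory tree (added example)."""
import re
import struct

# crypt(3) prefixes as they appear in the second field of /etc/shadow
HASH_PREFIXES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt",
}
WEAK_ALGOS = {"md5crypt", "descrypt"}   # fast hashes, cheap to crack offline

# ELF constants used by the hardening checks
ET_DYN, EM_X86_64 = 3, 0x3E
PT_GNU_STACK, PT_GNU_RELRO, PF_X = 0x6474E551, 0x6474E552, 0x1
PEM_KEY = re.compile(rb"-----BEGIN ((?:[A-Z]+ )?PRIVATE KEY)-----")


def audit_shadow(shadow_text: str) -> list:
    """Report every /etc/shadow account as empty, locked, or hashed with which algorithm."""
    report = []
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        if field == "":
            report.append((user, "none", "critical: empty password, logs in without a secret"))
        elif field.startswith(("!", "*")):
            report.append((user, "locked", "ok: no password login possible"))
        else:
            algo = next((name for p, name in HASH_PREFIXES.items() if field.startswith(p)),
                        "descrypt" if len(field) == 13 else "unknown")
            severity = ("high: weak hash, cheap to crack offline" if algo in WEAK_ALGOS
                        else "medium: built-in account ships with a password")
            report.append((user, algo, severity))
    return report


def elf_hardening(data: bytes):
    """Parse ELF64 little-endian headers; report PIE, NX stack, RELRO and a canary heuristic."""
    if len(data) < 64 or data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        return None   # not a 64-bit little-endian ELF: nothing to assess
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)
    stack_flags, relro = None, False
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {
        "pie": e_type == ET_DYN,                                      # ASLR of the image needs PIE
        "nx": stack_flags is not None and not (stack_flags & PF_X),   # no GNU_STACK entry => executable stack
        "relro": relro,
        "canary": b"__stack_chk_fail" in data,                        # heuristic: checker symbol referenced
    }


def analyze_image(files: dict) -> dict:
    """Run the account, secret-material and binary-hardening checks over an unpacked tree."""
    result = {"accounts": [], "secrets": [], "binaries": {}}
    for path, data in files.items():
        if path.endswith("etc/shadow"):
            result["accounts"].extend(audit_shadow(data.decode()))
        for m in PEM_KEY.finditer(data):
            result["secrets"].append((path, m.group(1).decode()))
        hardening = elf_hardening(data)
        if hardening is not None:
            result["binaries"][path] = hardening
    return result


def build_elf(pie: bool, nx: bool, relro: bool, canary: bool) -> bytes:
    """Constructed sample input: a minimal ELF64 image with only the headers the checks read."""
    phdrs = [struct.pack("<IIQQQQQQ", PT_GNU_STACK, 0x6 if nx else 0x7, 0, 0, 0, 0, 0, 16)]
    if relro:
        phdrs.append(struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 0x4, 0, 0, 0, 0, 0, 1))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)   # ELFCLASS64, little-endian, version 1
    header = ident + struct.pack("<HHIQQQIHHHHHH", ET_DYN if pie else 2, EM_X86_64, 1,
                                 0, 64, 0, 0, 64, 56, len(phdrs), 64, 0, 0)
    return header + b"".join(phdrs) + (b"__stack_chk_fail\0" if canary else b"")


# Constructed sample tree; the hash strings and key bytes are placeholders, not real material.
SAMPLE_IMAGE = {
    "etc/shadow": (b"root:$6$saltsalt$CONSTRUCTEDHASH:19000:0:99999:7:::\n"
                   b"admin:$1$salt$CONSTRUCTEDHASH:19000:0:99999:7:::\n"
                   b"support::19000:0:99999:7:::\n"
                   b"nobody:*:19000:0:99999:7:::\n"),
    "etc/ssl/private/device.key": b"-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n-----END RSA PRIVATE KEY-----\n",
    "usr/sbin/httpd": build_elf(pie=False, nx=False, relro=False, canary=False),
    "bin/busybox": build_elf(pie=True, nx=True, relro=True, canary=True),
}

if __name__ == "__main__":
    for section, findings in analyze_image(SAMPLE_IMAGE).items():
        print(section, findings)
```

Pointing analyze_image at a real extracted root filesystem only requires reading each file into the dict; the hardening checks deliberately stay at the header level so they work on stripped binaries, which is why the canary detection is a string heuristic rather than a symbol-table walk.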
Firmware analysis provides deep insights, clear visibility, and actionable intelligence into your devices' security posture, enabling you to confidently operate your industrial environments in the era of AI-driven industrial transformation.

Getting Started and What’s Next

If you have IoT/OT and network devices in your environment, use firmware analysis to test just how secure your devices are. Getting started is easy: access firmware analysis public preview by searching on “firmware analysis” in the Azure portal, or access using this link. In the future, firmware analysis will be more tightly integrated into the Azure portal. Onboard your subscription to the preview and then upload firmware images for analysis - here is a step-by-step tutorial. The service currently supports embedded Linux-based images up to 1GB in size. In this preview phase, there is no cost to analyze your firmware – our goal is to gather feedback. We are excited to share this capability with you, as it provides a powerful new tool for securing IoT/OT and network devices at scale. By shedding light on the hidden risks in device firmware, firmware analysis helps you protect the very devices that enable your AI and digital transformation initiatives. Firmware is no longer just low-level code—it’s a high-stakes surface for attack, and one that demands visibility and control. Firmware analysis equips security teams, engineers, and plant operators with the intelligence needed to act decisively—before vulnerabilities become headlines, and before attackers get a foothold. Please give the firmware analysis preview a try and let us know what you think.

Introducing Microsoft Planetary Computer Pro — Now in Public Preview
Today, we’re excited to announce the public preview of Microsoft Planetary Computer Pro — a turnkey platform that makes it dramatically easier for organizations to harness geospatial data for real-world impact. Planetary Computer Pro is built on the trusted foundation of Microsoft Planetary Computer, which offers access to over 120 distinct geospatial datasets totaling over 50PB in volume. Planetary Computer Pro is a new Azure-native service purpose-built to help organizations manage, transform, and operationalize geospatial data at enterprise scale. Geospatial data and insights are critical for solving high-impact problems across industries, from climate risk assessment and regulatory compliance to supply chain optimization and precision agriculture. Yet, traditional geospatial tooling is complex and fragmented, limiting access to a small group of geospatial specialists. Planetary Computer Pro bridges that gap — making geospatial data cloud-native, AI-ready, and accessible to data scientists, developers, and business analysts alike. We built Microsoft Planetary Computer Pro to make geospatial data a first-class citizen in modern data stacks — standardized, scalable, and seamlessly integrated with the tools enterprises already use.

Geospatial Data Management, Reimagined

Planetary Computer Pro is a fully managed geospatial data platform designed to ingest, catalog, store, process, and disseminate large volumes of private geospatial data in Azure.
Planetary Computer Pro makes it possible to:
- Empower your entire organization with secure, governed access to geospatial data
- Accelerate time-to-insights with built-in ingestion, transformation, and visualization pipelines
- Standardize and optimize your datasets for cloud-native analytics, machine learning and AI modeling
- Unify geospatial and enterprise systems under shared security, identity, and governance

Key Capabilities in Public Preview

You can deploy, manage, and monitor Planetary Computer Pro resources through Azure Portal, CLI, or SDKs, just like any other Azure-native resource provider.

Capability: Description
- Cloud Optimization: Auto-convert raw geospatial assets into cloud-optimized formats with built-in ingestion pipeline for AI/ML and big data analytics
- Data Interoperability: Organize multiple datasets into SpatioTemporal Asset Catalog (STAC) open specification, allowing for robust spatial/temporal queryability and interoperability
- Managed Storage & APIs: Fully managed storage and interact with data using intuitive REST APIs (API Reference Guide)
- Rich Visualization: Explore and analyze large datasets in a web-based Data Explorer, including tiling and mosaic rendering for raster data and data cube formats (Supported Data Types)
- Scalability & Security: Built on zone-redundant storage, governed by Microsoft Entra ID and Azure RBAC

Use Cases Across Industries

Microsoft Planetary Computer Pro supports a broad spectrum of scenarios across sectors such as:
- Energy & Utilities: Power grid optimization, site monitoring, methane detection
- Agriculture: Precision farming, pest & disease prediction
- Supply Chain: Risk-aware routing, climate-resilient sourcing
- Finance & Insurance: Underwriting, claims validation, exposure modeling
- Government: Emergency response, environmental monitoring, land use compliance
- Defense & Intelligence: ISR, threat detection, terrain analysis
- Sustainability Teams: Deforestation mapping, EUDR compliance, biodiversity tracking

Get Started with Public Preview

The public preview of Microsoft Planetary Computer Pro is available now in select Azure regions including East US, North Central US, and West Europe. To get started:
- Visit Microsoft Planetary Computer Pro
- Review our documentation Microsoft Planetary Computer Pro | Microsoft Learn
- Contact us at MPCPro@microsoft.com

What’s Next?

We’re actively working on:
- Platform Integration: Expanded integration with Microsoft Fabric; Direct access to Microsoft Planetary Computer; Commercial satellite imagery access via Azure Marketplace
- AI and Automation: Automated raster data workflow environment; Copilot and agent-assisted insights generation
- Platform Enhancement: Additional geospatial data type support; New region availability and government cloud support

Scaling industrial transformation with a robust partner ecosystem
In recent years, manufacturers have been on a journey to incorporate intelligent technologies like AI into their business processes. These exciting advancements are happening within an extended ecosystem, encompassing everything from planning and manufacturing to distribution and servicing of goods. A defining aspect of many such business processes is their continuous generation of data, which, when effectively contextualized and analyzed, can unlock critical business outcomes, including minimizing downtime, reducing waste, enhancing quality, improving sustainability, and boosting worker productivity. In addition to analytics, a comprehensive data governance strategy is fundamental as it supports the ability to embrace ecosystem-driven collaboration, a key component to unlock the full potential of AI-driven manufacturing.

Challenges in meeting the promise of IT and OT integration

With AI only as good as the data behind it, the ability to harness data across an ecosystem is paramount. However, the inherent complexities within industrial environments create digital transformation barriers. Each factory has its own unique mix of automation equipment and software configurations based on site-specific production processes. Management and data handling are also system and site specific. When organizations try to scale transformation efforts across different sites, these complexities multiply, with individual IT management systems adding permutations. Due to the variety of source and configuration combinations, pulling the right data, semantics, and contextualization into an external analysis platform becomes incredibly difficult and cost prohibitive. As a result, the ability to scale an outcome through the use of a digital feedback loop is completely out of reach.
How an adaptive cloud approach supports operational transformation

To overcome these challenges, organizations can benefit from a consistent approach to industrial data value realization that is repeatable across sites. Azure’s adaptive cloud approach enables organizations to secure, manage, and scale industrial operations by unifying data, applications, and infrastructure across edge and cloud environments. By leveraging the adaptive cloud approach, businesses can create a unified data foundation, breaking down operational silos to drive AI-driven insights and improved collaboration between IT and OT teams. Azure IoT Operations, enabled by Arc, empowers customers to easily move machine and process data between the edge and cloud in a highly unified and repeatable way. Under the hood, Azure IoT Operations is a full-stack data plane that runs in on-premises Arc-enabled Kubernetes clusters. It enables customers to discover assets via Akri and collect data. Then, customers can process and send data from the edge to the cloud using open standards and open protocols that are managed and supported by Microsoft. This solution helps enable unified data flow from facilities to natively integrated cloud destinations, including Microsoft Fabric, Azure Event Hubs, and Azure Event Grid's MQTT broker, which provides real-time insights and AI-driven decision-making. Azure IoT Operations leverages Azure Arc to extend the cloud management pattern down to the physical site, using the same cloud deployment and management controls as Azure to enable unique advantages in repeatability and scalability across the enterprise. While Azure's adaptive cloud approach can provide a foundation to simplify everything from data collection to scaling AI initiatives, Microsoft is a platform company, and our partners are essential to success in the complex industrial market.
Why a partner ecosystem is critical for enabling customer success

Achieving business outcomes from industrial data requires navigating the complexity of interconnected technology landscapes, where diverse technologies and systems must cohesively integrate. The siloed IT, OT, and ET data that results from these diverse systems can slow AI adoption, limiting manufacturers’ ability to extract real-time insights. A collaborative vendor network can help address these challenges by enabling streamlined data exchange, enhanced automation, and increased operational intelligence. The transformation enabled by this network demands a collective approach, bringing together industrial automation partners offering industry-specific AI and analytics solutions, system integrators collaboratively engineering IT-OT solutions, OEMs modernizing production lines, and ISVs developing industry-specific solutions that drive efficiency and scalability. A multi-cloud, open, and interoperable approach can allow businesses to connect engineering, production, and supply chain workflows into AI-driven digital infrastructure from cloud to edge. Manufacturers operate in complex multi-vendor environments that demand flexibility and interoperability. Choosing to adopt an open and collaborative partner network approach offers the opportunity to extend the life of investments and adopt AI and automation gradually. In addition, unlike closed models that often lead to vendor lock-in, open ecosystems enhance security and governance through consistent policy enforcement, interoperability, and real-time visibility across multi-cloud, edge, and on-prem environments. For instance, a solution like Azure Arc offers centralized security controls, automated compliance and third-party tool integration. Industrial enterprises desire a unified, scalable AI-cloud-edge strategy to optimize engineering, production, and supply chain workflows.
To make outcomes from Industrial AI initiatives a reality, organizations — including traditional competitors — should consider embracing partnerships, open standards and an adaptive cloud approach to enable easier connectivity and interoperability. Microsoft’s open, scalable, and multi-cloud ecosystem helps enable more efficient integration of Azure solutions with third-party platforms (public and private clouds) and open industry standards that enable data interoperability across IoT, AI, and automation solutions. Learn more about how Microsoft, along with partners, is reimagining how intelligent digital threads and AI agents will transform the manufacturing industry here.

Join Us - Industrial AI in Action at Hannover Messe 2025

Join us at the Microsoft booth in Digital Ecosystems Hall 17 to explore the latest innovations in our partner ecosystem supporting the transformation of industrial operations. Experience live demonstrations showcasing how AI-driven manufacturing, real-time data insights, and an adaptive cloud approach drive efficiency, flexibility, and innovation. See firsthand how Microsoft and its partners mentioned below are enabling intelligent automation, predictive quality control, and improved IT/OT integration to accelerate digital transformation.

Avanade

Avanade excels in IT/OT integration and advanced manufacturing solutions, with specialized expertise in integrating PLM, ERP, and MES systems for digital continuity across design, manufacturing, supply chain, and service processes. Avanade offers dynamic sourcing for flexible procurement and supplier collaboration, process flexibility for diverse product variants, and human-machine collaboration to meet new product requirements. At HMI 2025, Avanade and Microsoft will showcase advanced closed-loop manufacturing demos using AI machine vision for quality control, integrated with Azure IoT Operations—which leverages MQTT and OPC UA protocols to streamline data transport and connectivity.
Visit the Microsoft booth to explore how seamless system integration, dynamic sourcing, and human-machine collaboration can help produce superior products faster with less waste. Learn more about Avanade at HMI 2025.

Capgemini

Microsoft and Capgemini are driving the next era of smart manufacturing by embracing the adaptive cloud approach to accelerate digital transformation. Through Capgemini’s Intelligent Industry offerings, worker performance and operational efficiencies can be improved through AI-driven processes—empowering manufacturers to move beyond manual workflows and unlock new levels of productivity. Capgemini integrates across edge to cloud environments using services like Azure IoT Operations, Azure AI, and Microsoft Fabric to optimize quality and overall equipment effectiveness (OEE) for manufacturers. Join us at Capgemini’s Theatre Talk at HMI on Thursday, April 3 at 10:00am, where industry leaders will share how AI, when paired with edge to cloud technologies, can unlock the full potential of smart factories. Be part of the conversation—see what’s next in digital manufacturing!

Celebal Technologies

The Operational Technology (OT) Data Liberator by Celebal Technologies extracts, processes, and integrates OT data into a centralized Lakehouse, ensuring metadata synchronization, real-time streaming, historical data retrieval, and a resilient data pipeline—all while maintaining full data governance and simplified infrastructure management within the customer’s network. Deployed as a Kubernetes workload at the edge, the Liberator streams MQTT data directly into Azure IoT Operations and can be configured to leverage Akri-enabled connectors for protocol translation, eliminating traditional data silos and accelerating digital transformation. Powered by Azure IoT Operations, the OT Data Liberator delivers secure, scalable connectivity across legacy and modern OT systems, enabling data transformation and management.
From manufacturing and energy to utilities and resources, this collaboration empowers industries to optimize operations, enhance security, and scale digital transformation with confidence. Learn more here.

Litmus

Litmus, a leader in Industrial Data Operations, has partnered with Microsoft to accelerate industrial transformation by integrating Litmus Edge with Azure IoT Operations. This collaboration enables seamless connectivity through the Akri Litmus connector, supporting data processing and management of factory edge devices while bridging legacy OT systems with Microsoft’s edge to cloud technologies, including Azure Arc and Microsoft Fabric. The joint solution delivers zero-code protocol integration, centralized device orchestration, and real-time insights, simplifying edge-to-cloud data operations. Key outcomes include faster AI deployment, reduced downtime, improved product quality, and enhanced operational agility across industrial environments. Together, Litmus and Microsoft offer a unified scalable platform that empowers manufacturers to modernize operations and easily replicate lines and sites to unlock the full potential of their industrial data. Visit the Microsoft booth to see a live demo of this powerful edge-to-cloud solution in action and learn more here.

Loopr.ai

Loopr delivers real-time, AI-driven visual inspection for complex assemblies, performing over 400,000 inspections annually to enhance quality consistency, workforce efficiency, and cost reduction. With Azure IoT Operations, Loopr efficiently integrates with on-premise factory systems, enterprise ERP, and cloud analytics like Microsoft Fabric, enabling manufacturers to deploy AI-driven quality control within their existing Azure infrastructure. Loopr powered by Azure IoT Operations enables customers to overcome scaling challenges, optimize workflows and streamline edge-to-cloud data transport, enabling real-time analytics and enterprise-wide deployment.
For example, a North American automotive manufacturer recently integrated Loopr's AI-powered visual inspection system to automate their final quality checks. This implementation led to improved precision on the production line and a reduction in defect rates.

MTEK

MTEK Industry AB is transforming digitalization of discrete manufacturing with its Digital Production System and advanced integration platforms. Through collaboration with Microsoft, MTEK has successfully deployed MBrain and the Manufacturing Integration Platform (Mint) in production facilities. Utilizing the full Microsoft stack, including Azure IoT Operations, Dynamics 365, Microsoft Fabric and Teams (to name a few), MTEK achieves IT/OT/human convergence, optimizing operations while reducing environmental impact. MBrain integrates into Azure IoT Operations supporting MQTT and OPC UA, enabling immediate data monitoring and management. Together, Microsoft and MTEK deliver easily integrated data exchange between edge devices and the cloud by supporting real-time analytics and decision-making. Join us at Hannover Messe 2025 to discover how MBrain's real-time data analytics and IT/OT/human convergence empower manufacturers to achieve total value capture.

Schneider Electric

Schneider Electric enables digital transformation by integrating world-leading automation and energy technologies, endpoint to cloud connecting products, controls, software and services, across the entire lifecycle, enabling integrated company management, for homes, buildings, data centers, infrastructure, and industries. Schneider Electric is partnering with Microsoft to transform manufacturing into an AI-powered, open, software-defined industry. Microsoft's AI, Edge & Cloud patterns are combined with Schneider Electric's advanced, secure, and user-friendly industrial automation edge solution.
Join us at HMI 2025 to experience this direct-to-cloud, secure interface that empowers innovative, data-driven approaches to modernize processes and products using AI agents and digital twin solutions with real-time simulation.

Siemens

Siemens develops technologies that power progress across industrial automation, infrastructure, transportation, and healthcare, with a strong emphasis on digital solutions and sustainability globally. The collaboration with Siemens leverages Siemens Industrial Edge and Microsoft Azure IoT Operations to create integrated, data-driven production environments that address customer pain points. This partnership helps ensure data flow from the shop floor to the cloud, empowering manufacturers to harness advanced technologies like AI and digital twins to streamline their production processes. Learn more about how Siemens and Microsoft are partnering to accelerate IT and OT integration at HMI 2025.

Sight Machine

Sight Machine’s industrial AI data platform, now deployable at the edge with Azure IoT Operations, unifies real-time production data, enhancing data accessibility and productivity. At the Microsoft booth, come and discover how Sight Machine and Microsoft are revolutionizing beverage bottling operations by reducing downtime and increasing availability through real-time plant data, AI-driven insights, and collaboration tools, all powered by Microsoft’s secure, scalable cloud infrastructure. Microsoft fosters collaborative innovation, empowering partners to drive industrial transformation. At Hannover Messe 2025, Sight Machine will also demonstrate its integration with NVIDIA Omniverse, offering real-time 3D visualization, rapid troubleshooting, and root cause analysis. Co-developed by Microsoft, NVIDIA, and Sight Machine, this solution enhances manufacturing performance. Visit the NVIDIA booth to learn more.
Symphony AI

SymphonyAI revolutionizes the Intelligent Factory with Predictive, Generative and Agentic AI solutions for industrial verticals across manufacturing, consumer goods and energy. Their software drives end-to-end digital transformation from edge to cloud, integrating data sources, contextualizing information, and powering AI-driven applications. At HMI, discover how SymphonyAI’s IRIS Foundry Industrial DataOps platform is extending capabilities to the edge to help manufacturers leverage factory data to expedite AI-driven value in maintenance, quality, process optimization, closed-loop operations, and overall plant performance. The new edge capabilities easily and securely connect to factory systems, store and transform data, automate workflows and leverage Azure IoT Operations Dataflows and MQTT Broker to smoothly transport data to IRIS Foundry, unlocking actionable AI for factory operations. Don't miss this opportunity to see how we can transform your operations—join us at HMI for the demo.

Learn more

AI and the adaptive cloud approach are transforming how industries design, build and operate, driving the next wave of efficiency, agility, and innovation. To fully harness this potential, organizations should embrace a collaborative ecosystem that fosters AI-driven insights, simplified data integration, and secure digital transformation. The future of manufacturing is intelligent, interconnected, and AI-powered—and success depends on a strong partner network, a flexible cloud strategy, and a commitment to open, multi-cloud innovation. By working together, we can accelerate industrial transformation, overcome complex challenges, and unlock the full power of smart manufacturing. Learn more about the adaptive cloud approach and explore comprehensive cloud-to-edge scenarios designed for specific industry needs with Arc Jumpstart Agora.

Automatic IoT Edge Certificate Management with GlobalSign EST
(Republish from Feb 15, 2023) When it comes to managing IoT devices, security is of the utmost importance. But you’d also rest easier if devices are secure without concern about manual certificate management. In this post, we'll show you a solution that streamlines IoT Edge certificate management using GlobalSign's IoT Edge Enroll EST service.

An Analogy

Think of each IoT Edge device as a new driver, ready to hit the road and communicate with the IoT Hub. And like a new driver, each device needs its own set of credentials that need renewal. Here's how GlobalSign's EST service makes it a breeze:

Birth Certificate: During manufacturing, each device is given a unique Initial Device Identifier (IDevID) certificate and private key (ideally, something like Trusted Computing Group’s (TCG) Trusted Platform Module’s (TPM) Endorsement Key (EK) certificates with factory-burnt, hardware-backed private keys). This is like the device's birth certificate, proving its identity.

Driver's License: When the device connects for the first time, it uses its IDevID to authenticate with GlobalSign for a certificate signing request (CSR). In return, GlobalSign provides a short-lived Locally Significant Device Identifier (LDevID) certificate from a trusted root CA. This LDevID acts as the device's driver's license, allowing it to operate for some time. The LDevID serves as the device's unique identifier in IoT Hub, registered through Device Provisioning Service (DPS).

Automatic Renewal: To make sure your devices never lose their communication privileges, IoT Edge automatically renews the LDevID certificates before expiration. Like a driver's license renewal, but automated!

By using GlobalSign's EST service, you can enjoy secure certificate management for your IoT Edge devices. It's like having a personal assistant renewing your driver's license for you. Give it a try to start streamlining your IoT Edge certificate management.
Prerequisites

An IoT hub and a Device Provisioning Service linked to it.

A GlobalSign demo account: Sign up for "Test Your Azure IoT Edge PoC with live device certificates from GlobalSign's IoT Edge Enroll". You'll receive an email with details for your EST server endpoint within a few days, including three endpoints (IDevID, LDevID, and Edge CA). Reply to the GlobalSign contact and ask to:

- Enable X.509 authentication (mTLS) for both the LDevID and the Edge CA endpoints.
- Turn off “re-enrollment forcing”. The default behavior of GlobalSign IoT Edge Enroll is to notice that a previously issued certificate was presented and "upgrade" the request to the re-enrollment workflow, which overrides the subject CN to match the previously issued certificate. Typically, customers would use a separate CA for the bootstrap/IDevID, so in practice this outcome usually wouldn't be seen. For the simplicity of this post, it’s easier to ask GlobalSign to respect the certificate signing request (CSR) and not perform the “upgrade”.

A Linux machine, VM, or device with IoT Edge installed. Don't provision the IoT Edge device identity.

Create the IDevID

In this section, we create the IDevID certificate, which serves as the device's birth certificate. It’s a one-time process that occurs during device manufacturing, and it ensures that the initial secret value for first-time authentication to GlobalSign never leaves the factory. Later, when the device wakes up, it will use the IDevID certificate to get its driver's license, the LDevID certificate.

On your local machine, or via SSH into the IoT Edge device, create directories to store certificates and private keys for IoT Edge. Ownership of these directories is assigned to the "aziotcs" certificate service and the "aziotks" key service in a later step.

sudo mkdir -p /var/aziot/secrets
sudo mkdir -p /var/aziot/certs

Retrieve the GlobalSign demo root CA certificate with curl and convert it to PEM format using openssl.
This certificate serves as the common root of trust between IoT Edge, GlobalSign, and DPS (and thus IoT Hub).

curl https://<YOUR-IDEVID-ENDPOINT>.est.edge.dev.globalsign.com:443/.well-known/est/cacerts | openssl base64 -d | openssl pkcs7 -inform DER -outform PEM -print_certs | openssl x509 -out globalsign-root.cert.pem

Use openssl to create a new private key and certificate signing request (CSR).

openssl req -nodes -new -subj /CN=IDevID -sha256 -keyout IDevID.key.pem -out IDevID.csr

Send the CSR to GlobalSign's simple enroll EST endpoint using curl, to obtain the IDevID certificate that is signed by the root CA and paired with the private key created earlier.

curl -X POST --data-binary "@IDevID.csr" -H "Content-Transfer-Encoding:base64" -H "Secret-Value: <YOUR-SECRET-VALUE>" -H "Content-Type:application/pkcs10" https://<YOUR-IDEVID-ENDPOINT>.est.edge.dev.globalsign.com:443/.well-known/est/simpleenroll | openssl base64 -d | openssl pkcs7 -inform DER -outform PEM -print_certs | openssl x509 -out IDevID.cert.pem

Move the certificates and private keys to the directories you created earlier, and give the IoT Edge certificate and key services the appropriate permissions on the PEM files and directories.

sudo cp *cert.pem /var/aziot/certs
sudo cp *key.pem /var/aziot/secrets
sudo chown aziotcs:aziotcs /var/aziot/certs/*.cert.pem
sudo chmod 644 /var/aziot/certs/*.cert.pem
sudo chown aziotks:aziotks /var/aziot/secrets/*.key.pem
sudo chmod 600 /var/aziot/secrets/*.key.pem
sudo chown aziotcs:aziotcs /var/aziot/certs
sudo chmod 755 /var/aziot/certs
sudo chown aziotks:aziotks /var/aziot/secrets
sudo chmod 700 /var/aziot/secrets

Use the ls command to verify that the files are in place with the proper permissions and match the expected values.
$ sudo ls -lR /var/aziot
/var/aziot:
total 8
drwxr-xr-x 2 aziotcs aziotcs 4096 Jan 11 14:38 certs
drwx------ 2 aziotks aziotks 4096 Jan 11 14:38 secrets

/var/aziot/certs:
total 8
-rw-r--r-- 1 aziotcs aziotcs 1298 Jan 11 14:38 IDevID.cert.pem
-rw-r--r-- 1 aziotcs aziotcs 1383 Jan 11 14:38 globalsign-root.cert.pem

/var/aziot/secrets:
total 4
-rw------- 1 aziotks aziotks 1704 Jan 11 14:38 IDevID.key.pem

Prepare DPS for provisioning

Here's how to get DPS ready for device provisioning:

1. If you haven’t already done so, create an IoT hub and DPS, then link them together.
2. Go to the DPS instance in the Azure portal, then select Certificates > Add. In the pop-up, select your GlobalSign EST root CA certificate. You can use SFTP or the VS Code Remote extension to copy it from the IoT Edge device, or use curl to get it again. Select "Set certificate status to verified on upload" so that you can skip proof-of-possession. Click Save.
3. Create a DPS enrollment group. Make sure the attestation type is set to Certificate, IoT Edge device is set to True, certificate type is set to CA Certificate, and the root CA you just uploaded is set as the Primary Certificate.

Now your DPS is ready to provision the IoT Edge device when it wakes up, using the root CA certificate as the trusted source of authentication.

Configure and start the IoT Edge device

In this section, we set up the IoT Edge device with its birth certificate (IDevID) to communicate with the GlobalSign EST server and receive its driver's license (LDevID). The LDevID allows the device to talk to DPS and get the proper authorization for communication with IoT Hub.

On the IoT Edge device, create a config file config.toml. Replace the marked parameters with details from your GlobalSign account and DPS.
# The CA cert of the demo root we got from earlier
[cert_issuance.est]
trusted_certs = ["file:///var/aziot/certs/globalsign-root.cert.pem"]

# Empty because the LDevID (device ID) and Edge CA endpoints are different
[cert_issuance.est.urls]

# Use the IDevID cert and private key for authentication to EST
[cert_issuance.est.auth]
identity_cert = "file:///var/aziot/certs/IDevID.cert.pem"
identity_pk = "file:///var/aziot/secrets/IDevID.key.pem"

# DPS provisioning with X.509 certificate
# Replace with ID Scope from your DPS
[provisioning]
source = "dps"
global_endpoint = "https://global.azure-devices-provisioning.net"
id_scope = "<DPS-ID-SCOPE e.g 0AB12345678>"

[provisioning.attestation]
method = "x509"
registration_id = "my-device-id"

# Get LDevID (device ID) cert from EST with auto renew
[provisioning.attestation.identity_cert]
method = "est"
common_name = "my-device-id"
url = "https://<YOUR-LDEVID-ENDPOINT>.est.edge.dev.globalsign.com:443/.well-known/est/"

[provisioning.attestation.identity_cert.auto_renew]
threshold = "80%"
retry = "4%"

# Get Edge CA from EST also with auto renew
[edge_ca]
method = "est"
url = "https://<YOUR-EDGE-CA-ENDPOINT>.est.edge.dev.globalsign.com:443/.well-known/est/"

[edge_ca.auto_renew]
threshold = "80%"
retry = "4%"

Copy the file over as root and apply the configuration with iotedge config apply. This also starts the IoT Edge device.

sudo cp config.toml /etc/aziot/config.toml
sudo iotedge config apply

Verify that the configuration was successful by using the iotedge check command. You should see successful checks on the connection with DPS and the status of certificates and keys. You can also check in your DPS Enrollment Group > Registration Records or in IoT Hub to see that the IoT Edge device is registered (shown below).

Note: if you haven’t configured an IoT Edge deployment, you might see an error about the edgeHub container being missing in iotedge check and a 417 in IoT Hub. That’s normal until you add the deployment via Set modules.
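To reason about the auto_renew settings just applied, here is an added example (not code from the post, IoT Edge, or GlobalSign) that computes when IoT Edge will first attempt renewal and how many retries fit before expiry. It assumes the documented semantics of threshold and retry as percentages of the certificate lifetime, handles only the percentage form, and uses constructed validity dates.

```python
from datetime import datetime, timedelta, timezone


def parse_percent(value: str) -> float:
    """Turn an auto_renew value such as "80%" into a fraction (0.8).

    Assumption: only the percentage form is handled; IoT Edge also
    accepts absolute durations, which this helper rejects explicitly.
    """
    value = value.strip()
    if not value.endswith("%"):
        raise ValueError(f"only percentage values are handled here: {value!r}")
    pct = float(value[:-1])
    if not 0 < pct < 100:
        raise ValueError(f"percentage must be between 0 and 100: {value!r}")
    return pct / 100.0


def renewal_schedule(not_before, not_after, threshold="80%", retry="4%"):
    """Return (first_attempt, retry_interval, retries_before_expiry).

    threshold: share of the certificate lifetime after which the first
               renewal attempt is made (config.toml auto_renew.threshold).
    retry:     share of the lifetime between attempts when the EST server
               cannot be reached (auto_renew.retry).
    """
    lifetime = not_after - not_before
    if lifetime <= timedelta(0):
        raise ValueError("notAfter must be later than notBefore")
    first_attempt = not_before + lifetime * parse_percent(threshold)
    retry_interval = lifetime * parse_percent(retry)
    # Retries that fit between the first attempt and expiry. Zero means a
    # single failed attempt leaves no second chance before the cert lapses.
    retries_before_expiry = (not_after - first_attempt) // retry_interval
    return first_attempt, retry_interval, retries_before_expiry


def renewal_state(not_before, not_after, now, threshold="80%"):
    """Classify a certificate as 'valid', 'renewal-due' or 'expired' at now."""
    first_attempt, _, _ = renewal_schedule(not_before, not_after, threshold)
    if now >= not_after:
        return "expired"
    if now >= first_attempt:
        return "renewal-due"
    return "valid"


if __name__ == "__main__":
    # Constructed sample: a 90-day LDevID issued on the date of the listing above.
    issued = datetime(2023, 1, 11, 14, 38, tzinfo=timezone.utc)
    expires = issued + timedelta(days=90)
    first, interval, retries = renewal_schedule(issued, expires, "80%", "4%")
    print(f"first renewal attempt: {first:%Y-%m-%d %H:%M} UTC")
    print(f"retry every {interval}; {retries} retries possible before expiry")
    print(renewal_state(issued, expires, issued + timedelta(days=80)))
```

A retry value larger than the gap between threshold and expiry (for example 25% with an 80% threshold) yields zero retries, which is worth checking before shortening certificate lifetimes.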
On the device, check the new certificates from the EST server. In the "/var/lib/aziot/certd/certs" directory, you should see three different certificates whose names start with "estid", "aziotedgedca", and "deviceid". Use OpenSSL to inspect them. Note: the certificate file names include a randomly generated GUID; use "ls" to find their names and paste them into the OpenSSL command.

sudo ls /var/lib/aziot/certd/certs
sudo openssl x509 -text -in /var/lib/aziot/certd/certs/estid-<GUID>.cer
sudo openssl x509 -text -in /var/lib/aziot/certd/certs/aziotedgedca-<GUID>.cer
sudo openssl x509 -text -in /var/lib/aziot/certd/certs/deviceid-<GUID>.cer
sudo openssl x509 -in /var/aziot/certs/IDevID.cert.pem -text | head -n 10

That’s it! When 80% of a certificate's lifetime has elapsed (the threshold set in config.toml), IoT Edge automatically renews both the device ID and the Edge CA certificates without manual intervention.

Simplify IoT Edge Security

This blog showed how to configure IoT Edge devices for secure communication using X.509 certificates without the need for manual certificate management. By using this approach, organizations can securely and efficiently manage their IoT Edge devices at scale, streamlining device enrollment and reducing the risk of security breaches. To adapt the example to fit your needs, consider the following:

Security level: Your security requirements may vary based on your use case. Consider whether a unique IDevID certificate per device is necessary or whether sharing the same certificate among multiple devices is acceptable. It's important to never store the initial EST secret value on the device in plaintext.

Comprehensive security: For a more robust security approach, refer to "The blueprint to securely solve the elusive zero-touch provisioning of IoT devices at scale | Azure".

Dev/test scenarios: IoT Edge also supports basic authentication (username/password) for EST servers.
To Restart

If you need to restart midway through, stop the IoT Edge service first, delete any certificates and keys that were generated, reapply the config, and restart IoT Edge.

sudo iotedge system stop
sudo sh -c "rm /var/lib/aziot/certd/certs/*"
sudo sh -c "rm /var/lib/aziot/keyd/keys/*"
sudo cp config.toml /etc/aziot/config.toml
sudo iotedge config apply
sudo iotedge system logs -- -f

Enable an Industrial Dataspace on Azure
What is an Industrial Dataspace?

An industrial dataspace is an environment designed to enable the secure and efficient exchange of data between different organizations within an industrial ecosystem. Developed by the International Data Spaces Association, it focuses on key principles such as data sovereignty, interoperability, and collaboration. These principles are crucial in the context of Industry 4.0, where interconnected systems and data-driven decision-making optimize industrial processes and create resilient supply chains. A tutorial with step-by-step instructions on how to enable an industrial dataspace on Azure is available here.

Use Case: Providing a Carbon Footprint for Produced Products

One of the most popular use cases for industrial dataspaces is providing the Product Carbon Footprint (PCF), an increasingly important requirement in customers' buying decisions. The Greenhouse Gas Protocol is a common method for calculating the PCF, splitting the task into scope 1, scope 2, and scope 3 emissions. This example solution focuses on calculating scope 2 emissions from simulated production lines using energy consumption data to determine the carbon footprint for each product.

Accessing the Reference Implementation

The Product Carbon Footprint reference implementation can be accessed here and deployed to Azure with a single click. During the installation workflow, all the required components are deployed to Azure. This reference implementation supports data modelling with the IEC standard Open Platform Communications Unified Architecture (OPC UA), aligned with the OPC Foundation Cloud Initiative. It also uses the IEC standard Asset Administration Shell (AAS) to provide product semantics, creating a Product Carbon Footprint AAS for simulated products and storing it in an AAS Repository.
Finally, the implementation uses the IEC/ISO standard Eclipse Dataspace Components (EDC) to establish the trust relationship between the manufacturer and the customer, enabling the actual PCF data transfer via an OpenAPI-compatible REST interface.

Conclusion

Enabling an industrial dataspace on Azure can help manufacturers meet regulatory requirements, optimize industrial processes, and improve customer engagement by leveraging modern cloud technologies and standards to provide a secure and efficient data exchange environment, ultimately driving transparency and sustainability in the manufacturing industry.

Partners accelerating industrial transformation with Azure IoT Operations
In the digital age, the essence of innovation lies not only in groundbreaking technology but also in the power of collaboration. At Microsoft, we have always recognized that our success is intertwined with the success of our partners. Our platform products, including the newly released Azure IoT Operations, are designed to be the foundation upon which our partners can build transformative solutions. These collaborations are more than just business arrangements; they are the bedrock of a thriving ecosystem that drives innovation, addresses customer needs, and propels industry standards forward.

Partnerships enable us to extend our reach and impact far beyond what we could achieve alone. By combining our technological prowess with the domain expertise and creativity of our partners, we create a dynamic synergy that fosters groundbreaking advancements. This collaborative spirit is vital as we navigate the complexities of the Internet of Things (IoT) landscape, where diverse applications and specialized knowledge are paramount. Our partners bring unique perspectives and capabilities to the table, ensuring that Azure IoT Operations can cater to a broad spectrum of industries and use cases.

Transforming Manufacturing with the Help of Ontologies
For over three years, Microsoft has been contributing to the Digital Twin Consortium’s open-source initiative. The most successful open-source project the DTC runs is the Manufacturing Ontologies project, available at: https://github.com/digitaltwinconsortium/ManufacturingOntologies

We examine our most recent contributions.