CPS and IoT Security
AuroraSOC treats Cyber-Physical Systems (CPS) and IoT devices as first-class security assets alongside traditional IT infrastructure.
What are Cyber-Physical Systems
CPS are systems where software directly controls physical processes:
| Domain | Examples | Risk |
|---|---|---|
| Industrial Control | PLCs, SCADA, DCS | Physical damage to equipment |
| Building Automation | HVAC, access control, fire suppression | Safety hazards |
| Medical Devices | Infusion pumps, patient monitors | Patient harm |
| Transportation | Traffic controllers, railway switches | Public safety |
| Energy | Smart grid, solar inverters, substations | Grid instability |
CPS vs. IT Security
Key differences:
| Aspect | IT Security | CPS/IoT Security |
|---|---|---|
| Priority | Confidentiality, Integrity, Availability | Safety, Availability, Integrity |
| Patching | Regular patch cycles | Months or years between patches |
| Protocols | TCP/IP, HTTP, TLS | Modbus, DNP3, BACnet, OPC UA, MQTT |
| Devices | Servers, workstations | Constrained: 256KB RAM, no screen |
| Lifetime | 3-5 years | 15-25 years |
| Isolation response | Isolate and investigate | Must maintain safety functions |
AuroraSOC's CPS architecture
A device that auto-registers over MQTT starts with attestation_status set to unknown. The MQTT consumer routes every device through the attestation gate, which verifies the ECDSA-signed firmware hash. Only a device that attests successfully is marked trusted and handed to the CPS Security agent for correlation; a device that fails is quarantined and denied response actions until it recovers. Attestation is the trust boundary, not an optional path.
Three firmware platforms
ESP32-S3: Zephyr RTOS (C)
Use case: Edge AI inference with WiFi connectivity. Zephyr's hardware abstraction layer supports the ESP32-S3 peripherals. The firmware uses TLS for secure MQTT communication, supports OTA updates, and runs TFLite Micro for on-device ML anomaly detection.
nRF52840: Embassy-rs (Rust)
Use case: BLE security sentinel and USB device monitor. Rust gives memory safety without garbage collection within 256KB of RAM, and Embassy's async/await on bare metal handles BLE and MQTT-SN concurrently. The CC310 hardware crypto accelerator performs the ECDSA signing used for attestation.
STM32F429: Ada SPARK
Use case: Safety-critical relay control with formal verification. Pre- and post-condition contracts are verified at compile time by the SPARK prover, so this platform is used where software failures could cause physical harm. The PKA (Public Key Accelerator) provides hardware-accelerated attestation.
Firmware attestation
Every device periodically proves its firmware integrity. The device computes the SHA-256 of its firmware binary, signs the hash with ECDSA, and publishes the result to MQTT. The backend verifies the signature against the known public key. Valid attestations are recorded; failed attestations generate critical alerts.
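The attestation gate from the architecture section and the verification flow above, as an added example in Go that is not AuroraSOC's own code. It assumes the message field names, a P-256 key, and an ASN.1 DER signature encoding, none of which the page specifies, and it combines the signature check with the known-good hash comparison from the FIRMWARE_MISMATCH detection.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// attestation_status values from the CPS architecture description.
const (
	StatusUnknown     = "unknown"
	StatusTrusted     = "trusted"
	StatusQuarantined = "quarantined"
)

// Attestation is the message a device publishes over MQTT (field names assumed).
type Attestation struct {
	DeviceID     string
	FirmwareHash []byte // SHA-256 of the firmware binary
	Signature    []byte // ASN.1 DER ECDSA signature over FirmwareHash (encoding assumed)
}

// SignFirmware is the device side: hash the firmware image and sign the digest.
func SignFirmware(deviceID string, firmware []byte, key *ecdsa.PrivateKey) (Attestation, error) {
	digest := sha256.Sum256(firmware)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return Attestation{}, err
	}
	return Attestation{DeviceID: deviceID, FirmwareHash: digest[:], Signature: sig}, nil
}

// AttestationGate is the backend side. A valid signature only proves possession of
// the device key, so the reported hash is also compared with the known-good firmware
// digest (the FIRMWARE_MISMATCH check). Any failure leaves the device quarantined.
func AttestationGate(a Attestation, pub *ecdsa.PublicKey, knownGood []byte) string {
	if !ecdsa.VerifyASN1(pub, a.FirmwareHash, a.Signature) {
		return StatusQuarantined // wrong key or tampered message
	}
	if !bytes.Equal(a.FirmwareHash, knownGood) {
		return StatusQuarantined // authentic device, unexpected firmware
	}
	return StatusTrusted
}

// Unused here but kept to mirror the initial status of an auto-registered device.
var _ = elliptic.P256
```

A device enters the gate with status unknown and leaves it as either trusted or quarantined; a quarantined device is also denied response actions, as the architecture section requires.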
Physical-cyber correlation
AuroraSOC detects attacks spanning physical and digital domains:
| Type | Detection Method | Example |
|---|---|---|
| PHYSICAL_TAMPER | Vibration sensor plus auth failure | Physical access attempt during digital auth |
| FIRMWARE_MISMATCH | Hash comparison against known-good | Supply chain attack replacing firmware |
| ANOMALOUS_TELEMETRY | Baseline deviation analysis | Temperature spike indicating hardware manipulation |
| COMMUNICATION_ANOMALY | Traffic pattern analysis | Device talking to unknown IP |
| LOCATION_ANOMALY | Network zone validation | Device on unexpected network segment |
Physical-cyber correlation alerts are always treated as critical severity because they may indicate a sophisticated attacker with physical access.
CPS security tools
The CPS Security agent has six specialised tools: QueryCPSSensor for real-time device telemetry, VerifyAttestation for firmware integrity checks, RevokeCertificate for compromised device revocation, CorrelatePhysicalCyber for cross-domain analysis, QueryOTProtocol for OT protocol data, and IsolateNetworkSegment for OT network isolation.