Security for Arduino.

Hi all.

What are the security issues when you think of the Arduino as a "commercial product"?

I know there may not be a short answer, but I am trying to compare Arduino with PLC.

As far as I know, a PLC is an "expensive and safe" choice for a commercial product, but I think I can be more creative with a cheaper Arduino and Arduino shields with lots of libraries.

Any help would be greatly appreciated because I am really stuck with this question.

Thank you.

What do you mean by security exactly?

This is what I am trying to understand :)

When I read what experienced people say about Arduino vs PLC, they say that we need to use a PLC if the project needs extra support and security is the issue.

If security is not an issue and we may support the product ourselves, we can use Arduino.

I am trying to understand what I should add to Arduino to use it as a commercial product.

Thank you.

what should I add to Arduino to use it as a commercial product.

More robust IO and libraries.

As it stands all Arduinos have no protection on the IO pins, that's fair enough because it's a dev platform and not supposed to be the final product. But you should add IO protection.

A lot of the library code I've seen cannot be called robust: there is no bounds checking on parameters, blind indexing into arrays, etc. Either write your own code or have a serious look at the libraries you use.


Rob
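
Added example, not part of the thread and not code from any Arduino library: the "blind indexing" pattern described in the post above next to a bounds-checked version, plus a parser for an untrusted command line. The names (`channel_state`, `set_channel`, `handle_command`) and the `"<channel> <value>"` command format are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

#define NUM_CHANNELS 4                      /* hypothetical output count */
static uint8_t channel_state[NUM_CHANNELS]; /* constructed PWM level table */

/* The pattern criticised above: caller-supplied index used blindly.
   channel = 7 or -1 writes outside channel_state. */
void set_channel_unchecked(int channel, int value) {
    channel_state[channel] = (uint8_t)value;
}

/* Hardened form: validate both parameters and report failure. */
bool set_channel(int channel, int value) {
    if (channel < 0 || channel >= NUM_CHANNELS) return false;
    if (value < 0 || value > 255) return false;
    channel_state[channel] = (uint8_t)value;
    return true;
}

/* Returns the stored level, or -1 for an invalid channel. */
int get_channel(int channel) {
    if (channel < 0 || channel >= NUM_CHANNELS) return -1;
    return channel_state[channel];
}

/* Parse one untrusted "<channel> <value>" line (e.g. from serial). */
bool handle_command(const char *line) {
    char *end;
    if (line == NULL || !isdigit((unsigned char)line[0])) return false;
    long ch = strtol(line, &end, 10);
    if (*end != ' ' || !isdigit((unsigned char)end[1])) return false;
    long val = strtol(end + 1, &end, 10);
    if (*end != '\0') return false;
    /* Range-check as long before narrowing to int. */
    if (ch < 0 || ch >= NUM_CHANNELS || val < 0 || val > 255) return false;
    return set_channel((int)ch, (int)val);
}

int main(void) {
    /* Constructed inputs: one valid command, one out-of-range index. */
    bool ok = handle_command("2 128") && !handle_command("7 1");
    return ok ? 0 : 1;
}
```

The same checks apply unchanged inside an Arduino sketch; only the source of `line` (serial, Ethernet) differs.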

PLCs are prime targets for cyber attacks, such as the Siemens PLCs controlling the machines in the Iranian uranium enrichment facilities.

Most Arduinos don’t have enough connectivity for security to be an issue. If they DO have a connection (via Ethernet or serial, for instance), security (or the lack of it) is entirely up to the individual Arduino “sketch”; the Arduino core itself doesn’t have a standardized enough interface to have attack vectors.

PLCs have quite a high price tag when you look at MIPS/EURO or MB/EURO.
But that is really not the point. There are a multitude of reasons for using PLCs:

  • Electrical robustness: PLCs are designed for an industrial environment and everything that comes with it, including electrical disturbances like transients. They also use standard 24V I/O or 4-20mA analog and robust field buses like Profibus or Modbus.
  • Maintainability: Despite all the years, many PLCs are still programmed in ladder. The reason for that is that any electrical engineer who can read and understand a relay schematic can read and understand a ladder program for troubleshooting, and often he can even change and/or adapt it.
  • Service life: If you choose a PLC from a major manufacturer it will have your machine or plant running for decades. Even if it goes out of production there will be support and/or compatible replacements.

What one has to understand is that the real cost is standstill cost, not investment in a CPU.
I don't think an Arduino will ever live up to the points stated above.

Robustness isn't the same thing as security which is why I asked the question,
and robustness can involve lifetime, surviving harsh environments, vibration
resistance, dust etc etc.

Knowing what sort of commercial product would help work out which issues
are important (office or factory, indoors / outdoors, etc etc).

And did you mean "security" or "safety" in the original post?

In Danish we have one word covering both, but the meanings in English of these two words are quite different.

http://ruggedcircuits.com/html/ruggeduino.html

Thank you so much for all the answers. When I sum up all the things, PLCs have advantages in electrical robustness and coding, with their high prices.

I asked about a PLC for my greenhouse project and it is 300$ (ENDA ELC386R and EXM88R 16 IN 14 OUT).

As I said, I am trying to make a commercial greenhouse project. My target greenhouses are dust free, no vibration, etc.

Using a PSU is not enough for IO protection, right? Do you have any idea about Ruggeduino?

Do you think it is too risky to use Arduino?

beingobserver:
Do you think it is too risky to use Arduino?

With the right electrical design? No.

Without the right electrical design? Your PLC will fail, too.

300s for a greenhouse? Definitely overkill.

nilton61:
300s for a greenhouse? Definitely overkill.

I guess it will depend on the kind of greenhouse?
If it is commercial, and he is growing skunk tomatoes worth a fortune, it is not much.

If it is a backyard project I agree that it is on the high side.
(But then again, I know people who have orchids worth a fortune, just for the fun of it)

Thank you for all the answers. It helped a lot to compare PLC and Arduino.

Actually I don't know what would be produced with the machine, it depends on the customer. It would be orchid or lettuce :)

I will try to find out how I can have someone design a custom PCB which consists of an Arduino Mega, some of its shields for internet connection, display, sensor connections, etc.

If you want to share your opinion, any help would be appreciated.

Thank you.

Another subject to consider is personal safety and prevention of accidents. Does your machine need E-stops or light barriers or similar? In that case the most viable would be sourcing these from well known manufacturers.

find out how can I have someone to design a custom pcb

There are a few people here who do contract design work, Crossroads, myself and others.

If you get to that point maybe post in the "Gigs and collaborations" section.


Rob

Assuming we are not talking anything more than plain vanilla Arduino (not DUE or some other larger variant) then we are talking about something like an ATMEGA328.

A commercial design based on a generic Arduino (bootloader and all) is rather crude since it really is just an enhanced development platform. From a coding perspective, you have made it easy for someone to replace your firmware. Maybe that is not a concern... but to others it is a big security issue. You are also subject to any coding errors made by 3rd party library developers.

Consider that the Arduino is mostly a "proof of concept" solution. A commercial product really should get re-written from the ground up when creating the final embedded device using your own AVRGCC code.

Using the AVR Atmega328, programmed via ISP (maybe carefully crafted in AVRGCC and not using "sketchy" libraries), without the bootloader, and with security fuse bits engaged means that you have a good standalone solution that is reasonably secure, and you are using the 328 as an embedded controller... as Atmel intended.

@nilton61 I think there won't be an e-stop or light barrier. Thanks

@Graynomad Thank you so much, I didn't know about the "Gigs and collaborations" section, I will post there soon (when I am a bit sure about what I need)

@pwillard You are right, an Arduino based new PCB design may be crude for the commercial product.
I thought it would be easier and cheaper to build upon Arduino Mega.
I am not experienced in PCB design & manufacture.

Do you think designing a PCB from 0 is more suitable & secure for the long term?

Reminds me of something I saw the other day.

One of the weak points (maybe the weakest point) of using Arduinos for embedded solutions is the edge connectors. The connection you get with them by poking in a wire is rubbish and they can fall out very easily (leading to death if it’s the GND wire that falls out).

You can get Arduinos without headers and this lets you solder wires directly to the board (the official Leonardo even has a “headerless” version). This is much better.

But how’s this for a solution: Arduino Pro mini with screw terminals…!

miniscrew.jpg