A Secure Dual-MCU Architecture for Robust Communication of IIoT Devices by Niedermaier, Matthias et al.
A SECURE DUAL-MCU ARCHITECTURE FOR ROBUST
COMMUNICATION OF IIOT DEVICES
A PREPRINT
Matthias Niedermaier
Hochschule Augsburg
matthias.niedermaier@hs-augsburg.de
Dominik Merli
Hochschule Augsburg
dominik.merli@hs-augsburg.de
Georg Sigl
TU Mu¨nchen
sigl@tum.de
August 13, 2019
ABSTRACT
The Industrial Internet of Things (IIoT) has already become a part of our everyday life be it water
supply, smart grid, or production, IIoT is everywhere. For example, factory operators want to know
the current state of the production line. These new demands for data acquisition in modern plants
require industrial components to be able to communicate. Nowadays, network communication in
Industrial Control Systems (ICSs) is often implemented via an IP-based protocol. This intercommu-
nication also brings a larger attack surface for hackers. If an IIoT device is influenced by attackers,
the physical process could be affected. For example, a high network load could cause a high Central
Processing Unit (CPU) load and influence the reaction time on the physical control side. In this
paper, we introduce a dual Microcontroller Unit (MCU) setup to ensure a resilient controlling for
IIoT devices like Programmable Logic Controllers (PLCs). We introduce a possible solution for
the demand of secure architectures in the IIoT. Moreover, we provide a Proof of Concept (PoC)
implementation with a benchmark and a comparison with a standard PLC.
Keywords security, robust, iiot, industrial control system
©2019 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current
or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective
works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works. DOI:
10.1109/MECO.2019.8760188 – http://dx.doi.org/10.1109/MECO.2019.8760188
1 Introduction
New demands for data collection in industrial plants call for a higher degree of networking. This partly dissolves the
historical air gap segmentation between office and operational networks. In modern systems, it is possible to have
access to the Industrial Internet of Things (IIoT), e.g. through the company network. Owing to this development in the
IIoT, the attack surface is also getting larger. This will require that the individual components must be secure by design
to reduce the probability and impact of successful attacks. Considering a Programmable Logic Controller (PLC) as an
example of an IIoT device, these have a special meaning, because they mostly control a physical process. This means
that influencing a PLC could also influence the process that takes place in the real world.
Previous research has already shown that PLCs could be affected by network traffic, e.g. through cyber-attacks. One
of the first was presented by Dillon Beresford on Siemens S7 PLCs [1], where a simple message could start and stop
these PLCs. This was later demonstrated on other devices with different protocols and vulnerabilities (e.g. Phoenix
Contact [2] and Beckhoff [3]).
Another possibility to influence the cycle time behavior of a PLC is network flooding [4]. In this case, the PLC is busy
processing the network data and is not able to control the physical process in the expected way.
Most existing IIoT devices have one Microcontroller Unit (MCU) that handles the network and input/output (IO)
operations. If this microcontroller can be influenced, then the behavior of the physical inputs and outputs are also
affected. For the real world, this means that the physical process controlled by the PLC is vulnerable.
ar
X
iv
:1
90
8.
04
13
3v
1 
 [c
s.C
R]
  1
2 A
ug
 20
19
A Secure Dual-MCU Architecture for Robust Communication of IIoT Devices A PREPRINT
As a result, secure architectures for IIoT devices are necessary [5], [6]. The IIoT architecture comprising two MCUs,
a network MCU (NW-MCU), and an IO-MCU handling the connection to the sensors and actuators, presented in this
paper, offers the following advantages compared to most existing solutions:
• A well-controlled communication between the two microcontrollers reduces intentional and unintentional
influencing of the physical process.
• Compared to a software solution, e.g. based on a single MCU and an Real-time Operating System (RTOS) [7],
a vulnerability in the hardware or software of the network MCU will not directly influence the IO MCU.
• The reduced code size on the IO MCU reduces testing effort, e.g. for safety certifications, because the critical
code size is smaller.
• By using a unidirectional connection [8] from the IO MCU to the network MCU, it is possible to monitor
without influencing.
The paper is structured as follows. Section 2 explains the methodology behind a dual controller setup for secure
controlling and gives the necessary background. In Section 3, the Proof of Concept (PoC) implementation is illustrated.
Section 4 compares the robustness against Denial of Service attacks of the secure architecture and a commercial PLC.
Finally, a conclusion is given in Section 5.
2 Methodology and Background
One of the simplest attacks in networks is a Denial of Service (DoS) flooding attack [9]. This means that as many
packets as possible are sent into a network, to either interfere with the network communication or to generate a high
CPU load on the target in such a way that other programs cannot be processed properly. The effects are especially
dangerous for IIoT devices such as PLCs, as they interact with the physical world, resulting in serious damage or
injury. Haddadin et al. showed how strong robots that interact with humans can injure them [10]. This cannot only
happen because of a bug in the program, but also due to DoS attacks over the network. Therefore, the communication
part of PLCs should be designed in such a way that it does not influence the control part.
There are secure architectures for complete chips with patents available on the market [11]. This concept requires deep
knowledge and no standard MCU can be used, which may make the end product expensive. Alves et al. introduced an
open-source Linux-based PLC and implemented an Intrusion Detection System (IDS) as a DoS protection [12]. How-
ever, the used method only partially protects against DoS attacks, implementation errors, and zero day vulnerabilities.
Furthermore, it is currently only feasible for Linux-based systems. They also show that the program execution time
on current PLCs varies during their tests.
Fig. 1 shows the principle of our secure architecture introduced in this paper with a dedicated network and IO MCU.
The network MCU handles the communication over Ethernet and Modbus/TCP. Configuration information and control
data are submitted without influencing the IO MCU. For this to happen, the IO control must be handled in a predefined
time slice by the IO MCU to ensure a certain response time. The uncritical part is responsible for the network
communication and the critical control part, for the physical process. Influences on this critical part will affect the
real world.
Critical Control
Part
Uncritical
Part
MCU
Network
MCU
Control/IO
Robust
communication
IO
IO
IO
Network
Figure 1: Example architecture of a dual MCU set-up for robust controlling.
The cycle time of a PLC is the time for the execution of a complete program cycle including the communication. It
depends on the processing time of the program, which is determined by the number of instructions. Higher prioritized
tasks interrupt the cycle, thereby delaying the actual cycle. This cycle time (tcycle) is the sum of the phases that are
processed at each pass. In a simplified representation with one task, there are four phases. First of all, the inputs
get read in (tread in); this step has a constant processing time. It is independent of input changes for cyclic tasks.
Thereafter, the communication is handled (tcomm). The communication depends on external participants and can have
different runtimes. For example, if the bus speed is slow or the data size is big, the communication part takes longer.
2
A Secure Dual-MCU Architecture for Robust Communication of IIoT Devices A PREPRINT
At the end, the necessary calculation (tcalc) is done and the outputs are written back (twrite out). In this case (Eq. 1),
the cycle time (tcycle) is free-running and varies in time.
tcycle = tread in + tcomm + tcalc + twrite out (1)
For our approach, the IO MCU must have a constant runtime independent of the network MCU, which results in
the requirement of a constant cycle time (tcycle). This could be achieved by setting a timeout to the communication
between the network MCU and the IO MCU. To get a constant cycle time (tcycle) of the IO MCU, a delay (tdelay) is
inserted to equalize time fluctuations. The calculation of the delay is shown in Eq. 2.
tdelay = tcycle − (tread in + tcomm + tcalc + twrite out) (2)
It must be ensured that the cycle time (tcycle) is higher than the maximum time, which can pass through the four
phases in Eq. 1. Therefore, the maximum time of each phase must be limited depending on the desired cycle time.
The behavior, which is illustrated in Eq. 2, must be represented by the IO MCU and runs independent of the NW
MCU.
3 PoC Implementation
To prove the feasibility of the introduced method, a PoC implementation is necessary. The focus is on the robust
communication between the two MCUs and the real-time behavior of the IO control during flooding attacks.
3.1 PoC Hardware
The hardware of the secure architecture consists of the network board and the IO shield, which are connected. Tab. 1
shows the specification of the hardware used. The MCU on the network board is faster but more expensive than the
IO MCU.
Table 1: Specification of the used hardware for the PoC implementation.
Hardware Network Board IO Shield
Board design STMicroelectronics custom
MCU STM32F767ZIT6 STM32F030F4P6
Core ARM®Cortex®-M7 Arm®Cortex®-M0
Clock up to 216 MHz up to 48 MHz
RAM 512kB 4kB
Flash 2MB 16kB
MCU price ∼ 10e ∼ 1e
For PLCs, which often costs several hundred dollars, an additional IO MCU would not render the final product much
more expensive. Furthermore, the proposed concept is possible with different MCUs, depending on the later demands.
3.1.1 Network Board Hardware
For the network MCU, a development board (STM NUCLEO-F767ZI1) is used. This MCU was chosen because, on
the one hand, this series is relatively energy-efficient, which is also used in standard PLCs, and on the other, offers
enough performance for further evaluations. The board provides an RJ45 Ethernet connector and an Arudino™ Uno
V3 connector. Additionally, an ST-Link programmer with Serial Wire Debug (SWD) and serial communication is
attached to the MCU for programming and debugging output.
3.1.2 IO Shield Hardware
The IO shield is a custom design, as there is no suitable shield for this purpose. Fig. 2 shows the shield, which is
designed to be compatible with the Arduino™ Uno V3 header. This makes the shield usable with many other boards.
1https://www.st.com/en/evaluation-tools/nucleo-f767zi.html
3
A Secure Dual-MCU Architecture for Robust Communication of IIoT Devices A PREPRINT
STM32F030F4
SWD Port
quartz crystal
IO LEDs to network boardUART
Figure 2: Rendered controller shield that is placed on top of the network MCU board.
3.2 PoC Software
As explained in Section 2, the communication part between the two MCUs does not use a constant time during
processing. This requires calculation and compensation to achieve a uniform runtime, resulting in a constant cycle
time. The software that runs on the two MCUs is fundamentally different in terms of Random-Access Memory (RAM)
and Read-only Memory (ROM) usage. Furthermore, in contrast to the IO MCU, the network MCU has no “hard” real-
time requirements. Of course, this only applies if the network communication does not have real-time requirements.
3.2.1 Network MCU
The network board has a much higher computing power than the IO board. It runs an operating system (FreeRTOS2)
to handle the different tasks in a pre-emptive multi-tasking single-core implementation. As a result, the network com-
munication with multiple subscribers can be handled through different RTOS tasks. For the network communication,
the Lightweight IP (LwIP)3 stack is used. Fig. 3 shows the configuration web server running on the network board.
This shows actual information, such as the uptime and the current state of the outputs. Furthermore, the cycle time of
the outputs on the IO MCU can be configured.
For the communication between the two boards, an Serial Peripheral Interface (SPI) with a speed of 13.5Mbit/s is
used. The network MCU is the master and continuously transmits the information to the IO MCU. If the IO MCU
does not respond within a certain time, the transmission is tried again after a delay.
3.2.2 IO MCU
The IO MCU runs a bare metal system, with the usage of the STMicroelectronics (STM) Hardware Abstraction
Layer (HAL). This makes later changes to the MCU easier if, for example, more performance is necessary. Within
this HAL, the SysTick is set to 100µs, which is also the resolution of all time-based HAL functions, such as the
timeouts of the communication functions. The sequence of the program on the IO MCU is illustrated in Fig. 4. The
start represents the initial powering of the MCU, whereon the initialization of this is done.
2https://www.freertos.org/
3https://savannah.nongnu.org/projects/lwip/
4
A Secure Dual-MCU Architecture for Robust Communication of IIoT Devices A PREPRINT
STM32F767 Dual Controller Server
Info
Called URL: / HTTP/1.1 Host: 192.168.178.210 Connection: kee
Build: Dec 28 2018 19:24:05
Uptime MS: 0006809123 ms
Free heap: 0000013520 bytes
Output PA0: L
Output PA1: L
Output PB1: L
Refresh   Soft Reset  
Config
Output PA0 in ms:
0000000001
Output PA1 in ms:
0000000001
Output PB1 in ms:
0000000001
Submit
Figure 3: Website, running on the network MCU, showing some information and allowing configuration of the network
and the IO MCU.
Initializestart
Read inputs
tread in
Communi-
cation
tcomm
Calculation
tcalc
Wait time
tdelay
Update
outputs
twrite out
res
et
tim
er
Figure 4: Program sequence to have a defined time behavior of the IO MCU. The dashed circle “Wait time” is the
additional task compared to a standard PLC cycle.
After the initialization, a continuous cycle is executed. At the start of the cycle, the timer to measure the delay is reset.
After this, the inputs are read with the HAL functions and the SPI with a timeout of 500µs is executed. The time is
chosen so that there is enough time to transfer the necessary data and a cycle time of 1ms is possible. After this, the
calculation of the new output states is done by comparing the current cycle count with the configured cycle time. In
these cycles, the varying timing which is measured with the timer must be compensated (See Eq. 2) to get a constant
cycle time. This is done in the wait state by holding it there until the desired cycle time is reached and then writing
the previous calculated outputs back. In the PoC implementation, the cycle time is set to 1ms. This is a common
minimum cycle time for commercial PLC solutions. Owing to this, multiples of 1ms can be used as the IO response
time. This is common for current commercial PLCs.
To ensure robust communication over SPI, the receive and transmit functions on the IO are implemented in a blocking
mode with a timeout. Interrupts and Direct Memory Access (DMA) are not used to prevent blocking and timing
problems through many interrupts and memory overflows by overwriting buffer boundaries. Thus, the IO MCU could
miss a transmission from the NW MCU to fulfill the real-time requirements of the IO control.
4 Benchmarking
Fig. 5 shows the PoC setup with the network board and the attached IO shield, which is used for the benchmark. For
a secure operation, the interferences on the SPI bus must be considered so that the IO MCU is not influenced. These
include flooding by the network MCU, invalid data, and shortcuts. The current PoC is not protected by cryptographic
mechanisms. Nevertheless, the SPI communication cannot influence the IO MCU.
Additionally, to show the stability of the concept during network flooding attacks, the cycle time is measured during a
flooding attack. For the measurements, a PicoScope 2208B Universal Serial Bus (USB) oscilloscope is used. With this,
the measured data can be exported and analyzed. Fig. 6 shows the cycle time of our implementation over time during
5
A Secure Dual-MCU Architecture for Robust Communication of IIoT Devices A PREPRINT
RJ45 network
IO shield
SWD Port
Arduino™ Uno V3 connector
Figure 5: Image showing the complete setup with the network MCU board and the IO shield.
pre-idle, hping34 flooding attack, and post-idle. The jitter is only about 10µs, which is equivalent to 1% deviation.
The cycle time is similar in all phases and is not influenced by the attack.
0 10 20 30 40 50 60
s
0.990
0.995
1.000
1.005
1.010
1.015
C
y
cl
e
ti
m
e
in
m
s
Pre idle Attack Post idle
Figure 6: Time plot of the 1ms cycle time during pre-idle, attack, and post-idle of our secure implementation. The
jitter is about 10µs, which is equal to a deviation of 1%.
Furthermore, our implementation is compared with a standard PLC. As this reference, a Wago PLC (HW:750-8100
SW:02.05.23(08)) is used, which is a current PLC from this vendor. This should not be regarded as an opinion about
this product, but as a reference for comparison.
Fig. 7 shows the boxplot of our secure PoC implementation during pre-idle, attack, and post-idle. The measurement
duration of each phase is 60s. The PoC introduced in this paper has a fixed cycle time of 1ms and the PLC from
Wago has a default of 10ms. For this reason, our implementation toggles the output every 10 cycles to allow a direct
comparison. The maximum jitter during idle is less than 1% for the secure architecture and about 300% for the Wago
PLC. The DoS attack is done with hping3 in the flooding mode. No difference was observed in the cycle time on our
PoC implementation during pre-idle, attack, and post idle. On the common PLC (Fig. 8), the attack slows down the
cycle time noticeably [4]. The density representation (Fig. 9) shows that our PoC implementation is stable and only
varies in a small range. In contrast, Fig. 10 shows that on a common controller a flooding attack could influence the
cycle time. In this case, it ranges up to a cycle time of 100ms (Factor 10 slower), where the outputs of the PLC are not
4https://www.spirent.com/
6
A Secure Dual-MCU Architecture for Robust Communication of IIoT Devices A PREPRINT
Pre idle Attack Post idle
0
25
50
75
100
C
y
cl
e
ti
m
e
in
m
s
Figure 7: Boxplot of the cycle time of our approach during hping3 attack. A constant cycle time is set to 10ms during
all phases.
Pre idle Attack Post idle
0
25
50
75
100
C
y
cl
e
ti
m
e
in
m
s
Figure 8: Boxplot of cycle time of the Wago PLC during hping3 attack, with variances during idle and influences
during attack.
updated. The comparison between our secure architecture presented here and a current PLC shows that our proposed
solution is feasible and stable.
5 Conclusion
The presented architecture allows a secure and robust operation of an IIoT device in a network environment. This is
achieved by a dual MCU architecture where one takes over the hard timing requirements and the second controller
handles the network communication. This ensures that even with weak points in the software implementation, e.g.
vulnerabilities in the network stacks or the operating system, the physical process is not affected. For future devices,
it is also possible to separate the power supply and galvanically isolate the communication to reduce the possibilities
of hardware attacks and failures.
0.0 2.5 5.0 7.5 10.0 12.5 15.0 17.5 20.0
Cycle time in ms
0
200
400
D
en
si
ty
Pre idle
Attack
Post idle
Figure 9: Density plot of the 10ms cycle time of our implementation during hping3 attack.
7
A Secure Dual-MCU Architecture for Robust Communication of IIoT Devices A PREPRINT
0.0 2.5 5.0 7.5 10.0 12.5 15.0 17.5 20.0
Cycle time in ms
0.0
0.5
D
en
si
ty
Pre idle
Attack
Post idle
Figure 10: Density plot of the cycle time of the Wago PLC during hping3 attack influenced during the attack.
In this paper, we have also shown the feasibility of our robust architecture by a PoC implementation on a Cortex®-M7
MCU for the network tasks combined with a Cortex®-M0 MCU for the time-critical IO handling. The network MCUs
runs FreeRTOS and the IO MCU runs a bare metal system. They communicate over SPI with each other in such a
way that the timing behavior is predictable. Our benchmark experiments have shown that physical controlling can be
influenced by a deviation maximum of the cycle time of under one percent. These experiments were performed during
a simulated DoS flooding attack. The results show that our dual MCU approach is a feasible solution against these
kinds of network attacks on IIoT devices such as PLCs.
References
[1] D. Beresford, “Exploiting Siemens Simatic S7 PLCs,” Black Hat USA, vol. 16, no. 2, pp. 723–733, 2011.
[2] M. Niedermaier, F. Fischer, and A. von Bodisco, “PropFuzz - An IT-security Fuzzing Framework for Proprietary
ICS Protocols,” in 2017 International Conference on Applied Electronics (AE), Pilsen, pp. 1–4, 2017.
[3] G. Bonney, H. Ho¨fken, B. Paffen, and M. Schuba, “ICS/SCADA Security Analysis of a Beckhoff CX5020 PLC,”
in Information Systems Security and Privacy (ICISSP), 2015 International Conference on, pp. 1–6, IEEE, 2015.
[4] M. Niedermaier, J.-O. Malchow, F. Fischer, D. Marzin, D. Merli, V. Roth, and A. von Bodisco, “You Snooze,
You Lose: Measuring PLC Cycle Times under Attacks,” in 12th USENIX Workshop on Offensive Technologies
(WOOT 18).
[5] A. A. Ca´rdenas, S. Amin, and S. Sastry, “Research Challenges for the Security of Control Systems.,” in HotSec,
2008.
[6] A. A. Ca´rdenas, S. Amin, and S. Sastry, “Secure Control: Towards Survivable Cyber-Physical Systems,” in
Distributed Computing Systems Workshops, 2008. ICDCS’08. 28th International Conference on, pp. 495–500,
IEEE, 2008.
[7] T.-S. Nguyen and T.-H. Huynh, “Design and Implementation of Modbus Slave based on ARM Platform and
FreeRTOS Environment,” in Advanced Technologies for Communications (ATC), 2015 International Conference
on, pp. 462–467, IEEE, 2015.
[8] A. Zilberstein and L. Frenkel, “Protection of Control Networks Using a One-way Link,” Jan. 19 2010. US Patent
7,649,452.
[9] C. L. Schuba, I. V. Krsul, M. G. Kuhn, E. H. Spafford, A. Sundaram, and D. Zamboni, “Analysis of a Denial of
Service Attack on TCP,” in Security and Privacy, 1997. Proceedings., 1997 IEEE Symposium on, pp. 208–223,
IEEE, 1997.
[10] S. Haddadin, A. Albu-Scha¨ffer, and G. Hirzinger, “Safety Evaluation of Physical Human-Robot Interaction via
Crash-Testing,” in Robotics: Science and Systems, vol. 3, pp. 217–224, 2007.
[11] T. L. Fruehling and T. L. Helm, “Secured Microcontroller Architecture,” Dec. 27 2005. US Patent 6,981,176.
[12] T. Alves, R. Das, and T. Morris, “Embedding Encryption and Machine Learning Intrusion Prevention Systems
on Programmable Logic Controllers,” IEEE Embedded Systems Letters, 2018.
8
