Secure S1 Cellular Routers
Secure boot, integrity checks, compliance with the most up-to-date cryptographic and security recommendations… S1 Routers represent an entirely new standard in security and cybersecurity threat resistance for Advantech Cellular Routers.
Combining hardware capabilities (CPU, OTP memory) with a hardened Linux/ICR-OS, S1 Routers keep the simplicity of web-based configuration but limit the flexibility known from our standard open-platform products in exchange for a higher security level.
S1 Routers are suited to applications where compliance with IEC 62443-4-2 SL1 (level 1), BSI IT Security label rules and others is required. For currently available formal certification, take a look at the datasheets for relevant router models or contact Advantech support.
S1 Router Differentiation
Key Differences Between S1 Routers and Standard Routers | S1 Routers | Standard products |
---|---|---|
Compliance with IEC 62443-4-2 SL1 (level 1), BSI IT Security label rules and requirements* | Yes | No |
Secure boot | Yes | No |
Read-only filesystem with integrity checks | Yes | No |
Default username | admin | root |
Router App format | .raw | .tgz |
Min password requirements** | 12 chars, 3 classes | 6 chars, 1 class |
Mandatory account lock | Yes | No |
Available cryptographic algorithms** | strong only | both weak and strong |
Web Admin | HTTPS only | HTTP and/or HTTPS |
OpenVPN Security Level | 2 (medium) .. 5 (very high) | 0 (weak) .. 5 (very high) |
FTP and Telnet | No | Yes |
FW Support End indicator | Yes | No |
Advanced Intrusion Detection Environment (AIDE) | Yes | No |
Encrypted firmware image | Yes | No |
Using scripts*** | No | Yes |
Root access (sudo) | limited set of commands | full |
Wi-Fi AP/Station "Extra Options" | No | Yes |
HTTP Content-Security-Policy | strict | permissive |
Persistent syslog | mandatory | optional |
IPsec aggressive mode | No | Yes |
Persistent data storage | combined (/var) | router apps (/opt), user data (/var/data) |
* Compliance does not mean formal approval; for scope of available formal approvals, contact the producer.
** Weak algorithms: strength < 128 bits (e.g. DES, 3DES, MD5, SHA-1, RSA-1024/2048)
Strong algorithms: strength ≥ 128 bits (e.g. SHA-256+, RSA-3072+, ED25519)
More info: Strength criteria explained in Security Guidelines, Section 1.2
*** The only way to use scripts is to convert required scripts into S1 Router Apps.
The differences listed above outline the general use and suitability of each product line for different customer applications. Standard products provide great flexibility to configure the router for almost any application. The limits of S1 Routers need to be reviewed carefully against the application requirements to decide whether they are a suitable choice.
S1 Router GUI
What remains the same is the familiar look of the S1 Router's web interface for configuration. Customers can operate a familiar interface, logically segmented into categories.
S1 Router availability and production
S1 Routers are only available for selected router models. You can easily identify them by the “-S1” suffix at the end of the part number (e.g., ICR-2734-S1). It is possible to expand the list to include other part numbers, depending on project volume and technical feasibility (not all routers in our production range can be modified to become S1 Routers). This requires prior agreement, after which a new part number must be created for ordering.
Throughout their lifecycle, S1 Routers benefit from regular updates provided specifically for this product group, using a dedicated firmware branch called ICR-OS S1, available on our website. As noted above, uploading this firmware to standard units is not possible. The ICR-OS S1 firmware branch is developed exclusively to work with S1 Routers.
S1 Router compatibility
S1 Routers do not support native scripting for security reasons, unlike standard products. However, it is possible to extend the standard firmware functionality using well-known Router Apps. These Router Apps differ from those used with the standard ICR-OS firmware, so it is necessary to use dedicated S1 Router Apps, which have the “.raw” extension. Customers can also develop their own S1 Router Apps in the .raw format. In such cases, the developer is fully responsible for the security of the software they create.
It is also possible to use S1 Routers in combination with other routers and various monitoring or management systems, provided the communication scenario in the application allows it (see the S1 Routers Differentiation chapter mentioned earlier).
FAQ
.raw format and upload it to the router(s).
.raw extension, can be used. See the list here.