OCF‑over‑Thread: Cascoda’s Certified Module Fuses OCF PKI with Thread, Delivering Secure, Scalable IP Mesh for Smart Buildings

In the evolving IoT landscape, two persistent challenges—interoperability across a sea of standards and robust security—continue to hinder widespread adoption in smart homes and commercial building automation.

OCF‑over‑Thread, engineered by Cascoda, tackles both issues head‑on. As a certifiable end‑to‑end solution, it streamlines product development for smart‑home and smart‑building applications by combining the secure application layer of OCF with Thread’s low‑power, IPv6‑based network layer. Thread’s mesh architecture, built on open IEEE 802.15.4 standards, can seamlessly and securely connect thousands of devices without a single point of failure.

Thread’s self‑healing, interference‑resistant mesh ensures reliable connectivity, while OCF guarantees device‑to‑device and device‑to‑cloud communication that is authenticated and encrypted. The OCF‑over‑Thread stack leverages public‑key infrastructure (PKI) for authentication and incorporates continuous vulnerability management for rapid threat response.

Certified, IP‑Based Mesh Platform for Large‑Scale Deployments

Since its debut two years ago, Cascoda has integrated OCF and Thread via a Thread border router (an OpenThread‑based IP gateway) and ultra‑low‑power IoT nodes. The company’s hardware embeds a trusted execution environment (TEE) that securely stores OCF PKI keys and permits only signed firmware, a prerequisite for trustworthy IoT devices.

Today, Cascoda offers the industry’s first OCF‑certified, low‑power module that supports both IP (Thread) and PKI security (OCF). Built on an open‑source SDK, the Chili2D module delivers OCF’s secure IP framework, Thread’s IPv6 mesh layer, the necessary Thread IP router, and seamless cloud connectivity.

The platform’s security is reinforced by a root of trust, cryptographic acceleration, and tamper‑protection features. These attributes earned the module European and UK IoT security attestations under the IASME “IoT Security Assured” scheme, aligning with OCF’s goal of privacy‑respecting, end‑to‑end IoT deployments.

By enabling secure IP connectivity for low‑power devices, this module supports OCF’s broader mission of driving demand‑side energy efficiencies in building automation and smart‑city infrastructure. It also marks progress toward the IP‑BLIS vision, a coalition that includes OCF, KNX, DALI, BACnet, Thread Group, and Connectivity Standards Alliance, to promote a secure, multi‑standard IP foundation.

OCF Chair Mark Trayer remarked, “For the first time, low‑power mesh devices can leverage a chain of trust built on OCF PKI, delivering end‑to‑end encryption over IP.” He added, “This unlocks scalable, secure deployments—such as a city‑wide street‑lighting network that can grow to include air‑quality or traffic monitoring—while granting stakeholders granular, permission‑based data access.”

CEO Bruno Johnson, OCF member, highlighted the breakthrough: “By marrying OCF’s security with Thread’s low‑power networking in a certified platform, we’ve made battery‑powered devices addressable over the internet without a costly gateway. This opens up secure, large‑area IP mesh networks for smart building and city applications.”

In an interview with embedded.com, Johnson noted that X.509 PKI can now be deployed on an M23 microcontroller, delivering banking‑grade security for IoT devices. “Manufacturers can rapidly assemble end‑to‑end, cloud‑based building management systems while retaining full ownership of the ecosystem.”

The Cascoda Chili2D Module

Chili2D is a Thread‑based wireless module powered by an Arm Cortex‑M23. It offers 512 kB flash, 96 kB SRAM, and runs at 48 MHz—tight constraints that test the limits of the OCF stack.

Thread’s low‑power, self‑forming mesh differs from Wi‑Fi by enabling battery‑powered, cost‑effective deployments and supporting hundreds of devices with automatic reconfiguration.

Because Thread is application‑layer agnostic, Chili2D can host multiple protocols simultaneously—DNS, SNTP, and OCF—on the same network. The OCF stack, illustrated below, combines CoAP, DTLS, and AES to secure communications.

CoAP delivers a REST‑like interface for constrained devices, while DTLS provides PKI‑based authentication and AES encryption for data confidentiality. The synergy of IPv6/UDP in Thread and OCF makes the protocol stack a natural fit.