Embedded Security and the IoT – Challenges, Trends and Solutions
Download as PPTX, PDF•6 likes•2,362 views
The document discusses data-centric security for the Industrial Internet of Things (IIoT) and highlights the role of RTI in fostering interoperability among over 159 organizations. It emphasizes the advantages of the Data Distribution Service (DDS), such as reliability, security features, and efficient data management. Additionally, it details the DDS security model, which includes per-topic access control, encryption, and authentication, aimed at protecting IIoT systems from cyber threats.
Embedded Security and the IoT – Challenges, Trends and Solutions
- 1. Data Centric Security for the Industrial IoT Stan Schneider, RTI CEO IIC Steering Committee Member
- 2. The smart machine era will be the most disruptive in the history of IT -- Gartner 2015
- 3. The Industrial Internet of Things Industrial Internet of Things (IIoT) Consumer Internet of Things (CIoT) Cyber-Physical Systems (CPS)
- 5. The Industrial Internet Consortium • Goal: Interoperability for the IIoT • 159+ companies! • RTI role – Steering committee, data management (co-lead), architecture, security (co-lead), use case (co-lead), marketing – Lead or co-lead 4 testbed teams
- 6. RTI Named Most Influential IIoT Company
- 7. RTI’s Experience • ~800 Designs – Healthcare – Transportation – Communications – Energy – Industrial – Defense • 15+ Standards & Consortia Efforts
- 8. Why Choose DDS? • Reliability: Severe consequences if offline for 5 minutes? • Performance/scale: – Measure in ms or µs? – Or scale > 20+ applications or 10+ teams? – Or 10k+ data values? • Architecture: Code active lifetime >3 yrs? 2 or 3 Checks?
- 9. DDS is Different! Point-to-Point TCP Sockets Publish/Subscribe Fieldbus CANbus Queuing AMQP Active MQ Client/Server MQTT REST XMPP OPC CORBA Brokered Daemon Data-Centric DDS Shared Data Model DataBus
- 10. Data Centric is the Opposite of OO Object Oriented • Encapsulate data • Expose methods Data Centric • Encapsulate methods • Expose data Explicit Shared Data Model
- 11. Data-Centric Connection = Data-Path Control • Global Data Space – Automatic discovery – Read & write data in any OS, language, transport – Redundant sources/sinks/nets • Type Aware • QoS control – Timing, Reliability, Ownership, Redundancy, Filtering, Security Shared Global Data Space DDS DataBus Patient Hx Device Identity Devices SupervisoryCDS Physiologic State NursingStation Cloud Offer: Write this 1000x/sec Reliable for 10 secs Request: Read this 10x/sec If patient = “Joe”
- 12. Data-Centric Security Model • Per-Topic Security – Control r,w access for each function – Enforce each dataflow • Complete Protection – Discovery authentication – Data-centric access control – Cryptography – Tagging & logging – Non-repudiation – Secure multicast – 100% standards compliant • No code changes! • Plugin architecture for advanced uses • Topic Security model: – PMU: State(w) – CBM: State(r); Alarms(w) – Control: State(r), SetPoint(w) – Operator: *(r), Setpoint(w) CBM AnalysisPMU Control Operator State Alarms SetPoint
- 13. Demanding Use Cases • The USS SECURE cybersecurity test bed is a collaboration between: – The National Security Agency – Department of Defense Information Assurance Range Quantico – Combat Systems Direction Activity Dam Neck – NSWCDD – NSWC Carderock/Philadelphia – Office of Naval Research – Johns Hopkins University Applied Physics Lab – Real Time Innovations, Inc. • Objectives – Immunize against cyberattack and to rapidly recover when impacted – Determine the best cyberdefense technologies without impacting real time deadline scheduled performance http://www.navy.mil/submit/display.asp?story_id=79228
- 14. DDS Security Standard • DDS entities are authenticated • DDS enforces topic-level access control • DDS maintains data integrity and confidentiality • DDS enforces non- repudiation • DDS provides availability …while maintaining DDS interoperability & high performance
- 15. Pluggable Security Architecture App. Other DDS System Secure DDS middleware Authentication Plugin Access Control Plugin Cryptographic Plugin Secure Kernel Crypto Module (e.g. TPM ) Transport (e.g. UDP) application componentcertificates ? Data cache Protocol Engine Kernel Policies DDS Entities Network Driver ? Network Encrypted Data Other DDS System Other DDS System App.App. Logging Plugin DataTagging Plugin MAC
- 16. Standard Capabilities (Built-in Plugins) Authentication X.509 Public Key Infrastructure (PKI) with a pre-configured shared Certificate Authority (CA) Digital Signature Algorithm (DSA) with Diffie-Hellman and RSA for authentication and key exchange Access Control Configured by domain using a (shared) Governance file Specified via permissions file signed by shared CA Control over ability to join systems, read or write data topics Cryptography Protected key distribution AES128 and AES256 for encryption HMAC-SHA1 and HMAC-SHA256 for message authentication and integrity Data Tagging Tags specify security metadata, such as classification level Can be used to determine access privileges (via plugin) Logging Log security events to a file or distribute securely over Connext DDS
- 17. Secure DDS over UDP Control Station Master Device Transmission Substation Slave Device Security Needs Protection and Detection DNP3 over RS232/485 DNP3 over Ethernet DNP3 over DDS Attack Detector Display Anomaly Detector (Lua) Scada Converter (C++) Slave Device Existing DNP3 RTI Routing Service ComProcessor RTI Routing Service ComProcessor Secure DDS DDS DDS
- 18. About RTI • Market Leader – 800+ designs; $1T designed-in value • Over 70% DDS mw market share1 • Largest embedded middleware vendor2 – By far the most DDS designs – 2013 Gartner Cool Vendor for technology and Open Community Source model • Standards Leader – Active in 15 standards efforts – DDS authors, chair, wire spec, security, more – IIC steering committee; OMG board • Team Quality Leader – Stanford research pedigree – High-performance, control, systems experts – Top quality product, processes, execution – Consistent head-to-head victors 1Embedded Market Forecasters 2VDC Analyst Report
- 19. Industrial Internet of Things Thought Leader • RTI FastTrax IIoT Strategic Consulting – Architectural guidance – Security design – Cloud integration – Business objectives
- 20. For More Information • RTI site: www.rti.com • Examples, forum, papers: community.rti.com • IIC website: www.iiconsortium.org • Email: [email protected] • Connect on LinkedIn • Free RTI Connext DDS Pro: www.rti.com/downloads
- 21. The DDS Data-Centric Standard for the IIoT • OMG’s Data Distribution Service is the Proven Data Connectivity Standard for the IoT • OMG: world’s largest systems software standards org – UML, DDS, Industrial Internet Consortium • DDS: open & cross-vendor – Open Standard & Open Source – 12 implementations Interoperability between source written for different vendors Interoperability between applications running on different implementations DDS-RTPS Protocol Real-Time Publish-Subscribe Distribution Fabric DDS API
- 22. This is addressed by DDS Security Security Boundaries • System Boundary • Network Transport – Media access (layer 2) – Network (layer 3) security – Session/Endpoint (layer 4/5) security • Host – Machine/OS/Applications/Files • Data & Information flows Ultimately, you need to implement all!
- 23. DDS Security Model Concept Unix Filesystem Security Model DDS Security Model Subject User Process executing for a user DomainParticipant Application joining a DDS domain Protected Objects Directories Files Domain (by domain_id) Topic (by Topic name) DataObjects (by Instance/Key) Protected Operations Directory.list, Directory.create (File, Dir) Directory.remove (File, Dir) Directory.rename (File, Dir) File.read, File.write, File.execute Domain.join Topic.create Topic.read (includes QoS) Topic.write (includes QoS) Data.createInstance Data.writeInstance Data.deleteInstance Access Control Policy Control Fixed in Kernel Configurable via Plugin Builtin Access Control Mode Per-File/Dir Read/Write/Execute permissions for OWNER, GROUP, USERS Per-DomainParticipant Permissions : What Domains and Topics it can JOIN/READ/WRITE