Cybersecurity and Industrial IoT Control Systems
The Connectivity Platform for the Industrial Internet of Things™
Industrial Internet of Things (IIoT)
©2016 Real-Time Innovations, Inc.
IIoT Systems Are Distributed
[Figure: a distributed system made up of Sensors, Actuators, Streaming Analytics & Control, HMI/UI, and IT, Cloud & SoS Connectivity]
IIoT Systems Are Distributed
[Figure: the same distributed-system diagram, annotated "Potential Vulnerability"]
Threats
Challenge: Security with Other Demanding Requirements
• Scalable real-time performance
• High reliability, resilience and safety
• Autonomous operation
Data Distribution Service (DDS) Standard
[Figure: Data Distribution Service (DDS) connecting Sensors, Actuators, Streaming Analytics & Control, HMI/UI, and IT, Cloud & SoS Connectivity]
Key DDS Features
• Decentralized architecture
  – Peer-to-peer communication
  – No message brokers or servers
  – Low latency and high scalability
  – No single point of failure
• Multicast
  – Efficient broad data distribution
• Automatic discovery
  – Systems are self-forming and self-healing
• Real-time Quality of Service
  – Control over & visibility into timing
[Figure: Data Distribution Service (DDS) connecting Sensors, Actuators, Streaming Analytics & Control, HMI/UI, and IT, Cloud & SoS Connectivity]
Publish/Subscribe for Loose Coupling
[Figure: a DDS Software Data Bus shared by a Sensor, an Actuator, a Control App and a Display App, which exchange Sensor Data, Commands and Status over the bus rather than through direct connections]
Use with New and Existing Systems
[Figure: New and Updated Apps (a DDS App on the DDS Library via the DDS API, over a Transport) and Existing, Unmodified Apps and (Sub)Systems (a Non-DDS App reached through a DDS Routing Service Adapter over OS & Transport), interoperating via the DDS-RTPS Interoperability Protocol]
Security Boundaries
• System Boundary
• Network Transport
  – Media access (layer 2)
  – Network (layer 3) security
  – Session/Endpoint (layer 4/5) security
• Host
  – Machine/OS/Applications/Files
• Data & Information flows
This is addressed by DDS Security
Data Security - Threat Model
1. Unauthorized subscription
2. Unauthorized publication
3. Tampering and replay
4. Unauthorized access to data by infrastructure services
Alice: Allowed to publish topic ‘T’
Bob: Allowed to subscribe to topic ‘T’
Eve: Non-authorized eavesdropper
Trudy: Intruder
Mallory: Malicious insider
Trent: Trusted infrastructure service
[Figure: Alice, Bob, Eve, Trudy, Trent and Mallory attached to the same data bus]
Plugin Approach
• Requires trivial or no change to existing DDS apps and adapters
• Runs over any transport
  – Including low bandwidth, unreliable
  – Does not require TCP or IP
  – Multicast for scalability, low latency
• Completely decentralized
  – High performance and scalability
  – No single point of failure
• Fine grained control
  – Which data is encrypted and/or signed
  – Access control
[Figure: an Application on top of the Secure DDS library with its Authentication, Access Control, Encryption, Data Tagging and Logging plugins, over Any Transport (e.g., TCP, UDP, multicast, shared memory…)]
[Figure: three nodes on a Network, each running an Application over the Connext DDS library with Security Plugins (Authentication, Access Control, Encryption, Data Tagging, Logging) over a Transport (e.g., TCP, UDP, multicast, shared memory)]
Standard Capabilities (Built-in Plugins)
Authentication
  • X.509 Public Key Infrastructure (PKI) with a pre-configured shared Certificate Authority (CA)
  • Digital Signature Algorithm (DSA) with Diffie-Hellman and RSA for authentication and key exchange
Access Control
  • Configured by domain using a (shared) Governance file
  • Specified via permissions file signed by shared CA
  • Control over ability to join systems, read or write data topics
Cryptography
  • aes-128-ctr for encryption
  • HMAC-SHA256 for message authentication and integrity
  • aes-128-gcm, aes-192-gcm and aes-256-gcm for encryption with authentication
Data Tagging
  • Tags specify security metadata, such as classification level
  • Can be used to determine access privileges (via plugin)
Logging
  • Log security events to a file or distribute securely over DDS
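The following is an added, constructed example and not part of the RTI deck or any RTI product: it shows how the threat-model roles (Alice publishes topic ‘T’, Bob subscribes to it, everyone else is refused) and the Access Control capability above are expressed in the two documents the DDS Security specification defines, a governance file for the domain and a permissions file listing per-participant grants. The domain id 0, the subject names and the validity dates are assumptions; in a deployment the permissions file is signed by the shared CA before the library will accept it.

```xml
<!-- governance.xml (constructed): domain 0 admits only authenticated,
     access-controlled participants and protects topic T end to end -->
<dds>
  <domain_access_rules>
    <domain_rule>
      <domains><id>0</id></domains>
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>true</enable_join_access_control>
      <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
      <liveliness_protection_kind>SIGN</liveliness_protection_kind>
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <topic_rule>
          <topic_expression>T</topic_expression>
          <enable_discovery_protection>true</enable_discovery_protection>
          <enable_liveliness_protection>true</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>

<!-- permissions.xml (constructed): Alice may only publish T, Bob may only
     subscribe to T; anything not matched by an allow_rule falls to DENY -->
<dds>
  <permissions>
    <grant name="Alice">
      <subject_name>CN=Alice,O=Example Plant</subject_name>
      <validity><not_before>2016-01-01T00:00:00</not_before><not_after>2017-01-01T00:00:00</not_after></validity>
      <allow_rule>
        <domains><id>0</id></domains>
        <publish><topics><topic>T</topic></topics></publish>
      </allow_rule>
      <default>DENY</default>
    </grant>
    <grant name="Bob">
      <subject_name>CN=Bob,O=Example Plant</subject_name>
      <validity><not_before>2016-01-01T00:00:00</not_before><not_after>2017-01-01T00:00:00</not_after></validity>
      <allow_rule>
        <domains><id>0</id></domains>
        <subscribe><topics><topic>T</topic></topics></subscribe>
      </allow_rule>
      <default>DENY</default>
    </grant>
  </permissions>
</dds>
```

With these documents in force, an unauthenticated Trudy cannot join the domain, Eve sees only ciphertext on the wire, and Mallory's valid certificate still gets no grant beyond what is listed, which is the point of pairing authentication with per-topic access control.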
rti.com/downloads
Start using DDS Today! Download the FREE complete RTI Connext DDS Pro package for Windows and Linux:
• Leading implementation of DDS
• Includes C, C++, C#/.NET and Java APIs
• Tools to monitor, debug, test, visualize and prototype distributed applications and systems
• Adapters to integrate with existing applications and IT systems