Cybersecurity Spotlight: Looking under the Hood at Data Breaches and Hardening Techniques

Page 1: Cybersecurity and Industrial IoT Control Systems
The Connectivity Platform for the Industrial Internet of Things™

Page 2: Industrial Internet of Things (IIoT)

©2016 Real-Time Innovations, Inc.

Page 3: IIoT Systems Are Distributed

(Diagram: Sensors, Actuators, Streaming Analytics & Control, HMI/UI, and IT, Cloud & SoS, joined by a Connectivity layer)

Page 4: IIoT Systems Are Distributed

(Same diagram as page 3: Sensors, Actuators, Streaming Analytics & Control, HMI/UI, and IT, Cloud & SoS joined by a Connectivity layer, with a "Potential Vulnerability" callout added)

Page 5: Threats

Page 7: Challenge: Security with Other Demanding Requirements

• Scalable real-time performance
• High reliability, resilience and safety
• Autonomous operation

Page 8: Data Distribution Service (DDS) Standard

(Diagram: the page 3 architecture with Data Distribution Service (DDS) as the Connectivity layer between Sensors, Actuators, Streaming Analytics & Control, HMI/UI, and IT, Cloud & SoS)

Page 9: Key DDS Features

• Decentralized architecture
  – Peer-to-peer communication
  – No message brokers or servers
  – Low latency and high scalability
  – No single point of failure
• Multicast
  – Efficient broad data distribution
• Automatic discovery
  – Systems are self-forming and self-healing
• Real-time Quality of Service
  – Control over & visibility into timing

(Diagram: same DDS architecture as page 8)

Page 10: Publish/Subscribe for Loose Coupling

(Diagram: a DDS Software Data Bus carrying Sensor Data, Commands and Status topics between Sensors, an Actuator, a Control App and a Display App; each application publishes or subscribes to topics on the bus rather than addressing the other applications directly)

Page 11: Use with New and Existing Systems

(Diagram: New and Updated Apps run as DDS App / DDS Library / Transport stacks using the DDS API; Existing, Unmodified Apps and (Sub)Systems attach as Non-DDS App / Adapter / DDS Routing Service / OS & Transport stacks; both sides interoperate over the DDS-RTPS Interoperability Protocol)

Page 12: Security Boundaries

• System Boundary
• Network Transport
  – Media access (layer 2)
  – Network (layer 3) security
  – Session/Endpoint (layer 4/5) security
• Host
  – Machine/OS/Applications/Files
• Data & Information flows

(Callout: This is addressed by DDS Security)

Page 13: Data Security - Threat Model

1. Unauthorized subscription
2. Unauthorized publication
3. Tampering and replay
4. Unauthorized access to data by infrastructure services

Alice: Allowed to publish topic ‘T’
Bob: Allowed to subscribe to topic ‘T’
Eve: Non-authorized eavesdropper
Trudy: Intruder
Mallory: Malicious insider
Trent: Trusted infrastructure service

Page 14: Plugin Approach

• Requires trivial or no change to existing DDS apps and adapters
• Runs over any transport
  – Including low bandwidth, unreliable
  – Does not require TCP or IP
  – Multicast for scalability, low latency
• Completely decentralized
  – High performance and scalability
  – No single point of failure
• Fine grained control
  – Which data is encrypted and/or signed
  – Access control

(Diagram: an Application on top of a Secure DDS library with Authentication, Access Control, Encryption, Data Tagging and Logging plugins, over Any Transport, e.g., TCP, UDP, multicast, shared memory…)

Page 15: (untitled)

(Diagram: three nodes on a Network, each running an Application over a Connext DDS library with Security Plugins for Authentication, Access Control, Encryption, Data Tagging and Logging, over a Transport, e.g., TCP, UDP, multicast, shared memory)

Page 16: Standard Capabilities (Built-in Plugins)

Authentication
• X.509 Public Key Infrastructure (PKI) with a pre-configured shared Certificate Authority (CA)
• Digital Signature Algorithm (DSA) with Diffie-Hellman and RSA for authentication and key exchange

Access Control
• Configured by domain using a (shared) Governance file
• Specified via permissions file signed by shared CA
• Control over ability to join systems, read or write data topics

Cryptography
• aes-128-ctr for encryption
• HMAC-SHA256 for message authentication and integrity
• aes-128-gcm, aes-192-gcm and aes-256-gcm for encryption with authentication

Data Tagging
• Tags specify security metadata, such as classification level
• Can be used to determine access privileges (via plugin)

Logging
• Log security events to a file or distribute securely over DDS
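As an added example (not code from the deck or from RTI), the threat model on page 13 and the signed-permissions and HMAC-SHA256 capabilities on page 16 can be exercised in a small Python model of a subscriber's receive-side checks: permissions first, then message integrity, then replay. It assumes a constructed CA key, topic key and permissions document, and models the CA signature with an HMAC rather than X.509, so it illustrates the checks, not the DDS Security wire format.

```python
import hashlib
import hmac
import json

# Constructed keys for this example (stand-ins for the CA key and the per-topic key); not real credentials.
CA_KEY = b"example-ca-signing-key"
TOPIC_KEYS = {"T": b"example-topic-T-key"}

def sign_permissions(perms: dict) -> dict:
    """Model of a CA-signed permissions file: {participant: {"pub": [...], "sub": [...]}}."""
    body = json.dumps(perms, sort_keys=True).encode()
    return {"body": body, "sig": hmac.new(CA_KEY, body, hashlib.sha256).digest()}

def load_permissions(signed: dict) -> dict:
    """Accept the permissions only if the CA signature verifies; an edited file is rejected."""
    expected = hmac.new(CA_KEY, signed["body"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signed["sig"]):
        raise ValueError("permissions signature invalid")
    return json.loads(signed["body"])

def tag(key: bytes, sender: str, topic: str, seq: int, payload: bytes) -> bytes:
    """HMAC-SHA256 over sender, topic, sequence number and payload (authentication + integrity)."""
    fields = json.dumps([sender, topic, seq, payload.hex()]).encode()
    return hmac.new(key, fields, hashlib.sha256).digest()

def publish(sender: str, key: bytes, topic: str, seq: int, payload: bytes) -> dict:
    """Build a tagged sample with whatever key the sender holds (an outsider only has a guess)."""
    return {"sender": sender, "topic": topic, "seq": seq, "payload": payload,
            "tag": tag(key, sender, topic, seq, payload)}

class Subscriber:
    """Receive-side checks in the order a subscriber like Bob would apply them."""
    def __init__(self, signed_perms: dict):
        self.perms = load_permissions(signed_perms)
        self.last_seq = {}  # (sender, topic) -> highest sequence number accepted so far
    def accept(self, m: dict) -> str:
        if m["topic"] not in self.perms.get(m["sender"], {}).get("pub", []):
            return "rejected: unauthorized publication"  # Mallory: insider without pub rights
        expected = tag(TOPIC_KEYS[m["topic"]], m["sender"], m["topic"], m["seq"], m["payload"])
        if not hmac.compare_digest(m["tag"], expected):
            return "rejected: tampered or forged"  # Trudy: wrong key, or payload altered in flight
        if m["seq"] <= self.last_seq.get((m["sender"], m["topic"]), 0):
            return "rejected: replay"  # an old sample re-sent by anyone who captured it
        self.last_seq[(m["sender"], m["topic"])] = m["seq"]
        return "accepted"

# Constructed permissions: Alice may publish T; Bob and Mallory may only subscribe to it.
SIGNED_PERMS = sign_permissions({"Alice": {"pub": ["T"], "sub": []},
                                 "Bob": {"pub": [], "sub": ["T"]},
                                 "Mallory": {"pub": [], "sub": ["T"]}})
```

The sequence-number check is per (sender, topic), as a real receiver would track it, so a stale sample from Alice is rejected even though a newer one from her has already been accepted.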

Page 17: Start using DDS Today!

Download the FREE complete RTI Connext DDS Pro package for Windows and Linux: rti.com/downloads

• Leading implementation of DDS
• Includes C, C++, C#/.NET and Java APIs
• Tools to monitor, debug, test, visualize and prototype distributed applications and systems
• Adapters to integrate with existing applications and IT systems