Data Centric Security for the Industrial IoT
Stan Schneider, RTI CEO
IIC Steering Committee Member
The smart machine era will be the most disruptive in the history of IT-- Gartner 2015
The Industrial Internet of Things
Industrial Internet of Things (IIoT)
Consumer Internet of Things (CIoT)
Cyber-Physical Systems (CPS)
The Industrial Internet Consortium
• Goal: Interoperability for the IIoT
• 159+ companies!
• RTI role
– Steering committee, data management (co-lead), architecture, security (co-lead), use case (co-lead), marketing
– Lead or co-lead 4 testbed teams
RTI Named Most Influential IIoT Company
RTI’s Experience
• ~800 Designs
– Healthcare
– Transportation
– Communications
– Energy
– Industrial
– Defense
• 15+ Standards & Consortia Efforts
Why Choose DDS?
• Reliability: Severe consequences if offline for 5 minutes?
• Performance/scale:
– Measure in ms or µs?
– Or scale > 20+ applications or 10+ teams?
– Or 10k+ data values?
• Architecture: Code active lifetime >3 yrs?
2 or 3 Checks?
DDS is Different!
Figure: messaging patterns compared: Point-to-Point (TCP sockets), Publish/Subscribe (Fieldbus, CANbus), Queuing (AMQP, ActiveMQ), Client/Server (MQTT, REST, XMPP, OPC, CORBA), Brokered/Daemon, and Data-Centric (DDS: shared data model, DataBus).
Data Centric is the Opposite of OO
• Object Oriented: encapsulate data, expose methods
• Data Centric: encapsulate methods, expose data (an explicit shared data model)
Data-Centric Connection = Data-Path Control
• Global Data Space
– Automatic discovery
– Read & write data in any OS, language, transport
– Redundant sources/sinks/nets
• Type Aware
• QoS control
– Timing, Reliability, Ownership, Redundancy, Filtering, Security
Shared Global Data Space
Figure: a DDS DataBus carrying the topics Patient Hx, Device Identity and Physiologic State between Devices, a Supervisory CDS, a Nursing Station and the Cloud. Each writer offers a contract and each reader requests one, for example:
Offer: Write this 1000x/sec, Reliable for 10 secs
Request: Read this 10x/sec, If patient = "Joe"
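The offer/request contract in the figure, worked through as an added example (my code, not RTI's and not the DDS API): a writer offers a deadline period and a reliability level, a reader requests its own plus a content filter, and the reader sees data only if the offered QoS satisfies the requested QoS and each sample passes the filter. The dict keys (deadline_s, reliability, filter), the sample fields and the reduced filter grammar are assumptions made for the example; the slide's "reliable for 10 secs" history is not modelled.

```python
import operator
import re

# Constructed Physiologic State samples on the DataBus (not from the slide).
SAMPLES = [
    {"patient": "Joe", "hr": 72},
    {"patient": "Ann", "hr": 110},
    {"patient": "Joe", "hr": 130},
]

RELIABILITY_RANK = {"BEST_EFFORT": 0, "RELIABLE": 1}


def qos_compatible(offered, requested):
    """Request/offered (RxO) matching for the two policies on the slide.

    offered["deadline_s"] is the longest gap the writer commits to between
    updates; requested["deadline_s"] is the longest gap the reader tolerates.
    The writer must be at least as fast and at least as reliable as the reader
    asks, otherwise the endpoints never match and the reader receives nothing.
    """
    fast_enough = offered["deadline_s"] <= requested["deadline_s"]
    reliable_enough = (RELIABILITY_RANK[offered["reliability"]]
                       >= RELIABILITY_RANK[requested["reliability"]])
    return fast_enough and reliable_enough


# One clause of the reduced filter grammar: field, operator, string or number.
_CLAUSE = re.compile(
    r"\s*(\w+)\s*(<=|>=|<>|=|<|>)\s*(?:'([^']*)'|(-?\d+(?:\.\d+)?))\s*")
_OPS = {"=": operator.eq, "<>": operator.ne, "<": operator.lt,
        ">": operator.gt, "<=": operator.le, ">=": operator.ge}


def compile_filter(expression):
    """Compile a subset of the DDS content-filter grammar (comparisons joined
    by AND, string or numeric literals) into a predicate over a sample dict."""
    clauses = []
    for part in re.split(r"\s+AND\s+", expression.strip(), flags=re.IGNORECASE):
        m = _CLAUSE.fullmatch(part)
        if m is None:
            raise ValueError("unsupported filter clause: %r" % part)
        field, op, text, number = m.groups()
        literal = text if text is not None else float(number)
        clauses.append((field, _OPS[op], literal))

    def predicate(sample):
        try:
            return all(field in sample and fn(sample[field], literal)
                       for field, fn, literal in clauses)
        except TypeError:          # e.g. comparing a string field with a number
            return False
    return predicate


def deliver(offered, requested, samples):
    """What the reader actually sees: None if the QoS contract does not match
    (the endpoints stay unmatched), otherwise only the samples that pass the
    reader's content filter."""
    if not qos_compatible(offered, requested):
        return None
    expression = requested.get("filter")
    keep = compile_filter(expression) if expression else (lambda s: True)
    return [s for s in samples if keep(s)]


# The slide's contract: write 1000x/sec reliable; read 10x/sec for patient Joe.
OFFERED = {"deadline_s": 0.001, "reliability": "RELIABLE"}
REQUESTED = {"deadline_s": 0.1, "reliability": "RELIABLE",
             "filter": "patient = 'Joe'"}

if __name__ == "__main__":
    print(deliver(OFFERED, REQUESTED, SAMPLES))
```

The filter is something the reader states, so it is a delivery contract and not a security control: a reader is free to ask for every patient, and whether it may read the topic at all is decided by the access-control permissions in the DDS Security model, not by the filter.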
Data-Centric Security Model
• Per-Topic Security
– Control r,w access for each function
– Enforce each dataflow
• Complete Protection
– Discovery authentication
– Data-centric access control
– Cryptography
– Tagging & logging
– Non-repudiation
– Secure multicast
– 100% standards compliant
• No code changes!
• Plugin architecture for advanced uses
• Topic Security model (functions PMU, CBM Analysis, Control and Operator over the topics State, Alarms and SetPoint):
– PMU: State(w)
– CBM: State(r); Alarms(w)
– Control: State(r), SetPoint(w)
– Operator: *(r), SetPoint(w)
Demanding Use Cases
• The USS SECURE cybersecurity test bed is a collaboration between:
– The National Security Agency
– Department of Defense Information Assurance Range Quantico
– Combat Systems Direction Activity Dam Neck
– NSWCDD
– NSWC Carderock/Philadelphia
– Office of Naval Research
– Johns Hopkins University Applied Physics Lab
– Real Time Innovations, Inc.
• Objectives
– Immunize against cyberattack and rapidly recover when impacted
– Determine the best cyberdefense technologies without impacting real-time, deadline-scheduled performance
http://www.navy.mil/submit/display.asp?story_id=79228
DDS Security Standard
• DDS entities are authenticated
• DDS enforces topic-level access control
• DDS maintains data integrity and confidentiality
• DDS enforces non-repudiation
• DDS provides availability
…while maintaining DDS interoperability & high performance
Pluggable Security Architecture
Figure: an application sits on the secure DDS middleware. The Secure Kernel (data cache, protocol engine, kernel policies, DDS entities) calls five plugins: Authentication (fed by the application component's certificates), Access Control, Cryptographic (backed by a crypto module, e.g. a TPM), Logging and Data Tagging. Below the kernel, the transport (e.g. UDP) and network driver put encrypted data, with a MAC, on the network to the other DDS systems and their applications.
Standard Capabilities (Built-in Plugins)
Authentication:
– X.509 Public Key Infrastructure (PKI) with a pre-configured shared Certificate Authority (CA)
– Digital Signature Algorithm (DSA) with Diffie-Hellman and RSA for authentication and key exchange
Access Control:
– Configured by domain using a (shared) Governance file
– Specified via a permissions file signed by the shared CA
– Control over the ability to join systems, read or write data topics
Cryptography:
– Protected key distribution
– AES128 and AES256 for encryption
– HMAC-SHA1 and HMAC-SHA256 for message authentication and integrity
Data Tagging:
– Tags specify security metadata, such as classification level
– Can be used to determine access privileges (via plugin)
Logging:
– Log security events to a file or distribute them securely over Connext DDS
Security Needs Protection and Detection
Figure: a Control Station (Master Device) talks Secure DDS over UDP to a Transmission Substation (Slave Device). Existing DNP3 slave devices, reached over RS232/485 or Ethernet, are bridged by RTI Routing Service (ComProcessor) onto the secure DDS DataBus as DNP3 over DDS. An Attack Detector subscribes to the same DDS data: an Anomaly Detector (Lua), a Scada Converter (C++) and a Display.
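An added example of the kind of anomaly detector the figure places beside the DNP3 bridge, written in Python rather than the slide's Lua, and not RTI's code. It consumes the DNP3 requests the Routing Service publishes on DDS and applies three stateful rules: a request flood from one participant, an OPERATE without a fresh SELECT (DNP3 select-before-operate, function codes 3 and 4), and a commanded value outside the point's engineering range. The record layout, thresholds, point ranges and the request stream are constructed for the example.

```python
from collections import defaultdict, deque

# DNP3 application-layer function codes used by the rules below.
READ, WRITE, SELECT, OPERATE = 1, 2, 3, 4

# Assumed detector thresholds (tune per site; not from the slide).
SELECT_TIMEOUT_S = 1.0   # OPERATE must follow its SELECT within this window
RATE_LIMIT = 20          # more requests than this per RATE_WINDOW_S per source
RATE_WINDOW_S = 1.0
# Constructed engineering limits for a writable analog output point.
POINT_RANGES = {12: (0.0, 400.0)}


def sample(t, src, fc, point, value=0.0):
    """One DNP3-over-DDS request as the detector sees it: time (s), the DDS
    participant that wrote it, function code, point index and value."""
    return {"t": t, "src": src, "fc": fc, "point": point, "value": value}


class Dnp3AnomalyDetector:
    """Stateful rules over the request stream; process() returns alerts as
    (rule, source, point) tuples."""

    def __init__(self):
        self.pending_select = {}            # (src, point) -> time of SELECT
        self.recent = defaultdict(deque)    # src -> request times in window
        self.flooding = set()               # sources already reported

    def process(self, s):
        alerts = []
        t, src, fc, point, value = s["t"], s["src"], s["fc"], s["point"], s["value"]

        # Rule 1: request flood from one participant (sliding window count),
        # reported once per burst rather than on every request over the limit.
        window = self.recent[src]
        window.append(t)
        while window and t - window[0] > RATE_WINDOW_S:
            window.popleft()
        if len(window) > RATE_LIMIT:
            if src not in self.flooding:
                self.flooding.add(src)
                alerts.append(("rate", src, point))
        else:
            self.flooding.discard(src)

        # Rule 2: select-before-operate discipline on control points.
        if fc == SELECT:
            self.pending_select[(src, point)] = t
        elif fc == OPERATE:
            t_select = self.pending_select.pop((src, point), None)
            if t_select is None:
                alerts.append(("operate_without_select", src, point))
            elif t - t_select > SELECT_TIMEOUT_S:
                alerts.append(("select_expired", src, point))

        # Rule 3: commanded value outside the point's engineering range.
        if fc in (WRITE, OPERATE) and point in POINT_RANGES:
            lo, hi = POINT_RANGES[point]
            if not lo <= value <= hi:
                alerts.append(("out_of_range", src, point))
        return alerts


def run(samples):
    det = Dnp3AnomalyDetector()
    alerts = []
    for s in samples:
        alerts.extend(det.process(s))
    return alerts


# Constructed request stream: one clean SELECT/OPERATE pair, then four faults.
SAMPLES = [
    sample(0.0, "Control", SELECT, 7, 1),
    sample(0.2, "Control", OPERATE, 7, 1),      # valid pair
    sample(1.0, "Control", OPERATE, 9, 1),      # never selected
    sample(2.0, "Control", SELECT, 7, 1),
    sample(4.5, "Control", OPERATE, 7, 1),      # SELECT older than the window
    sample(5.0, "Operator", WRITE, 12, 950.0),  # outside 0..400
] + [sample(6.0 + i * 0.02, "PMU", READ, 1) for i in range(25)]  # read flood

if __name__ == "__main__":
    for alert in run(SAMPLES):
        print(alert)
```

The rules are only useful if the detector reads the same data the substation acts on; that is the point of putting it on the DataBus instead of tapping the serial line. Its DomainParticipant needs read rights on the DNP3 topics and no write rights, which keeps a compromised detector from injecting commands.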
About RTI
• Market Leader
– 800+ designs; $1T designed-in value
– Over 70% DDS middleware market share (1)
– Largest embedded middleware vendor (2)
– By far the most DDS designs
– 2013 Gartner Cool Vendor for technology and Open Community Source model
• Standards Leader
– Active in 15 standards efforts
– DDS authors, chair, wire spec, security, more
– IIC steering committee; OMG board
• Team Quality Leader
– Stanford research pedigree
– High-performance, control, systems experts
– Top quality product, processes, execution
– Consistent head-to-head victors
(1) Embedded Market Forecasters; (2) VDC Analyst Report
Industrial Internet of Things Thought Leader
• RTI FastTrax IIoT Strategic Consulting
– Architectural guidance
– Security design
– Cloud integration
– Business objectives
For More Information
• RTI site: www.rti.com
• Examples, forum, papers: community.rti.com
• IIC website: www.iiconsortium.org
• Email: [email protected]
• Connect on LinkedIn
• Free RTI Connext DDS Pro: www.rti.com/downloads
The DDS Data-Centric Standard for the IIoT
• OMG’s Data Distribution Service is the Proven Data Connectivity Standard for the IoT
• OMG: world’s largest systems software standards org
– UML, DDS, Industrial Internet Consortium
• DDS: open & cross-vendor
– Open Standard & Open Source
– 12 implementations
Figure: the DDS API gives interoperability between source written for different vendors; the DDS-RTPS (Real-Time Publish-Subscribe) wire protocol, the distribution fabric, gives interoperability between applications running on different implementations. This is addressed by DDS Security.
Security Boundaries
• System Boundary
• Network Transport
– Media access (layer 2)
– Network (layer 3) security
– Session/Endpoint (layer 4/5) security
• Host
– Machine/OS/Applications/Files
• Data & Information flows
Ultimately, you need to implement all!
DDS Security Model (compared with the Unix filesystem security model)
Subject
– Unix: User (process executing for a user)
– DDS: DomainParticipant (application joining a DDS domain)
Protected Objects
– Unix: Directories, Files
– DDS: Domain (by domain_id), Topic (by Topic name), Data Objects (by Instance/Key)
Protected Operations
– Unix: Directory.list, Directory.create (File, Dir), Directory.remove (File, Dir), Directory.rename (File, Dir), File.read, File.write, File.execute
– DDS: Domain.join, Topic.create, Topic.read (includes QoS), Topic.write (includes QoS), Data.createInstance, Data.writeInstance, Data.deleteInstance
Access Control Policy Control
– Unix: Fixed in kernel
– DDS: Configurable via plugin
Builtin Access Control Mode
– Unix: Per-file/dir read/write/execute permissions for OWNER, GROUP, USERS
– DDS: Per-DomainParticipant permissions: what Domains and Topics it can JOIN/READ/WRITE
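The per-topic read/write matrix on the Data-Centric Security Model slide (PMU, CBM, Control, Operator over State, Alarms, SetPoint) and the per-DomainParticipant permissions row of the table above, as an added example (my code, not RTI's and not the DDS Security plugins): a constructed permissions document in the layout of a DDS Security permissions file is parsed and evaluated for join, read and write decisions. The XML is a simplified stand-in: the subject names, the O=Grid organisation, the validity dates and domain 0 are assumptions; deny rules, domain id ranges, partitions and data tags exist in the real format but are omitted, and the CA signature over the file is not verified here.

```python
import fnmatch
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed, simplified permissions document in the layout of a DDS Security
# permissions file.  A real one is signed by the permissions CA and that
# signature is checked before any rule is used; that step is omitted here.
PERMISSIONS_XML = """<dds><permissions>
 <grant name="PMU"><subject_name>CN=PMU,O=Grid</subject_name>
  <validity><not_before>2015-01-01T00:00:00</not_before>
            <not_after>2025-01-01T00:00:00</not_after></validity>
  <allow_rule><domains><id>0</id></domains>
   <publish><topics><topic>State</topic></topics></publish></allow_rule>
  <default>DENY</default></grant>
 <grant name="CBM"><subject_name>CN=CBM,O=Grid</subject_name>
  <validity><not_before>2015-01-01T00:00:00</not_before>
            <not_after>2025-01-01T00:00:00</not_after></validity>
  <allow_rule><domains><id>0</id></domains>
   <subscribe><topics><topic>State</topic></topics></subscribe>
   <publish><topics><topic>Alarms</topic></topics></publish></allow_rule>
  <default>DENY</default></grant>
 <grant name="Control"><subject_name>CN=Control,O=Grid</subject_name>
  <validity><not_before>2015-01-01T00:00:00</not_before>
            <not_after>2025-01-01T00:00:00</not_after></validity>
  <allow_rule><domains><id>0</id></domains>
   <subscribe><topics><topic>State</topic></topics></subscribe>
   <publish><topics><topic>SetPoint</topic></topics></publish></allow_rule>
  <default>DENY</default></grant>
 <grant name="Operator"><subject_name>CN=Operator,O=Grid</subject_name>
  <validity><not_before>2015-01-01T00:00:00</not_before>
            <not_after>2025-01-01T00:00:00</not_after></validity>
  <allow_rule><domains><id>0</id></domains>
   <subscribe><topics><topic>*</topic></topics></subscribe>
   <publish><topics><topic>SetPoint</topic></topics></publish></allow_rule>
  <default>DENY</default></grant>
</permissions></dds>"""

AS_OF = datetime(2020, 1, 1)   # assumed evaluation time inside every validity window


def load_permissions(xml_text):
    """Parse grants into {subject_name: (not_before, not_after, rules, default)},
    where each rule is (domain_ids, publish_patterns, subscribe_patterns)."""
    grants = {}
    for g in ET.fromstring(xml_text).iter("grant"):
        subject = g.findtext("subject_name").strip()
        not_before = datetime.fromisoformat(g.findtext("validity/not_before").strip())
        not_after = datetime.fromisoformat(g.findtext("validity/not_after").strip())
        rules = []
        for rule in g.findall("allow_rule"):
            domains = {int(d.text) for d in rule.findall("domains/id")}
            publish = [t.text.strip() for t in rule.findall("publish/topics/topic")]
            subscribe = [t.text.strip() for t in rule.findall("subscribe/topics/topic")]
            rules.append((domains, publish, subscribe))
        default = (g.findtext("default") or "DENY").strip().upper()
        grants[subject] = (not_before, not_after, rules, default)
    return grants


def is_allowed(grants, subject, domain_id, topic, op, now):
    """op is "read" or "write".  A participant is identified by the subject
    name of its authenticated certificate; no grant, an expired grant or a
    domain the grant does not cover means DENY regardless of topic.  Topic
    names in the rules are fnmatch patterns, so "*" grants every topic."""
    if subject not in grants:
        return False
    not_before, not_after, rules, default = grants[subject]
    if not (not_before <= now < not_after):
        return False
    for domains, publish, subscribe in rules:
        if domain_id not in domains:
            continue
        patterns = publish if op == "write" else subscribe
        if any(fnmatch.fnmatchcase(topic, p) for p in patterns):
            return True
    return default == "ALLOW"


def access_matrix(grants, domain_id, topics, now):
    """Per-function r/w view of the grants, like the matrix on the slide."""
    matrix = {}
    for subject in grants:
        name = subject.split(",")[0][len("CN="):]
        matrix[name] = {
            t: "".join(flag for flag, op in (("r", "read"), ("w", "write"))
                       if is_allowed(grants, subject, domain_id, t, op, now))
            for t in topics}
    return matrix


if __name__ == "__main__":
    grants = load_permissions(PERMISSIONS_XML)
    for name, row in access_matrix(grants, 0, ["State", "Alarms", "SetPoint"], AS_OF).items():
        print(name, row)
```

The decision is keyed on the certificate subject that authentication established, so the permissions file is only as trustworthy as the CA that signed it and the identity check that preceded it; an unsigned or tampered file must be rejected before any of these rules run.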