Securing the IIoT with DDS-Security
Gerardo Pardo-Castellote, Ph.D., CTO, Real-Time Innovations (RTI)
Co-Chair OMG DDS SIG
www.rti.com
June 2015

The Industrial Internet of Things
• Consumer Internet of Things (CIoT)
• Industrial Internet of Things (IIoT)
• Cyber-Physical Systems (CPS)

ARAMCO produces 13% of the world's oil

Hardly an isolated incident…
• 2013: Attack on Pacific Gas & Electric's Metcalf substation, California.
  – 17 transformers damaged. Approx. $15 Million in repairs [1]
• 2014: Steel mill attack in Germany
  – According to the German BSI the mill suffered "massive damage" [2]
• 2014: Reports of 79 hacking incidents at US energy companies [3]
• 2018: Worldwide spending on cyber security for oil and gas infrastructure will reach $1.9bn by 2018
  – ABI Research [4]

DDS Use Cases
Practical Connectivity Requires Normalization
© Duke Energy Co. http://www.duke-energy.com/pdfs/DEDistributedIntelligencePlatformVol01.pdf
© 2014 RTI

DocBox and Integrated Clinical Environment (ICE) Standard
• Hospital error is the 6th leading cause of preventable death
• DocBox integrates devices to improve patient safety

Unite Real-Time, Mobile, and Cloud
• Largest EMS equipment provider supplies ER equipment to 60% of the world's emergency vehicles
• Uses DDS for in-vehicle platform, mobile device bus, cloud connectivity

Power Critical Infrastructure (GC Dam)
• DDS controls the 6.8 GW GC Dam
  – Largest power plant in North America
  – Fastest-responding major power source on the Western Grid
  – Requires 24x7 operation
• DDS met the challenges
  – Extreme availability
  – Wide area communications
  – Multi-level routing
  – High security
  – 300k data values

Siemens Wind Power turbine control
• Siemens Wind Power fields farms of 500 turbines with 100m blades
• DDS implements fast control within turbines and gust control across the array
• DDS enables distributed intelligent machines

DDS-Security
DDS: Data-Centric QoS-Aware Pub-Sub Model
Virtual, decentralized global data space
CRUD operations on keyed data instances:

Source (Key)   Speed   Power    Phase
WPT1           37.4    122.0    -12.20
WPT2           10.7    74.0     -12.23
WPTN           50.2    150.07   -11.98
Infrastructure services: Persistence Service, Recording Service

Is there a Conflict?
• PubSub/DDS
  – Create a 'global data space' where information is shared
  – Publishers are unaware of subscribers and vice-versa
• Security…
  – Share information only with authorized subjects
  – Requires identifying who produces and consumes the information and cryptographic protection of the data.
NO CONFLICT: Must use a data-centric security model!

Boundaries at which security should be applied
Ultimately all need to be implemented
• System Boundary
• Network Transport
  – Media access (layer 2)
  – Network (layer 3) security
  – Session/Endpoint (layer 4/5) security
• Host
  – Machine/OS/Applications/Files
• Data & Information flows – this is addressed by DDS Security

Threats
Alice: Allowed to publish topic T
Bob: Allowed to subscribe to topic T
Eve: Non-authorized eavesdropper
Trudy: Intruder
Trent: Trusted infrastructure service
Mallory: Malicious insider
1. Unauthorized subscription
2. Unauthorized publication
3. Tampering and replay
4. Unauthorized access to data by infrastructure services
© 2012 Real-Time Innovations, Inc. - All rights reserved 6/16/15

DDS Security Standard
• DDS entities are authenticated
• DDS enforces access control for domains/Topics/…
• DDS maintains data integrity and confidentiality
• DDS enforces non-repudiation
• DDS provides availability through reliable access to data
…while maintaining DDS interoperability & high performance
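Threat 3 above (tampering and replay) is the one a message-level MAC addresses, and the deck's security flow ends with samples carried as "Encrypted Data + MAC". The following Python is an added illustration, not part of the presentation and not the wire format of the builtin Cryptography plugin: a writer (Alice) tags each sample with a per-writer sequence number and an HMAC-SHA256 over topic, sequence number and payload under a shared session key; a reader (Bob) rejects a sample whose tag does not verify (Mallory edited it) or whose sequence number it has already accepted (Trudy replayed it). Only integrity and replay detection are modelled; the session key is constructed in the example (in DDS-Security it results from the authenticated key exchange) and the AES-CTR encryption of the builtin plugin is not shown.

```python
"""Integrity and replay protection for a pub-sub sample stream.

Added illustration only: not RTI's code and not the DDS-Security builtin
plugin's message format. The session key below is constructed for the demo.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Sample:
    topic: str
    seq: int        # per-writer sequence number, strictly increasing
    payload: bytes
    tag: bytes      # HMAC-SHA256 over (topic, seq, payload)


def _mac(key: bytes, topic: str, seq: int, payload: bytes) -> bytes:
    # Bind topic, sequence number and payload together so that none of
    # them can be swapped without invalidating the tag.
    msg = topic.encode() + struct.pack(">Q", seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class Writer:
    """Alice: allowed to publish the topic; numbers and tags each sample."""

    def __init__(self, key: bytes, topic: str):
        self._key = key
        self.topic = topic
        self._seq = 0

    def write(self, payload: bytes) -> Sample:
        self._seq += 1
        tag = _mac(self._key, self.topic, self._seq, payload)
        return Sample(self.topic, self._seq, payload, tag)


class Reader:
    """Bob: verifies the tag, then rejects anything at or below the last
    accepted sequence number (replay)."""

    def __init__(self, key: bytes, topic: str):
        self._key = key
        self.topic = topic
        self._last_seq = 0
        self.accepted = []
        self.rejected = []

    def receive(self, s: Sample):
        """Return None if the sample is accepted, else the rejection reason."""
        if s.topic != self.topic:
            reason = "wrong topic"
        elif not hmac.compare_digest(s.tag, _mac(self._key, s.topic, s.seq, s.payload)):
            reason = "bad MAC (tampered)"
        elif s.seq <= self._last_seq:
            reason = "replay"
        else:
            self._last_seq = s.seq
            self.accepted.append(s.payload)
            return None
        self.rejected.append((s.seq, reason))
        return reason


def demo() -> dict:
    """Run the four cases: two good samples, one tampered copy, one replay."""
    key = hashlib.sha256(b"constructed demo session key").digest()  # constructed
    alice = Writer(key, "State")
    bob = Reader(key, "State")
    s1 = alice.write(b"WPT1,37.4,122.0,-12.20")
    s2 = alice.write(b"WPT2,10.7,74.0,-12.23")
    results = [bob.receive(s1), bob.receive(s2)]
    # Mallory alters the data but cannot recompute the tag without the key.
    forged = Sample(s2.topic, s2.seq, b"WPT2,99.9,74.0,-12.23", s2.tag)
    results.append(bob.receive(forged))
    # Trudy replays the first sample; its tag is valid but its seq is stale.
    results.append(bob.receive(s1))
    return {"results": results, "accepted": bob.accepted}


if __name__ == "__main__":
    print(demo())
```

Because the sequence number is inside the MAC, an attacker cannot renumber an old sample to get it past the replay check; and because the reader only remembers the highest accepted number, the state per writer stays constant-sized.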
Practical Fine-Grain Security
(figure: functions PMU, CBM, Analysis, Control and Operator exchanging the topics State, Alarms and SetPoint)
• Per-Topic Security
  – Control r,w access for each function
  – Ensures proper dataflow operation
• Complete Protection
  – Discovery authentication
  – Data-centric access control
  – Cryptography
  – Tagging & logging
  – Non-repudiation
  – Secure multicast
  – 100% standards compliant
• No code changes!
• Plugin architecture for advanced uses
Topic security model:
• PMU: State(w)
• CBM: State(r); Alarms(w)
• Control: State(r), SetPoint(w)
• Operator: *(r), SetPoint(w)

DDS Security covers 4 related concerns
• Security Model
• Security Plugin APIs & Behavior
• Builtin Plugins
• DDS & RTPS support for Security

Builtin Plugins

SPI            Builtin Plugin                        Notes
Authentication DDS:Auth:PKI-RSA/DSA-DH               Uses PKI with a pre-configured shared Certificate Authority.
                                                     DSA and Diffie-Hellman for authentication and key exchange.
                                                     Establishes shared secret.
AccessControl  DDS:Access:PKI-Signed-XML-Permissions Governance Document and Permissions Document,
                                                     each signed by shared Certificate Authority.
Cryptography   DDS:Crypto:AES-CTR-HMAC-RSA/DSA-DH    Protected key distribution.
                                                     AES128 and AES256 for encryption (in counter mode).
                                                     SHA1 and SHA256 for digest.
                                                     HMAC-SHA1 and HMAC-256 for MAC.
DataTagging    Discovered_EndpointTags               Send tags via endpoint discovery.
Logging        DedicatedDDS_LogTopic

DDS Security Flow
1. Create Domain Participant. Authenticate DP? If no: Domain Participant Create Fails.
2. If yes: Create Endpoints. Access OK? If no: Endpoint Create Fails.
3. If yes: Discover remote DP. Authenticate Remote DP? If no: Ignore Remote DP.
4. If yes: Discover remote Endpoints. Access OK? If no: Ignore remote endpoint.
5. If yes: Send/Receive data over the network with message security (Encrypted Data + MAC).

Configuration Possibilities
• Is the access to a particular Topic protected?
  – If so only authenticated applications with the correct permissions can read/write
• Is data on a particular Topic protected? How?
  – If so data will be sent signed or encrypted+signed
• Are all protocol messages signed? Encrypted?
  – If so only authenticated applications with the right permissions will see anything

Configuring & Deploying Secure DDS
(figure: Identity CA and Permissions CA; participant P1 with its Permissions File, Identity Certificate and Private Key; participant P2 with the same; a shared Domain Governance Document)
• PKI. Each participant has a pair of public & private keys used in the authentication process.
• Shared CA that has signed the participant public keys. Participants need to have a copy of the CA certificate as well.
• Permissions File specifies what domains/partitions the DP can join, what topics it can read/write, and what tags are associated with the readers/writers.
• Domain Governance specifies which domains should be secured and how.
• Permissions CA that has signed the participant permission files as well as the domain governance document. Participants need to have a copy of the permissions CA certificate.

DDS-SECURITY Key Aspects
• Standard & Interoperable
• Complete: Handles Authentication, Authorization, Key distribution, Encryption, Integrity, …
• Scalable: Supports multicast
• Fine-grain: Access control at Topic and QoS level; Configure Encrypt/Sign per Topic
• Flexible: Create your own plugins
• Generic: Works over any (RTPS) Transport
• Transparent: No changes to existing DDS App Code!

DDS: The best connectivity standard for the IIoT
(figure: Application; language bindings C++, JAVA, C, C#; DDS v1.4 with SECURITY, IDL 4.0, XTYPES, DDS-RPC; DDSI-RTPS; transports UDP, TCP, TLS/DTLS, IP, Custom)
• Reactive and Data-Centric
• Scalable, reliable, high-performance protocol
• QoS support that meets the IIoT requirements
• Supports Edge to Cloud deployments
• Built-in data-centric security

Thank You!
©2015 Real-Time Innovations, Inc. Confidential.

RTI Company Snapshot
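To see how the Permissions File and the Domain Governance Document combine at the "Access OK?" steps of the flow, here is an added Python example; it is not part of the presentation and does not use the standard's signed-XML format. The permissions dictionary mirrors the topic security model from the "Practical Fine-Grain Security" slide (PMU: State(w); CBM: State(r), Alarms(w); Control: State(r), SetPoint(w); Operator: *(r), SetPoint(w)), and the governance dictionary answers the "Configuration Possibilities" questions per topic: is access controlled, and is data sent in the clear, signed, or encrypted+signed. The topic "Heartbeat", the protection labels NONE/SIGN/ENCRYPT and the default rule are constructed for the example; signature checking of the documents by the Permissions CA is assumed to have happened before these dictionaries are trusted.

```python
"""Per-topic access-control and protection decisions in the style of the
DDS-Security permissions and governance documents.

Added example: not RTI's code and not the standard's XML schema. The
documents are modelled as plain dictionaries; in a deployment they would be
signed by the Permissions CA and verified before use.
"""
from fnmatch import fnmatchcase

# Permissions File, per participant identity: topic pattern -> {"r", "w"}.
# Patterns follow fnmatch; "*" is the Operator's read-everything grant.
PERMISSIONS = {
    "PMU":      {"State": {"w"}},
    "CBM":      {"State": {"r"}, "Alarms": {"w"}},
    "Control":  {"State": {"r"}, "SetPoint": {"w"}},
    "Operator": {"*": {"r"}, "SetPoint": {"w"}},
}

# Domain Governance Document, shared by everyone in the domain.
# data_protection: NONE (clear), SIGN (signed), ENCRYPT (encrypted+signed).
# "Heartbeat" and the labels are constructed for this example.
GOVERNANCE = {
    "State":     {"access_control": True,  "data_protection": "ENCRYPT"},
    "Alarms":    {"access_control": True,  "data_protection": "SIGN"},
    "SetPoint":  {"access_control": True,  "data_protection": "ENCRYPT"},
    "Heartbeat": {"access_control": False, "data_protection": "NONE"},
}
# Topics not listed in governance fall back to the strictest setting.
DEFAULT_RULE = {"access_control": True, "data_protection": "ENCRYPT"}


def topic_rule(topic: str) -> dict:
    return GOVERNANCE.get(topic, DEFAULT_RULE)


def is_allowed(identity: str, topic: str, op: str) -> bool:
    """op is 'r' (create a reader) or 'w' (create a writer). Default deny."""
    if not topic_rule(topic)["access_control"]:
        return True  # governance leaves this topic unprotected
    grants = PERMISSIONS.get(identity)
    if grants is None:
        return False  # unknown or unauthenticated identity (Eve, Trudy)
    return any(op in ops for pattern, ops in grants.items()
               if fnmatchcase(topic, pattern))


def endpoint_check(identity: str, topic: str, op: str) -> str:
    """Decision for an endpoint create request, as at 'Access OK?' in the
    security flow: DENY, or ALLOW with the protection the data will get."""
    if not is_allowed(identity, topic, op):
        return "DENY"
    return "ALLOW:" + topic_rule(topic)["data_protection"]


def effective_rights(identity: str) -> dict:
    """Resolve wildcards: the concrete r/w set per governed topic."""
    return {topic: {op for op in "rw" if is_allowed(identity, topic, op)}
            for topic in GOVERNANCE}


if __name__ == "__main__":
    for who in ("PMU", "CBM", "Control", "Operator", "Eve"):
        print(who, effective_rights(who))
```

Evaluating `effective_rights` for each identity is a quick audit of a permissions set: the Operator's "*" read grant expands to every governed topic, while the PMU's single write grant confirms it can publish State but never read it, which is the dataflow the slide's figure intends.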
• World leader in fast, scalable communications software for real-time operational systems
• Strong leadership in Aerospace and Defense, Industrial Control, Automotive, Healthcare and more
• Over 400,000 deployed licenses, ~800 designs, $1T designed-in value
• Based in Silicon Valley with worldwide offices
• Global leader in DDS
  – Over 70% market share¹
  – Largest Embedded Middleware vendor²
  – 2013 Gartner Cool Vendor
  – DDS authors, chair, wire spec, security, more
  – First with DDS API and RTPS protocol
  – IIC steering committee; OMG board
  – Most mature & widely deployed solution
© 2014 RTI
¹Embedded Market Forecasters ²VDC Analyst Report

Find out more…
www.rti.com
dds.omg.org
community.rti.com
www.omg.org
demo.rti.com
www.iiconsortium.org
www.youtube.com/realtimeinnovations
blogs.rti.com
www.twitter.com/RealTimeInnov
www.facebook.com/RTIsoftware
www.slideshare.net/GerardoPardo
www.slideshare.net/RealTimeInnovations