Securing the IIoT with DDS-Security
June 2015
Gerardo Pardo-Castellote, Ph.D., CTO, Real-Time Innovations (RTI), Co-Chair OMG DDS SIG, www.rti.com
The Industrial Internet of Things
[Diagram: Industrial Internet of Things (IIoT), Consumer Internet of Things (CIoT), Cyber-Physical Systems (CPS)]
ARAMCO produces 13% of world’s oil
Hardly an isolated incident…
• 2013: Attack on Pacific Gas & Electric's Metcalf substation, California.
  – 17 transformers damaged. Approx. $15 Million in repairs [1]
• 2014: Steel Mill attack in Germany
  – According to German BSI the mill suffered "massive damage" [2]
• 2014: Reports of 79 Hacking incidents at US Energy companies [3]
• 2018: Worldwide spending on cyber security for oil and gas infrastructure will reach $1.9bn by 2018
  – ABI Research [4]
DDS Use Cases
Practical Connectivity Requires Normalization
© Duke Energy Co. http://www.duke-energy.com/pdfs/DEDistributedIntelligencePlatformVol01.pdf
© 2014 RTI
DocBox and Integrated Clinical Environment (ICE) Standard
• Hospital error is the 6th leading cause of preventable death
• DocBox integrates devices to improve patient safety
Unite Real-Time, Mobile, and Cloud
• Largest EMS equipment provider supplies ER equipment to 60% of the world's emergency vehicles
• Uses DDS for in-vehicle platform, mobile device bus, cloud connectivity
Power Critical Infrastructure (GC Dam)
• DDS controls the 6.8 GW GC Dam
  – Largest power plant in North America
  – Fastest-responding major power source on the Western Grid
  – Requires 24x7 operation
• DDS met the challenges
  – Extreme availability
  – Wide area communications
  – Multi-level routing
  – High security
  – 300k data values
Siemens Wind Power turbine control
• Siemens Wind Power fields farms of 500 turbines with 100m blades
• DDS implements fast control within turbines and gust control across the array
• DDS enables distributed intelligent machines
DDS-Security
DDS: Data-Centric QoS-Aware Pub-Sub Model
[Diagram: a Persistence Service and a Recording Service attached to a virtual, decentralized global data space on which applications perform CRUD operations. Sample contents:]
Source (Key)   Speed   Power    Phase
WPT1           37.4    122.0    -12.20
WPT2           10.7    74.0     -12.23
WPTN           50.2    150.07   -11.98
Is there a Conflict?
• PubSub/DDS
  – Create a 'global data space' where information is shared
  – Publishers are unaware of subscribers and vice-versa
• Security…
  – Share information only with authorized subjects
  – Requires identifying who produces and consumes the information, and cryptographic protection of the data.
NO CONFLICT: Must Use Data-Centric Security Model!
Boundaries at which security should be applied
• System Boundary
• Network Transport
  – Media access (layer 2)
  – Network (layer 3) security
  – Session/Endpoint (layer 4/5) security
• Host
  – Machine/OS/Applications/Files
• Data & Information flows
Ultimately all need to be implemented.
The Data & Information flows boundary is the one addressed by DDS Security.
Threats
1. Unauthorized subscription
2. Unauthorized publication
3. Tampering and replay
4. Unauthorized access to data by infrastructure services
Alice: Allowed to publish topic T
Bob: Allowed to subscribe to topic T
Eve: Non-authorized eavesdropper
Trudy: Intruder
Trent: Trusted infrastructure service
Mallory: Malicious insider
6/25/15 © 2012 Real-Time Innovations, Inc. - All rights reserved
DDS Security Standard
• DDS entities are authenticated
• DDS enforces access control for domains/Topics/…
• DDS maintains data integrity and confidentiality
• DDS enforces non-repudiation
• DDS provides availability through reliable access to data
…while maintaining DDS interoperability & high performance
Practical Fine-Grain Security
• Per-Topic Security
  – Control r,w access for each function
  – Ensures proper dataflow operation
• Complete Protection
  – Discovery authentication
  – Data-centric access control
  – Cryptography
  – Tagging & logging
  – Non-repudiation
  – Secure multicast
  – 100% standards compliant
• No code changes!
• Plugin architecture for advanced uses
[Diagram: participants CBM Analysis, PMU, Control and Operator exchanging the Topics State, Alarms and SetPoint]
Topic Security model:
• PMU: State(w)
• CBM: State(r); Alarms(w)
• Control: State(r), SetPoint(w)
• Operator: *(r), SetPoint(w)
DDS Security covers 4 related concerns
• Security Plugin APIs & Behavior
• DDS & RTPS support for Security
• Builtin Plugins
• Security Model
Builtin Plugins
SPI             Builtin Plugin                          Notes
Authentication  DDS:Auth:PKI-RSA/DSA-DH                 Uses PKI with a pre-configured shared Certificate Authority. DSA and Diffie-Hellman for authentication and key exchange. Establishes shared secret.
AccessControl   DDS:Access:PKI-Signed-XML-Permissions   Governance Document and Permissions Document, each signed by shared Certificate Authority.
Cryptography    DDS:Crypto:AES-CTR-HMAC-RSA/DSA-DH      Protected key distribution. AES128 and AES256 for encryption (in counter mode). SHA1 and SHA256 for digest. HMAC-SHA1 and HMAC-256 for MAC.
DataTagging     Discovered_EndpointTags                 Send Tags via Endpoint Discovery.
Logging         DedicatedDDS_LogTopic
DDS Security Flow
[Flow chart, reconstructed as a sequence:]
1. Create Domain Participant. Authenticate DP? No: Participant create fails. Yes: continue.
2. Create Endpoints. Access OK? No: Endpoint create fails. Yes: continue.
3. Discover remote DP. Authenticate remote DP? No: Ignore remote DP. Yes: continue.
4. Discover remote Endpoints. Access OK? No: Ignore remote endpoint. Yes: continue.
5. Send/Receive data with message security: Encrypted Data + MAC on the Network.
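The per-Topic read/write model from the Topic Security slide and the two "Access OK?" decisions in the flow above (local endpoint creation fails closed; an unauthorized remote endpoint is ignored), as an added Python illustration that is not part of the deck or of any DDS implementation. The subject names, the PERMISSIONS and GOVERNANCE tables and the protection labels are constructed for the example; in a real deployment the subject is the identity certificate's subject name and both tables come from the signed Permissions and Governance documents.

```python
from fnmatch import fnmatchcase

# Constructed Permissions, transcribed from the deck's Topic security model:
# subject -> set of (topic_pattern, access). "*" matches any Topic.
# In a real system the subject is the CN of the participant's identity
# certificate and the grants come from its signed Permissions File.
PERMISSIONS = {
    "PMU":      {("State", "w")},
    "CBM":      {("State", "r"), ("Alarms", "w")},
    "Control":  {("State", "r"), ("SetPoint", "w")},
    "Operator": {("*", "r"), ("SetPoint", "w")},
}

# Constructed Governance: how data on each Topic is protected on the wire
# (labels are ours; the deck says "signed or encrypted+signed").
GOVERNANCE = {"SetPoint": "ENCRYPT+SIGN", "Alarms": "SIGN", "State": "NONE"}


def is_allowed(subject, topic, access):
    """Default deny: an explicit matching grant is required."""
    grants = PERMISSIONS.get(subject, set())
    return any(fnmatchcase(topic, pattern) and acc == access
               for pattern, acc in grants)


def create_local_endpoint(subject, topic, kind):
    """'Create Endpoints -> Access OK?': a DataWriter needs write access,
    a DataReader read access; otherwise endpoint creation fails."""
    access = "w" if kind == "DataWriter" else "r"
    if not is_allowed(subject, topic, access):
        raise PermissionError(f"{subject}: {kind} on {topic} denied")
    return {"subject": subject, "topic": topic, "kind": kind,
            "protection": GOVERNANCE.get(topic, "NONE")}


def match_remote_endpoint(remote_subject, topic, kind):
    """'Discover remote Endpoints -> Access OK?': an unauthorized remote
    endpoint is ignored, so it never receives Topic key material."""
    access = "w" if kind == "DataWriter" else "r"
    return is_allowed(remote_subject, topic, access)


def visible_writers(local_subject, topic, remote_writers):
    """Writers a local DataReader on `topic` will match: the reader itself
    must be permitted, and each remote writer must hold a write grant."""
    if not is_allowed(local_subject, topic, "r"):
        return []
    return [w for w in remote_writers
            if match_remote_endpoint(w, topic, "DataWriter")]
```

An intruder such as Trudy, absent from the permissions table, is denied by default on every Topic.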
Configuration Possibilities
• Is the access to a particular Topic protected?
  – If so, only authenticated applications with the correct permissions can read/write
• Is data on a particular Topic protected? How?
  – If so, data will be sent signed or encrypted+signed
• Are all protocol messages signed? Encrypted?
  – If so, only authenticated applications with the right permissions will see anything
Configuring & Deploying Secure DDS
[Diagram: an Identity CA and a Permissions CA; each participant (P1, P2) holds its Identity Certificate, Private Key and Permissions File, and all share the Domain Governance Document]
• PKI. Each participant has a pair of public & private keys used in the authentication process.
• Shared CA that has signed participant public keys. Participants need to have a copy of the CA certificate as well.
• Permissions File specifies what domains/partitions the DP can join, what topics it can read/write, and what tags are associated with the readers/writers.
• Domain Governance specifies which domains should be secured and how.
• Permissions CA that has signed the participant permission file as well as the domain governance document. Participants need to have a copy of the permissions CA certificate.
DDS-SECURITY Key Aspects
• Standard & Interoperable
• Complete: Handles Authentication, Authorization, Key distribution, Encryption, Integrity, …
• Scalable: Supports multicast
• Fine-grain: Access control at Topic and QoS level; Configure Encrypt/Sign per Topic
• Flexible: Create your own plugins
• Generic: Works over any (RTPS) Transport
• Transparent: No changes to existing DDS App Code!
DDS: The best connectivity standard for the IIoT
• Reactive and Data-Centric
• Scalable, reliable, high-performance protocol
• QoS support that meets the IIoT requirements
• Supports Edge to Cloud deployments
• Built-in data-centric security
[Diagram: the DDS standards stack. Application; language bindings C++, JAVA, C, C#; IDL 4.0; DDS v1.4 with DDS-RPC, XTYPES and SECURITY; DDSI-RTPS; transports UDP, TCP, TLS/DTLS, Custom, IP]
About RTI
RTI Company Snapshot
• World leader in fast, scalable communications software for real-time operational systems
• Strong leadership in Aerospace and Defense, Industrial Control, Automotive, Healthcare and more
• Over 400,000 deployed licenses, ~800 designs, $1T designed-in value
• Based in Silicon Valley with Worldwide offices
• Global leader in DDS
  – Over 70% market share (1)
  – Largest Embedded Middleware vendor (2)
  – 2013 Gartner Cool Vendor
  – DDS authors, chair, wire spec, security, more
  – First with DDS API and RTPS protocol
  – IIC steering committee; OMG board
  – Most mature & widely deployed solution
(1) Embedded Market Forecasters (2) VDC Analyst Report
Find out more…
www.slideshare.net/GerardoPardo
www.slideshare.net/RealTimeInnovations
www.rti.com
community.rti.com
demo.rti.com
www.youtube.com/realtimeinnovations
blogs.rti.com
www.twitter.com/RealTimeInnov
www.facebook.com/RTIsoftware
dds.omg.org
www.omg.org
www.iiconsortium.org
Thank You!
©2015 Real-Time Innovations, Inc. Confidential.