Data Distribution Service Security and the Industrial Internet of Things
1. Data Distribution Service Security and the Industrial Internet of Things
Hamed Soroush, Ph.D
Senior Research Security Engineer, IIC Security Working Group Co-Chair
2. Outline
• Background on Industrial Internet of Things
• Background on Data Distribution Service
• Data Distribution Service Security
© 2016 Real-Time Innovations, Inc.
3. What is the Internet of Things?
Industrial Internet of Things (IIoT)
Consumer Internet of Things (CIoT)
Cyber-Physical Systems (CPS)
4. World Economic Forum 2015
• The Industrial Internet will transform many industries, including:
  – Manufacturing
  – Oil and gas
  – Agriculture
  – Mining
  – Transportation
  – Healthcare
• ...and dwarf the consumer side
• Collectively, these account for nearly two-thirds of the world economy
5. 220+ companies
Goal: build and prove a common architecture that interoperates between vendors and across industries
10. Preventing Medical Errors
What Can Change This?
ECRI Institute identifies alarm hazards as its Top Health Technology Hazard for 2013
Clinicians exposed each day to tens of thousands of alarms
Nineteen out of 20 hospitals surveyed rank alarm fatigue as a top patient safety concern
Hospital Errors are the Third Leading Cause of Death in U.S., and New Hospital Safety Scores Show Improvements Are Too Slow
New research estimates up to 440,000 Americans are dying annually from preventable hospital errors.
11. Example: Patient-Controlled Analgesia
PCA is widely used, and considered safe...
...but 2-3 patients die every day in the US from opiate overdose from PCA
The patient presses a button to receive intravenous pain medication. Monitoring is not typically used due to high false/nuisance alarm rate.
12. Improve Safety by Connecting Devices
• The Integrated Clinical Environment (ICE) standard specifies interoperability for medical devices
• RTI Connext DDS ties together instruments in real time
"RTI Connext DDS met all our needs – whether we're handling 12 patients, or 200."
-- DocBox Founder, Tracy Rausch
"... the anesthesiologist forgot to resume ventilation after separation from cardiopulmonary bypass. The delayed detection was attributed to the fact that the audible alarms for the pulse oximeter and capnograph had been disabled during bypass and had not been reactivated. The patient sustained permanent brain damage."
Every surgical team surveyed has experienced this error!
13. Key to the Success of IIoT: Interoperability
• Interoperability
  – Across Systems
  – Across Vendors
  – Across Brownfield & Greenfield Deployments
  – Across Teams
16. Data Centric is Different!
Point-to-Point: TCP, Sockets
Publish/Subscribe: Fieldbus, CANbus
Queuing: AMQP, Active MQ
Data-Centric: DDS, Shared Data Model, DataBus
Client/Server: MQTT, REST, XMPP, OPC
Brokered: ESB
Daemon
17. It's All About the Data
Data centricity enables interoperation, scale, integration
Data at Rest: Unstructured files -> Database (data centricity)
Data in Motion: Messaging middleware -> DataBus (data centricity)
18. Data Centric is the Opposite of OO
Object Oriented
• Encapsulate data
• Expose methods
Data Centric
• Encapsulate methods
• Expose data
Explicit Shared Data Model
21. Data-Centric Model
"Global Data Space" generalizes Subject-Based Addressing
• Data objects addressed by Domain ID, Topic and Key
• Domains provide a level of isolation
• Topic groups homogeneous subjects (same data-type & meaning)
• Key is a generalization of subject
[Diagram: Data Writers and Data Readers attached to a Domain; within the Domain, Topics hold Instances identified by a Key (subject). Example topics:]
Airline | Flight | Destination | Time
SWA | 023 | PDX | 14:05
UA | 119 | LAX | 14:40
Sensor | Value | Units | Location
4535 | 72 | Fahrenheit | Bldg. 405
5677 | 64 | Fahrenheit | Bldg. 201
22. Quality of Service (QoS)
• Aside from the actual data to be delivered, users often need to specify HOW to send it …
  … reliably (or "send and forget")
  … how much data (all data, last 5 samples, every 2 secs)
  … how long before data is regarded as "stale" and is discarded
  … how many publishers of the same data are allowed
  … how to "failover" if an existing publisher stops sending data
  … how to detect "dead" applications
  … …
• These options are controlled by formally-defined Quality of Service (QoS)
23. Data Centricity Enables Interoperability
• Global Data Space
  – Automatic discovery
  – Read & write data in any OS, language, transport
  – Redundant sources/sinks/nets
• Type Aware
• No Servers
• QoS control
  – Timing, Reliability, Ownership, Redundancy, Filtering, Security
[Diagram: Shared Global Data Space / DDS DataBus connecting Patient Hx, Device Identity, Devices, Supervisory CDS, Physiologic State, Nursing Station and Cloud]
Offer: Write this 1000x/sec, Reliable for 10 secs
Request: Read this 10x/sec, If patient = "Joe"
24. Why Choose DDS?
• Reliability: Severe consequences if offline for 5 minutes?
• Performance/scale:
  – Measure in ms or µs?
  – Or scale > 20+ applications or 10+ teams?
  – Or 10k+ data values?
• Architecture: Code active lifetime > 3 yrs?
2 or 3 Checks?
25. Security Boundaries
• System Boundary
• Network Transport
  – Media access (layer 2)
  – Network (layer 3) security
  – Session/Endpoint (layer 4/5) security
• Host
  – Machine/OS/Applications/Files
• Data & Information flows
  – This is addressed by DDS Security
26. Data Security
Threats in the Global Data Space
1. Unauthorized subscription
2. Unauthorized publication
3. Tampering and replay
4. Unauthorized access to data by infrastructure services
Alice: Allowed to publish topic "T"
Bob: Allowed to subscribe to topic "T"
Eve: Non-authorized eavesdropper
Trudy: Intruder
Mallory: Malicious insider
Trent: Trusted infrastructure service
27. Approaches to Secure DDS
• Transport Layer Security
• Fine-grained Data-Centric Security
28. Threat & Trust Models for DDS Security
• We are protecting against attacks originating over the network
• The local machine is in our trust base
  – To protect against threats in the same machine, host-protection techniques should be used
    • These are outside the scope of DDS security
• By securing DDS we mean providing mechanisms for
  – Confidentiality of the data samples
  – Integrity of the data samples and the messages that contain them
  – Authentication of DDS writers & readers
  – Authorization of DDS writers & readers
29. Data-centric Security for DDS: How is it Done?
• Security Model
  – What to Protect
• Security Plugin APIs
  – How/where to protect
  – Interchangeability of the plugins
• DDS RTPS Wire Protocol
  – Data encapsulation and discovery interoperability
• Default Builtin Plugins
  – Out-of-box implementation
  – Interoperable implementations
OMG DDS Security Specification
RTI Connext™ DDS Implementation
30. Security Model
• A security model is defined in terms of:
  – The subjects (principals)
  – The objects being protected
    • The operations that are protected on the objects
  – Access Control Model
    • A way to define for each subject
      – What the objects it can perform operations on are
      – Which operations are allowed
31. Security Model Example: UNIX FileSystem (simplified)
• Subjects: Users, specifically processes executing on behalf of a specific userid
• Protected Objects: Files and Directories
• Protected Operations on Objects:
  – Directory.list, Directory.createFile, Directory.createDir, Directory.removeFile, Directory.removeDir, Directory.renameFile
  – File.view, File.modify, File.execute
• Access Control Model:
  – A subject is given a userId and a set of groupIds
  – Each object is assigned an OWNER and a GROUP
  – Each object is given a combination of READ, WRITE, EXECUTE permissions for the assigned OWNER and GROUP
  – Each protected operation is mapped to a check, for example
    • File.view is allowed if and only if
      – File.owner == Subject.userId AND File.permissions(OWNER) includes READ
      – OR File.group IS-IN Subject.groupId[] AND File.permissions(GROUP) includes READ
32. DDS Security Model
1/15/2016 © 2012 Real-Time Innovations, Inc. - All rights reserved
Concept | Unix Filesystem Security Model | DDS Security Model
Subject | User (process executing for a user) | DomainParticipant (application joining a DDS domain)
Protected Objects | Directories, Files | Domain (by domain_id), Topic (by Topic name), DataObjects (by Instance/Key)
Protected Operations | Directory.list, Directory.create (File, Dir), Directory.remove (File, Dir), Directory.rename (File, Dir), File.read, File.write, File.execute | Domain.join, Topic.create, Topic.read (includes QoS), Topic.write (includes QoS), Data.createInstance, Data.writeInstance, Data.deleteInstance
Access Control Policy Control | Fixed in Kernel | Configurable via Plugin
Builtin Access Control Mode | Per-File/Dir Read/Write/Execute permissions for OWNER, | Per-DomainParticipant Permissions: What Domains and Topics it can JOIN/READ/WRITE
33. Pluggable Security Architecture
[Diagram: an application and other DDS systems connected through the Secure DDS middleware. The secure kernel (data cache, protocol engine, kernel policies, DDS entities) invokes the Authentication, Access Control, Cryptographic, Logging and DataTagging plugins; the Cryptographic plugin can be backed by a crypto module (e.g. TPM); application component certificates are shown as input to the plugins; data leaves through the transport (e.g. UDP) and network driver onto the network as encrypted data with a MAC.]
34. Platform Independent Interception Pts + SPIs
Service Plugin | Purpose | Interactions
Authentication | Authenticate the principal that is joining a DDS Domain. Handshake and establish shared secret between participants | The principal may be an application/process or the user associated with that application or process. Participants may send messages to do mutual authentication and establish shared secret
Access Control | Decide whether a principal is allowed to perform a protected operation. | Protected operations include joining a specific DDS domain, creating a Topic, reading a Topic, writing to a Topic, etc.
Cryptography | Perform the encryption and decryption operations. Create & Exchange Keys. Compute digests, compute and verify Message Authentication Codes. Sign and verify signatures of messages. | Invoked by DDS middleware to encrypt data, compute and verify MAC, compute & verify Digital Signatures
Logging | Log all security relevant events | Invoked by middleware to log
Data Tagging | Add a data tag for each data sample |
35. What are the Standard Capabilities (Built-in Plugins)
Authentication
• X.509 Public Key Infrastructure (PKI) with a pre-configured shared Certificate Authority (CA)
• Digital Signature Algorithm (DSA) with Diffie-Hellman and RSA for authentication and key exchange
Access Control
• Configured by domain using a (shared) Governance file
• Specified via permissions file signed by shared CA
• Control over ability to join systems, read or write data topics
Cryptography
• Protected key distribution
• AES128 and AES256 for encryption
• HMAC-SHA256 for message authentication and integrity
Data Tagging
• Tags specify security metadata, such as classification level
• Can be used to determine access privileges (via plugin)
Logging
• Log security events to a file or distribute securely over DDS
36. Overview of What Happens
[Flowchart; DP = Domain Participant, Endpoint = Reader / Writer]
1. Create Domain Participant -> Authenticate DP? No: Domain Participant Create Fails. Yes: continue.
2. Create Endpoints -> Access OK? No: Endpoint Create Fails. Yes: continue.
3. Discover remote DP -> Authenticate Remote DP? No: Ignore Remote DP. Yes: continue.
4. Discover remote Endpoints -> Access OK? No: Ignore remote endpoint. Yes: continue.
5. Send/Receive data, with Message security applied.
37. The Big Picture: Authentication
• Once discovered & authenticated to the middleware, domain participants are mutually authenticated to each other using a point-to-point public-key based challenge-response handshaking protocol.
• After the handshake, participants have learned about:
  – Each other's identities
  – Each other's granted access permissions
  – A shared secret, which is used to derive symmetric keys that enable message security
38. The Big Picture: Access Control
• DDS Security allows for configuring & enforcing the privileges of each participant such as
  – Which domains it can join
  – What topics it can read/write
• It also allows specifying & enforcing policies for the whole domain such as
  – What topics are discovered using Secure Discovery
  – Encrypt or Sign for Secure Discovery
  – What topics have controlled access
  – Encrypt or Sign for each secure topic
    • User data and payload
    • Metadata and routing information
  – What to do with unauthenticated access requests
39. The Big Picture: Message Security
• DDS Security enables message security by allowing for encryption and authentication of DDS messages.
  – Symmetric encryption keys & MAC keys are generated per data writer
  – These keys are distributed to authenticated data readers that are authorized.
    • Distribution of these keys is done using other symmetric keys derived from the shared secret.
    • The key distribution is transport independent
      – e.g. it could happen over multicast
  – These keys are used for encryption and/or message authentication based on the policy defined in the governance document.
  – Different parts of messages can optionally be encrypted per governance policy
    • headers, complete message, sub-message, discovery data
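An added illustration of the per-writer message protection from slides 35 and 39 in the "sign" policy setting, not code from the original slides or from RTI: each DataWriter has its own HMAC-SHA256 key, a reader only accepts samples from writers whose key it has been given, and a sequence number placed under the MAC lets the reader reject both tampered and replayed samples (threat 3 on slide 26). The frame layout, the `DataWriter`/`DataReader` classes and the sample values are assumptions of this example, not the RTPS wire format.

```python
import hashlib, hmac, os, struct

class DataWriter:
    """Holds one per-writer MAC key (slide 39) and a sample sequence number."""
    def __init__(self, writer_id):
        self.writer_id = writer_id
        self.mac_key = os.urandom(32)   # generated per writer, handed only to authorized readers
        self.seq = 0

    def protect(self, payload):
        """Frame = writer_id | seq | payload | HMAC-SHA256 over all three (assumed framing)."""
        self.seq += 1
        header = struct.pack(">IQ", self.writer_id, self.seq)
        tag = hmac.new(self.mac_key, header + payload, hashlib.sha256).digest()
        return header + payload + tag

class DataReader:
    def __init__(self):
        self.keys = {}       # writer_id -> MAC key, obtained through key distribution
        self.last_seq = {}   # writer_id -> highest sequence number accepted so far

    def grant_key(self, writer_id, key):
        self.keys[writer_id] = key

    def accept(self, frame):
        """Return the payload if the frame is authentic and fresh, else None."""
        if len(frame) < 12 + 32:
            return None
        header, body, tag = frame[:12], frame[12:-32], frame[-32:]
        writer_id, seq = struct.unpack(">IQ", header)
        key = self.keys.get(writer_id)
        if key is None:                                  # writer we hold no key for
            return None
        expected = hmac.new(key, header + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):       # tampered or forged
            return None
        if seq <= self.last_seq.get(writer_id, 0):       # replayed
            return None
        self.last_seq[writer_id] = seq
        return body

def demo():
    """Constructed exchange: an authentic sample, its replay, and a modified copy."""
    writer, reader = DataWriter(writer_id=7), DataReader()
    reader.grant_key(7, writer.mac_key)
    frame = writer.protect(b"PhysiologicState hr=72")
    accepted = reader.accept(frame)
    replayed = reader.accept(frame)
    altered = reader.accept(frame[:12] + b"PhysiologicState hr=27" + frame[-32:])
    return accepted, replayed, altered
```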
41. Configuring & Deploying Secure DDS
[Diagram: participants P1 and P2, each holding its own Identity Certificate, Private Key and Permissions File; shared across the domain are the Domain Governance Document, the Identity CA Certificate and the Permissions CA Certificate]
• Keys. Each participant has a pair of public & private keys used in the authentication process.
• Identity CA that has signed participant public keys. Participants need to have a copy of the CA certificate as well.
• Permissions File specifies what domains/partitions the DP can join, what topics it can read/write, what tags are associated with the readers/writers
• Domain Governance specifies which domains should be secured and how
• Permissions CA that has signed participant permission file as well as the domain governance document. Participants need to have a copy of the permissions CA certificate.
42. Permissions Document
• For each Participant
  – Specifies
    • What Domain IDs it can join
    • What Topics it can read/write
    • What Partitions it can join
    • What Tags are associated with the Readers and Writers
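An added model of the per-participant permissions check described on slides 31, 32 and 42, not code from the slides, RTI or the OMG specification: a grant lists, per domain, which topic expressions the participant may publish or subscribe to, and the protected operations from slide 32 (Domain.join, Topic.read, Topic.write) are evaluated against it with a default of deny. The grant layout, the first-match rule order, the fnmatch-style topic expressions and the sample grant are assumptions of this example.

```python
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

ALLOW, DENY = "ALLOW", "DENY"

@dataclass
class Rule:
    kind: str                    # ALLOW or DENY
    domains: set                 # domain IDs this rule covers
    publish: list = field(default_factory=list)    # topic expressions it may write
    subscribe: list = field(default_factory=list)  # topic expressions it may read

@dataclass
class Grant:
    subject: str                 # subject name of the participant's identity certificate
    rules: list                  # evaluated in order (assumption of this model)
    default: str = DENY          # applies when no rule matches

def check(grant, operation, domain_id, topic=None):
    """Evaluate one protected operation from slide 32. Domain.join needs an
    ALLOW rule covering the domain; for Topic.read / Topic.write the first
    rule that covers the domain and matches the topic expression decides."""
    if operation == "Domain.join":
        return any(r.kind == ALLOW and domain_id in r.domains for r in grant.rules)
    for rule in grant.rules:
        if domain_id not in rule.domains:
            continue
        patterns = {"Topic.read": rule.subscribe, "Topic.write": rule.publish}.get(operation, [])
        if any(fnmatchcase(topic, p) for p in patterns):
            return rule.kind == ALLOW
    return grant.default == ALLOW

# Constructed grant: a bedside monitor may publish physiologic data in domain 0
# and read device identities, but may never write the PCA pump command topic.
MONITOR = Grant("CN=BedsideMonitor07", [
    Rule(DENY, {0, 1}, publish=["PCAPumpCommand"]),
    Rule(ALLOW, {0}, publish=["Physiologic*"], subscribe=["DeviceIdentity"]),
])
```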
44. Domain Governance Document
• The domain governance document is an XML document that specifies which DDS domain IDs shall be protected and the details of the protection.
• It is signed by the permissions CA.
45. A Sample Domain Governance File
46. Configuration possibilities
• Are "legacy" or un-identified applications allowed in the Domain? Yes or No.
  – If yes, unauthenticated applications will:
    • See the "unsecured" discovery Topics
    • Be allowed to read/write the "unsecured" Topics
• Is a particular Topic discovered over protected discovery?
  – If so, it can only be seen by "authenticated applications"
• Is access to a particular Topic protected?
  – If so, only authenticated applications with the correct permissions can read/write
• Is data on a particular Topic protected? How?
  – If so, data will be sent signed, or encrypted then signed
• Are all protocol messages signed? Encrypted?
  – If so, only authenticated applications with the right permissions will see anything
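An added example, not from the slides or RTI, that answers the slide 46 questions for one domain and topic by reading a governance document of the kind slide 44 describes. The embedded document is constructed for this illustration; its element names follow the OMG DDS Security governance schema as the author of this example knows it, and the first-matching-topic-rule evaluation is an assumption of the model.

```python
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed governance document; element names follow the OMG DDS Security
# governance schema as known to the author of this example (verify against your spec version).
GOVERNANCE = """<dds><domain_access_rules><domain_rule>
  <domains><id>0</id></domains>
  <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
  <enable_join_access_control>true</enable_join_access_control>
  <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
  <topic_access_rules>
    <topic_rule>
      <topic_expression>PCAPump*</topic_expression>
      <enable_discovery_protection>true</enable_discovery_protection>
      <enable_read_access_control>true</enable_read_access_control>
      <enable_write_access_control>true</enable_write_access_control>
      <data_protection_kind>ENCRYPT</data_protection_kind>
    </topic_rule>
    <topic_rule>
      <topic_expression>*</topic_expression>
      <enable_discovery_protection>false</enable_discovery_protection>
      <enable_read_access_control>false</enable_read_access_control>
      <enable_write_access_control>false</enable_write_access_control>
      <data_protection_kind>NONE</data_protection_kind>
    </topic_rule>
  </topic_access_rules>
</domain_rule></domain_access_rules></dds>"""

def _flag(elem, name):
    return elem.findtext(name) == "true"

def topic_policy(xml_text, domain_id, topic):
    """Answer the slide 46 questions for one (domain_id, topic). Returns None
    when no domain_rule covers the domain, i.e. the domain is left unsecured."""
    root = ET.fromstring(xml_text)
    for d in root.iter("domain_rule"):
        if domain_id not in {int(e.text) for e in d.find("domains").findall("id")}:
            continue
        for t in d.iter("topic_rule"):        # first matching expression wins (assumed)
            if fnmatchcase(topic, t.findtext("topic_expression")):
                return {
                    "legacy_apps_allowed": _flag(d, "allow_unauthenticated_participants"),
                    "protected_discovery": _flag(t, "enable_discovery_protection"),
                    "access_controlled": (_flag(t, "enable_read_access_control")
                                          or _flag(t, "enable_write_access_control")),
                    "data_protection": t.findtext("data_protection_kind"),
                }
    return None
```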
47. DDS Security allows for configurations that combine interoperability, scalability, and high performance requirements of Industrial IoT Systems with those of security.
48. Try out Secure DDS
• Current Specification Draft:
  – http://www.omg.org/spec/DDS-SECURITY/
• Any Questions?
  – Send e-mail to hamed AT rti DOT com