Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Cybersecurity Spotlight: Looking under the Hood at Data Breaches and Hardening Techniques

1,254 views

Published on

Originally presented on January 19, 2016.
On-Demand: http://ecast.opensystemsmedia.com/612

Published in: Software
  • Be the first to comment

Cybersecurity Spotlight: Looking under the Hood at Data Breaches and Hardening Techniques

  1. 1. Cybersecurity and Industrial IoT Control Systems The Connectivity Platform for the Industrial Internet of Things™
  2. 2. Industrial Internet of Things (IIoT) ©2016 Real-Time Innovations, Inc. 2
  3. 3. IIoT Systems Are Distributed Sensors Actuators Streaming Analytics & Control HMI/UI IT, Cloud & SoS Connectivity ©2016 Real-Time Innovations, Inc. 3
  4. 4. IIoT Systems Are Distributed Sensors Actuators Streaming Analytics & Control HMI/UI IT, Cloud & SoS Connectivity ©2016 Real-Time Innovations, Inc. 4 Potential Vulnerability
  5. 5. Threats ©2016 Real-Time Innovations, Inc. 5
  6. 6. Challenge: Security with Other Demanding Requirements • Scalable real-time performance • High reliability, resilience and safety • Autonomous operation ©2016 Real-Time Innovations, Inc. 7
  7. 7. Data Distribution Service (DDS) Standard Data Distribution Service (DDS) Sensors Actuators Streaming Analytics & Control HMI/UI IT, Cloud & SoS Connectivity ©2016 Real-Time Innovations, Inc. 8
  8. 8. Key DDS Features • Decentralized architecture – Peer-to-peer communication – No message brokers or servers – Low latency and high scalability – No single point of failure • Multicast – Efficient broad data distribution • Automatic discovery – Systems are self-forming and self-healing • Real-time Quality of Service – Control over & visibility into timing ©2016 Real-Time Innovations, Inc. 9 Data Distribution Service (DDS) Sensors Actuators Streaming Analytics & Control HMI/UI IT, Cloud & SoS Connectivity
  9. 9. Publish/Subscribe for Loose Coupling ©2016 Real-Time Innovations, Inc. 10 DDS Software Data Bus Control App Commands Sensor SensorData ActuatorSensor SensorData Display App
  10. 10. Use with New and Existing Systems New and Updated Apps Existing, Unmodified Apps and (Sub)Systems DDS-RTPS Interoperability Protocol DDS App DDS Library DDS App DDS Library Transport Transport Non-DDS App DDS Routing Service Adapter Non-DDS App DDS Routing Service Adapter OS & Transport OS & Transport DDS API ©2016 Real-Time Innovations, Inc. 11
  11. 11. This is addressed by DDS Security Security Boundaries • System Boundary • Network Transport – Media access (layer 2) – Network (layer 3) security – Session/Endpoint (layer 4/5) security • Host – Machine/OS/Applications/Files • Data & Information flows ©2016 Real-Time Innovations, Inc. 12
  12. 12. Data Security - Threat Model 1. Unauthorized subscription 2. Unauthorized publication 3. Tampering and replay 4. Unauthorized access to data by infrastructure services Alice: Allowed to publish topic ‘T’ Bob: Allowed to subscribe to topic ‘T’ Eve: Non-authorized eavesdropper Trudy: Intruder Mallory: Malicious insider Trent: Trusted infrastructure service Alice Bob Eve Trudy Trent Mallory ©2016 Real-Time Innovations, Inc. 13
  13. 13. Plugin Approach • Requires trivial or no change to existing DDS apps and adapters • Runs over any transport – Including low bandwidth, unreliable – Does not require TCP or IP – Multicast for scalability, low latency • Completely decentralized – High performance and scalability – No single point of failure • Fine grained control – Which data is encrypted and/or signed – Access control Secure DDS library Authentication Access Control Encryption Data Tagging Logging Application Any Transport (e.g., TCP, UDP, multicast, shared memory…) ©2016 Real-Time Innovations, Inc. 14
  14. 14. ©2016 Real-Time Innovations, Inc. 15
  15. 15. Standard Capabilities (Built-in Plugins) Authentication  X.509 Public Key Infrastructure (PKI) with a pre-configured shared Certificate Authority (CA)  Digital Signature Algorithm (DSA) with Diffie-Hellman and RSA for authentication and key exchange Access Control  Configured by domain using a (shared) Governance file  Specified via permissions file signed by shared CA  Control over ability to join systems, read or write data topics Cryptography  aes-128-ctr for encryption  HMAC-SHA256 for message authentication and integrity  aes-128-gcm, aes-192-gcm and aes-256-gcm for encryption with authentication Data Tagging  Tags specify security metadata, such as classification level  Can be used to determine access privileges (via plugin) Logging  Log security events to a file or distribute securely over DDS ©2016 Real-Time Innovations, Inc. 16
  16. 16. rti.com/downloads Start using DDS Today! Download the FREE complete RTI Connext DDS Pro package for Windows and Linux: • Leading implementation of DDS • Includes C, C++, C#/.NET and Java APIs • Tools to monitor, debug, test, visualize and prototype distributed applications and systems • Adapters to integrate with existing applications and IT systems ©2016 Real-Time Innovations, Inc. 17

×