The document discusses four keys to securing distributed industrial internet of things (IIoT) systems: 1) using a decentralized architecture rather than a centralized one, 2) implementing access control, 3) not relying solely on TCP and transport layer security, and 4) ensuring interoperability through open architectures and standards. It provides examples of how RTI's Data Distribution Service approach addresses these keys and secures critical infrastructure like power grids.

1. Your systems. Working as one.
Four Keys to Securing Distributed Control
Systems and the Industrial IoT
David Barnett

2. Agenda
• Industrial Internet of Things
• Four Keys to IIoT Security
• Data Distribution Service
• Example: Securing the Power Grid
• Next Steps
• Q&A
2014-Nov-13 © 2014 RTI 2

3. Industrial Internet of Things (IIoT)
2014-Nov-13 © 2014 RTI 3

4. IIoT Systems Are Distributed
HMI/UI IT, Cloud & SoS
Connectivity
Sensors Actuators
Streaming
Analytics &
Control
2014-Nov-13 © 2014 RTI 4

5. IIoT Systems Are Distributed
2014-Nov-13 © 2014 RTI 5

6. Unit DataBus
Unit DataBus
Example
Intelligent
Industrial
Internet
Intelligent
Systems
Intelligent
Machines
Cloud
Enterprise LAN
Intelligent
System of
Systems
Unit LAN Segment
Think HMI
Intra-machine
Think HMI
Think HMI
Intra-machine
Sense Intra-machine
Act
Sense Act
2014-Nov-13 © 2014 RTI 6

7. IIoT Unique Requirements
• Real-time performance
• Safety
• Security
2014-Nov-13 © 2014 RTI 7

8. Four Keys to Securing the IIoT

9. #1: Decentralized Architecture

10. Consumer Internet of Things
Centralized, Hub and Spoke
Information Technology Systems
Premises or Cloud
2014-Nov-13 © 2014 RTI 10

11. Consumer IoT and Traditional IT
• Limited scalability and performance
• Centralized ESB, Message
Broker or Server
• E.g.: MQTT, XMPP, AMQP,
CoAP, Web Services
– Intermediary = poor latency and determinism
– Centralized broker/server is bottleneck and choke point
– Expensive to scale: need more servers
– Capacity constrained by individual links and switch ports
• Poor robustness
– Single point of failure/failover
– Tied to server maintenance and failures
– Single point of vulnerability
• Lessens capabilities and utility
– Single centralized “brain”
– No autonomy or intelligence at the edge
2014-Nov-13 © 2014 RTI 11

12. IIoT Needs Analytics & Control at the Edge
IT/Cloud
• Lower latency control for faster response
• Highly resilient, no single point of failure
• Analyze orders of magnitude more data
2014-Nov-13 © 2014 RTI 12

13. #2: Access Control

14. Can’t Rely on Physical Security or
Limited Access
Unit DataBus
Unit DataBus
Cloud
Enterprise LAN
Unit LAN Segment
Think HMI
Sense Intra-machine
Act
2014-Nov-13 © 2014 RTI 14

15. Q4 2013 Reported Cyber Incidents to
U.S. Critical Infrastructure
http://ics-cert.us-cert.gov/monitors/ICS-MM201312
2014-Nov-13 © 2014 RTI 15

16. Threats
2014-Nov-13 © 2014 RTI 16

17. Threats
Alice: Allowed to publish topic T
Bob: Allowed to subscribe to topic T
Eve: Non-authorized eavesdropper
Trudy: Intruder
Trent: Trusted infrastructure service
Mallory: Malicious insider
1. Unauthorized subscription
2. Unauthorized publication
3. Tampering and replay
4. Unauthorized access to data by
infrastructure services
2014-Nov-13 © 2014 RTI 17

18. #3: No Dependence on TCP or
Transport Layer Security

19. Problems with TCP and IP
• TCP
– No control over latency
– No multicast: inefficient onemany and
manymany communication
– Requires reliable network with reasonable
bandwidth
• IP can also be inefficient…
– Over very low bandwidth networks(e.g., satellite)
– Over high speed interconnects (e.g., shared
memory and RDMA)
2014-Nov-13 © 2014 RTI 19

20. Transport Layer Security (TLS/SSL)
1. Authenticate
– Verify identity
2. Securely exchange cryptographic keys
3. Use keys to:
– Encrypt data
– Add a message authentication code
App 1 App 2
2014-Nov-13 © 2014 RTI 20

21. Limitations of Transport Security:
No Inherent Access Control
• You’re authenticated or you’re not
• Less an issue for centralized systems
– E.g.: non-real-time IT and consumer IoT systems
– Broker centrally manages access control
App App App
Device
Message
Broker
Device Device
• Poor performance
and scalability
• Single point of
failure/failover
2014-Nov-13 © 2014 RTI 21

22. Limitations of Transport Security:
Overall Poor Performance and Scalability
• No multicast support (even with DTLS over UDP)
– Broad data distribution is very inefficient
• Usually runs over TCP: poor latency and jitter
• Requires a network robust enough to support IP
and TCP
• All data treated as reliable
– Even fast changing data that could be “best effort”
• Always encrypts all data, metadata and protocol
headers
– Even if some data does not have to be private
• Security is at a very gross level
2014-Nov-13 © 2014 RTI 22

23. #4: Interoperability (Open Architecture)

24. Need for Interoperability
• IIoT systems typically composed of
components from many suppliers
• IIoT systems have long lifecycles
– Interoperability enables modularity

25. Traditional Approach
2014-Nov-13 © 2014 RTI 25

26. Traditional Approach
2014-Nov-13 © 2014 RTI 26

27. Traditional Approach
2014-Nov-13 © 2014 RTI 27

28. Traditional Approach
• Hard coded
connections
• Up to O(n2)
• Complex
• Hard to maintain,
evolve, re-use
E.g., sockets, RPC
2014-Nov-13 © 2014 RTI 28

29. Result
Time & cost of
integration,
maintenance
and upgrades
System Scale and Age
O(n2)
2014-Nov-13 © 2014 RTI 29

30. Solution: Modularity
2014-Nov-13 © 2014 RTI 30

31. Key: Interoperability
Well-defined:
• Interfaces
• Semantics
2014-Nov-13 © 2014 RTI 31

32. Data Distribution Service
Designed for the Industrial Internet of Things

33. For loose coupling, provides:
• Discovery
• Routing
• High-availability
• QoS enforcement
• Well-define interfaces
• Standard interoperability
Protocol
Data Distribution Service
2014-Nov-13 © 2014 RTI 33

34. DDS Standard
• Interoperability and
portability
– Data model specification
and discovery
– Network protocol
– Programming interface
• Managed by Object
Management Group (OMG)
Cross-vendor source portability
Standard API
Data
Model
DDS Implementation
Standard Protocol
Cross-vendor interoperability
2014-Nov-13 © 2014 RTI 34

35. Peer-to-Peer Communication
DDS-RTPS Wire Interoperability Protocol
• Completely decentralized
• No intermediate servers,
message brokers or ESB
• Low latency
• High scalability
• No single point of failure
App or
Component
DDS Library
App or
Component
DDS Library
DDS
API
2014-Nov-13 © 2014 RTI 35

36. Easy Integration of Existing Components
Unmodified
App
Adapter
DDS Routing
Service
DDS-RTPS Wire Interoperability Protocol
Unmodified
App
Adapter
DDS Routing
Service
App or
Component
DDS Library
App or
Component
DDS Library
DDS or other protocol
DDS
API
New and Updated Applications Existing, Unmodified Applications
2014-Nov-13 © 2014 RTI 36

37. Seamless Sensor-to-Cloud Connectivity
Connect Everything, Everywhere
Data Distribution Service
Seamless data sharing regardless of:
• Proximity
• Platform
• Language
• Physical network
• Transport protocol
• Network topology
2014-Nov-13 © 2014 RTI 37

38. Example: RTI Connext Availability
• Programming languages and
environments
– C, C++, C#/.NET, Java, Ada
– Lua, Python
– LabVIEW, MATLAB, Simulink, UML
– REST/HTTP
• Operating systems
– Windows, Linux, Unix, Mac OS
– Mobile
– Embedded, real time
– Safety critical, partitioned
• Processor families
– x86, ARM, PowerPC…
– 32- and 64-bit
• Transport types
– Shared memory
– LAN (incl. multicast)
– WAN / Internet
– Wireless
– Low bandwidth
2014-Nov-13 © 2014 RTI 38

39. Foundation: Publish/Subscribe
Data Distribution Service
Commands
Control
App
Sensor Data
Sensor
Sensor Data
Display
App
Sensor Actuator
2014-Nov-13 © 2014 RTI 39

40. Support for Mission-Critical Systems
• Autonomous operation
– Automatic discovery
– No sys admin or centralized
infrastructure
• Non-stop: no single point of failure
• QoS control and visibility into
real-time behavior, system health
• Embeddable
• Proven in 100,000s of deployed
devices
2014-Nov-13 © 2014 RTI 40

41. DDS Security
• Security extensions to DDS standard
• Requires trivial or no change to
existing DDS apps and adapters
• Runs over any transport
– Including low bandwidth, unreliable
– Does not require TCP or IP
– Multicast for scalability, low latency
• Plugin architecture
– Built-in defaults
– Customizable via standard API
• Completely decentralized
– High performance and scalability
– No single point of failure
Secure DDS
library
Authentication
Access Control
Encryption
Data Tagging
Logging
Application
Any Transport
(e.g., TCP, UDP, multicast,
shared memory, satellite)
2014-Nov-13 © 2014 RTI 41

42. 2014-Nov-13 © 2014 RTI 42

43. Standard Capabilities
Authentication  X.509 Public Key Infrastructure (PKI) with a pre-configured
shared Certificate Authority (CA)
 Digital Signature Algorithm (DSA) with Diffie-Hellman and
RSA for authentication and key exchange
Access Control  Specified via permissions file signed by shared CA
 Control over ability to join systems, read or write data
topics
Cryptography  Protected key distribution
 AES128 and AES256 for encryption
 HMAC-SHA1 and HMAC-SHA256 for message
authentication and integrity
Data Tagging  Tags specify security metadata, such as classification level
 Can be used to determine access privileges (via plugin)
Logging  Log security events to a file or distribute securely over
Connext DDS
2014-Nov-13 © 2014 RTI 43

44. Protections
Protected
Objects
Domain (by domain_id)
Topic (by Topic name)
DataObjects (by Instance/Key)
Protected
Operations
Domain.join
Topic.create
Topic.read (includes QoS)
Topic.write (includes QoS)
Data.createInstance
Data.writeInstance
Data.deleteInstance
2014-Nov-13 © 2014 RTI 44

45. Control over Encryption
• Scope
– Discovery data
– Metadata
– Data
• For each:
– Encrypt
– Sign
• Optimizes performance by only encrypting
data that must be private
2014-Nov-13 © 2014 RTI 45

46. Example Domain Governance
2014-Nov-13 © 2014 RTI 46

47. Example Permissions
2014-Nov-13 © 2014 RTI 47

48. DDS Security Status
• Standard adopted March 2014
• Considered “Beta” for 1 year
• RTI chairing Finalization Task Force
• Available now from RTI
2014-Nov-13 © 2014 RTI 48

49. Security Example:
Power Grid
In Partnership with PNNL
© 2014 RTI

50. Data Security Requirements
Data Item Authentica-tion
Access
Control
Integrity Non-repudiation
Confidentiality
Control traffic X X X X X
Data
X X
Telemetry
traffic
Physical
Security Data
X X X
Engineering
maintenance
X
Source: www.sxc.hu
2014-Nov-13 © 2014 RTI 50

51. Test Environment
• Real World Environment
– Transmission switching
substation
– Real substation equipment
• PNNL powerNET Testbed
– Remote connectivity
– Local control room
demonstration environment
– Dynamically reconfigurable
2014-Nov-13 © 2014 RTI 51

52. SCADA Equipment Setup
2014-Nov-13 © 2014 RTI 52

53. RTI and PNNL Grid Security Retrofit
Control Station
DNP3
Master
Device
Transmission Substation
DNP3
Slave
Device
RTI Routing
Service
Gateway
RTI Routing
Service
ComProcessor
DNP3
Slave
Device
DNP3 over
Ethernet DNP3 over DDS
DNP3 over
RS232/485
RTI Routing
Service
Gateway
DDS
LAN
DDS
LAN
RTI Routing
Service
ComProcessor
IP
Router
IP
Router
DDS over WAN
Attack Detector
Scada
Converter
Anomaly
Detector
Secure DDS
over UDP
Display
Effective DNP3
connection
Details at http://blogs.rti.com
2014-Nov-13 © 2014 RTI 53

54. About RTI
• Market Leader
– 1,000+ projects use Connext DDS
– Over 70% DDS middleware market share1
– Largest embedded middleware vendor2
– 2013 Gartner Cool Vendor for technology and
Open Community Source model
• Standards Leader
– Active in 15 standards efforts
– DDS authors, chair, wire spec, security, more
– IIC steering committee; OMG board
• Team Quality Leader
– Stanford research pedigree
– High-performance, control, systems experts
– Top quality product, processes, execution
© 2014 RTI
1Embedded Market Forecasters
2VDC Analyst Report
2014-Nov-13 54

55. IIoT Infrastructure Trusts RTI
• World’s largest Wind Power company
• World’s largest Underground Mining Equipment company
• World’s largest Navy (all surface ships)
• World’s largest Automotive company
• World’s largest Emergency Medical System company
• World’s largest Medical Imaging provider
• World’s 2nd largest Patient Monitoring manufacturer
• World’s 2nd largest Air Traffic control system
• World’s largest Broadcast Video Equipment manufacturer
• World’s largest Launch Control System
• World’s largest Telescope (under construction)
• World’s 5th-largest Oil & Gas company
• World’s 6th-largest power plant (largest in US)
• All of world’s top ten defense companies
RTI designed into
over $1 trillion
2014-Nov-13 © 2014 RTI 55

56. RTI Named Most Influential IIoT Company
2014-Nov-13 © 2014 RTI 56

57. Four Keys to Securing the IIoT
• Decentralized architecture
• Access control
• No dependence on TCP or
Transport Security
• Interoperability (Open Architecture)
2014-Nov-13 © 2014 RTI 57

58. Next Steps – Learn More
• Contact RTI
– Demo, Q&A
• Download software
– www.rti.com/downloads
– Free trial with comprehensive tutorial
– RTI Shapes Demo
• Watch videos & webinars, read
whitepapers
– www.rti.com/resources
– www.youtube.com/realtimeinnovatio
ns
2014-Nov-13 © 2014 RTI 58

59. dds.omg.org
www.rti.com
community.rti.com
demo.rti.com
www.youtube.com/realtimeinnovations
blogs.rti.com
www.twitter.com/RealTimeInnov
www.facebook.com/RTIsoftware
www.omg.org
www.slideshare.net/GerardoPardo
www.slideshare.net/RealTimeInnovations
2014-Nov-13 © 2014 RTI 59