Making  the  Jump  to  Connext  DDS  Secure  The  Industrial  Internet  of  Things  Connec<vity  Company™  

#RSAC

Niheer  Patel  

Niheer  Patel,  Product  Manager,  RTI,  has  over  11  years  of  experience  in  embedded  soFware  and  distributed  systems.  Niheer  has  a  Computer  Science  and  Engineering  degree  from  the  University  of  California,  San  Diego  and  a  Master  of  Business  Administra<on  degree  from  University  of  California,  Berkeley.      

#RSAC

Agenda  

•  Speaker  Introduc<on  •  Industrial  Internet  and  Security  Frameworks  •  DDS  Security  Highlights  •  Connext  DDS  Secure  Pre-­‐Requisites  &  Configura<on  •  Connext  DDS  Secure  Shapes  Demo  –  Integrity  –  Confiden<ality  

•  Addi<onal  Resources  •  Q&A  

©2017  Real-­‐Time  Innova<ons,  Inc.      

#RSAC

Industrial  Internet  Consor<um:  250+  Companies,  25+  Countries  IIC  Founding  and  Contribu/ng  Members  

#RSAC

Industrial  Internet  Reference  Architecture  

•  IIRA,  recently  released  v1.8  •  Comprehensive,  high  level  architecture  guidance  •  Standards  based  approach  to  Industrial  IoT  Systems.  

h\p://www.iiconsor<um.org/IIRA.htm  

#RSAC

Industrial  Internet  Connec<vity  Framework  

•  IIRA  defines  the  “layered  databus  architecture”  •  IICF  defines  proper<es  for  core  connec<vity  pla`orms  

h\p://www.iiconsor<um.org/IICF.htm  

#RSAC

Industrial  Internet  Security  Framework  

•  Extends  from  IIRA  •  Guidance  for  security  in  the  context  of  an  IIoT  system  architecture  •  Reference  for  testbeds  that  provide  con<nual  feedback  on  security  frameworks  

h\p://www.iiconsor<um.org/IISF.htm  

#RSAC

Industrial  Internet  Security  Framework  

#RSAC

Communica<ons  and  Connec<vity  Protec<on  

#RSAC

Securing  System  Boundaries  

•  System  Boundary  •  Network  Transport  

–  Media  access  (layer  2)  –  Network  (layer  3)  security  –  Session/Endpoint  (layer  4/5)  security  

•  Host  –  Machine/OS/Applica<ons/Files  

•  Data  &  Informa<on  flows  DDS  Security  

©2017  Real-­‐Time  Innova<ons,  Inc.      

#RSAC

Threats  in  a  Pub/Sub  System  

•  Unauthorized  Subscrip<on  •  Unauthorized  Publica<on  •  Tampering  &  Replay  •  Unauthorized  access  by  infrastructure  services  

Alice  Bob  

Eve  Trudy  

Trent  Mallory  

Local  machine  is  assumed  to  be  trusted  

©2017  Real-­‐Time  Innova<ons,  Inc.      

#RSAC

Connext  DDS  Secure  •  Based  on  DDS  Security  specifica<on  •  Access  control  without  a  broker  or  server  

–  Fine-­‐grain,  integrated  and  peer-­‐to-­‐peer  •  Far  more  scalable  and  efficient  than  TLS  

–  Fine  grain  control  over  over  topics  and  message  segments  –  Mul<cast  support  for  efficient  1:many  and  many:many  –  TLS/DTLS  support  available  for  simple  use  cases  

•  Preserves  Real-­‐Time  QoS  –  Not  dependent  on  TCP  

•  Transport  flexibility  –  Does  not  require  IP  –  Secures  data  over  any  transport,  including  shared  memory  

•  Add  security  with  li\le  or  no  change  to  exis<ng  DDS  apps  •  Plugin  SDK  allows  for  custom  solu<on  

©2017  Real-­‐Time  Innova<ons,  Inc.      

Connext  DDS    Library  

Authen<ca<on  

Access  Control  

Encryp<on  

Logging  

Applica<on  

Any  Transport  (e.g.,  TCP,  UDP,  mul<cast,  

shared  memory…)  

Data  Tagging  

#RSAC

Create  Domain  

Par<cipant    

Create  Endpoints  

Discover  remote  

Endpoints  

Send/Receive  data  

Discover  remote  DP  

Authen<cate  DP?  Yes  

Domain  Par<cipant  Create  Fails  

No  

Plugins  In  Ac<on  –  What  is  really  happening?  

Access  OK?  Endpoint  

Create  Fails  No  

Authen<cate  Remote  DP?  

Ignore  Remote  DP  

No  

Yes  

Message  security  

Access  OK?  Ignore  remote  endpoint  

No  

DP  =  Domain  Par<cipant  Endpoint  =  Reader  /  Writer  

©2017  Real-­‐Time  Innova<ons,  Inc.      

#RSAC

Domain  Governance  Document  

Shared  CA  Cer<ficate  

Permissions  CA  

Cer<ficate  

P2  Iden<ty  Cer<ficate  

P2  Private  Key  

P2  

P2  Permissions  File  

P1  Iden<ty  Cer<ficate  

P1  Private  Key  

P1  

P1  Permissions  File  

•  Keys.  Each  par<cipant  has  a  pair  of  public  &  private  keys  used  in  authen<ca<on  process.  Public  keys  are  embedded  in  the  iden<ty  cer<ficate  of  each  par<cipant.  

•  Shared  CA  that  has  signed  par<cipant  public  keys.  Par<cipants  need  to  have  a  copy  of  the  CA  cer<ficate  as  well.  

•  Permissions  File  specifies  what  domains/par<<ons  the  DP  can  join,  what  topics  it  can  read/write,  what  tags  are  associate  with  the  readers/writers    

•  Domain  Governance  specifies  which  domains  should  be  secured  and  how  •  Permissions  CA  that  has  signed  par<cipant  permission  file  as  well  as  the  domain  governance  document.  

Par<cipants  need  to  have  a  copy  of  the  permissions  CA  cer<ficate.  

Configuring  &  Deploying  DDS  Security  Signed  by  Permissions  CA  Signed  by  Shared  CA  

©2017  Real-­‐Time  Innova<ons,  Inc.      

#RSAC

QoS  Configura<on:  “SecureAllowAll”    

/Applica<ons/r<_connext_dds-­‐5.2.6/resource/xml/RTI_SHAPES_DEMO_QOS_PROFILES.xml    

•  QoS  Elements  encapsulated  within  the  <property>  tag.  

©2017  Real-­‐Time  Innova<ons,  Inc.      

#RSAC

Permissions  File  

/Applica<ons/r<_connext_dds-­‐5.2.6/resource/xml/RTI_SHAPES_DEMO_PERMISSIONS.xml    

•  Define  individual  par<cipant  permissions  rules  

•  “AllowAll”  PERMISSIONS:  •  No  restric<ons  on  what  

can  be  published  or  subscribed  

•  “SecureDenyPubCircles”  •  No  restric<ons  except  

that  Circle  topics  cannot  be  published.  

©2017  Real-­‐Time  Innova<ons,  Inc.      

#RSAC

Governance  File  

/Applica<ons/r<_connext_dds-­‐5.2.6/resource/xml/RTI_SHAPES_DEMO_GOVERNANCE_MAX.xml    

•  Iden<fy  ac<ons  for  discovery,  liveliness,  RTPS  protec<on,  etc.  

•  Define  access  control  rules  for  topics  using  regular  expressions  

•  GOVERNANCE_MAX.xml  •  All  topics  encrypted  •  Except  Circles  

©2017  Real-­‐Time  Innova<ons,  Inc.      

#RSAC

Upgrading  Systems  under  Development  Upgrade  Steps   Impact/Behavior  

Rebuild  applica/ons  that  require  DDS  APIs  with  Connext  DDS  Security  Plugins.  

No  performance  impact  as  security  features  are  not  yet  enabled.  

Enable  authen/ca/on  but  configure  domain  to  allow  unauthen/cated  par/cipants  

Some  impact  to  discovery  behavior;  Introduc/on  signed  governance  files  requires  PKI  &  CA  to  be  in  place.  

Enable  protec/on  (confiden/ality,  authen/city,  and  integrity)  of  individual  topics.  

Performance  impact  during  run/me  due  to  introduc/on  of  encryp/on.  Fine  grained  security  now  in  place.    

Enable  protec/on  of  RTPS-­‐level  and  Liveliness  fields  

Very  liUle  impact  to  system  performance.    

#RSAC

Upgrading  Deployed  Systems  –  Rou<ng  Service  

©2017  Real-­‐Time  Innova<ons,  Inc.      

Secure  DDS  Domain  

Non-­‐secure  DDS  Domain  

Par<cipant   Par<cipant  

Par<cipant  

Par<cipant  

Par<cipant  

Par<cipant  

Par<cipant  

Par<cipant  

Security  Demo  

#RSAC

References  •  Industrial  Internet  Reference  Architecture  

–  h\p://www.iiconsor<um.org/IIRA.htm  •  Industrial  Internet  Connec<vity  Framework  

–  h\p://www.iiconsor<um.org/IICF.htm  •  Industrial  Internet  Security  Framework  

–  h\p://www.iiconsor<um.org/IISF.htm  •  OMG  DDS  specifica<on  

–  h\p://www.omg.org/spec/DDS/1.4/PDF  •  OMG  DDS  Security  specifica<on  

–  h\p://www.omg.org/spec/DDS-­‐SECURITY/1.0/PDF  •  RTI  Technology  Whitepapers  

–  h\ps://www.r<.com/resources/whitepapers  

#RSAC

Resources  

 h\ps://www.r<.com/gexngstarted        h\p://community.r<.com      h\ps://www.r<.com/connext-­‐dds-­‐seminar-­‐sd-­‐2017    

Q&A  

Thank  you!