DDS Security - omg.org
Page 1: DDS Security
11/16/2017 Copyright © 2017 OMG. All rights reserved. 1
DDS Security
Nina Tucker, VP Technology, Twin Oaks Computing
March 2018
Page 2: Data Distribution Service
• DDS is a Data-Centric Communications Middleware
• Distributed Data Communications – no brokers required
• System Components are Decoupled
• Robust infrastructure for critical systems
• Scalable from edge to cloud, from bare metal to servers
[Diagram: Publisher, Subscriber, Client, Service]
Page 3: DDS Architecture and Terminology
• DomainParticipant
  • Associated with a Domain
  • Communicates with other DomainParticipants in the same Domain
  • Contains DataWriters, DataReaders, Topics
• DataWriters and DataReaders are “matched” during Discovery
  • DataWriter publishes data on a Topic
  • DataReader subscribes to a Topic
  • Each Topic has a defined Data Type
Page 4: DDS Discovery
• Automatic
  • No configuration of IP address, port numbers, servers, or brokers
  • Peers may be on the same machine or across a network
  • Simply indicate your intent to publish or subscribe, and start writing/reading
• Dynamic
  • Peers may come and go, or move at any time
  • Publishers and Subscribers may be created and deleted
  • Networks may be disconnected and reconnected
Page 5: DDS Configurability: QoS
Page 6: Cyber Threats: Real World Examples
Page 7: Example Threat Analysis
Page 8: SWARMS Case Study
[Diagram of SWARMS applications: Corrosion Prevention; Pollution Monitoring; Plume Tracking; Seabed mapping; Berm Building]
Page 9: SWARMS Case Study
• Threat Analysis
  • Takeover of unmanned and autonomous vehicles
    • Oil / gas lines
    • Military / civilian vessels
  • Unauthenticated drone infiltrating swarm
  • Release of Confidential Information
    • Information on drone mission, capability
    • Nature of items found on sea floor (weapons, e.g.)
    • Environmental data
Page 10: Example Threat Analysis
Duke Energy Emerging Technology Office
OpenFMB Cyber Security Overview
Page 11: OpenFMB Case Study
[Diagram, existing field architecture: Utility Central Office with an Enterprise Service Bus and Head Ends A, B and C, each tied to its own vendor solution over a private carrier, a public carrier, a proprietary network or a 900MHz ISM link; field nodes connected over 3G, LTE, Wi-Fi, Fiber, Ethernet, RF ISM, or PLC]
Key Observations: 1. Single-Purpose Functions 2. Proprietary & Silo’ed systems 3. Latent, Error-prone Data 4. OT/IT/Telecom Disconnected 5. No Field Interoperability!
[Diagram, OpenFMB architecture: Utility Central Office with an Enterprise Service Bus and Head Ends A, B and C sharing an Open Field Message Bus over any medium, carrying CIM, DNP3, 61850+CIM, IoT Pub/Sub, Sunspec Modbus, C12.22 or CoAP, MESA DNP3 and 61850 GOOSE]
Key Observations: 1. Multi-Purpose Functions 2. Modular & Scalable HW&SW 3. End-to-End Situational Awareness 4. OT/IT/Telecom Convergence 5. True Field Interoperability!
Page 12: OpenFMB Case Study
• Loss of power, small areas to wide scale
• Loss of life
• Safety and Security Issues
• Failure of critical infrastructure operation
• Masquerade / Takeover control applications
  • Control the Switch / Breaker / Recloser / Voltage Regulator / PCC
  • Spoof Status
  • Change Setpoints, Disable Protection
  • Drive Distributed Denial-of-Service attack (DDoS)
Page 13: Cyber Security Elements
Page 14: Identification and Authentication
• I&A: Identification & Authentication
  • Who is this participant on the network?
  • Do I trust that this participant is who it claims to be?
  • Is this participant authorized to be part of these communications?
Page 15: Access Control
• Access Control
  • Is checked after Identification & Authentication
  • Does this participant have permission to join the network?
  • Does this participant have read and/or write access on the network?
Page 16: Integrity and Confidentiality
• Integrity
  • Has the data been tampered with?
• Confidentiality
  • Hide the data, keep it secret
Page 17: DDS Security: The Basics
Page 18: DDS Security
• Secure communications solution fully integrated into the DDS architecture
• Standardized API and wire protocol for Portability and Interoperability
• Covers all aspects of secure communications, including:
  • Authentication
  • Integrity
  • Confidentiality
  • Access Control
• Plug-in model
  • Standardized
  • User defined
[Diagram: Authorized Publisher, Authorized Service and Authorized Subscriber; Unauthorized Publisher, Unauthorized Subscriber and Packet Sniffer]
Page 20: Why DDS Security
• DDS Security is still DDS
  • Decoupled, Flexible, Scalable architecture
  • Eases development of distributed systems across disparate computing platforms
  • Powerful configurability
• Scalable high-performance Security
• Topic-by-Topic configuration (not transport-level configuration)
[Diagram: Periodic Data, Control Data and Config Data under Topic Level Configuration versus Transport Level Configuration]
Page 21: Who Uses DDS Security
• Military:
  • Avionics
  • Naval
  • Unmanned Vehicles
  • Ground Stations
• Commercial:
  • IIoT Systems
  • Avionics
  • Automotive
  • Consumer Electronics
  • Energy Solutions / Smart Grid
  • Medical Devices
Page 22: DDS Security: Plug-in Architecture
• Standardized API
  • Interface between modules and DDS Security protocols
  • Modules may be Standard or Custom
  • Includes all aspects of secure communications
• Standardized modules
  • Interoperable
  • Use common crypto algorithms
[Diagram: Standardized Plugin API (Security) with Logging Plugin, Authentication Plugin, Access Control Plugin and Cryptographic Plugin]
Page 23
• Standardized Plugin Modules
  • PKI + GCM + GMAC
  • AES 256
  • ECDH Key Derivation
• Interoperable
[Diagram: Standardized Plugin API (Security) with Logging Plugin (Security Events), Authentication Plugin (PKI Crypto), Access Control Plugin (Fine grain Control, Data Tagging) and Cryptographic Plugin (GCM/GMAC AES 256, ECDH Key Derivation, Forward Secrecy)]
Page 24: DDS Security: Configurability
• Apply security policies
  • Integrity / Encryption / Access Controls
• With fine grained controls
  • Individual Topics
  • Application Data, Discovery Data, Liveliness Data
Periodic Data: Discovery Open, Data Integrity
Control Data: Discovery Open, Data Encrypted
Config Data: Discovery Encrypted, Data Encrypted
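The three Topic policies on this slide are exactly what a DDS Security domain governance document expresses. The file below is an added example, not part of the presentation and not a vendor's shipped configuration; it uses the element names and protection-kind values of the OMG DDS Security 1.1 governance schema, while domain id 0 and the topic names PeriodicData, ControlData and ConfigData are assumed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example governance document (not from the presentation).
     Element names follow the OMG DDS Security 1.1 governance schema;
     domain id 0 and the three topic names are assumptions. -->
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_governance.xsd">
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id>0</id>
      </domains>
      <!-- Participants must authenticate, and must hold permission to join the domain -->
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>true</enable_join_access_control>
      <!-- Protection applied to discovery and liveliness traffic, but only for
           Topics whose rule below opts in with enable_*_protection = true -->
      <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
      <liveliness_protection_kind>ENCRYPT</liveliness_protection_kind>
      <!-- Every RTPS message from a participant carries a MAC: wire-level integrity for the whole domain -->
      <rtps_protection_kind>SIGN</rtps_protection_kind>
      <topic_access_rules>
        <!-- Periodic Data: Discovery Open, Data Integrity -->
        <topic_rule>
          <topic_expression>PeriodicData</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>SIGN</metadata_protection_kind>
          <data_protection_kind>SIGN</data_protection_kind>
        </topic_rule>
        <!-- Control Data: Discovery Open, Data Encrypted -->
        <topic_rule>
          <topic_expression>ControlData</topic_expression>
          <enable_discovery_protection>false</enable_discovery_protection>
          <enable_liveliness_protection>false</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
        <!-- Config Data: Discovery Encrypted, Data Encrypted -->
        <topic_rule>
          <topic_expression>ConfigData</topic_expression>
          <enable_discovery_protection>true</enable_discovery_protection>
          <enable_liveliness_protection>true</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```

With the standardized Cryptographic plugin, a protection kind of SIGN yields an AES-GMAC tag (integrity only, as the slide's "Data Integrity"), and ENCRYPT yields AES-GCM (confidentiality plus integrity). The domain-level discovery_protection_kind is inert for a Topic until its topic_rule sets enable_discovery_protection to true, which is why PeriodicData and ControlData still discover in the open while ConfigData does not. The governance document is signed by the Permissions CA and every participant in the domain must load the same one, otherwise the participants' protection settings disagree and they will not match.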
Page 25: DDS Security Components
[Diagram: Identity Certificate Authority (CA) issuing an Identity to the Secure Publisher and the Secure Subscriber; Permissions Certificate Authority (CA) signing the Domain Governance and each participant's Permissions]
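The Permissions component in this diagram answers the three Access Control questions from the earlier slide (may this participant join, read, write). The permissions document below is an added example, not taken from the presentation; it uses the element names of the OMG DDS Security 1.1 permissions schema, and the grant name, subject name, validity window, domain id and topic names are assumed for illustration.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example permissions document (not from the presentation).
     Element names follow the OMG DDS Security 1.1 permissions schema; the grant name,
     subject name, validity window, domain id and topic names are assumptions. -->
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="http://www.omg.org/spec/DDS-SECURITY/20170901/omg_shared_ca_permissions.xsd">
  <permissions>
    <grant name="SensorNodeGrant">
      <!-- Binds this grant to one identity: must equal the subject of the
           participant's Identity certificate issued by the Identity CA -->
      <subject_name>CN=sensor-node-01,O=Example Org</subject_name>
      <validity>
        <not_before>2018-03-01T00:00:00</not_before>
        <not_after>2019-03-01T00:00:00</not_after>
      </validity>
      <!-- Join permission: the participant may be part of domain 0 -->
      <allow_rule>
        <domains>
          <id>0</id>
        </domains>
        <!-- Write access: may publish PeriodicData only -->
        <publish>
          <topics>
            <topic>PeriodicData</topic>
          </topics>
        </publish>
        <!-- Read access: may subscribe to PeriodicData and ControlData, never ConfigData -->
        <subscribe>
          <topics>
            <topic>PeriodicData</topic>
            <topic>ControlData</topic>
          </topics>
        </subscribe>
      </allow_rule>
      <!-- Anything not explicitly allowed above is denied -->
      <default>DENY</default>
    </grant>
  </permissions>
</dds>
```

The order of checks matches the slides: the Authentication plugin first validates the remote participant's Identity certificate against the Identity CA, then the Access Control plugin validates the signature on this document against the Permissions CA, confirms that subject_name equals the authenticated certificate subject and that the current time lies inside validity, and only then evaluates the allow_rule for join, publish and subscribe. Because the grant ends with default DENY, a DataWriter on ConfigData from this participant is refused at match time, and a remote participant sees the refusal as a failed match rather than an error it can act on.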
Page 26: DDS Security Live Demonstration
Page 27: DDS Security Overview
• Covers all Aspects of secure communications
  • Authentication
  • Access Control
  • Integrity
  • Confidentiality
• Full Configuration Flexibility on a Topic-by-Topic basis
• State-of-the-art Security Technologies
  • PKI Crypto
  • GCM/GMAC, AES
  • Forward Secrecy
• Maintains key benefits of DDS:
  • Distributed Data Communications – no brokers required
  • System Components are Decoupled
  • Robust infrastructure for critical systems
  • Scalable from edge to cloud, from bare metal to servers
[Diagram: Authorized Publisher and Authorized Subscribers; Unauthorized Publisher, Unauthorized Subscriber, a participant that is an Authorized Subscriber but Unauthorized Publisher, and an Unauthorized Packet Sniffer]