The Inside Story: Leveraging the IIC's Industrial Internet Security Framework
1. Introduction to the Industrial Internet Security Framework
Stan Schneider, Ph.D., RTI CEO, IIC Steering Committee
Hamed Soroush, Ph.D., RTI Senior Research Security Engineer, IIC Security WG Co-Chair
2. ©2016 Real-Time Innovations, Inc. Permission to distribute granted.
The smart machine era will be the most disruptive in the history of IT
-- Gartner
3. The IIoT Disruption
The real value is a common architecture that connects sensor to cloud, interoperates between vendors, and spans industries.
“You don’t compete against competitors. You compete against market transitions.”
– John Chambers
4. Safe & Secure Apps in the IIoT
• RTI experience 1000+ projects
• Safety and Security critical to most
• Requirements surprisingly similar across industries
5. Security is not a change driver
Security is a change gate
IIoT is the change driver
7. Change Gate: DER Grid will be Secure
• The OpenFMB (Open Field Message Bus) architecture integrates distributed energy resources (DER) such as solar, wind, and storage into the grid
• Dozens of vendors, several utilities, and standards organizations are building devices, user interfaces, and analytics
• OpenFMB uses DDS for secure communications
8. Change Driver: Mistakes Kill
Hospital error is the 3rd leading cause of death in the US
9. Change Gate: New IIoT Architecture is Secure
“GE Healthcare is leveraging the GE Digital Predix architecture to connect medical devices, cloud-based analytics, and mobile and wearable instruments. The future communication fabric of its monitoring technology is based on RTI's data-centric Connext DDS platform.”
-- Matt Grubis, Chief Engineer, GE Healthcare's Life Care Solutions
http://www.rti.com/mk/webinars.html#GEHEALTHCARE
10. Change Driver: Getting There is Dangerous and Slow
11. Change Gate: Why Drive?
• Autonomous cars (“carbots”)
– Safer, faster, easier
– Change everything
• 30% of all jobs will end or change
• Distributed carbot/city infrastructure will be secure
12. Change is Not Easy
[Diagram: autonomous vehicle software architecture. Components: Sensing (Cameras, LIDAR, Radar), Vision Fusion, Data Fusion, Localization, Situation Awareness, Situation Analysis, Planning, Navigation, Vehicle Control, Error Management, Logging, Visualization, Traffic Maps and Cloud Services, connected over a DDS Databus and a DDS Secure Databus.]
Cars now Compete on Software
13. The Real Disruption: Culture
“If you went to bed last night as an industrial company, you’re going to wake up this morning as a software and analytics company”
-- Jeff Immelt, GE CEO
14. The Future of Secure, Distributed Software
“If you went to bed last night as a software and analytics company, you’re going to wake up this morning as a networking and security company”
-- Stan Schneider
15. The IISF
• Major contribution
• The only broad, industry-wide voice on IIoT security
• First of 3 releases from IIC in the next few months!
• Challenge: make it practical
16. IISF Table of Contents
• Introduction
– Overview
– Motivation
– Key System Characteristics for Enabling Trustworthiness
– Distinguishing Aspects of Securing the IIoT
17. IISF Table of Contents (cont.)
• Business Viewpoint
– Managing Risk
– Permeation of Trust in the IIoT System Lifecycle
18. IISF Table of Contents (cont.)
• Functional & Implementation Viewpoints
– Functional Viewpoint
– Protecting Endpoints
– Protecting Communications & Connectivity
– Security Monitoring & Analysis
– Security Configuration & Management
• Looking Ahead: The Future of the IIoT
28. Connectivity Standards & Security
• Requirements for Core Connectivity Technology:
– Be an open standard with strong independent, international governance, such as IEEE, IETF, OASIS, OMG, or W3C
– Be horizontal and neutral in its applicability across industries
– Be applicable, stable, and proven across multiple industries
– Have standard-defined gateways to all other connectivity standards
29. Building Blocks for Protecting Exchanged Content
• Explicit Endpoint Communication Policies
• Cryptographically Strong Mutual Authentication Between Endpoints
• Authorization Mechanism for Enforcing Access Control Rules from Policy
• Cryptographically Backed Mechanisms for Ensuring Confidentiality, Integrity, and Freshness of Exchanged Information
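The last building block bundles three distinct properties, and "freshness" is the one most often left out. The example below is added here to show what integrity plus freshness look like at the message level; it is not code from the IISF, RTI or the DDS Security protocol (which uses its own cryptographic plugins). It assumes a symmetric session key already established by the mutual-authentication step, binds a per-sender sequence number into an HMAC-SHA256 tag, and has the receiver reject any frame whose tag fails or whose sequence number does not advance. Confidentiality is deliberately left out so the block runs on the Python standard library; in practice the same framing would be wrapped in an AEAD cipher.

```python
import hashlib
import hmac
import struct

# Assumption (constructed for the example): a 32-byte key shared by exactly two
# endpoints, established earlier by a mutually authenticated handshake.
SESSION_KEY = hashlib.sha256(b"example session key - not a real secret").digest()
TAG_LEN = 32


def protect(key: bytes, sender: str, seq: int, topic: str, payload: bytes) -> bytes:
    """Build a frame: seq(8) | len(1) sender | len(1) topic | payload | HMAC-SHA256 tag.

    The tag is computed over every preceding field, so the sender, the sequence
    number, the topic and the payload are integrity-protected and bound together:
    a valid tag cannot be moved onto a different topic or a different counter.
    """
    s, t = sender.encode(), topic.encode()
    if len(s) > 255 or len(t) > 255:
        raise ValueError("sender/topic too long")
    body = struct.pack(">QB", seq, len(s)) + s + struct.pack(">B", len(t)) + t + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return body + tag


class Receiver:
    """Verifies integrity first, then enforces freshness per sender."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = {}  # sender -> highest sequence number accepted so far

    def accept(self, frame: bytes):
        """Return (status, data); status is 'ok', 'bad_tag', 'replay' or 'malformed'."""
        if len(frame) < TAG_LEN + 10:  # 8-byte seq + two length bytes + tag
            return "malformed", None
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        # Authenticate before parsing: never interpret bytes that failed the MAC.
        expected = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "bad_tag", None
        seq, slen = struct.unpack(">QB", body[:9])
        sender = body[9:9 + slen].decode()
        tlen = body[9 + slen]
        topic = body[10 + slen:10 + slen + tlen].decode()
        payload = body[10 + slen + tlen:]
        # Freshness: the counter must exceed the last one accepted from this
        # sender, so a frame captured on the wire cannot be replayed later.
        if seq <= self.last_seq.get(sender, -1):
            return "replay", None
        self.last_seq[sender] = seq
        return "ok", (sender, topic, payload)


def demo() -> list:
    """Constructed scenario: deliver, replay, tamper, then deliver the next frame."""
    rx = Receiver(SESSION_KEY)
    fresh = protect(SESSION_KEY, "PMU", 1, "State", b"V=1.02pu")
    results = [rx.accept(fresh)[0]]                    # fresh frame: ok
    results.append(rx.accept(fresh)[0])                # same frame again: replay
    tampered = bytearray(fresh)
    tampered[-TAG_LEN - 1] ^= 0x01                     # flip one payload bit
    results.append(rx.accept(bytes(tampered))[0])      # bad_tag
    results.append(rx.accept(protect(SESSION_KEY, "PMU", 2, "State", b"V=1.01pu"))[0])
    return results


if __name__ == "__main__":
    print(demo())
```

The strictly increasing counter is the simplest freshness rule and it rejects legitimate out-of-order delivery; transports that tolerate reordering use a sliding replay window instead, but the principle is the same: the counter is inside the authenticated data, and the check happens only after the tag verifies.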
33. Information Flow Protection
• Network Segmentation
• Gateways & Filtering
– Layer 2, Layer 3/4, Application/Middleware, Message rewriting, Proxies, Server Replication
• Network Firewalls
• Unidirectional Gateways
• Network Access Control
38. Practical Security Needs Many Layers
• System edge
• Host
– Machine/OS/Applications/Files
• Network transport
– Media access (layer 2)
– Network (layer 3)
– Session/Endpoint (layer 4/5)
• Dataflow
– Control application interaction
Secure systems need all four
39. Systems are About the Data
Data Centricity Definition
a) The interface is the data.
b) The infrastructure understands that data.
c) The system manages the data and imposes rules on how applications exchange data.
[Diagram: a Database provides data-centric storage and search of old data; a Databus provides data-centric sharing and filtering of future data. Both contrast with message-centric designs (remote objects, SOAs) in which applications exchange messages directly.]
40. Practical Security Must Match Architecture
• DDS Databus controls dataflow
• DDS Security secures dataflow
– Control r,w access to each data item for each function
• Complete Protection
– Discovery authentication
– Data-centric access control
– Cryptography
– Tagging & logging
– Non-repudiation
– Secure multicast
• No API. No code changes.
• Plugin architecture for advanced uses
[Diagram: four functions (PMU, CBM Analysis, Control, Operator) sharing three topics (State, Alarms, SetPoint) over the databus.]
Topic Security model:
• PMU: State(w)
• CBM: State(r); Alarms(w)
• Control: State(r), SetPoint(w)
• Operator: *(r), SetPoint(w)
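The topic security model above is compact, but the thing a practitioner actually deploys is a permissions document that the middleware enforces. The following example is added here and is not RTI's or OMG's code: it encodes the slide's four functions and three topics as a default-deny policy, answers read/write questions against it, and renders each function's rights as a `<grant>` in the element structure of the OMG DDS Security permissions document. The subject names, validity window and domain id are assumptions; the wildcard in "Operator: *(r)" is expanded against the known topic list so the grant names exactly the topics it needs.

```python
import xml.etree.ElementTree as ET

# The topic security model from the slide: function -> {topic: rights}.
# "*" stands for every topic; "r" is subscribe (read), "w" is publish (write).
TOPICS = ["State", "Alarms", "SetPoint"]
POLICY = {
    "PMU":      {"State": {"w"}},
    "CBM":      {"State": {"r"}, "Alarms": {"w"}},
    "Control":  {"State": {"r"}, "SetPoint": {"w"}},
    "Operator": {"*": {"r"}, "SetPoint": {"w"}},
}


def rights(function: str, topic: str) -> set:
    """Rights a function holds on a topic: explicit grants plus wildcard grants."""
    grants = POLICY.get(function, {})
    return set(grants.get(topic, ())) | set(grants.get("*", ()))


def is_allowed(function: str, topic: str, action: str) -> bool:
    """Default deny: a function may only do what the model grants it."""
    return action in rights(function, topic)


def permissions_grant(function: str, subject_name: str, domain_id: int = 0) -> ET.Element:
    """Render one function's rights as a <grant> of a DDS Security permissions document.

    Element names follow the OMG DDS Security permissions schema. The subject name
    (which has to equal the subject of the function's identity certificate), the
    validity window and the domain id are assumptions made for this example.
    """
    grant = ET.Element("grant", name=f"{function}Permissions")
    ET.SubElement(grant, "subject_name").text = subject_name
    validity = ET.SubElement(grant, "validity")
    ET.SubElement(validity, "not_before").text = "2016-01-01T00:00:00"
    ET.SubElement(validity, "not_after").text = "2026-01-01T00:00:00"
    rule = ET.SubElement(grant, "allow_rule")
    ET.SubElement(ET.SubElement(rule, "domains"), "id").text = str(domain_id)
    # Expand the wildcard against the known topic list so the grant lists only
    # the topics this function actually needs rather than a pattern.
    for action, element in (("w", "publish"), ("r", "subscribe")):
        allowed = [t for t in TOPICS if is_allowed(function, t, action)]
        if allowed:
            topics = ET.SubElement(ET.SubElement(rule, element), "topics")
            for t in allowed:
                ET.SubElement(topics, "topic").text = t
    # Anything not matched by an allow_rule is refused.
    ET.SubElement(grant, "default").text = "DENY"
    return grant


def to_xml(element: ET.Element) -> str:
    return ET.tostring(element, encoding="unicode")


def permissions_document(subjects: dict) -> str:
    """One grant per function inside the <dds><permissions> envelope, serialised."""
    dds = ET.Element("dds")
    perms = ET.SubElement(dds, "permissions")
    for function, subject_name in subjects.items():
        perms.append(permissions_grant(function, subject_name))
    return to_xml(dds)


if __name__ == "__main__":
    print(permissions_document({f: f"CN={f},O=Example Utility" for f in POLICY}))
```

Two checks matter before this is deployable: the document only takes effect once it is signed by the Permissions CA that every participant trusts, and it only restricts topics that the companion Governance document marks as protected; an unsigned file, or a topic left unprotected in Governance, silently gives you less than the policy on the slide promises.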
43. IIC Testbeds!
• IIC has by far the industry’s most comprehensive testbed program
• Key goals
- Ensure practical guidance
- Make impact
- Span the industry
©2016 OMG. Permission to distribute granted.
44. Security Claims Evaluation Testbed
• IIC Sponsor Companies
- Xilinx
- Underwriters Laboratories (UL)
- Aicas
• Collaborating Companies
- Algotronix, EYETech, iVeia, JUXT, PFP Cybersecurity, RTI, SOC-e
[Diagram: testbed endpoint running a DDS stack.]
45.
The smart machine era will be the most disruptive in the history of IT
-- Gartner
But only if it’s secure!
46. Audience Q & A
Dr. Stan Schneider, Chief Executive Officer, RTI
Hamed Soroush, Senior Research Security Engineer, RTI
47. Thanks for joining us
Event archive available at:
http://ecast.opensystemsmedia.com/
E-mail us at: jgilmore@opensystemsmedia.com