20 research outputs found

    Revisiting the Feasibility of Public Key Cryptography in Light of IIoT Communications

    Digital certificates are regarded as the most secure and scalable way of implementing authentication services in the Internet today. They are used by most popular security protocols, including Transport Layer Security (TLS) and Datagram Transport Layer Security (DTLS). The lifecycle management of digital certificates relies on centralized Certification Authority (CA)-based Public Key Infrastructures (PKIs). However, the implementation of PKIs and certificate lifecycle management procedures in Industrial Internet of Things (IIoT) environments presents some challenges, mainly due to the high resource consumption that they imply and the lack of trust in the centralized CAs. This paper identifies and describes the main challenges of implementing certificate-based public key cryptography in IIoT environments and surveys the alternative approaches proposed so far in the literature to address these challenges. Most proposals rely on the introduction of a Trusted Third Party to aid the IIoT devices in tasks that exceed their capacity. The proposed alternatives are complementary and their application depends on the specific challenge to solve, the application scenario, and the capacities of the involved IIoT devices. This paper revisits all these alternatives in light of industrial communication models, identifying their strengths and weaknesses, and providing an in-depth comparative analysis.
    This work was financially supported by the European Commission through the ECSEL-JU 2018 program under the COMP4DRONES project (grant agreement No. 826610), with national financing from France, Spain, Italy, Netherlands, Austria, Czech, Belgium and Latvia. It was also partially supported by the Ayudas Cervera para Centros Tecnológicos grant of the Spanish Centre for the Development of Industrial Technology (CDTI) under the project EGIDA (CER-20191012), and in part by the Department of Economic Development and Competitiveness of the Basque Government through the project TRUSTIND—Creating Trust in the Industrial Digital Transformation (KK-2020/00054).

    How to Survive Identity Management in the Industry 4.0 Era

    Industry 4.0 heavily builds on the massive deployment of Industrial Internet of Things (IIoT) devices to monitor every aspect of the manufacturing processes. Since the data gathered by these devices impact the output of critical processes, identity management and communications security are critical aspects, which commonly rely on the deployment of X.509 certificates. Nevertheless, the provisioning and management of individual certificates for a high number of IIoT devices involves important challenges. In this paper, we present a solution to improve the management of digital certificates in IIoT environments, which relies on partially delegating the certificate enrolment process to an edge server. However, in order to preserve end-to-end security, private keys are never delegated. Additionally, for the protection of the communications between the edge server and the IIoT devices, an approach based on Identity Based Cryptography is deployed. The proposed solution also considers the issuance of very short-lived certificates, which reduces the risk of using expired or compromised certificates and avoids the need to implement performance-expensive protocols such as the Online Certificate Status Protocol (OCSP). The proposed solution has been successfully tested as an efficient identity management solution for IIoT environments in a real industrial environment.
    This work was supported in part by the Spanish Ministry of Science and Innovation through the National Towards zeRo toUch nEtwork and services for beyond 5G (TRUE-5G) Project under Grant PID2019-108713RB-C53, in part by the European Commission through the Electronic Components and Systems for European Leadership-Joint Undertaking (ECSEL-JU) 2018 Program under the framework of key enabling technologies for safe and autonomous drones' applications (COMP4DRONES) Project under Grant 826610, with the national financing from France, Spain, Italy, The Netherlands, Austria, Czech, Belgium, and Latvia, in part by the Ayudas Cervera para Centros Tecnologicos Grant of the Spanish Centre for the Development of Industrial Technology (CDTI) through the Project EGIDA under Grant CER-20191012, and in part by the Basque Country Government through the Creating Trust in the Industrial Digital Transformation (TRUSTIND) ELKARTEK Program Project under Grant KK-2020/00054.

    Clustered Federated Learning Architecture for Network Anomaly Detection in Large Scale Heterogeneous IoT Networks

    There is a growing trend of cyberattacks against Internet of Things (IoT) devices; moreover, the sophistication and motivation of those attacks are increasing. The vast scale of IoT, its diverse hardware and software, and its typical placement in uncontrolled environments make traditional IT security mechanisms such as signature-based intrusion detection and prevention systems challenging to integrate. They also struggle to cope with the rapidly evolving IoT threat landscape due to long delays between the analysis and the publication of detection rules. Machine learning methods have shown a faster response to emerging threats; however, model training architectures like cloud or edge computing face multiple drawbacks in IoT settings, including network overhead and data isolation arising from the large scale and heterogeneity that characterize these networks. This work presents an architecture for training unsupervised models for network intrusion detection in large, distributed IoT and Industrial IoT (IIoT) deployments. We leverage Federated Learning (FL) to train collaboratively between peers and reduce the isolation and network overhead problems. We build upon it to include an unsupervised device clustering algorithm fully integrated into the FL pipeline to address the heterogeneity issues that arise in FL settings. The architecture is implemented and evaluated using a testbed that includes various emulated IoT/IIoT devices and attackers interacting in a complex network topology comprising 100 emulated devices, 30 switches and 10 routers. The anomaly detection models are evaluated on real attacks performed by the testbed's threat actors, including the entire Mirai malware lifecycle, an additional botnet based on the Merlin command and control server, and other red-teaming tools performing scanning activities and multiple attacks targeting the emulated devices.

    Gotham Testbed: a Reproducible IoT Testbed for Security Experiments and Dataset Generation

    The scarcity of available Internet of Things (IoT) datasets remains a limiting factor in developing machine learning based security systems. Static datasets become outdated due to the evolving IoT threat landscape. Meanwhile, the testbeds used to generate them are rarely published. This paper presents the Gotham testbed, a reproducible and flexible network security testbed, implemented as a middleware over the GNS3 emulator, that is extendable to accommodate new emulated devices, services or attackers. The testbed is used to build an IoT scenario composed of 100 emulated devices communicating via the MQTT, CoAP and RTSP protocols in a topology composed of 30 switches and 10 routers. The scenario presents three threat actors, including the entire Mirai botnet lifecycle and additional red-teaming tools performing DoS, scanning and various attacks targeting the MQTT and CoAP protocols. The generated network traffic and application logs can be used to capture datasets containing legitimate and attacking traces. We hope that researchers can leverage the testbed and adapt it to include other types of devices and state-of-the-art attacks to generate new datasets that reflect the current threat landscape and IoT protocols. The source code to reproduce the scenario is publicly accessible.

    Improving efficiency and security of IIoT communications using in-network validation of server certificate

    The use of advanced communications and smart mechanisms in industry is growing rapidly, making cybersecurity a critical aspect. Currently, most industrial communication protocols rely on the Transport Layer Security (TLS) protocol to build their secure version, providing confidentiality, integrity and authentication. In the case of UDP-based communications, frequently used in Industrial Internet of Things (IIoT) scenarios, the counterpart of TLS is Datagram Transport Layer Security (DTLS), which includes some mechanisms to deal with the high unreliability of the transport layer. However, the (D)TLS handshake is a heavy process, especially for resource-deprived IIoT devices, and security is frequently sacrificed in favour of performance. More specifically, the validation of digital certificates is an expensive process from the time and resource consumption point of view. For this reason, digital certificates are not always properly validated by IIoT devices, including the verification of their revocation status; and when it is done, it introduces an important delay in the communications. In this context, this paper presents the design and implementation of an in-network server certificate validation system that offloads this task from the constrained IIoT devices to a resource-richer network element, leveraging data plane programming (DPP). This approach enhances security as it guarantees that a comprehensive server certificate verification is always performed. Additionally, it increases performance as resource-expensive tasks are moved from IIoT devices to a resource-richer network element. Results show that the proposed solution reduces DTLS handshake times by 50–60 %. Furthermore, CPU use in IIoT devices is also reduced, resulting in an energy saving of about 40 % in such devices.
    This work was financially supported by the Spanish Ministry of Science and Innovation through the TRUE-5G project PID2019-108713RB-C54/AEI/10.13039/501100011033. It was also partially supported by the Ayudas Cervera para Centros Tecnológicos grant of the Spanish Centre for the Development of Industrial Technology (CDTI) under the project EGIDA (CER-20191012), and by the Basque Country Government under the ELKARTEK Program, project REMEDY - Real tiME control and embeddeD securitY (KK-2021/00091).

    Industrial Data Homogenization and Monitoring Scheme with Blockchain Oracles

    Research efforts on Distributed Ledger Technologies (DLTs) for industrial applications have been constantly increasing over the last years. The use of DLTs in the Industry 4.0 paradigm provides traceability, integrity, and immutability of the generated industrial data. However, Industry 4.0 ecosystems are typically composed of multiple smart factory clusters belonging to several companies, which are immersed in constant interaction with other business partners, clients, or suppliers. In such complex ecosystems, multiple DLTs are necessarily employed to maintain the integrity of the data throughout the whole process, from when the data is generated until it is processed at higher levels. Moreover, industrial data is commonly heterogeneous, which causes compatibility issues, along with security and efficiency issues in the homogenization process. Thus, the data needs to be pre-processed and homogenized in a secure manner before being exploited. Consequently, in this work, we address the issues mentioned above by providing an industrial raw data pre-processing and homogenization process according to a standard data model. We employ decentralized blockchain oracles to guarantee the integrity of the external data during the homogenization process. Hereafter, we design an interoperable plant blockchain for trustworthy storage and processing of the resulting homogenized data across several industrial plants. We also present a prototype implementation of the aforementioned scheme and discuss its effectiveness. Finally, we design a monitoring scheme to overview the usage and the performance of the architecture processes and identify possible performance and security issues.
    This work has been financed by the European Commission through the Horizon Europe program under the IDUNN project (grant agreement number 101021911). It was also partially supported by the Ayudas Cervera para Centros Tecnológicos grant of the Spanish Centre for the Development of Industrial Technology (CDTI) under the project EGIDA (CER-20191012), and by the Basque Country Government under the ELKARTEK program, project REMEDY - REal tiME control and embeddeD securitY (KK-2021/00091).

    Interoperable Semantic & Syntactic Service Matching for Ambient Computing Environments

    The inherent heterogeneity of ambient computing environments and their constant evolution require middleware platforms to manage networked components designed, developed and deployed independently. Such management must also be efficient to cater for resource-constrained devices and highly dynamic situations due to the spontaneous appearance and disappearance of networked resources. For service discovery protocols (SDP), one of the main functions of service-oriented architectures (SOA), the efficiency of matching syntactic service descriptions is most often opposed to the fullness of the semantic approach. As part of the PLASTIC middleware for ambient computing environments, we present in this paper an interoperable service matching and ranking platform, which is able to process service descriptions from both semantic and syntactic service description languages. To that end, we define a generic, modular description language able to record service functional properties, potentially extended with semantic annotations. An evaluation of the prototype implementation of our platform demonstrates that multi-protocol service matching supporting various levels of expressiveness can be achieved in ambient computing environments.

    The MegaM@Rt2 ECSEL project: MegaModelling at runtime-scalable model-based framework for continuous development and runtime validation of complex systems

    A major challenge for the European electronic components and systems (ECS) industry is to increase productivity and reduce costs while ensuring safety and quality. Model-Driven Engineering (MDE) principles have already shown valuable capabilities for the development of ECSs but still need to scale to support the real-world scenarios implied by the full deployment and use of complex electronic systems, such as Cyber-Physical Systems and real-time systems. Moreover, maintaining efficient traceability, integration and communication between fundamental stages of the development lifecycle (i.e., design time and runtime) is another challenge to the scalability of MDE tools and techniques. This paper presents “MegaModelling at runtime – Scalable model-based framework for continuous development and runtime validation of complex systems” (MegaM@Rt2), an ECSEL–JU project whose main goal is to address the above-mentioned challenges. Driven by both large and small industrial enterprises, with the support of research partners and technology providers, MegaM@Rt2 aims to deliver a framework of tools and methods for: (i) system engineering/design and continuous development, (ii) related runtime analysis, and (iii) global model and traceability management.
    This project has received funding from the Electronic Component Systems for European Leadership Joint Undertaking under grant agreement No. 737494. This Joint Undertaking receives support from the European Union’s Horizon 2020 research and innovation program and from Sweden, France, Spain, Italy, Finland & Czech Republic.

    La encuadernación artística catalana 1840-1929

    In this small study we have attempted to gather the greatest amount of exact and precise information on the workings of the named workshops that carried out professional work in Barcelona.
