Toward a Safe and Secure Medical Internet of Things
transport level that it uses. A fundamental research question here is whether such widely used
communication protocols provide acceptable security and performance for ICE.
While transport-level security typically provides reasonable protection against external
attackers, it is not without limitations. Transport-level solutions do not provide any mechanism
for granular access control. Even though they protect the communication channel from external
eavesdropping or packet injection, they provide no access control for the individual data streams
carried within the same protected link: any party that holds the link keys can read and inject every
stream on it. Consequently, solutions based on them are vulnerable to insider attackers, as we
demonstrate in our second prototype.
Transport-level security is also not flexible enough to balance security against performance.
Every message that passes through the established secure link is encrypted and authenticated,
imposing an overhead that may be unnecessary in many use cases. For example, a risk analysis of
an ICE system might conclude that readings from a temperature sensor in a public room need not
be encrypted, only authenticated. Being able to fine-tune security measures based on risk is
especially important for resource-constrained devices and for large-scale ICE or MIoT systems
with bandwidth- or delay-sensitive applications. Further, such fine-tuning should ideally require
minimal, if any, changes to the code base, as the code may not be available for modification or
may be too costly to modify.
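The per-stream fine-tuning described above is what the DDS Security governance document is for: protection is chosen per topic, in a signed configuration file, with no change to application code. The following is an added example written for this page; it is not the original paper's, OpenICE's or RTI's configuration. It uses the element names of the published DDS Security 1.1 governance schema, which differs from the beta schema the prototype used; the domain id, the topic expressions ("RoomTemperature*", "InfusionPump*") and the schema file name are assumptions.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- Added example of a DDS Security governance document (DDS Security 1.1 schema).
     Topic names, domain id and schema location are assumed for illustration. -->
<dds xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
     xsi:noNamespaceSchemaLocation="omg_shared_ca_governance.xsd">
  <domain_access_rules>
    <domain_rule>
      <domains>
        <id>0</id>                          <!-- assumed ICE domain id -->
      </domains>
      <!-- Reject participants that fail authentication, and require a permissions
           document before a participant may join (closes the "anyone on the link" gap). -->
      <allow_unauthenticated_participants>false</allow_unauthenticated_participants>
      <enable_join_access_control>true</enable_join_access_control>
      <!-- Discovery and liveliness carry topic names and participant state; sign or
           encrypt them independently of the application data. -->
      <discovery_protection_kind>ENCRYPT</discovery_protection_kind>
      <liveliness_protection_kind>SIGN</liveliness_protection_kind>
      <!-- Whole-RTPS-message protection; NONE here so cost is decided per topic below. -->
      <rtps_protection_kind>NONE</rtps_protection_kind>

      <topic_access_rules>
        <!-- Public-room temperature: the risk analysis in the text says integrity only.
             SIGN on the submessage authenticates the reading; NONE on the payload skips
             encryption, so the sensor pays a MAC but no cipher. -->
        <topic_rule>
          <topic_expression>RoomTemperature*</topic_expression>
          <enable_discovery_protection>true</enable_discovery_protection>
          <enable_liveliness_protection>true</enable_liveliness_protection>
          <enable_read_access_control>false</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>SIGN</metadata_protection_kind>
          <data_protection_kind>NONE</data_protection_kind>
        </topic_rule>

        <!-- Infusion pump commands: confidentiality and per-topic access control.
             Read/write access control makes each participant's permissions document
             decide who may publish or subscribe, which is the granular control that a
             transport-level tunnel cannot express. -->
        <topic_rule>
          <topic_expression>InfusionPump*</topic_expression>
          <enable_discovery_protection>true</enable_discovery_protection>
          <enable_liveliness_protection>true</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>

        <!-- Default for everything else: fail closed, i.e. full protection and access control. -->
        <topic_rule>
          <topic_expression>*</topic_expression>
          <enable_discovery_protection>true</enable_discovery_protection>
          <enable_liveliness_protection>true</enable_liveliness_protection>
          <enable_read_access_control>true</enable_read_access_control>
          <enable_write_access_control>true</enable_write_access_control>
          <metadata_protection_kind>ENCRYPT</metadata_protection_kind>
          <data_protection_kind>ENCRYPT</data_protection_kind>
        </topic_rule>
      </topic_access_rules>
    </domain_rule>
  </domain_access_rules>
</dds>
```

Two points a practitioner should check before relying on such a file. First, the governance document must itself be signed by the permissions CA, otherwise an insider could simply relax it; the plugins reject an unsigned or mis-signed governance file. Second, in the built-in cryptographic plugin, SIGN is a MAC keyed with material shared among the participants authorized for that topic, so it proves that a message came from an authorized group member rather than from one specific device; if the risk analysis needs to pin a reading to a particular sensor, the 1.1 `*_WITH_ORIGIN_AUTHENTICATION` protection kinds are the setting to use, at a higher per-message cost. Rules are matched in order, so the catch-all `*` rule belongs last.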
Another limitation of widely used transport-level security solutions such as TLS and DTLS is
their lack of multicast support. Multicast has proven extremely useful for efficient and scalable
discovery and information exchange in industrial systems.
4.3 Second Prototype: OpenICE Using RTI Connext DDS Secure
In the second prototype, we integrated OpenICE with RTI's implementation of the beta version
of the DDS Security specification as the Network Controller. We also verified that the integrated
solution works with RTI Routing Service acting as an intelligent gateway connecting multiple ICE
environments. Such integration would ease adoption of ICE in fragmented hospital networks, or
where ICE systems belong to different administrative domains.
RTI Routing Service is a software solution that allows unmodified new and legacy applications
to interoperate, even if they were not originally designed to work together. It can be used to
integrate different systems or to bridge to legacy messaging and networking technologies. It is
used to form logical partitions for DDS systems across LANs or WANs, or to bridge non-DDS
systems, provided that appropriate DDS adapters are linked to it [10]. Using the Routing Service
as an intelligent gateway enables a variety of security administration use cases in ICE. One
example is segregating insecure legacy medical devices into a separate administrative domain
without disconnecting them from the secure ICE environment. This allows a different, likely
stricter, set of security policies to be applied to the legacy devices while still keeping them
connected to ICE.
June 2016