Industrial Internet Security Framework v1.0 | Page 85

Security Framework
9: Protecting Communications and Connectivity
The figure below shows prominent communication and connectivity standards at different OSI layers. An in-depth discussion of connectivity assessment is provided in the ‘Industrial Internet Connectivity Reference Architecture’.
Figure 9-3: Example of IIoT core Communication & Connectivity Standards
9.1.4 CRYPTOGRAPHIC PROTECTION FOR DIFFERENT COMMUNICATIONS AND CONNECTIVITY PARADIGMS
Different information exchange patterns have different security requirements. Widely used patterns in IIoT systems include request-response pattern and publish-subscribe pattern.
The request-response pattern can be used at any layer of the stack. Protocols using this pattern include Java Remote Method Invocation (Java RMI), Web Services/SOAP, Remote Procedure Call over Data Distribution Service (RPC-over-DDS), Open Platform Communication (OPC), GlobalPlatform Secure Channel Protocol and Modbus. They vary in their support for security; for example, Modbus can’t suppress broadcast messages, doesn’t provide message checksums and lacks support for authentication and encryption.
The primary threats to the publish-subscribe communication pattern are unauthorized subscription, unauthorized publication, tampering and replay, and unauthorized access to exchanged data. Some implementations of this pattern (e.g., classic MQTT and AMQP) rely on intermediary message brokers to store and forward messages, but the message broker can then be a single point of failure. An alternative approach is a broker-free, peer-to-peer implementation such as the DDS standard.
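The following added example (not from the IISF or any of the protocols it names) shows broker-side checks that address the four publish-subscribe threats listed above: a per-client topic ACL for subscribe and publish, an HMAC over each message against tampering, and a strictly increasing per-publisher sequence number against replay. The shared keys, client names and topics are constructed for the demonstration; a real deployment would derive keys from a channel such as TLS/DTLS or a protocol-level security plugin rather than hard-code them.

```python
import hmac
import hashlib


def sign(key: bytes, client: str, topic: str, seq: int, payload: bytes) -> bytes:
    """Publisher-side MAC over publisher id, topic, sequence number and payload."""
    msg = f"{client}|{topic}|{seq}|".encode() + payload
    return hmac.new(key, msg, hashlib.sha256).digest()


class PubSubGuard:
    """Toy broker enforcing topic ACLs, message integrity and replay protection.

    acl:  client id -> {"pub": set(topics), "sub": set(topics)}  (constructed)
    keys: client id -> shared HMAC key                            (constructed)
    """

    def __init__(self, acl, keys):
        self.acl = acl
        self.keys = keys
        self.last_seq = {}      # (publisher, topic) -> highest sequence accepted
        self.subscribers = {}   # topic -> set of authorized subscribers

    def subscribe(self, client: str, topic: str) -> bool:
        # Unauthorized subscription: only clients listed for the topic may read it.
        if topic not in self.acl.get(client, {}).get("sub", set()):
            return False
        self.subscribers.setdefault(topic, set()).add(client)
        return True

    def publish(self, client: str, topic: str, seq: int, payload: bytes, tag: bytes):
        # Unauthorized publication: publisher must be listed for the topic.
        key = self.keys.get(client)
        if key is None or topic not in self.acl.get(client, {}).get("pub", set()):
            return "unauthorized"
        # Tampering: recompute the MAC and compare in constant time.
        if not hmac.compare_digest(sign(key, client, topic, seq, payload), tag):
            return "tampered"
        # Replay: the sequence number must strictly increase per (publisher, topic).
        if seq <= self.last_seq.get((client, topic), -1):
            return "replay"
        self.last_seq[(client, topic)] = seq
        # Delivery: return the authorized subscribers that would receive the message.
        return sorted(self.subscribers.get(topic, set()))


if __name__ == "__main__":
    acl = {"sensor1": {"pub": {"plant/temp"}, "sub": set()},
           "hmi": {"pub": set(), "sub": {"plant/temp"}}}
    g = PubSubGuard(acl, {"sensor1": b"k1", "hmi": b"k2"})
    g.subscribe("hmi", "plant/temp")
    t = sign(b"k1", "sensor1", "plant/temp", 1, b"21.5")
    print(g.publish("sensor1", "plant/temp", 1, b"21.5", t))   # ['hmi']
    print(g.publish("sensor1", "plant/temp", 1, b"21.5", t))   # replay
```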
IIC:PUB:G4:V1.0:PB:20160926 - 85 -