Thanks to the Internet of Things, the era of building distributed big data industrial applications has dawned. Power companies are working hard to build the smart grid by melding IT technology with electricity services. Oil companies are integrating their machinery into digital oil fields. Photovoltaic technology is being developed as a consumer product, with centralised solar farms and distributed residential solar stations integrated into the smart grid. Urban environments are deploying monitoring systems for public security and accountability, while intelligent transportation systems are preparing for a future where cars drive themselves, and those that don't are advised by traffic systems that communicate instructions relevant to one's location and destination, to reduce or eliminate bottlenecks and jams.
Yet each of these future systems faces one significant challenge: data security, not just for user-space input/output, but for the integrity of the low-level platform as well, including the boot loader and BIOS. Moreover, unlike IT environments, where AAA services (authentication, authorisation, and accounting) are served from machines located behind a substantial physical security layer, in these industrial cloud deployments the computers and networking devices must be located in public and commercial spaces, or in private residences: places where the actual owners of the devices (say, the electricity company) have no real control over who can touch them. Physical access to the device itself therefore becomes an attractive attack vector, and it is the one layer that traditional IT security has largely not had to address.
Enhancing conventional wireless security
At the same time, there remain the conventional challenges of securing data across the open Internet, and over local wireless links like 3G cellular or Wi-Fi. Electrical smart meters must not be corruptible by simple home hacks. ITS systems must not be vulnerable to wireless DoS or man-in-the-middle attacks. Residential and public data must maintain appropriate standards of confidentiality, and must not be open to unauthorised manipulation. As data travels from remote edge devices like traffic monitors, smart meters, and mobile devices, it will often first pass through wireless gateways and then be forwarded over the open Internet. Fortunately, mature IT solutions already cover these links well: WPA2 encryption on the wireless hop, backbone communications over encrypted virtual private networks (VPNs), and strict packet filtering backed by fully implemented AAA. Before exploring how to integrate data security into the device's physical layers, let's first examine how packet filtering and VPNs work together to build highly secure networks.
Packet filtering and firewalls
Packet filtering and firewalls are a relatively simple consideration. Essentially, network engineers must start from a default-deny policy on every interface of a client, and restrict communications between it and the server to only those peers, protocols and ports which are absolutely necessary. Some features are a requirement today: stateful filtering is a must for most cloud applications, and application-aware inspection is needed for protocols that open secondary connections. Fortunately, there are very powerful tools freely available to help implement these technologies. The Linux-based Netfilter/iptables framework is a stateful firewall (through its connection-tracking subsystem, with protocol helpers for applications such as FTP) and is among the most widely deployed packet filters on the Internet. Netfilter's modular design, flexible configuration options, and scalability allow for practically limitless deployment and feature expansion. The drawback to using Netfilter/iptables is the hard work of designing multiple layers of packet filtering over a widely distributed computing architecture. Widely distributed networks like those found in the industrial cloud will require multiple layers of overlapping security zones, and while Netfilter fulfils its role as the packet filter well, the task of designing a highly secure filtering layer into a network composed of thousands of devices will require a lot of time-consuming and minutely detailed design and testing, and the resulting rulesets must be version-controlled and tested before mass deployment.
Firewalls strive to keep unauthorised intruders and services from gaining network access. In contrast, a virtual private network, or VPN, strives to keep communications across the open Internet a private affair, giving remote clients access to a private network by wrapping all communications between the two sides in an encrypted and integrity-protected stream managed by a dedicated VPN gateway. IPsec is currently the most widely used VPN protocol suite. It is not a single algorithm but a framework: IKE authenticates the peers (and can defer to a AAA back end) and negotiates the ciphers, while ESP encrypts and authenticates each packet. By using a proven VPN suite, network engineers may configure a remote device to connect to a server using either IPsec or TLS, making it very difficult for malicious attackers to intercept or interfere with the data stream.
The basics of VPN tunnelling
On a VPN's server side, credentials are provisioned to allow remote clients to identify themselves and connect to the central network: either pre-shared keys or, preferably, per-device private keys with certificates. Each client's private key never travels over the wire; the server uses the corresponding public key or shared secret not only to authenticate the device when it connects, but also to verify the integrity of every packet received from it, rejecting anything that has been altered or replayed. Around this sit the three AAA functions that make a VPN so powerful: authentication (verifying that the device and its data stream are what they claim to be), authorisation (determining what, if anything, the client may do on the network), and accounting (logging when each client connected and how much traffic it sent and received). When clients are configured with strong (256 bit) keys, brute-forcing a VPN data stream is infeasible; in practice VPNs are broken through weak credentials, flawed implementations or mismanaged keys, not the cipher, so key provisioning and revocation deserve as much design attention as the cipher suite. Additionally, VPNs may be easily integrated with RADIUS or Diameter servers, which provide powerful accounting protocols that log and report on resource usage by remote clients, very useful for around-the-clock services like utilities or ITS.
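The per-packet integrity check and replay detection described above are the part of a VPN that keeps a tampered or re-sent packet from ever being accepted. The following is an added example, not code from the article or from any VPN product: it models what IPsec ESP does with its integrity check value and its sliding anti-replay window, using HMAC-SHA256 over (sequence number || payload) and a 64-packet window. The key, the meter-reading payloads and the `Receiver` class are constructed for illustration.

```python
"""ESP-style packet integrity and anti-replay, modelled in plain Python.

Added example (not from the article). Assumptions: a 32-bit sequence number,
HMAC-SHA256 as the integrity check, and a 64-packet sliding window as
described for ESP in RFC 4303. Encryption is omitted to keep the focus on
integrity and replay handling.
"""
import hashlib
import hmac
import struct

WINDOW = 64          # size of the anti-replay window, in packets
TAG_LEN = 32         # HMAC-SHA256 output length
HDR_LEN = 4          # big-endian 32-bit sequence number


def protect(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: prepend the sequence number and append the integrity tag."""
    hdr = struct.pack(">I", seq)
    tag = hmac.new(key, hdr + payload, hashlib.sha256).digest()
    return hdr + payload + tag


class Receiver:
    """Receiver side: verify the tag first, then apply the replay window."""

    def __init__(self, key: bytes):
        self.key = key
        self.highest = 0    # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => packet (highest - i) already seen

    def _replay_check(self, seq: int) -> bool:
        if seq == 0:                        # ESP never uses sequence number 0
            return False
        if seq > self.highest:              # new high-water mark: slide window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << WINDOW) - 1)
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= WINDOW:                  # older than the window: drop
            return False
        if (self.bitmap >> diff) & 1:       # already seen: replay
            return False
        self.bitmap |= 1 << diff            # late but genuine: accept once
        return True

    def accept(self, pkt: bytes):
        """Return the payload if the packet is authentic and fresh, else None."""
        if len(pkt) < HDR_LEN + TAG_LEN:
            return None
        hdr, body, tag = pkt[:HDR_LEN], pkt[HDR_LEN:-TAG_LEN], pkt[-TAG_LEN:]
        expected = hmac.new(self.key, hdr + body, hashlib.sha256).digest()
        # Verify integrity before touching the window, so a forged sequence
        # number cannot advance the window and starve genuine packets.
        if not hmac.compare_digest(expected, tag):
            return None
        seq = struct.unpack(">I", hdr)[0]
        if not self._replay_check(seq):
            return None
        return body


def demo():
    """Constructed traffic: genuine, tampered, replayed, out-of-order, forged."""
    key = b"\x07" * 32                       # constructed tunnel key
    rx = Receiver(key)
    p1 = protect(key, 1, b"meter reading 1")
    p2 = protect(key, 2, b"meter reading 2")
    p5 = protect(key, 5, b"meter reading 5")
    p3 = protect(key, 3, b"meter reading 3")
    tampered = bytearray(p2)
    tampered[HDR_LEN + 2] ^= 0x01            # flip one bit of the payload
    forged = protect(b"\x08" * 32, 6, b"open relay")   # wrong key
    return (
        rx.accept(p1),                # genuine        -> payload
        rx.accept(bytes(tampered)),   # tampered       -> None
        rx.accept(p2),                # genuine        -> payload
        rx.accept(p1),                # replay         -> None
        rx.accept(p5),                # out of order   -> payload
        rx.accept(p3),                # late, unseen   -> payload
        rx.accept(p3),                # replayed late  -> None
        rx.accept(forged),            # wrong key      -> None
    )


if __name__ == "__main__":
    print(demo())
```

Checking the tag before consulting the window is deliberate: if the order were reversed, anyone on the path could send a packet with a huge sequence number and an invalid tag, and a naive receiver would slide its window forward and discard the sender's legitimate traffic.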
While VPNs provide some very useful security and accounting features, their deployment does demand a bit more planning and care, and can affect your final network design. For instance, the reliability of a VPN is dependent upon the quality of the connection maintained by the service provider. If high reliability is a requirement, network engineers will need to work closely with the ISP to guarantee the quality of the network connections or else compensate by designing the network using distributed redundancies over shorter segments. Similarly, to guarantee future scalability, care must be taken to either use established open standards – which may be freely expanded as needed – or be at peace with the idea that future expansions may require expensive proprietary alternatives that cannot be easily integrated with the original system.
The power of trusted platform computing
While VPNs and packet filtering are a necessary part of any industrial cloud deployment, these elements only satisfy part of the requirements. As described above, industrial computing platforms that are deployed into commercial, residential, or public areas require strong guarantees for the physical security of the edge devices. Fortunately, there exists a powerful, currently under-utilised tool that fulfils just this need: the Trusted Platform Module, or TPM.
For those who aren't familiar with it, the TPM was developed by a consortium of IT corporations called the Trusted Computing Group (TCG), whose specification was subsequently published through ISO and IEC as the ISO/IEC 11889 standard, establishing a means of building computing platforms that provide strong cryptographic and integrity guarantees for large enterprise networks where every computing station must be secured against tampering. First composed of a core group of industry giants including AMD, Cisco, Hewlett-Packard, IBM, Intel, Microsoft, and Wave Systems Corp, today the TCG continues to evolve with input from over 105 participating members, most of them enterprise IT manufacturers. Consequently, the TPM has typically been associated with the IT industry, not least because until recent years there has never been much need for encrypting data on industrial networks. Where enterprise networks were responsible for storing and manipulating sensitive, strategic business data that could be exploited by hostile competitors, industrial automation (IA) networks were responsible solely for localised input/output, monitoring processes, and remote control. Yet in today's era of distributed big-data industrial systems, this is changing: the types and amounts of information available on industrial systems present a very real security risk for everyone, both individually and as a society. Data encryption is today as necessary in industrial networks as it is in IT networks.
While already quite common on enterprise IT hardware, the TPM has rarely been applied to embedded RISC computers. Bringing these two together gives system integrators and industrial engineers a powerful new tool in their security arsenal. The virtue of the TPM is that it defines a hardware standard for a discrete chip that holds a unique endorsement key, created or injected at manufacture, which never leaves the chip. From that root each platform can derive further non-exportable keys, so every computing platform or networking device gains a device-bound identity and strong encryption for its software and data. Because the keys are unique to each device and the chip measures the firmware, boot loader, kernel and configuration as the platform starts, it becomes possible to build computing platforms that detect any alteration of the boot chain or of measured configuration before secrets are released, and to have the platform software respond by refusing to connect, withholding its keys, or shutting the device down.
To get an idea of how the TPM can work, imagine the VPN situation described above. When a client requests access to a VPN, the server responds with a handshake based on asymmetric cryptography, so the private keys on each side are never sent over the wire. Using this process, the VPN server and the client exchange messages that authenticate the client and allow the server to authorise access to the remote network, all without ever exposing the private keys used to confirm the login. What the TPM adds is a key hierarchy that is unique to each individual device and cannot be extracted from the chip. The device uses this hierarchy to generate further keys and to vouch for the state of its own software. For instance, to verify that a read-only operating system has not changed, each stage of the boot chain hashes the next stage (firmware, boot loader, kernel, root filesystem image) and extends the result into a platform configuration register (PCR) inside the TPM. Extending replaces the register with a hash of its old value concatenated with the new measurement, so a PCR can only be reset by a reboot, never written to a chosen value, and the final value depends on every component in the chain and the order in which they ran. Secrets such as disk or VPN keys are then sealed to the expected PCR values and released only when the live measurements match; the TPM can also sign (quote) the PCR values with an attestation key so that a remote server can check the device's boot state before admitting it. The same method covers the BIOS or UEFI firmware, option ROMs and boot configuration. It does not inspect silicon directly, but any chipset or peripheral whose firmware or configuration is included in the measured chain will show up as a changed register if it is altered.
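The PCR extend and sealing mechanism just described is easiest to see as arithmetic. The following is an added example written for this article, not code from the article, from Moxa, or from a TPM library: it models a SHA-256 PCR bank, measures a constructed boot chain, seals a VPN key to the resulting PCR value, and shows that a modified root filesystem image (or a reordered chain) prevents the key from being unsealed. The component strings, the `TPM_ROOT_KEY` stand-in and the `seal`/`unseal` construction are illustrative assumptions; a real TPM performs the equivalent operations inside the chip.

```python
"""Measured boot, PCR extend and sealing, modelled in plain Python.

Added example (not from the article). Assumptions: a SHA-256 PCR bank,
a hypothetical four-stage boot chain, and a sealing construction built from
HMAC-SHA256 that stands in for the TPM's internal key hierarchy. Nothing
here talks to a real TPM; it shows the arithmetic the chip performs.
"""
import hashlib
import hmac

PCR_SIZE = hashlib.sha256().digest_size


def measure(component: bytes) -> bytes:
    """Hash of a boot component, as the previous stage computes it."""
    return hashlib.sha256(component).digest()


def pcr_extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM2_PCR_Extend: PCR_new = H(PCR_old || measurement).

    The register is never written directly, only extended, so its final
    value commits to every measurement and to their order.
    """
    return hashlib.sha256(pcr + measurement).digest()


def boot_measurements(chain) -> bytes:
    """Extend an all-zero PCR with each component of the boot chain in turn."""
    pcr = bytes(PCR_SIZE)
    for blob in chain:
        pcr = pcr_extend(pcr, measure(blob))
    return pcr


def _seal_key(root_key: bytes, pcr: bytes) -> bytes:
    # Derive a per-PCR-state key; in a real TPM root_key never leaves the chip.
    return hmac.new(root_key, b"seal" + pcr, hashlib.sha256).digest()


def seal(secret: bytes, expected_pcr: bytes, root_key: bytes) -> dict:
    """Bind a secret (up to 32 bytes) to a PCR value."""
    assert len(secret) <= PCR_SIZE, "model supports secrets up to 32 bytes"
    k = _seal_key(root_key, expected_pcr)
    stream = hashlib.sha256(k + b"stream").digest()
    ct = bytes(a ^ b for a, b in zip(secret, stream))
    tag = hmac.new(k, ct, hashlib.sha256).digest()
    return {"ct": ct, "tag": tag}


def unseal(blob: dict, live_pcr: bytes, root_key: bytes):
    """Release the secret only if the live PCR matches the sealing PCR."""
    k = _seal_key(root_key, live_pcr)
    expected_tag = hmac.new(k, blob["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected_tag, blob["tag"]):
        return None                       # PCR mismatch: secret stays sealed
    stream = hashlib.sha256(k + b"stream").digest()
    return bytes(a ^ b for a, b in zip(blob["ct"], stream))


# Constructed stand-ins for the firmware, boot loader, kernel and read-only
# root filesystem image of an edge device (strings, not real binaries).
GOOD_CHAIN = [
    b"UEFI firmware v1.2",
    b"bootloader 2.06",
    b"kernel 5.10 signed",
    b"rootfs.squashfs build 42",
]
TAMPERED_CHAIN = GOOD_CHAIN[:3] + [b"rootfs.squashfs build 42 + backdoor"]
REORDERED_CHAIN = [GOOD_CHAIN[1], GOOD_CHAIN[0]] + GOOD_CHAIN[2:]

TPM_ROOT_KEY = b"\x11" * 32   # stand-in for a key that never leaves the TPM
VPN_KEY = b"\x42" * 32        # secret to be released only after a good boot


def provision():
    """At provisioning time: record the golden PCR and seal the VPN key to it."""
    golden = boot_measurements(GOOD_CHAIN)
    return golden, seal(VPN_KEY, golden, TPM_ROOT_KEY)


def boot_and_unseal(chain, blob):
    """At boot time: measure the chain actually present, then try to unseal."""
    return unseal(blob, boot_measurements(chain), TPM_ROOT_KEY)


def demo():
    """Returns whether a good boot releases the key and tampered boots do not."""
    _golden, blob = provision()
    good = boot_and_unseal(GOOD_CHAIN, blob) == VPN_KEY
    tampered_blocked = boot_and_unseal(TAMPERED_CHAIN, blob) is None
    reordered_blocked = boot_and_unseal(REORDERED_CHAIN, blob) is None
    return good, tampered_blocked, reordered_blocked


if __name__ == "__main__":
    print(demo())
```

Two practical points follow from the model. First, a PCR only reflects what was measured before it ran, so the root of trust (the first code that measures the firmware) must itself be immutable or verified by hardware. Second, because sealing is bound to exact PCR values, every legitimate firmware or kernel update changes the golden values and must be accompanied by a re-seal, which is one of the main operational costs of deploying measured boot across thousands of devices.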
Software support for the TPM is already robust, with established vendors like Microsoft and Cisco providing solid, feature-filled (but closed) end-to-end solutions. At the same time, open source projects on GNU/Linux provide numerous software packages which may be freely adapted, enhanced, and integrated to provide whatever combination of features is needed. Software built on the TPM can take a variety of security actions when measurements do not match, ranging from ordinary corrective maintenance to alarms and full system shut-down; the chip itself only measures, seals and signs, and the response policy lives in that software. The TPM can be put to many uses: credential protection, disk encryption, binding and sealing of secrets to the platform state (hardware plus software), and remote attestation, and it can be configured and administered using remote mass-deployment software. Generally speaking, the TPM brings strong benefits to the industrial user, at the cost of careful key and golden-measurement management whenever firmware or software is updated.
Locking down the inputs
There is one other feature that should be standard on any embedded computing device intended for deployment in wide area industrial networks: the device should be able to be fully locked down from any local input interface. That means that all console and USB interfaces must be able to be turned off so that they cannot be used, removing the most common local vectors for malware or tampering through an attached keyboard, storage device or serial console. The disabling should be done in firmware and operating system configuration, and that configuration should itself be included in the measured boot chain, so that re-enabling a port shows up as a changed PCR rather than going unnoticed. Once this has been achieved, pretty much the only possible way to further increase security would be to disconnect the computer from the Internet and lock it away in a strong box.
Bringing it all together
A RISC platform that features a TPM, a kernel-authenticating secure boot feature, strong encryption, VPN tunnelling, and full interface control delivers a strongly secured device suitable for deployment in residential and commercial settings. An embedded computer featuring carefully engineered security of this sort may be used in smart metering applications, residential solar solutions, intelligent transportation systems, and any number of wide area industrial cloud applications. To find out more about how these features come together to give you a powerful, compact, small-footprint embedded computing platform, visit the Moxa website and read up on the UC-8100 universal computer for distributed computing applications.
Tel: +27 11 781 0777
Email: [email protected]
www: www.rjconnect.co.za
© Technews Publishing (Pty) Ltd | All Rights Reserved