Keeping Today’s (and Tomorrow’s) Networks Safe with DDS

Recent Ars Technica articles covered these topics:

Headlines like these scream securitySecuritySECURITY!

With the RSA and NDSS conferences around the corner, expect to read more and more about securing the next wave of computing: machine-to-machine (M2M) networking. Connecting all kinds of devices to each other and the internet promises to remake global industry; it also brings an entirely different set of engineering challenges.

  • The industrial internet (inter)connects many more devices than ever before.
  • All these devices and users must be connected in a secure manner.

How do you protect the Illinois water systems from attack? How do you guarantee the confidentiality of your medical information as you are connected to a variety of medical devices and move through a hospital from the emergency room to the operating room to the CT scanner? How do you make sure that the flight-path orders of a UAV have not been altered, or that a patient gets the right dose of insulin?

RTI helps solve these kinds of challenges. RTI Connext DDS has been the core nervous system of hundreds of mission-critical distributed systems of different scale. We have the key technology to turn up the volume to 11 on the number of devices and amount of data, while maintaining reliability and determinism. RTI goes beyond securing merely the transport (e.g., using TLS/DTLS transports). We also provide support for authentication, authorization, access control, confidentiality, integrity and nonrepudiation for all data sent over DDS. We are well under way implementing the OMG draft DDS Security specification.

The current draft of the OMG DDS Security specification defines the DDS security model and six service plugin interfaces (SPIs). Together, these bring information assurance to DDS systems.

  • The Authentication Service Plug-in provides the mechanism to verify the identity of the application and/or user that invokes operations on DDS to join a domain. Joining a DDS domain is a prerequisite to publish, subscribe or perform any other DDS operation.
  • The Access Control Service Plug-in provides the means to enforce policy decisions on which DDS-related operations an authenticated user can perform, e.g., which domains it can join or which Topics it can publish or subscribe to.
  • The Cryptography Plug-in implements all cryptographic operations, including encryption, decryption and digital signatures.
  • The Key Management Service Plug-in provides key distribution and access services. It allows DDS implementations to access the necessary keys given the identity and access control policies.
  • The Logging Service Plug-in supports auditing of all DDS security-relevant events.
  • The Data Tagging Service Plug-in provides a way to add tags to data samples.

Note that this specification is still work in progress and the plugin architecture may evolve.
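To make the division of labour between the plugins concrete, here is an added example (not RTI code and not the reference plugins from the OMG submission) that walks one participant through the chain the list above describes: authenticate, then check the permissions document before joining a domain or publishing on a Topic, then protect the sample, with every decision written to an audit log. It assumes a challenge/response over a per-participant shared secret in place of the X.509 identity certificates the draft specification uses, and an HMAC tag in place of the specification's session-key encryption, so that it runs with the Python standard library only; the participant names, Topic names and permissions document are constructed for the example.

```python
import hmac
import hashlib
import json
from dataclasses import dataclass, field

# Constructed sample credentials. The OMG DDS Security draft uses X.509
# identity certificates; a shared secret per participant stands in for
# them here (assumption) so the example runs with the standard library only.
IDENTITY_SECRETS = {
    "insulin_pump_07": b"constructed-secret-pump",
    "ct_scanner_02": b"constructed-secret-scanner",
}

# Constructed permissions document (hypothetical layout): which domains a
# participant may join and which Topics it may publish or subscribe to.
PERMISSIONS = {
    "insulin_pump_07": {"domains": {0}, "publish": {"PatientVitals"}, "subscribe": {"DoseOrders"}},
    "ct_scanner_02": {"domains": {0, 1}, "publish": {"ImagingStatus"}, "subscribe": set()},
}


@dataclass
class SecurityLog:
    """Logging plugin stand-in: records every security-relevant decision."""
    events: list = field(default_factory=list)

    def record(self, participant: str, event: str, **details) -> None:
        self.events.append({"participant": participant, "event": event, **details})


def sign_challenge(participant: str, challenge: bytes) -> bytes:
    """What the joining application computes over the nonce it was given."""
    return hmac.new(IDENTITY_SECRETS[participant], challenge, hashlib.sha256).digest()


def authenticate(participant: str, challenge: bytes, response: bytes) -> bool:
    """Authentication plugin stand-in: verify the challenge/response."""
    secret = IDENTITY_SECRETS.get(participant)
    if secret is None:
        return False
    expected = hmac.new(secret, challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def check_access(participant: str, domain: int, operation: str, topic: str = None) -> bool:
    """Access control plugin stand-in: enforce the permissions document."""
    perms = PERMISSIONS.get(participant)
    if perms is None or domain not in perms["domains"]:
        return False
    if operation == "join":
        return True
    return topic in perms.get(operation, set())


def protect_sample(participant: str, topic: str, payload: dict) -> dict:
    """Cryptography plugin stand-in: tag the sample so receivers detect tampering.
    The specification derives per-session keys via the key management plugin;
    the identity secret is reused here only to keep the example short."""
    body = json.dumps({"topic": topic, "payload": payload}, sort_keys=True)
    tag = hmac.new(IDENTITY_SECRETS[participant], body.encode(), hashlib.sha256).hexdigest()
    return {"from": participant, "body": body, "tag": tag}


def verify_sample(protected: dict) -> bool:
    """Receiver side: reject any sample whose tag does not match its body."""
    secret = IDENTITY_SECRETS.get(protected["from"])
    if secret is None:
        return False
    expected = hmac.new(secret, protected["body"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, protected["tag"])


class SecureParticipant:
    """Ties the plugins together in the order a DDS operation passes through them."""

    def __init__(self, name: str, log: SecurityLog):
        self.name, self.log, self.joined = name, log, set()

    def join_domain(self, domain: int, challenge: bytes, response: bytes) -> bool:
        if not authenticate(self.name, challenge, response):
            self.log.record(self.name, "AUTH_FAILED", domain=domain)
            return False
        if not check_access(self.name, domain, "join"):
            self.log.record(self.name, "JOIN_DENIED", domain=domain)
            return False
        self.joined.add(domain)
        self.log.record(self.name, "JOINED", domain=domain)
        return True

    def publish(self, domain: int, topic: str, payload: dict):
        # Joining the domain is a prerequisite for every other DDS operation.
        if domain not in self.joined:
            self.log.record(self.name, "PUBLISH_DENIED", topic=topic, reason="not joined")
            return None
        if not check_access(self.name, domain, "publish", topic):
            self.log.record(self.name, "PUBLISH_DENIED", topic=topic, reason="no permission")
            return None
        self.log.record(self.name, "PUBLISHED", topic=topic)
        return protect_sample(self.name, topic, payload)
```

The order matters: a participant that fails authentication never reaches the permissions check, and a participant that has not joined the domain cannot publish even on a Topic its permissions allow, which is the "prerequisite" relationship the Authentication bullet states. Every refusal leaves an entry in the log, which is what the Logging plugin exists to make available to auditors.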

OMG DDS Security, September 2013 – 6th revised submission presented by Gerardo Pardo-Castellote

We’re hiring!
If you have background in security and a passion for large-scale distributed real-time systems, come join us! We are looking for talented security engineers to join the development of RTI Connext DDS Secure, and security researchers to lead advanced research in secure real-time middleware.
Hiring Security Engineers and Researchers
