
Security for IIoT Apps on Nebbiolo fogOS™

Infrastructure for Secure Development and Deployment of

Smart-Factory Apps with network, VM and container isolation

AUG 2017

Nebbiolo Technologies Inc. 860 Hill View Court, Suite 310 Milpitas, CA 95035


Nebbiolo Technologies© 1

1. Challenges in securing a Smart-Factory

Connectivity of sensors and manufacturing equipment to a new breed of AI applications for real-time analytics, condition monitoring, fault isolation and productivity is a key element of the Smart-Factory. However, there are several challenges in securing the Smart-Factory for customers:

a) Field bus networks, PLCs and Windows OS are not built with security in mind.

b) Conventional IT technology such as an IoT gateway or Linux server, when introduced into a factory, comes with security vulnerabilities at several levels, including the operating system, network, application and authentication stacks. This leads to management with different consoles and passwords.

c) Connectivity to a private cloud/data center is done over a VPN connection, which is wide open to malware.

d) Multi-cloud access needs to be thought through in advance. For an advanced OT-IT integration, each public cloud comes with a different sign-in scheme and its own attack surface.

e) Data ownership management is not done uniformly. Each application may have its own controls.

f) Operational complexity and the burden of taking care of the above.

These challenges require advanced IT skills to be brought to the OT floor to resolve. In addition, security attacks such as Stuxnet and WannaCry are increasing in variety and sophistication. To address these challenges an integrated approach is required with a well thought out design, such as provided by the Fog Architecture [1].

2. Nebbiolo fogOS Introduction

Nebbiolo fogOS enables industrial applications to be run on the manufacturing floor in a secure manner while preventing attacks like Petya, WannaCry, Mirai and others. This differentiates it from other IIoT offerings, which send data to the cloud or do not address security adequately.

Nebbiolo fogOS comprises a fog System Manager (fogSM) running in the cloud and the secure software stack on fogNodes running on the manufacturing floor.

The deployment of industrial apps to the manufacturing floor is managed from the fogSM running in the cloud. The fogSM is protected against unauthorized access using Security Groups, Authentication and Role Based Access Control. The applications that are uploaded to the fogSM must be signed. Signature verification is done both on the fogSM and on the fogNodes.

The fogNodes provide a secure execution context for the industrial apps on the manufacturing floor, as described in [1] and [2]. The fogNode design includes a secure root of trust using a TPM and network-level IT/OT separation. It implements data diode functionality that only allows connections to be created in an outbound direction. Apps are isolated in a container or a VM execution context. Windows applications run in a Virtual Machine, which allows patching and rollback. Blockchain-based identification and attestation are supported.

fogOS security controls are further described below.

3. Security Architecture Overview

The Nebbiolo Security Architecture is divided into 5 layers, shown in Fig. 1:

(a) fogSM to UX and API clients security (IT)

(b) fogSM Internal security (IT)

(c) fogNode to Nebbiolo System Manager (fogSM) connection security (IT/OT)

(d) fogNode security including app isolation, local access and inter-fogNode (OT/OT) network and firewall separation

(e) Sensors and devices to fogNodes (OT) network segmentation


Figure 1. Five layers of the Nebbiolo Security Architecture


4. Layers of Nebbiolo Security

The Nebbiolo layered security architecture provides defense-in-depth and allows security best practices to be built and managed at each layer, while offering flexibility and ease of management and access. Here is a list of the controls at each layer.

4.1 fogSM (cloud) to UX, Websocket and clients security

The administrator can upload signed applications from the UX to be deployed on the fogNodes. The administrator can also view the status of the fogNodes and the applications deployed.

Security controls include

• Authentication Domains. Root, OAuth2 Internal and External IDPs for federated access.

• Role based Access Control designed for restricting access to inventory, apps or data

• OAuth2 client credentials and resource owner flows. Signed short-lived tokens are used

• Multitenant access for access to machine data in different factories

4.2 fogSM (cloud) Nebbiolo System Manager Security

Security controls include

• Security Groups limit reachability of the fogSM to desired IP ranges

• Secure Virtual Private Cloud(VPC) provides defense in depth of key resources.

• Lockdown and complex passwords for internal resources and servers

4.3 fogNode to Cloud (Nebbiolo System Manager)

Security controls include

• Connections are outbound only and use TLS to port 443, instead of VPN

• Data diode prevents incoming connections and traffic

• TLS includes seamless certificate management and certificate checking.


• A cryptographic Key Manager is used to create and manage credentials for remote access from the fogNode to the fogSM.

4.4 fogNode Security Controls

The fogNode internal security architecture is shown in Figure 2 below. Controls include

• IT/OT segmentation. No direct TCP connection is possible across the OT to IT bridge.

• SELinux and TPM-enabled measured boot obviate malware attacks.

• Key Management, Cryptfs and complex passwords limit unauthorized access to data.

• Signed VMs and signed containers isolate applications.

• Windows VMs allow hosting of Windows-based PLC and ICS apps securely.

Blockchain-based identification (e.g. Uniquid) and attestation can be enabled.

4.4.1 fogNode to Local UX Controls

• For local access there is a hardened management interface.

• Role based Access Control for access to specific data streams for Operator apps and Local Analytics.

4.5 Device to fogNode Security Controls

• OT network traffic segmentation.

• Data Bus and Firewalls for controlling traffic between IT networks.

• Inspection of inter-network traffic.


Figure 2. Integrated networking and security in the Nebbiolo fogNode.

5. Secure Update Processes

The IT and ICS environments are dynamically changing, so there is a need to update software resources in response to new application requirements, vulnerabilities and system software changes. The Nebbiolo System includes mechanisms for secure updates of its resources. It can also be used to securely update resources connected to it.

6. Summary

Nebbiolo allows deployment of applications to the Industrial Internet of Things in a highly secure manner. This is to ensure that data is not leaked and to prevent occurrences of malware and ransomware attacks, which are an increasing problem in the industry. Nebbiolo fogOS will continue to extend its security functionality to meet customer requirements.


7. References

[1] OpenFog Consortium Reference Architecture Exec Summary https://www.openfogconsortium.org/wp-content/uploads/OpenFog-Reference-Architecture-Executive-Summary.pdf

[2] NIST Guide to Industrial Control Systems (ICS) Security http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-82r2.pdf

[3] Industrial Internet Consortium Security Framework http://www.iiconsortium.org/IISF.htm