Securing smart maintenance services: Hardware-security and TLS for MQTT

Increasing the efficiency of production and manufacturing processes is a key goal of initiatives like Industry 4.0. Within the context of the European research project ARROWHEAD, we enable and secure smart maintenance services. An overall goal is to proactively predict and optimize the Maintenance, Repair and Operations (MRO) processes carried out by a device maintainer for industrial devices deployed at the customer. Therefore, it is necessary to centrally acquire maintenance-relevant equipment status data from remotely located devices over the Internet. Consequently, security and privacy issues arise from connecting devices to the Internet and sending data from customer sites to the maintainer's back-end. In this paper, we consider an exemplary automotive use case with an AVL Particle Counter (APC) as the device. The APC transmits its status information by means of a fingerprint via the publish-subscribe protocol Message Queue Telemetry Transport (MQTT) to an MQTT Information Broker in the remotely located AVL back-end. In a threat analysis, we focus on the MQTT routing information asset and identify two elementary security goals with regard to client authentication. Consequently, we propose a system architecture incorporating a hardware security controller that processes the Transport Layer Security (TLS) client authentication step. We validate the feasibility of the concept by means of a prototype implementation. Experimental results indicate that no significant performance impact is imposed by the hardware security element. The security evaluation confirms the advanced security of our system, which we believe lays the foundation for security and privacy in future smart service infrastructures.
