
Technology image created by Creativeart - Freepik.com: https://www.freepik.com/free-photos-vectors/technology

Secure IIoT Connectivity

With their ambitions for digitalization, enterprises develop new products and services daily. The new digital sector offers enormous potential for new solutions in various industries. It's a simple task to purchase low-priced hardware and combine it with freely available open source applications. Some Linux, a Raspberry Pi and MQTT are patched together, and another IoT product for internal deployment or even distribution is ready. However, what about IT security?

It's easy to imagine that many of these new products and devices are connected directly to the internet, or even establish a bridge from the internet into the company's internal network. Furthermore, it's well known that the connection points to public networks are sensitive. They should only be used by trustworthy devices. But is this trust appropriate for devices that were built purely for functionality, without any security guidelines or a security framework? A comparison with functional safety is instructive. Nowadays it's difficult to imagine a new appliance being developed without a safety risk analysis, or using safety elements that lack the corresponding certifications. In fact, standards and norms regulate how safety components have to be designed and deployed. Within information technology, such regulations don't exist yet. With Security by Design, comparable methods are known, but they still need to be applied.

One example of how Security by Design was applied to an IIoT product is the Edge Gateway of MB Connect Line. It is based on a data diode which, at the hardware level, allows communication in one direction only: from the field to the secure network. Technically it is impossible to connect to the site from the outside to steal data or to manipulate it. The reverse channel is electrically disconnected and can only be activated for configuration purposes via a key switch. Because the disconnection is genuinely hardware-based, the usual weak spots of security hardware are ruled out: faulty configuration by the user or security gaps in the firmware of the device.

An essential part of the concept is that the Edge Gateway is intended both for integration into existing plants and for new installations. This means the devices are flexible in their fieldbus interface (e.g., MPI, PROFINET, Modbus) and modular in their communication layer to the Internet (e.g., cellular, WiFi). In today's classic factories you will very often find networked but unprotected control systems. These control systems were not originally developed for a high degree of networking; their focus was the operational control function. This poses a high security risk, especially when Industry 4.0 is retrofitted into existing systems and they are consequently connected to the Internet. Likewise, changes to the plants themselves are usually not made.

The Edge Gateways are simply added alongside, without changing any configuration of the control system or PLC. For these existing systems you have to use fieldbus communication systems that allow subsequent integration, e.g. master-master communication such as MPI, Profibus or Modbus. Connectivity to these legacy systems is one task; the other is connectivity to a cloud system. Most of these clouds have so-called APIs, usually with interfaces such as MQTT or OPC UA. For connecting to these cloud services it is very common to use the open source application Node-RED, which is based on the Node.js runtime. This package comes with a very handy graphical interface and helps to pre-process the data from the fieldbus before sending it to the cloud. Together with Docker and Portainer it forms a secure framework for handling data from the factory floor and pushing it to the cloud.

Docker is an open platform for developers and sysadmins to build, ship, and run distributed applications, whether on laptops, data center VMs, or the cloud. Portainer is a lightweight management UI which allows you to easily manage your Docker host or Swarm cluster.

The Edge Gateway brings countless advantages to the user. Independent of location, the user can connect to individual machines via a secure connection and access important data such as function, productivity and utilization. Through historical data you can check the availability of the respective machine in a daily or weekly rhythm. In addition, fault analyses can be carried out to identify machines with high downtime. The solution is also suitable for in-house applications, to collect data and query it securely by tablet or smartphone.

The software architecture of the Edge Gateway consists of mbOS, an embedded Linux-based operating system. On top of it run Docker and Portainer, supporting four additional user containers and one Node-RED container from MB Connect Line. The user containers can run individual user applications based on Linux and written in common programming languages. The most powerful tool is the Node-RED application. It already supports many interfaces to the outside world such as MQTT, OPC UA, Twitter, email and much more. The tool is built around the idea of data flows, so it has input and output nodes. Between these nodes you can insert operations such as addition and subtraction to manipulate the data. In our use case we read data from the fieldbus through the data diode and can easily push it to the cloud.
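As an added illustration of the pre-processing step between the fieldbus input node and the MQTT output node described above (example code, not MB Connect Line's or Node-RED's own), here is the body of a Node-RED function node that validates raw Modbus holding registers from the field side before they leave for the cloud. The register layout, the machine id in `msg.topic` and the `plant/<id>/telemetry` topic are assumptions made for the example.

```javascript
// Added example, not code from MB Connect Line or Node-RED itself: the body
// of a Node-RED "function" node that turns raw Modbus holding registers read
// on the field side into a validated MQTT message for the cloud side.
// Hypothetical register layout assumed here (4 x 16-bit unsigned words):
//   [0] status bits (bit0 = running, bit1 = fault)
//   [1] runtime seconds, high word   [2] runtime seconds, low word
//   [3] temperature in tenths of a degree C, two's complement
const REGISTER_COUNT = 4;
const MACHINE_ID = /^[a-z0-9_-]{1,32}$/i;   // strict id so it cannot add or alter MQTT topic levels
const TEMP_MIN_C = -40, TEMP_MAX_C = 150;   // plausible sensor range; anything outside is a bad read

// Interpret a 16-bit register as a signed (two's complement) value.
function toSigned16(v) {
  return v >= 0x8000 ? v - 0x10000 : v;
}

// msg.topic carries the machine id and msg.payload the register array, as a
// Modbus input node would deliver them. Returns the message for the MQTT
// output node, or null so the flow drops the reading instead of forwarding junk.
function buildCloudMessage(msg, now = Date.now()) {
  const regs = Array.isArray(msg.payload) ? msg.payload : [];
  if (regs.length !== REGISTER_COUNT) return null;
  if (!regs.every(r => Number.isInteger(r) && r >= 0 && r <= 0xffff)) return null;
  const machine = String(msg.topic || '');
  if (!MACHINE_ID.test(machine)) return null;

  const fault = (regs[0] & 0x2) !== 0;
  const running = (regs[0] & 0x1) !== 0;
  const runtimeSec = regs[1] * 0x10000 + regs[2];
  const tempC = toSigned16(regs[3]) / 10;
  if (tempC < TEMP_MIN_C || tempC > TEMP_MAX_C) return null;

  return {
    topic: `plant/${machine}/telemetry`,  // cloud-side topic built only from the validated id
    qos: 1,
    retain: false,
    payload: JSON.stringify({
      machine,
      status: fault ? 'fault' : (running ? 'running' : 'stopped'),
      runtimeSec,
      tempC,
      ts: now,
    }),
  };
}
// Inside a Node-RED function node the body would end with: return buildCloudMessage(msg);
```

Only readings that pass the length, range and id checks reach the MQTT output node; everything else is discarded on the gateway rather than published.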