- The de-coupling security provided by MQTT’s publish/subscribe methodology.
- Security models used for MQTT edge and enterprise clients.
- The increasing use of zero-trust in industrial control system security.
- The potential for software-defined networks in industry.
|Read the transcript below:|
You’ve likely heard of MQTT by now as it’s quickly become a preferred method of industrial communication. MQTT stands for message queueing telemetry transport and was developed as a way to gather data from various industrial devices by having those devices send updates about their operation, whenever they occur, to a server. Other systems or applications that need this data then subscribe to this server to get the devices’ data. In this publish/subscribe setup, the apps and systems needing this information are not directly connecting to the production devices, which can create adverse effects on those pieces of equipment and potentially disrupt production. This publish/subscribe method also inherently creates a level of security by decoupling the plant floor devices from the systems that access their data. But of course, this doesn’t completely secure MQTT communications.
Arlen Nipper, president and chief technology officer at Cirrus Link and co-creator of MQTT, explains that both the MQTT edge and enterprise clients use the same security models. He said they each initiate an outbound connection over the TCP/IP network using TLS, or transport layer security, with security certificate credentials from a certificate authority.
TLS uses a set of public and private security certificates where the MQTT clients must establish a connection to the MQTT server that is authenticated by the certificate authority. Nipper said this is the same level of security used in banking systems today and is considered best practice by the National Institute of Standards and Technology.
This configuration used on an edge device is the same as the one used with the MQTT servers.
But the servers also have additional security measures through MQTT level usernames, passwords, and an access control list. Nipper said the access control list limits which devices will be allowed to connect into the MQTT server. This list also controls what topics a given username and password pair can publish and subscribe to, which provides additional security.
During his presentation at Rockwell Automation Fair this year, Paul Didier from Cisco, noted three prominent trends in industrial networking: first is the shift from proprietary to standard networks, such as Ethernet, which we’re all pretty familiar with at this point, the second is the increasing use of zero-trust security models, and the third is the use of software-defined networks.
Zero trust basically means that devices, users, and applications on the network should be validated and only talk to other systems on the network that they’re supposed to. Didier said this secures all users and application connections and limits the ipact from any device that may be affected by malware.
And while it’s an important component of digital transformation, software defined networking is not as prevalent yet as the use of Ethernet of zero-trust security. Didier said software defined networking was originally designed to make things easier for IT in terms of automating the process of adding and configuring new devices for the network.
One reason for the lack of software defined networking use on the plant floor is that operations personnel often don’t have access to IT tools for network management. Didier said this means plant floor personnel often have poor visibility into the health of the network, which leads to uncertainty about whether a network outage is being caused by network or control system issues.
Didier said Cisco’s Cyber Vision sensor agent collects data from all network ports and analyzes the network traffic to determine what kinds of devices it originates from, who and what devices it’s communicating with, and the type of protocol being used.
Ultimately, these three networking trends highlight how industry is in the process of moving from siloed networks and connectivity-driven, end-to-end manually operated networks to controller-based policy automation and service-driven networks designed to align more closely with business objectives.
So, I hope you enjoyed this Take Five with Automation World episode. And please keep watching this space for new episodes to help keep you on top of what’s happening in the world of industrial automation.