On the Security of IIoT Deployments: An Investigation of Secure Provisioning Solutions for OPC UA

Kohnhäuser, Florian; Meier, David L.; Patzer, Florian; Finster, Sören

doi:10.1109/access.2021.3096062

Cited by 14 publications

(10 citation statements)

References 18 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Likewise, the owner of the IoT platforms will allocate an account in the IoT servers to deploy the CMXsafe agent [19]. The orchestrator location depends on the specifics of each IoT deployment [20]. Business-critical environments can be located on the local site, whereas in distributed IoT environments, the orchestrator can be deployed as a cloud service.…”

Section: B Cmxsafe Configuration and Operationmentioning

confidence: 99%

CMXsafe: A Proxy Layer for Securing Internet-of-Things Communications

de Hoz Diego,

Madi,

Konstantinou

2024

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

Security in Internet-of-Things (IoT) environments has become a major concern. This is partly due to a large number of remotely exploitable IoT vulnerabilities in service authentication and access control combined with the lack of timely technical support. To reduce the threat surface of remote vulnerability exploitation, we propose CMXsafe, a secure-bydesign application-agnostic proxy layer that can be updated and managed independently of the IoT device application. CMXsafe places IoT devices behind gateways operating as 4th OSI transport layer relayers to offload security concerns of IoT network communications into the proxy layer. More specifically, the proxy layer produces secure communication paths between IoT applications and platforms while enforcing mutual authentication and access control to proxied services. We evaluate the performance of our architecture on the MQTT protocol used in a standard publisher-broker-subscriber configuration provided by Eclipse Mosquitto. More specifically, we compare the performance penalty on the protocol when securing communications with TLS following a monolithic implementation and with CMXsafe. The experimental results suggest that CMXsafe outperforms integrated security by providing at least a 25% latency reduction and a 22% bandwidth improvement.

show abstract

Section: B Cmxsafe Configuration and Operationmentioning

confidence: 99%

CMXsafe: A Proxy Layer for Securing Internet-of-Things Communications

de Hoz Diego,

Madi,

Konstantinou

2024

IEEE Trans.Inform.Forensic Secur.

View full text Add to dashboard Cite

show abstract

“…Runde et al [34], Hausmann et al [30], Fischer et al [28], Danilchenko et al [45], Höglund et al [46], Astorga et al [11], and Kohnhäuser et al [51] propose mechanisms for the secure onboarding and initial equipment of devices with certificates issued by the domain of the owner or operator. These mechanisms are secured by using credentials installed on an IA component at manufacturing time.…”

Section: Approaches Presented In Research Papersmentioning

confidence: 99%

“…These mechanisms are secured by using credentials installed on an IA component at manufacturing time. Runde et al [34] contribute a comprehensive protocol proposal for PROFINET, and Kohnhäuser et al [51] refer their elaborations to OPC UA.…”

Section: Approaches Presented In Research Papersmentioning

confidence: 99%

A Survey on Life-Cycle-Oriented Certificate Management in Industrial Networking Environments

Göppert,

Walz,

Sikora

2024

JSAN

View full text Add to dashboard Cite

Driven by the Industry 4.0 paradigm and the resulting demand for connectivity in industrial networking, there is a convergence of formerly isolated operational technology and information technology networks. This convergence leads to attack surfaces on industrial networks. Therefore, a holistic approach of countermeasures is needed to protect against cyber attacks. One element of these countermeasures is the use of certificate-based authentication for industrial components communicating on the field level. This in turn requires the management of certificates, private keys, and trust anchors in the communication endpoints. The work at hand surveys the topic of certificate management in industrial networking environments throughout their life cycle, from manufacturing until their disposal. To the best of the authors’ knowledge, there is no work yet that surveys the topic of certificate management in industrial networking environments. The work at hand considers contributions from research papers, industrial communication standards, and contributions that originate from the IT domain. In total, 2042 results from IEEE Xplore, Science Direct, Scopus, and Springer Link were taken into account. After applying inclusion and exclusion criteria and title, abstract, and full-text analysis, 20 contributions from research papers were selected. In addition to the presentation of their key contributions, the work at hand provides a synopsis that compares the overarching aspects. This comprises different proposed entity architectures, certificate management functions, involvement of different stakeholders, and consideration of life cycle stages. Finally, research gaps that are to be filled by further work are identified. While the topic of certificate management has already been addressed by the IT domain, its incorporation into industrial communication standards began significantly later and is still the subject of research work.

show abstract

“…Internet-wide Industrial Security Assessments: While the security of deployments in other areas is often widely assessed, the configuration of industrial deployments relying on security features was rarely covered by research. Focusing on the secureby-design OPC UA protocol, related work showed that operators frequently fail to configure deployments securely [17], possibly due to constrained protocol implementations [26], and presented mechanisms for a more secure device provisioning [54].…”

Section: Related Workmentioning

confidence: 99%

Missed Opportunities: Measuring the Untapped TLS Support in the Industrial Internet of Things

Dahlmanns,

Lohmöller,

Pennekamp

et al. 2022

Preprint

View full text Add to dashboard Cite

The ongoing trend to move industrial appliances from previously isolated networks to the Internet requires fundamental changes in security to uphold secure and safe operation. Consequently, to ensure end-to-end secure communication and authentication, (i) traditional industrial protocols, e.g., Modbus, are retrofitted with TLS support, and (ii) modern protocols, e.g., MQTT, are directly designed to use TLS. To understand whether these changes indeed lead to secure Industrial Internet of Things deployments, i.e., using TLS-based protocols, which are configured according to security best practices, we perform an Internet-wide security assessment of ten industrial protocols covering the complete IPv4 address space.Our results show that both, retrofitted existing protocols and newly developed secure alternatives, are barely noticeable in the wild. While we find that new protocols have a higher TLS adoption rate than traditional protocols (7.2 % vs. 0.4 %), the overall adoption of TLS is comparably low (6.5 % of hosts). Thus, most industrial deployments (934,736 hosts) are insecurely connected to the Internet. Furthermore, we identify that 42 % of hosts with TLS support (26,665 hosts) show security deficits, e.g., missing access control. Finally, we show that support in configuring systems securely, e.g., via configuration templates, is promising to strengthen security. CCS CONCEPTS• Networks → Security protocols; • Security and privacy → Security protocols.

show abstract

On the Security of IIoT Deployments: An Investigation of Secure Provisioning Solutions for OPC UA

Cited by 14 publications

References 18 publications

CMXsafe: A Proxy Layer for Securing Internet-of-Things Communications

CMXsafe: A Proxy Layer for Securing Internet-of-Things Communications

A Survey on Life-Cycle-Oriented Certificate Management in Industrial Networking Environments

Missed Opportunities: Measuring the Untapped TLS Support in the Industrial Internet of Things

Contact Info

Product

Resources

About