With the advent of Industry 4.0 and the industrial IoT, there is a growing interest in connecting control and automation systems of machines and plants to the Cloud, in industry as in utilities.

Companies can therefore obtain detailed information on their processes, carry out analyses on IoT platforms in the Cloud and use the results to improve performance.

One of the methods for connecting machines to the cloud is to use OPC UA for intra-plant communications and an MQTT gateway to send your data to the cloud. While this combination provides some inherent security features, it may not meet all security needs.

To explain why, let's first look at a typical basic IoT gateway scenario and then at an advanced scenario that substantially increases plant security.

Typical scenario

A typical IoT gateway combines two types of data exchange communications: in-plant and plant-to-cloud. Let's say right away that OPC UA is often recommended for secure communications for Industry 4.0 and Industrial IoT applications.

That's because OPC UA offers multilevel security, including application-level authentication and authorization, as well as encryption and data integrity through the use of transport-level certificates.

For connections outside the plant, OPC UA is not always secure, since it requires a firewall port to be opened so that an external client can connect to the plant. It is possible to use devices with DPI (Deep Packet Inspection) and other firewall rules for “ad-hoc” protection, but implementing such techniques may not be easy, and can be expensive.

For these and other reasons, MQTT is often used for connections from the plant to the Cloud.

MQTT is a useful protocol for an IoT gateway because it is supported by many cloud services, such as Microsoft Azure, Google Cloud and Amazon IoT Core. With MQTT the plant can make an outgoing connection to the cloud service without opening any incoming firewall port, which is essential for the security of the plant.

That is why an IoT software gateway such as “DataHub IoT Gateway” by Skkynet can offer secure connectivity within the plant via its OPC UA interface and, at the same time, a secure outbound connection to the cloud via MQTT.

An IoT software gateway must support all OPC UA security features and, for the secure outgoing MQTT connection, it should support a secure transport layer with an SSL/TLS certificate. With this combination, you can have a reasonably secure data path from the factory machine to the cloud.

There is one drawback, however: a typical IoT gateway that sends OPC UA data to the cloud needs a direct connection to the Internet. If the company's security policies do not allow a direct Internet connection from the plant, something more secure is needed.

Daisy Chain connection

For a more secure IoT connection, one option is to use an isolated computer, an edge or communication server, outside the plant network, located in the DMZ (De-Militarized Zone) between the OT network and the IT/Enterprise network, as described in the ISA/IEC 62443 standard. Another is to send a stream of data from the OT network through the DMZ to an IT server, and then pipe the data to the cloud.

In fact, highly secure production systems typically don't have a direct connection to the Internet and therefore must route traffic to the cloud through IT or a DMZ. In any case, a multi-hop architecture, also known as a "daisy chain", is required. In a daisy chain connection, each hop must reliably retransmit all incoming data, while also monitoring downstream clients for network connection failures anywhere in the chain.

Unfortunately, neither OPC UA nor MQTT was designed for this task, and neither provides these functions “as-is”.

Advanced scenario

An innovative and improved scenario is one in which the entire data set resides on each node and access to that data can be given to all clients authorized to use it. This also gives the IT department full access to the data, including data that is transmitted directly to the cloud service.

This advanced scenario can be implemented using a middleware product such as DataHub by Skkynet, installed on each node that needs to transmit and/or consult this data. DataHub can tunnel data between a node within the plant and a server in the DMZ or IT without opening any inbound firewall ports on the plant. A second DataHub, installed on the DMZ or IT server, can then transmit the data to the MQTT service to funnel the data to the Cloud.

More specifically, the DataHub-to-DataHub connection uses the DataHub Transfer Protocol (DHTP), which sends and receives data in real time using TCP over a LAN, WAN, or the Internet.

The OPC UA connection to the plant DataHub is a single hop, and the MQTT connection from DataHub to the cloud service is also a single hop. The DHTP protocol manages the daisy-chain connections, mirroring the entire data set and connection status to each node. DataHub allows enabled clients to access this data, and also transmits it to the next node in the chain, thus maintaining data consistency.

The Quality of Service of the DHTP protocol ensures that any client or intermediate point in the chain remains consistent with the original data source, even if some data/events must be dropped to allow transmission over limited bandwidth. If a network connection is lost, DataHub automatically updates the data QoS for all related data points so that every client in the chain is immediately aware of that connection loss.
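Added illustration, not Skkynet's code or an implementation of DHTP: a small Python model of the two daisy-chain behaviours described above, a full mirror of the data set at every hop, and a lost upstream link reflected in the quality of every point at every downstream hop. The node roles, the tag name and the values are constructed.

```python
from dataclasses import dataclass, field
GOOD, NOT_CONNECTED = "Good", "NotConnected"

@dataclass
class Point:
    value: float
    quality: str = GOOD

@dataclass
class Node:
    # One hop (plant, DMZ, IT); every hop mirrors the whole data set.
    points: dict = field(default_factory=dict)
    downstream: list = field(default_factory=list)

    def link(self, nxt):
        # Connect (or reconnect) the next hop and send it the full current mirror.
        self.downstream.append(nxt)
        for tag, p in list(self.points.items()):
            nxt.receive(tag, p)
        return nxt

    def publish(self, tag, value):
        # Only the source (plant) node creates values; they start with Good quality.
        self.receive(tag, Point(value, GOOD))

    def receive(self, tag, p):
        # Per-tag replacement coalesces bursts: even if limited bandwidth drops
        # intermediate events, every hop converges on the latest source value.
        self.points[tag] = p
        for d in self.downstream:
            d.receive(tag, p)

    def upstream_lost(self):
        # Upstream link failed: keep last values, mark all NotConnected, push downstream.
        for tag, p in list(self.points.items()):
            self.receive(tag, Point(p.value, NOT_CONNECTED))

def run_demo():
    # Constructed chain plant -> DMZ -> IT; the IT node would feed the MQTT gateway.
    plant, dmz, it = Node(), Node(), Node()
    plant.link(dmz).link(it)
    plant.publish("Pump1.Speed", 1450.0)
    plant.publish("Pump1.Speed", 1455.0)   # burst: second event coalesces at every hop
    q_ok = it.points["Pump1.Speed"]        # Point(1455.0, "Good")
    plant.downstream.remove(dmz)           # plant<->DMZ link drops ...
    dmz.upstream_lost()                    # ... and DMZ notices
    q_lost = it.points["Pump1.Speed"]      # Point(1455.0, "NotConnected")
    plant.publish("Pump1.Speed", 1460.0)   # plant runs on; DMZ and IT stay stale
    plant.link(dmz)                        # link restored: full mirror re-sent
    return q_ok, q_lost, it.points["Pump1.Speed"]  # last is Point(1460.0, "Good")
```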

The result is that with DataHub and its DHTP protocol it is possible to configure an OPC UA to MQTT gateway connection securely through a DMZ, via IT or another Internet node, to the Cloud. This is not always possible with most IoT gateway products on the market, which are therefore suitable only for the typical basic scenario from OPC UA to MQTT.

That might be fine for consumer and non-critical IoT systems, but industrial IoT (IIoT) applications require more security, reliability and resiliency.

Bottom line: the Skkynet DataHub middleware is a simple, safe and robust solution for those who have to send data to the cloud from machinery and plants, in industry as well as in utilities.
