
Remote Control without a Direct Connection

Part 5 of Data Communication for Industrial IoT

As discussed previously, the idea of using a cloud service as an intermediary for data resolves the problems of securing the device and securing the network.  If both the device and the user make outbound connections to a secure cloud server, there is no need to open ports on firewalls, and no need for a VPN. But this approach brings up two important questions for anyone interested in remote control:

  1. Is it fast enough?
  2. Does it still permit a remote user to control his device?

The answer to the first question is fairly simple.  It’s fast enough if the choice of communication technology is fast enough.  Many cloud services treat IoT communication as a data storage problem, where the device populates a database and then the client consults the contents of the database to populate web dashboards.  The communication model is typically a web service over HTTP(S).  Data transmission and retrieval both essentially poll the database.

The Price of Polling

Polling introduces an inevitable trade-off between resource usage on the server and polling rate, where the polling rate must be set with a reasonable delay to avoid overloading the cloud server or the user’s network.  This polling does two things – it introduces latency, a gap in time between an event occurring on the device and the user receiving notification of it, and it uses network bandwidth in proportion to the number of data items being handled.  Remote control of the device is still possible through polling if you are willing to pay the latency and bandwidth penalty of having the device poll the cloud.  This might be fine for a device with 4 data values, but it scales exceptionally poorly for an industrial device with hundreds of data items, or for an entire plant with tens of thousands of data items.

Publish/Subscribe Efficiency

By contrast, some protocols implement a publish/subscribe mechanism where the device and user both inform the cloud server that they have an interest in a particular data set.  When the data changes, both the device and user are informed without delay.  If no data changes, no network traffic is generated.  So, if the device updates a data value, the user gets a notification.  If the user changes a data value the device gets a notification.  Consequently, you have bi-directional communication with the device without requiring a direct connection to it.

This kind of publish/subscribe protocol can support bidirectional communication with latencies as low as a few milliseconds over the background network latency.  On a reasonably fast network or Internet connection, this is faster than human reaction time.  Thus, the publish/subscribe approach has the potential to support remote control without a direct connection.
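To put numbers on the trade-off described in the two sections above, here is a small constructed simulation (an added example, not code from the article or from Skkynet): it compares the network messages and user-visible latency of a polled cloud database against a publish/subscribe relay for the same device. The 20 ms hop latency, the ten-second event stream and the one-second poll interval are all assumptions.

```python
"""Polling vs publish/subscribe for one device with n_items data points.
Added example (constructed, not from the article); every number is an assumption."""
from dataclasses import dataclass

NETWORK_LATENCY_MS = 20  # assumed one-way latency for each hop (device<->cloud<->user)

# Constructed event stream: (time_ms, item) pairs, only six changes in ten seconds.
CHANGES = [(150, "temp"), (1300, "pressure"), (2990, "temp"),
           (4000, "valve"), (7777, "flow"), (9500, "temp")]
HORIZON_MS = 10_000

@dataclass
class Result:
    messages: int           # data items carried over the network during the horizon
    mean_latency_ms: float  # mean delay from a change on the device until the user sees it

def next_poll(t_ms, interval_ms):
    """Time of the first poll strictly after t_ms, on a fixed interval grid."""
    return (t_ms // interval_ms + 1) * interval_ms

def simulate_polling(changes, n_items, interval_ms, horizon_ms=HORIZON_MS):
    """Device writes ALL n_items to the cloud every interval; the user reads all of
    them back every interval. The cost is paid whether or not anything changed."""
    polls = horizon_ms // interval_ms
    messages = 2 * polls * n_items
    latencies = []
    for t, _item in changes:
        arrives_cloud = next_poll(t, interval_ms) + NETWORK_LATENCY_MS
        arrives_user = next_poll(arrives_cloud, interval_ms) + NETWORK_LATENCY_MS
        latencies.append(arrives_user - t)
    return Result(messages, sum(latencies) / len(latencies))

def simulate_pubsub(changes):
    """Every change is pushed device->cloud->user as it happens; silence costs nothing."""
    return Result(2 * len(changes), 2 * NETWORK_LATENCY_MS)

def compare(n_items, interval_ms):
    return simulate_polling(CHANGES, n_items, interval_ms), simulate_pubsub(CHANGES)

if __name__ == "__main__":
    for n in (4, 500, 20_000):  # toy device, industrial device, whole plant
        poll, pubsub = compare(n, 1000)
        print(f"{n:>6} items: polling {poll.messages:>9} msgs / {poll.mean_latency_ms:.0f} ms,"
              f" pub/sub {pubsub.messages} msgs / {pubsub.mean_latency_ms:.0f} ms")
```

Polling traffic grows with the number of items and its latency is bounded below by the poll interval, while the publish/subscribe figures depend only on how often data actually changes.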


Access the Data, Not the Network

Part 4 of Data Communication for Industrial IoT

The idea of a client/server relationship where the server is the source of information is strongly ingrained in the typical software available today.  As a system design, it is very difficult to eliminate.  Some companies try to turn this into a “secure” mechanism by adding a layer of security on top of the client/server connection.  That layer of security is generally a VPN or (in rare cases) a point-to-point tunnel like SSH tunneling.  Since a VPN is typically the answer, it deserves a little more examination.

The purpose of a VPN is to create a virtual IP subnet that is shared only by computers that are authorized to join that subnet.  Packets transmitted on the subnet are automatically encrypted, even if neither the sender nor receiver is consciously using encryption.  That definitely makes it harder for an outsider to intercept communication among members of the VPN.

Inside the security perimeter

The big concern with a VPN is that once a computer or device is a member of the VPN, it is effectively on a local area network containing all other members of the VPN.  If a computer is inside the VPN, it is inside the trusted perimeter.  This exposes the other VPN members to attack from within, even if they are safe from attack from without.  This is similar to what happened in a big box store in 2013, where attackers gained access to the LAN by breaching a third-party company that had “secure” access to the store’s internal network.  The larger the number of computers on a VPN, the more points of entry through the secure perimeter you have.

In the Internet of Things, security concerns have been pushing away from VPNs for a while.  A blog posting at Microsoft from 2013 takes a look at VPNs and the issues surrounding them.  If you haven’t seen it, it’s worth a read.

When we are talking about collections of devices, plant control systems or data acquisition systems on a larger network, a VPN might seem like a compelling solution, but it inevitably exposes your network to attack, whether through a compromised VPN member, a compromised VPN server or simple theft of network credentials.  Once an attacker has any of those, every machine on the VPN becomes a sitting duck.

There is no valid reason why you should provide external access to the whole network, any more than you should provide external access to an embedded device.  In exactly the same way that you protect your devices by having them transmit data outbound to a middleman, you can protect any data source, such as an industrial control system.  You can have remote access to your data without exposing your internal network.

In the world of IIoT you should aim to access your data, not the network.


Industrial Speed IIoT

What does “real time” really mean in an industrial system?  And what does “real time” mean for the Industrial IoT?  For some people, updating their data within 5 seconds counts as real time.  For them, getting data updates once per second is blazingly fast.  For us, data updates for the IIoT should be as close to network latencies as possible, typically no more than a few milliseconds.

What does that look like?  Check it out.  We’ve created a SkkyHub demo page for industrial speed IIoT.  This simple demo shows how you can aggregate data from multiple data sources, visualize the data, and more importantly witness real-time Industrial IoT.

In the blue box, as you hover your mouse over the gray dot, it moves.  If you or a friend open the same page on a second browser or a phone and swap IDs, you’ll see a black dot for each other’s mouse (or finger, if it’s on a phone).  Select All, and when all other users move their mouse or finger, you’ll see their black dots move on your page and vice versa. You are participating in the IIoT, in real time.

How close to real time? You can see for yourself the latency of the SkkyHub system.  Just enter and submit your own ID.  Now when you move your mouse or finger around, you get a momentary glimpse of a black dot, shadowing each movement.  The black dot is generated by a round-trip data feed from SkkyHub.  The amount of time it takes for it to catch up to the gray dot is the latency of the data travelling round trip from your browser or phone to SkkyHub running in the cloud, and back.

Why is this useful?  The demo shows that the IIoT can be as responsive as most human operators need it to be.  There is no need to wait a few seconds for each action to have an effect.  This is most valuable for supervisory control, where an operator or manager may need to change a setting in an HMI.  The instant feedback of the SkkyHub service gives assurance to the operator that the system has picked up the change, and has responded accordingly.

At a machine-to-machine level, this kind of industrial speed, along with the ability to sustain multiple simultaneous connections, ensures that internal system activities are well coordinated.  A change in one machine or device propagates in real time to any or all connected devices.  This keeps the logic of the system intact, and ensures the smoothest possible performance.

When this kind of performance is coupled with a secure-by-design architecture and the ability to connect seamlessly to virtually any existing industrial system, then we feel confident in calling it Industrial IoT that works.

Access the Data, Not the Device

Part 3 of Data Communication for Industrial IoT

Front and center to data communication for the IIoT is the idea that IoT devices never stop talking.  They are always connected to the Internet, and always accessible.  The accepted wisdom is that for IoT devices to be accessible they must be data “servers”—always listening for somebody to contact them to request information or perform an action.  After all, if we cannot reach the device remotely, how can we access the data it contains?  This, however, presents a security problem.  If the device is always listening and reachable from the Internet, it is exposing an “attack surface”—a point of contact that a hacker can try to use to compromise the device.

Client-server architecture

This thinking comes from an entrenched understanding that a client-server architecture is the right model for information sharing.  It’s the basis of the World-Wide Web, after all, and we have all seen how successful that is.  Web browsers (clients) talk to web servers.  The web servers contain the information and the clients consume it.  The analogy with IoT devices is perfect.  IoT devices contain information, and smart phones, web browsers and other IoT devices consume it.  The device is the server, right?  But if the device is always listening for client connections, it is exposing an entry point for attacks from the Internet.  The big issue, in this world view, is that device makers must do a really good job of network security.  Every device manufacturer, whether making a car or a toaster, must employ highly specialized and rare experts in network security to ensure that hackers don’t imprint images of Elvis in your breakfast or shut off your car engine on the highway.  Alright, hackers didn’t do the toast.  But they did hack the car.

A Fundamental Misunderstanding of the Problem

Frankly, the device-as-server world view is insane.  Why would you ever need to put a web server in a car and then expose it to the cellular network?  Why must the car be listening for any connection at all, ever?  Why must IoT devices be listeners?  Why must they expose an attack surface to the Internet?  The answer lies in a fundamental misunderstanding of the problem.  You want to access the data that the device contains.  You don’t want the world to have access to it.  Just you.  So, you don’t need the device to listen for you (and the world) to contact it.  You can tell the device where to send the information and pick it up from there, so you never need to talk to the device directly.  Effectively, the device transmits its information to a middleman, and when you want to know what your device is up to, you visit the middleman to find out.

Then the question becomes – who is this middleman?  That is the role of a cloud service.  It’s a secure point of contact between you and your device.  Yes, it listens for communication from both you and the device.  Yes, it exposes an attack surface to the Internet.  But it relieves both you and the device of that responsibility.  There are far fewer IoT cloud services (tens or hundreds of them) than there are devices (billions of them), thus reducing the number of rare experts we need to achieve decent security.

Using a middleman like this does not mean that you will have to put up with slow communication, or that you will be unable to control your device.  It just means that there is an extra hop in the communication chain between you and your device, eliminating the need for the device to be directly visible on the Internet.  Questions of speed and bi-directionality are answered by the design of the cloud service.


Requirements for IIoT Data Communication

Part 2 of Data Communication for Industrial IoT

When we look at the IIoT, there are three main requirements:

1. Access to device data: Our connected devices generate information that we want to use.  It can be as simple as a door sensor in a home security system or as complex as an oil drilling platform’s SCADA system.  The common theme is that remote access to the information has value. There are different scenarios within the industrial sector for this kind of access.

  • Plant to field device
  • Device to device (M2M)
  • Central office to process systems (IT to OT)
  • Central location to remote locations (data gathering, possible supervisory control)
  • Vendors / OEMs to in-plant or field devices (monitoring)

2. Remote control of the device: Sometimes it is necessary to control the system we are accessing remotely.  If a door sensor says the door is unlocked then we might like to lock it.  If our SCADA system says that a machine is malfunctioning we would like to turn it off.  Remote control should of course be optional.  The determination of whether control is allowed should be made at the device, so attempts to control the system remotely will fail if the device is not configured to allow it.

3. Security: We have all heard of security breaches in connected systems.  Hackers turn home appliances into bots on spam networks.  SCADA systems are remotely hacked to shut down or otherwise damage industrial systems.  A couple of years ago a power plant in the Ukraine was hacked.  Attackers “used stolen VPN credentials to reach the industrial control systems network, and remote access tools to control the HMIs and pull the breakers,” according to an article published on the DarkReading website, and other reports.

Commenting on the recent WannaCry attack and its implications for the Industrial IoT, Brad Hegrat in an IOActive blog wrote, “It may be time to rethink critical infrastructure cybersecurity engineering because if MS17-010 exploiting malware variants are successful, we are clearly doing something wrong.”

The security for IIoT data communication systems must be improved to prevent these kinds of attacks.  And, as we will explain later, securing an industrial system for the IoT is fundamentally different from traditional industrial network security.  A new approach is needed.  IIoT must be secure by design.
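The middleman pattern from Part 3 and the second requirement above (the device, not the cloud, decides whether remote control is allowed) can be shown together in one small in-process model. This is an added, constructed example and not the article’s or Skkynet’s code: the Broker class, the topic names and the allow_remote_control setting are assumptions standing in for whatever a real relay service would use.

```python
"""Outbound-only relay with the control decision made at the device.
Added example (constructed, not Skkynet's or the article's code): the broker,
topic names and the allow_remote_control setting are all assumptions."""
from collections import defaultdict

class Broker:
    """Cloud-side middleman. It is the only listener; device and user both
    'connect outbound' to it, so neither has to accept inbound connections."""
    def __init__(self):
        self._subs = defaultdict(list)   # topic -> list of callbacks
        self.values = {}                 # last published value per topic
    def subscribe(self, topic, callback):
        self._subs[topic].append(callback)
    def publish(self, topic, value):
        self.values[topic] = value
        for cb in self._subs[topic]:     # notify only interested parties, only on change
            cb(topic, value)

class Device:
    def __init__(self, broker, name, allow_remote_control):
        self.broker, self.name = broker, name
        self.allow_remote_control = allow_remote_control  # local config, never set remotely
        self.setpoint = 50.0
        self.rejected = []
        broker.subscribe(f"{name}/control/setpoint", self._on_control)  # outbound subscription
        broker.publish(f"{name}/data/setpoint", self.setpoint)          # push initial data
    def _on_control(self, topic, requested):
        # The device decides: a compromised cloud or user can ask, but cannot force.
        if not self.allow_remote_control:
            self.rejected.append(requested)
            return
        self.setpoint = float(requested)
        self.broker.publish(f"{self.name}/data/setpoint", self.setpoint)  # echo the new state

class User:
    def __init__(self, broker, device_name):
        self.seen = []
        self.broker, self.device_name = broker, device_name
        broker.subscribe(f"{device_name}/data/setpoint", lambda t, v: self.seen.append(v))
    def request_setpoint(self, value):
        self.broker.publish(f"{self.device_name}/control/setpoint", value)

def scenario(allow_remote_control):
    """Returns (device setpoint after the request, values the user saw, rejected requests)."""
    broker = Broker()
    user = User(broker, "pump1")
    device = Device(broker, "pump1", allow_remote_control)
    user.request_setpoint(72.5)
    return device.setpoint, user.seen, device.rejected
```

When control is permitted the echoed data value gives the operator confirmation that the device applied the change; when it is not, the request is dropped at the device and the user sees no change.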


Data Communication for Industrial IoT – Introduction

Part 1: Introduction

What is the IoT?  Is it really just a fancy word for the Internet?  Yes and no.  The Internet of Things is the promise of a world where billions of devices are connected to us and to each other, making decisions for us, coordinating among themselves, collecting and collating information, and generally relieving us of the mundane aspects of living in the physical world.

We’ve had the Internet for enough time now that it has become embedded in our lives.  My (adult) kids don’t remember a world without it.  The IoT is, at its most basic level, a continuation of that embedding.  Instant communication is taken for granted among people, and plenty of mature products provide it.  Is there anything really novel about devices participating in that communication alongside people?

In a word, yes.  Not novel in the sense that we need entirely new technologies to achieve this data communication among devices, but novel in the sense that a whole raft of new problems arise from it.  The IoT is going to remain nothing but a promise until those problems are solved (shameless plug here: I’m writing this from a backward-facing perspective.  We at Skkynet have solutions for the problems I will discuss in this series).

So what is the Industrial IoT (IIoT)?  Does it require a different way of thinking about IoT, relative to the “regular” IoT?  Not really, the IIoT just has greater consequences.  If somebody hacks your refrigerator, your food gets too hot or cold, or you become an unwitting source of spam email.  If somebody hacks your industrial process they could shut down an expensive line, damage equipment, injure people, or even put critical infrastructure out of service.  That said, the data communication, network security, privacy, speed, latency and accessibility issues surrounding the IoT are the same in the IIoT, just with more urgency.

On the other hand, is the IIoT simply the application of IoT technology to industrial applications?  Not really; rather, it is the application of IoT concepts to industrial applications.  This series of articles will examine some of these concepts related to communication for the Industrial IoT.  Even that is a very big topic, covering data acquisition, protocol gateways, cloud protocols, data storage, big data analysis, reliability, fault tolerance and security.  To keep things short we will narrow the conversation further to look at data acquisition, communication and security.
