Security for Industrial Internet of Things – Machine to Machine
Secure communication of equipment, machines and systems
Industrial companies will need to operate increasingly complex IT infrastructures to make their processes, from ordering through production to delivery, more efficient and flexible. This progressive digitalization means networking more devices, systems and equipment than ever before and integrating office IT such as ERP systems, and even mobile devices, into production networks.
IT security is an important quality factor and should include secure, encrypted communication between all networked components and strong authentication. Unauthorized access to data can have disastrous consequences in automated industrial IT infrastructures, ranging from the loss of sensitive data and the manipulation of production data to an entire plant shutdown. Critical infrastructures in particular, such as US and European energy companies, have been compromised by malware in past years. 225,000 customers were affected by a power outage in December 2015 that was caused by a cyber-attack on a Ukrainian power station.
Secure machine communication through secure NCP software components
NCP has developed software components for secure data communication in Industrial Internet of Things (IIoT) scenarios. Several components deployed at different points in the infrastructure restore control and provide data encryption.
- IIoT Remote Gateway for secure communication of plant, machinery or systems
- Central IIoT Gateway for secure connection to IIoT Remote Gateways
- IIoT Management for administration, monitoring and integration into existing infrastructures
The IIoT Remote Gateway can be installed and used directly on systems or machinery, while the central IIoT Gateway decrypts data from the IIoT Remote Gateways for upstream processing.
Encrypted connections ensure that the IIoT Remote Gateway and the central IIoT Gateway are linked securely. Additional connections can be set up, for example to transmit video streams to the control room.
System manufacturers or operators benefit from more than encrypted communication: they gain back control over the configuration of security parameters and can commission systems more easily.
Thanks to its multi-client capability, the management system is well suited to cloud environments or IIoT infrastructures that link several production sites or divisions via a common platform. Administrators can only access the production sites they need to manage and cannot access external data or protected areas.
Encryption and authentication
All connections between the end devices and the gateways are encrypted with advanced algorithms (for example Suite B cryptography). For additional security, all machine certificates are managed in a Public Key Infrastructure (PKI). This ensures unique authentication of every end device. During each connection, device certificates are checked for validity and trustworthiness (signed by a trusted Certification Authority [CA]) and for whether the certificate has been blocked, using either an online or an offline check against the CA.
- centrally managed machine certificates
- advanced Suite B cryptography for state-of-the-art data encryption and transfer
- standards compliant
- easy integration into existing infrastructures
- centralized management of all components
- platform ready
- strong authentication
- support for virtualization
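The three per-connection checks described above, as an added example that is not NCP's code: a constructed toy PKI built with Go's standard crypto/x509 library, in which a machine certificate is accepted only if it is within its validity window, chains to the trusted CA, and is absent from a current CA-signed CRL (the offline revocation check; an online OCSP query would take the place of the CRL step). The names BuildDemoPKI, IssueCRL, CheckDeviceCert and the serial numbers are assumptions for this demo.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// must panics on error to keep this constructed demo short; production code would return the error.
func must[T any](v T, err error) T { if err != nil { panic(err) }; return v }
// BuildDemoPKI builds a constructed toy PKI: a 10-year self-signed CA and a 1-year client-auth certificate for one machine (serial 42).
func BuildDemoPKI(now time.Time) (ca, dev *x509.Certificate, caKey *ecdsa.PrivateKey) {
	caKey = must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	devKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // the machine's own key; the CA never needs it
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo IIoT CA"}, IsCA: true,
		BasicConstraintsValid: true, NotBefore: now, NotAfter: now.AddDate(10, 0, 0), KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	ca = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	devTmpl := &x509.Certificate{SerialNumber: big.NewInt(42), Subject: pkix.Name{CommonName: "machine-0042"}, NotBefore: now,
		NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	dev = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, devTmpl, ca, &devKey.PublicKey, caKey))))
	return ca, dev, caKey
}
// IssueCRL returns a CA-signed revocation list, valid for 7 days, that blocks the given serial numbers (the offline check's input).
func IssueCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, now time.Time, revoked ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 0, 7)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: now})
	}
	return must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey))))
}
// CheckDeviceCert: validity window and chain to the trusted CA, then a fresh CA-signed CRL that must not name the device serial. A missing, forged or stale CRL is a rejection, not a pass.
func CheckDeviceCert(dev, ca *x509.Certificate, crl *x509.RevocationList, now time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := dev.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("chain or validity check failed: %w", err)
	}
	if crl == nil || crl.CheckSignatureFrom(ca) != nil || now.After(crl.NextUpdate) {
		return fmt.Errorf("no current, CA-signed revocation information for serial %s", dev.SerialNumber)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(dev.SerialNumber) == 0 {
			return fmt.Errorf("certificate serial %s is revoked", dev.SerialNumber)
		}
	}
	return nil
}
```

Note that the CRL freshness test (NextUpdate) is what turns a revocation check into a real control: a gateway that silently accepts a connection when no revocation data is available cannot block a compromised machine.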
Connected Cars – Fleet management
NCP has implemented digital fleet management for field staff vehicles with a Linux-based black box that connects to a backend system. The black box and the user's device (for example a tablet) connect to the company headquarters via VPN to communicate the distance traveled or order data securely.
Bank ATM networks must be encrypted because of the sensitivity of financial data. This project involved implementing VPN clients on ATMs that operate in headless mode and are hidden from the customer while providing a high level of encryption and security.
A secure solution was needed for mobile display screens in supermarkets that allows employees to move the device to a different location without any technical knowledge. NCP achieved this with VPN clients that use the seamless roaming feature, which maintains the secure VPN connection without interruption even when the connection type (LAN/Wi-Fi/3G/4G) changes. This technology is suitable for all types of digital signage, including displays in hotels, medical practices, pharmacies and advertising.