Real-Time Innovations’ (RTI) Connext DDS Secure brings policy-based security to the Data Distribution Service (DDS). RTI’s Connext DDS has been used in applications that span embedded to enterprise applications (see “Data Distribution Service Scales From Embedded To The Enterprise”). The latest version implements a plug-in oriented architecture that provides policy-based security that scales across this range (Fig. 1).
The current set of plug-ins includes:
- Access control
- Data tagging
The plug-in approach allows developers to enhance plug-ins as well as providing ones that can take advantage of resident hardware and software. For example, the encryption plug-in can utilize hardware accelerated encryption support. Encryption can applied at the field level significantly reducing encryption overhead if only some data requires high security.
The access control provides the XML policy-based support. It is scalable so it can work on low end, embedded hardware where more sophisticated access control is not required. Nodes communicating directly with each other require matching access control support. Access control can be fine grained so access to a particular field can be controlled.
DDS provides a publish/subscribe environment (see “DDS V1.0 Standardizes Publish/Subscribe”). Connext DDS allows the environment to incorporate the cloud through Internet of Things (IoT) devices. Data can flow from a publisher through the network to any number of subscribers based on their needs. It handles quality of service, replication and a host of other features that make the data transfers and communication links transparent to applications. Connext DDS is compliant with the Open Management Group’s (OMG) DDS specification.
Download this article in .PDF format
This file type includes high resolution graphics and schematics when applicable.
Data tagging allows meta data to be added to DDS data. This can be used to enhance access control. For example, access to a particular piece of data may be limited by an application. Added meta data allows the application to determine what policy to apply.
The Connext DDS support is already modular so it can provide more limited support on low end, embedded clients as well as more sophisticated support on more powerful platforms. It does not have a single point of failure and can deal with a range of communication networks and protocols. It can utilize low bandwidth, limited connectivity links as well as manage high speed networks with multicast support.
Connext DDS can be used for DDS applications without modification. Policies can be applied at a level above applications or applications can take more control over their security using Connext DDS interfaces. It can be tailored to support legacy applications that may utilize other communication methods.
Pacific Northwest National Laboratory (PNNL) worked with RTI to provide a better, more secure communication system for their Supervisory Control and Data Acquisition (SCADA ) applications (Fig. 2). SCADA is used in a variety of industrial control systems like those used by electric utilities.
In this instance, PNNL had a SCADA system that used the standard Distributed Network Protocol 3 (DNP3). Unfortunately, DNP3 is not very secure and it is point-to-point. This can make security and reliable communication more difficult.
RTI and PNNL created a DNP3 routing service interface. This allowed the SCADA applications to use Connext DDS’ communication system that can be more secure as well as more reliable. Policies can be used to control access to the SCADA data that now flows only through Connext DDS.
The implementation has the added advantage of providing access to the SCADA data via DDS in addition to replacing the DNP3 support that the system was intended to secure.
Connext DDS Secure can be used in any Connext DDS environment to improve overall security. Connext DDS Secure and Connext DDS work with most operating systems such as Windows, Linux, Android, iOS and many RTOS systems.