In the past decade, the insecurity of industrial control systems (ICS) and smart grid network protocols such as IEC 60870, IEC 61850, Modbus, DNP3, etc., became a significant focus for systems operators, suppliers, and researchers. Many potential cyber vulnerabilities and risks to physical infrastructure have been identified in the research community. In more recent years these have played a role in real-world attacks, for example the CrashOverride malware is observed to have been able to interact with several ICS protocols (https://www.cisa.gov/uscert/ncas/alerts/TA17-163A).

Many protocols associated with ICS evolved from serial links by adopting TCP/IP encapsulation, for instance IEC 60870-5, which is a standard for power system monitoring and control associated with utilities such as electric power systems or water treatment. This protocol, like many others, is heavily based on data objects. For example, IEC 60870-5-101 uses Application Service Data Unit (ASDU) addresses, where data is classified into information objects, each provided with a specific logical address. Arguably, this data model lends itself more naturally to a data-oriented communication approach, rather than the host-oriented TCP/IP approach, whereby data must be encapsulated within multiple layers for transmission. This often requires various middleware and gateways to translate and repackage data, or to provide layers of security. For example, the operation of Phasor Measurement Units (PMUs) in smart grids typically relies on a hierarchy of Phasor Data Concentrator (PDC) middleboxes.

In this project we therefore consider two technology paradigms, the first is the Industrial Internet of Things (IIoT), which is a rapidly developing area that addresses the proliferation of highly interconnected and ubiquitous embedded devices in ICS. The second technology we consider is Named Data Networking (NDN), which is an approach to develop networking infrastructure that is data-centric rather than host-centric (based on connecting hosts end-to-end). Significantly for our research, NDN has security features ‘baked in’ at the network layer, offering potential advantages for IIoT.

Communication in NDN is driven by data consumers, through the exchange of two types of packets: Interest and Data. Both packet types carry a name that identifies a piece of data. All data available to the network is named and identified using hierarchical structured names, which may be local or global. For example, ‘QUB/ICS/historian/20210303’ could be the name used for some data logged on 3 March 2021. Data can be broken down into chunks, such as ‘…20210303/1’, ‘…20210303/2’, and so on. For a consumer to indicate interest in specific data, i.e. it wants a copy of this data, the consumer sends an Interest packet to the network with the name of the desired data. Routers use this name to forward the Interest toward the data producer(s).

With NDN, security is built into the data itself. The intention is to secure the content, not the container or communication channel. The security actions are performed directly at the network layer with content identification provided in data names. Each piece of data is signed together with its name, securely binding them. Data signatures are mandatory. Integrity protection guarantees the authenticity of the data bound to the name by including the producer signature of the data plus its name. Confidentiality (via data encryption) is optional, and applications can distribute data encryption keys as encrypted NDN data, limiting the data security perimeter to the context of a single application. This is an exciting concept with potential to be genuinely transformative, allowing developers to focus on data access at an application level, with security mechanisms for integrity and confidentiality handled by the network layer, agnostically and transparently.

PMUs are a key enabling technology of Smart Grids. They provide time synchronised measurements which allow system operators unprecedented visibility of electricity networks. Queen’s University Belfast has expertise and experience investigating cyber security issues related to PMU smart grid environments, having previously completed RITICS projects CAPRICA, investigating security implementations of the IEC 61850-90-5 protocol, and COSMIC, investigating secure migration of SCADA control platforms to the cloud. These projects had a significant impact in the ongoing OpenPMU project (http://www.openpmu.org) which in turn led to the spin-out Phasora Ltd.

PMUs enable novel real-time operational control methodologies which facilitate integration of low carbon technologies, including renewable generation, electric vehicles, heat pumps, which are considered vital to meeting international obligations related to climate change. NDN features address many of the shortfalls of current communication technology for distributed renewable energy generation. For example, IEEE and NASPI working groups have recently identified the challenges of telecoms complexity and cyber security concerns as barriers to the widespread deployment of PMU applications. One of the key weaknesses is the reliance on PDCs, requiring unpacking, refactoring and repackaging of PMU data many times in the communication path. NDN offers an opportunity to reduce this overhead and provide security features lacking in present systems.

Consequently, this project addresses these problems and investigates applying NDN to IIoT. Using PMU communications as a practical case-study, we will particularly focus on NDN’s proposed approaches to security and evaluate its suitability for low-resource embedded PMU devices. We aim to consider how do our findings apply to broader IIoT contexts, considering cyber security advantages and disadvantages, performance constraints, and barriers to adoption by industry.