Objective and Outcomes
The purpose of this task is to develop security management and services such as Confidentiality, Integrity and Authentication by analyzing and identifying security and cryptographic mechanisms and techniques to protect data communications in the context of resource-constrained devices.
Its outcomes affect tasks T2.4, T3.2, T3.3 and T3.6.
The Internet of Things (IoT) ecosystem is dedicated to providing connectivity to physical devices, enabling the collection and sharing of sensed data. Its implementation in the mining industry faces many challenges, mainly related to connectivity, especially in underground mine sites. As mining operations and the relevant IoT devices become connected, several security issues could arise, e.g., vulnerability to cyber-attacks, which will require additional investment in security systems.
Cybersecurity management in the Dig_IT project aims to provide a security layer for communication over different protocols on mobile and resource-constrained devices. A security solution has been implemented with the aim of achieving minimal impact on the current mines’ network infrastructure, along with a new and improved end users’ network infrastructure compliant with the security requirements.
In particular, task T3.5 addressed communication security between resource-constrained devices, namely the Smart Garments and the Drone, and the network infrastructure. The identified solution aimed to provide security on the MQTT and Wi-Fi protocols, the former used for Smart Garment communication and the latter for Drone communication.
The security solution planned for the Wi-Fi communication of UAV/UAS monitoring is no longer provided, due to the loss of image quality that could affect the veracity of the 3D model, as well as the heavy weight of the images, which would take a long time to send via Wi-Fi. The Smart Garment branch, instead, has been secured on the MQTT link with MQTTS (MQTT over TLS), which provides encryption and authentication for MQTT communications, ensuring that data is transmitted securely and can only be accessed by authorized parties. In addition, further security measures at the MQTT payload level have been adopted, integrating a Cryptographic Signature and an Integrity Code.
The cryptographic signature field has been implemented as a symmetric signature (i.e., a keyed hash function). In particular, HMAC has been selected in conjunction with the SHA256 hash function. The integrity code is instead implemented as a CRC16 in little-endian byte ordering. The combination of these cryptographic functionalities increases the security level by providing message-level authentication together with an integrity check and anti-tampering protection.
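The payload-level protection described above, as an added sketch that is not the Dig_IT project's own code. The frame layout, the CRC-16/XMODEM variant, the key and the sample payload are assumptions; the page specifies only HMAC with SHA256 and a little-endian CRC16.

```python
import binascii
import hashlib
import hmac
import struct

TAG_LEN, CRC_LEN = 32, 2  # HMAC-SHA256 tag and CRC16 sizes in bytes
KEY = b"constructed-demo-key-not-a-real-secret"  # constructed sample key
BODY = b'{"device":"garment-01","hr":72}'        # constructed sample payload

def crc16(data: bytes) -> int:
    # Assumption: CRC-16/XMODEM (poly 0x1021, init 0); the page names no variant.
    return binascii.crc_hqx(data, 0)

def protect(key: bytes, body: bytes) -> bytes:
    """Assumed layout: body || HMAC-SHA256(key, body) || CRC16-LE(body || tag)."""
    signed = body + hmac.new(key, body, hashlib.sha256).digest()
    return signed + struct.pack("<H", crc16(signed))  # "<H" = little-endian u16

def verify(key: bytes, frame: bytes) -> bytes:
    """Return the body if both checks pass, otherwise raise ValueError."""
    if len(frame) < TAG_LEN + CRC_LEN:
        raise ValueError("frame too short")
    signed = frame[:-CRC_LEN]
    (crc,) = struct.unpack("<H", frame[-CRC_LEN:])
    if crc16(signed) != crc:
        raise ValueError("CRC mismatch")  # catches accidental corruption only
    body, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("HMAC mismatch")  # sender did not hold the key
    return body

def outcome(key: bytes, frame: bytes) -> str:
    try:
        verify(key, frame)
        return "ok"
    except ValueError as exc:
        return str(exc)

def demo() -> dict:
    good = protect(KEY, BODY)
    flipped = bytes([good[0] ^ 0x01]) + good[1:]  # one bit damaged in transit
    # Body altered and CRC recomputed without the key: CRC passes, HMAC fails.
    altered = flipped[:-CRC_LEN]
    refreshed = altered + struct.pack("<H", crc16(altered))
    return {"good": outcome(KEY, good), "flipped": outcome(KEY, flipped),
            "crc_refreshed": outcome(KEY, refreshed)}

if __name__ == "__main__":
    print(demo())
```

The third case shows why the two fields are combined: the CRC can be recomputed by anyone, so only the keyed HMAC provides the anti-tampering property.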
Furthermore, other main Security Measures are implemented in the Dig_IT platform:
- Kafka MTLS Security: Transport Layer Security (TLS) is used to secure communication between Kafka brokers and clients. Mutual TLS (mTLS) is employed to authenticate the brokers and clients to each other using digital certificates. This ensures that data is transmitted securely and can only be accessed by authorized parties;
- SASL for User Access Management: Simple Authentication and Security Layer (SASL) is used to provide authentication and authorization for Kafka clients. This ensures that only authorized users can access the Kafka cluster and the data stored within it;
- User Management for MQTT: Access to MQTT is managed using username and password authentication. This ensures that only authorized users can access the MQTT broker and the data transmitted over it.