A Secure IIoT Gateway Architecture based on Trusted Execution Environments

Journal of Network and Systems Management

Abstract

Industrial Internet of Things (IIoT) gateways are affected by many cybersecurity threats that compromise their security and dependability. These gateways usually represent single points of failure in the IIoT infrastructure. When compromised, they can disrupt the entire system, including the security of the IIoT devices and the confidentiality and privacy of the data. This paper introduces a Secure IIoT Gateway Architecture that encompasses Trusted Execution Environment concepts and consolidated security algorithms to achieve a secure IIoT environment. Sensitive procedures of the IIoT, like device admission, bootstrapping, key management, authentication, and data exchange between operational technology (OT) and information technology (IT), are handled by the gateway inside the secure execution domain. The bootstrapping does not require devices to have any pre-stored secret or a pre-established secure channel to any trusted third party. Moreover, our architecture includes mechanisms for IIoT devices to safely interact with the Cloud without assuming the integrity of the gateways between them, enabling continuous verification of gateway integrity. A formal proof of the security of the proposed solution is provided. Finally, the security of the proposed architecture is discussed according to the specified requirements.

Notes

  1. A platform like this, with the same assumptions and mechanisms, can also be used for OT devices. However, since OT devices are isolated from the IT by the gateway, trustfulness is often regarded as a function of the design, implementation, and operation of such devices and their coordination in an IIoT segment.

  2. The ECDH key pair is generated using an elliptic curve, which makes it 10 times more efficient than the traditional Diffie-Hellman for 256-bit ECDH keys [32]. Moreover, this difference increases as the key size increases. In [33], the performance of the ECDH algorithm was assessed on an embedded platform featuring a 32-bit, 26 MHz ARM7TDMI-S processor with 128 kB of flash memory and 96 kB of RAM, with execution time in the granularity of a few seconds, which demonstrates the ability of this simple platform to perform such operations. Finally, this key generation is only required once in the proposed bootstrap process; therefore, further key generation will happen very sporadically given the key management procedure.

  3. \(64\,\mathrm{KB} - 1\,\mathrm{B}\) is the maximum Data length supported by TSTP [26].

References

  1. Diro, A.A., Chilamkurti, N., Kumar, N.: Lightweight cybersecurity schemes using elliptic curve cryptography in publish-subscribe fog computing. Mobile Netw. Appl. 22(5), 848–858 (2017). https://doi.org/10.1007/s11036-017-0851-8

  2. Cionca, V., Newe, T., Dădârlat, V.T.: Configuration tool for a wireless sensor network integrated security framework. J. Netw. Syst. Manage. 20(3), 417–452 (2011). https://doi.org/10.1007/s10922-011-9219-8

  3. Kolias, C., Kambourakis, G., Stavrou, A., Voas, J.: DDoS in the IoT: Mirai and other botnets. Computer 50(7), 80–84 (2017). https://doi.org/10.1109/mc.2017.201

  4. Lyu, M., Sherratt, D., Sivanathan, A., Gharakheili, H.H., Radford, A., Sivaraman, V.: Quantifying the reflective DDoS attack capability of household IoT devices. In: Proceedings of the 10th ACM Conference on Security and Privacy in Wireless and Mobile Networks—WiSec ’17, pp. 46–51. ACM Press (2017)

  5. Bali, R.S., Jaafar, F., Zavarasky, P.: Lightweight authentication for MQTT to improve the security of IoT communication. In: Proceedings of the 3rd International Conference on Cryptography, Security and Privacy. ICCSP ’19, pp. 6–12. Association for Computing Machinery, New York, NY (2019)

  6. The Things Network: LoRaWan security, sponsored by The Things Industry. Retrieved from https://www.thethingsnetwork.org/docs/lorawan/security.html. Accessed 03 Nov 2020

  7. Naoui, S., Elhdhili, M.E., Saidane, L.A.: Lightweight and secure password based smart home authentication protocol: LSP-SHAP. J. Netw. Syst. Manage. 27(4), 1020–1042 (2019). https://doi.org/10.1007/s10922-019-09496-x

  8. Pinto, S., Gomes, T., Pereira, J., Cabral, J., Tavares, A.: IIoTEED: an enhanced, trusted execution environment for industrial IoT edge devices. IEEE Internet Comput. 21(1), 40–47 (2017). https://doi.org/10.1109/mic.2017.17

  9. Ukil, A., Sen, J., Koilakonda, S.: Embedded security for Internet of Things. In: 2011 2nd National Conference on Emerging Trends and Applications in Computer Science, pp. 1–6. IEEE (2011)

  10. Lesjak, C., Hein, D., Winter, J.: Hardware-security technologies for industrial IoT: TrustZone and security controller. In: IECON 2015—41st Annual Conference of the IEEE Industrial Electronics Society, pp. 2589–2595. IEEE (2015)

  11. Panchal, A.C., Khadse, V.M., Mahalle, P.N.: Security issues in IIoT: a comprehensive survey of attacks on IIoT and its countermeasures. In: 2018 IEEE Global Conference on Wireless Computing and Networking (GCWCN), pp. 124–130. IEEE (2018)

  12. Togay, C., Mutlu, G., Kurtulus, D., Özgür, F.: Secure gateway for the internet of things. Avrupa Bilim ve Teknol. Dergisi (2019). https://doi.org/10.31590/ejosat.524783

  13. Navarro-Ortiz, J., Sendra, S., Ameigeiras, P., Lopez-Soler, J.M.: Integration of LoRaWAN and 4G/5G for the industrial internet of things. IEEE Commun. Mag. 56(2), 60–67 (2018). https://doi.org/10.1109/mcom.2018.1700625

  14. Lin, I.C., Hsu, H.H., Cheng, C.Y.: A cloud-based authentication protocol for RFID supply chain systems. J. Netw. Syst. Manage. 23(4), 978–997 (2015). https://doi.org/10.1007/s10922-014-9329-1

  15. Kuo, F.C., Tschofenig, H., Meyer, F., Fu, X.: Comparison studies between pre-shared and public key exchange mechanisms for transport layer security. In: Proceedings IEEE INFOCOM 2006. 25TH IEEE International Conference on Computer Communications, pp. 1–6. IEEE (2006)

  16. Bienhaus, D., Ebner, A., Jäger, L., Rieke, R., Krauß, C.: Secure gate: secure gateways and wireless sensors as enablers for sustainability in production plants. Simul. Model. Pract. Theory 109, 102282 (2021). https://doi.org/10.1016/j.simpat.2021.102282

  17. Sebastian, D.J., Agrawal, U., Tamimi, A., Hahn, A.: DER-TEE: secure distributed energy resource operations through trusted execution environments. IEEE Internet Things J. 6(4), 6476–6486 (2019). https://doi.org/10.1109/JIOT.2019.2909768

  18. Lee, S., Heo, M., Park, K., Kim, B., Hong, J.: Enhancing the security of IoT gateway based on the classification of user security-sensitive data. In: Proceedings of the Conference on Research in Adaptive and Convergent Systems. RACS ’19, pp. 241–243. Association for Computing Machinery, New York, NY (2019)

  19. Ling, Z., Yan, H., Shao, X., Luo, J., Xu, Y., Pearson, B., et al.: Secure boot, trusted boot and remote attestation for ARM TrustZone-based IoT Nodes. J. Syst. Architect. 119, 102240 (2021). https://doi.org/10.1016/j.sysarc.2021.102240

  20. Tange, K., De Donno, M., Fafoutis, X., Dragoni, N.: A systematic survey of industrial internet of things security: requirements and fog computing opportunities. IEEE Commun. Surv. Tutor. 22(4), 2489–2520 (2020). https://doi.org/10.1109/COMST.2020.3011208

  21. Li, J., Tang, X., Wei, Z., Wang, Y., Chen, W., An Tan, Y.: Correction to: Identity-based multi-recipient public key encryption scheme and its application in IoT. Mobile Netw. Appl. (2020). https://doi.org/10.1007/s11036-020-01512-8

  22. Lucena, M., Scheffel, R.M., Fröhlich, A.A.: IoT gateway integrity checking protocol. In: IX Brazilian Symposium on Computing Systems Engineering (SBESC), vol. 2019, pp. 1–8. IEEE (2019)

  23. Needham, R.M., Schroeder, M.D.: Using encryption for authentication in large networks of computers. Commun. ACM 21(12), 993–999 (1978). https://doi.org/10.1145/359657.359659

  24. Dolev, D., Yao, A.C.: On the security of public key protocols. In: 22nd Annual Symposium on Foundations of Computer Science (sfcs 1981), pp. 350–357. IEEE (1981)

  25. Hu, P., Ning, H., Qiu, T., Song, H., Wang, Y., Yao, X.: Security and privacy preservation scheme of face identification and resolution framework using fog computing in internet of things. IEEE Internet Things J. 4(5), 1143–1155 (2017). https://doi.org/10.1109/JIOT.2017.2659783

  26. Resner, D., Fröhlich, A.A.: Design rationale of a cross-layer, trustful space-time protocol for wireless sensor networks. In: 2015 IEEE 20th Conference on Emerging Technologies & Factory Automation (ETFA), pp. 1–8. IEEE (2015)

  27. Scheffel, R.M., Fröhlich, A.A.: FT-TSTP: a multi-gateway fully reactive geographical routing protocol to improve WSN reliability. In: 2018 IEEE International Conference on Advanced Networks and Telecommunications Systems (ANTS), pp. 1–6. IEEE (2018)

  28. IEEE: IEEE standard for a precision clock synchronization protocol for networked measurement and control systems. In: IEEE Std 1588–2002, pp. 1–154, 31 Oct. 2002. https://doi.org/10.1109/IEEESTD.2002.94144

  29. Resner, D., Fröhlich, A.A.: Speculative precision time protocol: submicrosecond clock synchronization for the IoT. In: 21st IEEE International Conference on Emerging Technologies and Factory Automation (ETFA 2016), pp. 1–8. Berlin, Germany (2016)

  30. IEC: Industrial Communication Networks—Fieldbus Specifications—Part 1: Overview and Guidance for the IEC 61158 and IEC 61784 Series. International Electrotechnical Commission, Geneva (2019)

  31. Isobe, T., Shibutani, K.: Preimage Attacks on Reduced Tiger and SHA-2. In: Fast Software Encryption, pp. 139–155. Springer, Berlin (2009)

  32. National Security Agency: The case for elliptic curve cryptography (2005, October 13). Retrieved from https://web.archive.org/web/20051013062853/http://www.nsa.gov/ia/industry/crypto_elliptic_curve.cfm. Accessed November 3, 2020

  33. Resner, D., Fröhlich, A.A.: Key establishment and trustful communication for the Internet of Things. In: Proceedings of the 4th International Conference on Sensor Networks—SENSORNETS. INSTICC, pp. 197–206. SciTePress (2015)

  34. Certicom Research: SEC 2: recommended elliptic curve domain parameters (2010, January 27). Retrieved from https://www.secg.org/sec2-v2.pdf. Accessed November 3, 2020

  35. Aziz, B., Hamilton, G.: Detecting man-in-the-middle attacks by precise timing. In: 2009 Third International Conference on Emerging Security Information, Systems and Technologies, pp. 81–86. IEEE (2009)

  36. Bernstein, D.J.: The Poly1305-AES message-authentication code. In: Proceedings of Fast Software Encryption, pp. 32–49. Paris, France (2005)

  37. Resner, D.: Performance Evaluation of the Trustful Space-Time Protocol [M.Sc. Thesis]. Federal University of Santa Catarina. Florianópolis (2018). https://repositorio.ufsc.br/handle/123456789/189296

  38. Carlos, M.C., Martina, J.E., Price, G., Custódio, R.F.: An updated threat model for security ceremonies. In: Proceedings of the 28th Annual ACM Symposium on Applied Computing. SAC ’13, pp. 1836–1843. Association for Computing Machinery, New York, NY (2013). https://doi.org/10.1145/2480362.2480705

  39. Costan, V., Devadas, S.: Intel SGX explained. IACR Cryptol. ePrint Arch. 2016, 86 (2016)

  40. Götzfried, J., Eckert, M., Schinzel, S., Müller, T.: Cache Attacks on Intel SGX. In: Proceedings of the 10th European Workshop on Systems Security. EuroSec’17, pp. 1–6. Association for Computing Machinery, New York, NY (2017)

  41. Fröhlich, A.A.: SmartData: an IoT-ready API for sensor networks. Int. J. Sens. Netw. 28(3), 202 (2018). https://doi.org/10.1504/ijsnet.2018.096264

Funding

This study was financed in part by grants 2020/05142-1, 2021/02384-7, and 2021/02385-3, São Paulo Research Foundation (FAPESP).

Author information

Contributions

AAF: Conceptualization, Writing—Review & Editing, Supervision. LPH: Conceptualization, Formal analysis, Writing—Review & Editing, Investigation. JLCH: Conceptualization, Formal analysis, Writing—Review & Editing, Investigation.

Corresponding author

Correspondence to José Luis Conradi Hoffmann.

Ethics declarations

Conflict of interest

The authors have declared no conflicts of interest.

Cite this article

Fröhlich, A.A., Horstmann, L.P. & Hoffmann, J.L.C. A Secure IIoT Gateway Architecture based on Trusted Execution Environments. J Netw Syst Manage 31, 32 (2023). https://doi.org/10.1007/s10922-023-09723-6

  • DOI: https://doi.org/10.1007/s10922-023-09723-6
