DocumentCode :
3662475
Title :
Securing smart maintenance services: Hardware-security and TLS for MQTT
Author :
Christian Lesjak;Daniel Hein;Michael Hofmann;Martin Maritsch;Andreas Aldrian;Peter Priller;Thomas Ebner;Thomas Ruprechter;Günther Pregartner
Author_Institution :
Design Center Graz, Infineon Technologies Austria AG, Graz, Austria
fYear :
2015
fDate :
7/1/2015 12:00:00 AM
Firstpage :
1243
Lastpage :
1250
Abstract :
Increasing the efficiency of production and manufacturing processes is a key goal of initiatives like Industry 4.0. Within the context of the European research project ARROWHEAD, we enable and secure smart maintenance services. An overall goal is to proactively predict and optimize the Maintenance, Repair and Operations (MRO) processes carried out by a device maintainer, for industrial devices deployed at the customer. Therefore it is necessary to centrally acquire maintenance relevant equipment status data from remotely located devices over the Internet. Consequently, security and privacy issues arise from connecting devices to the Internet, and sending data from customer sites to the maintainer's back-end. In this paper we consider an exemplary automotive use case with an AVL Particle Counter (APC) as device. The APC transmits its status information by means of a fingerprint via the publish-subscribe protocol Message Queue Telemetry Transport (MQTT) to an MQTT Information Broker in the remotely located AVL back-end. In a threat analysis we focus on the MQTT routing information asset and identify two elementary security goals in regard to client authentication. Consequently we propose a system architecture incorporating a hardware security controller that processes the Transport Layer Security (TLS) client authentication step. We validate the feasibility of the concept by means of a prototype implementation. Experimental results indicate that no significant performance impact is imposed by the hardware security element. The security evaluation confirms the advanced security of our system, which we believe lays the foundation for security and privacy in future smart service infrastructures.
Keywords :
"Maintenance engineering","Authentication","Protocols","Internet","Cryptography","Production"
Publisher :
IEEE
Conference_Titel :
Industrial Informatics (INDIN), 2015 IEEE 13th International Conference on
ISSN :
1935-4576
Electronic_ISBN :
2378-363X
Type :
conf
DOI :
10.1109/INDIN.2015.7281913
Filename :
7281913
Link To Document :