Security and Access Control within Unified Namespaces with Sparkplug B

With the rise of Industrial Internet of Things (IIoT) technologies, there is an increasing need for secure communication between devices and data sources within a network. One way to ensure secure communication is to use Sparkplug B, an open-source specification for MQTT. Sparkplug B defines a standard for the message payload and a communication protocol for industrial devices.

However, it is not enough just to use Sparkplug B: security and access control mechanisms must be put in place so that only authorized devices and users can access and exchange data within the network. This post covers the basics of security and access control within unified namespaces using Sparkplug B.


Unified Namespace

Before diving into security and access control, it is important to understand what a unified namespace is. A unified namespace is a naming convention that ensures every device, tag, or data point within a network has a unique and consistent name across all devices and applications.

A unified namespace can be achieved by leveraging Sparkplug B's hierarchical structure for device and tag names, or metrics as they are called in the MQTT world. The hierarchy is represented by a series of topics organized in a tree-like structure. Each topic in the tree represents a level of the hierarchy, and the topic levels are separated by forward slashes (/).

For example, if we have a device named "Tank1" with two tags named "Level" and "Temperature", the unified namespace for these tags would be under the following topic, where Message Type stands for the Sparkplug B message type (such as DDATA for device data):

spBv1.0/Corso Systems/Message Type/Treatment Plant/Tank 1

The two tags would then be sent as part of the MQTT payload, defined as:

{
  "timestamp": 1486144502122,
  "metrics": [{
    "name": "Level",
    "alias": 1,
    "timestamp": 1479123452194,
    "dataType": "Int16",
    "value": 75
  },
  {
    "name": "Temperature",
    "alias": 2,
    "timestamp": 1479123452194,
    "dataType": "Int16",
    "value": 82
  }],
  "seq": 2
}
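The following Python is an added example, not code from the post or from Corso Systems. It parses a Sparkplug B node/device topic into its hierarchy levels, rejects malformed or wildcard-bearing topics, and resolves the aliases in a data payload against the names learned from the device's birth certificate, checking the seq counter so that a replayed or out-of-order message is caught. It works on the JSON rendering of the payload shown above; on the wire Sparkplug B payloads are Protobuf-encoded, so a real subscriber decodes with the Sparkplug schema first and then applies the same logic. The DBIRTH and DDATA payloads and the topic strings are constructed for the example.

```python
import json
from dataclasses import dataclass
from typing import Optional

# Topic layout for edge node and device messages:
#   spBv1.0/<group_id>/<message_type>/<edge_node_id>[/<device_id>]
NAMESPACE = "spBv1.0"
NODE_DEVICE_MESSAGE_TYPES = {"NBIRTH", "NDEATH", "DBIRTH", "DDEATH",
                             "NDATA", "DDATA", "NCMD", "DCMD"}


@dataclass(frozen=True)
class SparkplugTopic:
    group_id: str
    message_type: str
    edge_node_id: str
    device_id: Optional[str] = None

    def __str__(self) -> str:
        parts = [NAMESPACE, self.group_id, self.message_type, self.edge_node_id]
        if self.device_id is not None:
            parts.append(self.device_id)
        return "/".join(parts)


def parse_topic(topic: str) -> SparkplugTopic:
    """Split a node/device topic into its levels and reject malformed ones."""
    parts = topic.split("/")
    if len(parts) not in (4, 5):
        raise ValueError(f"expected 4 or 5 levels, got {len(parts)}: {topic!r}")
    if parts[0] != NAMESPACE:
        raise ValueError(f"unexpected namespace {parts[0]!r}")
    if parts[2] not in NODE_DEVICE_MESSAGE_TYPES:
        raise ValueError(f"unknown message type {parts[2]!r}")
    for level in parts[1:]:
        # Empty levels and MQTT wildcard characters are not valid in a published topic.
        if not level or "+" in level or "#" in level:
            raise ValueError(f"invalid topic level {level!r}")
    device_id = parts[4] if len(parts) == 5 else None
    return SparkplugTopic(parts[1], parts[2], parts[3], device_id)


# Constructed sample payloads in the JSON layout shown in the post (a real
# Sparkplug B payload is Protobuf; decode it first and the logic is the same).
DBIRTH_PAYLOAD = json.dumps({
    "timestamp": 1486144502122,
    "metrics": [
        {"name": "Level", "alias": 1, "timestamp": 1486144502122,
         "dataType": "Int16", "value": 75},
        {"name": "Temperature", "alias": 2, "timestamp": 1486144502122,
         "dataType": "Int16", "value": 82},
    ],
    "seq": 0,
})
DDATA_PAYLOAD = json.dumps({
    "timestamp": 1486144503122,
    # Data messages may carry only the alias; the name comes from the birth.
    "metrics": [{"alias": 1, "timestamp": 1486144503122,
                 "dataType": "Int16", "value": 77}],
    "seq": 1,
})


class DeviceState:
    """Alias table learned from the last birth certificate plus the next expected seq."""

    def __init__(self) -> None:
        self.alias_to_name: dict = {}
        self.expected_seq: Optional[int] = None

    def handle(self, topic: str, payload: str) -> dict:
        """Validate one message and return {metric name: value} for its metrics."""
        t = parse_topic(topic)
        body = json.loads(payload)
        seq = body["seq"]
        if t.message_type in ("NBIRTH", "DBIRTH"):
            # A birth (re)defines the alias table; earlier aliases are discarded.
            self.alias_to_name = {m["alias"]: m["name"]
                                  for m in body["metrics"] if "alias" in m}
        elif self.expected_seq is None:
            raise ValueError("data received before any birth certificate; request a rebirth")
        elif seq != self.expected_seq:
            raise ValueError(f"seq gap: expected {self.expected_seq}, got {seq}; request a rebirth")
        # Sequence numbers increment by one per message and wrap at 256.
        self.expected_seq = (seq + 1) % 256
        resolved = {}
        for m in body["metrics"]:
            name = m.get("name")
            if name is None:
                if m.get("alias") not in self.alias_to_name:
                    raise ValueError(f"unknown alias {m.get('alias')!r}")
                name = self.alias_to_name[m["alias"]]
            resolved[name] = m["value"]
        return resolved
```

Feeding the DBIRTH and then the DDATA payload through one DeviceState returns {"Level": 75, "Temperature": 82} and then {"Level": 77}; feeding the same DDATA a second time raises, which is the point of tracking seq: a consumer that does not validate the sequence will silently accept replayed or injected data that carries a valid-looking alias.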

Security

MQTT, and the brokers that carry Sparkplug B traffic, provide security mechanisms to ensure only authorized devices and users can access data within the network. The security mechanisms include:

  1. Transport Layer Security (TLS): This is a protocol that provides encryption and authentication for data in transit. It ensures that data exchanged between devices is encrypted, so it cannot be read or tampered with by unauthorized parties who intercept the traffic.

  2. User Authentication: Sparkplug B supports user authentication to ensure that only authorized users can access the network. Clients are authenticated using a client ID plus an optional username and password, or using certificates.

  3. Role-based Access Control (RBAC): Sparkplug B also supports RBAC, which is a mechanism that ensures that users only have access to the data that they are authorized to access. RBAC works by assigning roles to users and restricting their access based on those roles.

Access Control

Access control in Sparkplug B ensures only authorized devices can publish and subscribe to data within the network. It is achieved by using a security policy that defines the access control rules for each topic in the unified namespace.

The security policy is implemented using access control lists (ACLs). An ACL is a list of rules that define the access control for a specific topic. Each rule in the ACL specifies the type of access that is allowed or denied for a specific device or user.

For example, the following ACL allows device "Tank1" to publish data to the "Level" tag and subscribe to data from the "Temperature" tag:

{
  "allow": [
    {
      "type": "device",
      "value": "Tank1",
      "operations": ["publish"],
      "topic": "/Tank1/Level"
    },
    {
      "type": "device",
      "value": "Tank1",
      "operations": ["subscribe"],
      "topic": "/Tank1/Temperature"
    }
  ]
}
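The Python below is an added example, not the post's or Corso Systems' code. It implements an evaluator for the ACL format shown above, extended with the role-based access control described in the Security section: a principal carries a device identity and a set of roles, a rule may name either, an optional "deny" list takes precedence over "allow", and anything not explicitly allowed is denied. Topic patterns use MQTT's + and # wildcards, and a subscription filter is permitted only when everything it could match lies inside an allowed pattern, which is the check a broker must make so that a client holding a narrow grant cannot subscribe to "#" and read the whole namespace. The policy document, the device ids and the role names are constructed for the example; in a deployment the same decisions are made by the MQTT broker's ACL engine, so an ACL like the post's has to be translated into that broker's configuration.

```python
import json
from dataclasses import dataclass

OPERATIONS = {"publish", "subscribe"}


@dataclass(frozen=True)
class Principal:
    """An authenticated MQTT client: its identity plus the roles assigned to it."""
    device_id: str
    roles: frozenset = frozenset()


def covers(pattern: str, requested: str) -> bool:
    """True when every topic matched by `requested` (a topic name or a subscription
    filter) is also matched by the ACL `pattern`, using MQTT '+' and '#' rules."""
    p, r = pattern.split("/"), requested.split("/")
    for i, level in enumerate(p):
        if level == "#":
            return i == len(p) - 1          # '#' matches the rest, and must be last
        if i >= len(r) or r[i] == "#":
            return False                    # request is broader than the pattern here
        if level != "+" and level != r[i]:
            return False                    # '+' covers '+' or a literal; a literal only itself
    return len(p) == len(r)


class AccessPolicy:
    """Evaluates the ACL document format used in the post, extended with 'role' subjects
    and an optional 'deny' list. Decisions are default-deny and explicit deny wins."""

    def __init__(self, policy_json: str) -> None:
        policy = json.loads(policy_json)
        self.allow = policy.get("allow", [])
        self.deny = policy.get("deny", [])
        for rule in self.allow + self.deny:
            self._validate(rule)

    @staticmethod
    def _validate(rule: dict) -> None:
        if rule["type"] not in ("device", "role"):
            raise ValueError(f"unknown subject type {rule['type']!r}")
        if not set(rule["operations"]) <= OPERATIONS:
            raise ValueError(f"unknown operation in {rule['operations']!r}")
        levels = rule["topic"].split("/")
        for i, lvl in enumerate(levels):
            # Wildcards must occupy a whole level, and '#' may only be the final level.
            if ("#" in lvl and (lvl != "#" or i != len(levels) - 1)) or ("+" in lvl and lvl != "+"):
                raise ValueError(f"malformed topic pattern {rule['topic']!r}")

    @staticmethod
    def _applies(rule: dict, who: Principal, operation: str, topic: str) -> bool:
        if rule["type"] == "device":
            subject_ok = rule["value"] == who.device_id
        else:
            subject_ok = rule["value"] in who.roles
        return subject_ok and operation in rule["operations"] and covers(rule["topic"], topic)

    def is_allowed(self, who: Principal, operation: str, topic: str) -> bool:
        if operation not in OPERATIONS:
            raise ValueError(f"unknown operation {operation!r}")
        if any(self._applies(r, who, operation, topic) for r in self.deny):
            return False                    # explicit deny beats any allow
        return any(self._applies(r, who, operation, topic) for r in self.allow)


# Constructed policy: Tank1 may publish its own messages and receive its own commands,
# the "scada" role may read the whole group and send commands, and "viewer" never publishes.
POLICY_JSON = json.dumps({
    "allow": [
        {"type": "device", "value": "Tank1", "operations": ["publish"],
         "topic": "spBv1.0/Corso Systems/+/Treatment Plant/Tank1"},
        {"type": "device", "value": "Tank1", "operations": ["subscribe"],
         "topic": "spBv1.0/Corso Systems/DCMD/Treatment Plant/Tank1"},
        {"type": "role", "value": "scada", "operations": ["subscribe"],
         "topic": "spBv1.0/Corso Systems/#"},
        {"type": "role", "value": "scada", "operations": ["publish"],
         "topic": "spBv1.0/Corso Systems/DCMD/#"},
    ],
    "deny": [
        {"type": "role", "value": "viewer", "operations": ["publish"], "topic": "#"},
    ],
})
```

With this policy, Tank1 can publish to its own DDATA topic but not to Tank2's, and its request to subscribe to "spBv1.0/Corso Systems/#" is refused because that filter reaches beyond the single DCMD topic it is granted; a client holding both the "scada" and "viewer" roles can still read everything but is refused every publish, since the deny rule is checked first.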

Wrapping Up

Security and access control are essential components of a secure IIoT network. Sparkplug B provides mechanisms for secure communication between devices. The use of a unified namespace ensures that data is consistently named across all devices and applications.

By using transport layer security, user authentication, and role-based access control, Sparkplug B ensures that only authorized users and devices can access data within the network. Access control is further enhanced by using ACLs to define the access control rules for each topic in the unified namespace.

In summary, when implementing security and access control within unified namespaces with Sparkplug B, it is important to:

  1. Use a unified namespace to ensure consistent and unique naming across all devices and applications.

  2. Implement transport layer security (TLS) to encrypt and authenticate data in transit.

  3. Authenticate users using username and password or certificates.

  4. Use role-based access control to ensure that users only have access to the data that they are authorized to access.

  5. Define access control rules for each topic in the unified namespace using ACLs.

By following these best practices, you can ensure that your IIoT network is secure and that only authorized devices and users can access and exchange data within the network. Does your project need to be secure? Corso Systems can help, contact us today!
