An SDN-Enabled Architecture for IT/OT Converged Networks: A Proposal and Qualitative Analysis under DDoS Attacks
Abstract
:1. Introduction
2. Background
2.1. IT/OT Convergence
2.2. SDN for IIoT Networks
2.3. SDN Security Issues
2.3.1. Application Plane Security
2.3.2. Control Plane Security
2.3.3. Data Plane Security
2.3.4. Denial of Service in an SDN
3. Proposed Architecture
3.1. SDN-Enabled Architecture for IIoT
- Machine Layer: The bottom layer encompasses the manufacturing machines and is usually equipped with heterogeneous sensor networks. In particular, this layer does not contain any SDN equipment due to strict security requirements. Therefore, this layer generates a vast amount of data that shall be transmitted to the application layer (cloud) in real time, and the network bandwidth and real-time requirements may change depending on the different applications (the SDN controller can change the network behavior dynamically). Moreover, this layer should maintain an elevated level of security in fields where there may be dangerous situations for workers near the machines when automatic actuation is in progress.
- Operation Technology Layer: This layer involves components interacting directly with the physical machines and extracting data from them. Security in these first two levels is a key requirement, because a malicious intruder can compromise the whole operativity of production in addition to the possibility of causing extensive damage to people and the machinery. Moreover, this layer can host submodules that provide computation resources to analyze distributed IIoT data and enable the integration of SDN equipment (i.e., switches) to improve management performances. The IIoT services can include data analysis, computing, and acting as a broker. The IIoT devices are generally limited computation resources. This is why the deployment of a local data analysis service is better in terms of latency. In addition, we propose using an OpenFlow switch in this layer to connect it to the controller (i.e., IT layer). Therefore, the OT layer will be controlled and managed by the SDN controller, which makes the architecture more flexible and scalable. Finally, due to security reasons and time constraints, this level was immediately above the machine layer, and furthermore, we decided to not place SDN controllers in this layer.
- Information Technology Layer: This layer does not directly involve workers and machinery, so it is possible to have more relaxed requirements compared with the OT. Here, the SDN controllers are the glue that realizes the interaction between the machine layer and the application layer. In particular, the SDN controller represents the network control plane, and therefore, we propose the use of a distributed SDN controller that provides scalability for IIoT networks at scale. On the one hand, this layer directly manages the physical devices such as the IIoT devices via several interfaces and protocols (e.g., the southbound interface) and adapts their behavior according to the application requirements. On the other hand, this layer provides information to the application layer through the northbound interface and API. In the context of Industry 4.0, the SDN can customize the services provided according to the application requirements (e.g., data transmission rate and real time constraint).
- Application Layer: This layer provides a set of APIs that can be used to design end user applications, such as shop floor monitoring, predictive maintenance, and also providing an abstraction of data generated by the shop floors.
3.2. Use Case
4. Simulation and Experimental Results
4.1. Simulation Implementation Details
4.2. DDoS Simulation Attacks
4.3. Simulation Results
5. Conclusions and Future Work
Author Contributions
Funding
Data Availability Statement
Acknowledgments
Conflicts of Interest
References
- Taheri, J. Big Data and Software Defined Networks, ser. Computing; Institution of Engineering and Technology: London, UK, 2018; Available online: https://digital-library.theiet.org/content/books/pc/pbpc015e (accessed on 30 June 2021).
- Pal, C.; Veena, S.; Rustagi, R.P.; Murthy, K.N.B. Implementation of simplified custom topology framework in Mininet. In Proceedings of the 2014 Asia-Pacific Conference on Computer Aided System Engineering (APCASE), Bali, Indonesia, 10–12 February 2014; IEEE: New York, NY, USA, 2014; pp. 48–53. [Google Scholar]
- Kreutz, D.; Ramos, F.; Verissimo, P.E.; Rothenberg, C.E.; Azodolmolky, S.; Uhlig, S. Software-defined networking: A comprehensive survey. Proc. IEEE 2015, 103, 14–76. [Google Scholar] [CrossRef] [Green Version]
- Sisinni, E.; Saifullah, A.; Han, S.; Jennehag, U.; Gidlund, M. Industrial internet of things: Challenges, opportunities, and directions. IEEE Trans. Ind. Inform. 2018, 14, 4724–4734. [Google Scholar] [CrossRef]
- Dhamecha, K.; Trivedi, B. Article: Sdn issues—A survey. Int. J. Comput. Appl. 2013, 73, 30–35. [Google Scholar]
- Wang, S.; Wan, J.; Zhang, D.; Li, D.; Zhang, C. Towards smart factory for industry 4.0: A self-organized multi-agent system with big data based feedback and coordination. Comput. Netw. 2016, 101, 158–168. [Google Scholar] [CrossRef] [Green Version]
- Da Xu, L.; He, W.; Li, S. Internet of things in industries: A survey. IEEE Trans. Ind. Inform. 2014, 10, 2233–2243. [Google Scholar] [CrossRef]
- Zhu, R.; Zhang, X.; Liu, X.; Shu, W.; Mao, T.; Jalaian, B. ERDT: Energy-efficient reliable decision transmission for intelligent cooperative spectrum sensing in industrial IoT. IEEE Access 2015, 3, 2366–2378. [Google Scholar] [CrossRef]
- Bellavista, P.; Bosi, F.; Corradi, A.; Foschini, L.; Monti, S.; Patera, L.; Poli, L.; Scotece, D.; Solimando, M. Design guidelines for big data gathering in industry 4.0 environments. In Proceedings of the 2019 IEEE 20th International Symposium on A World of Wireless, Mobile and Multimedia Networks, Washington, DC, USA, 10–12 June 2019; pp. 1–6. [Google Scholar] [CrossRef]
- Wan, J.; Tang, S.; Shu, Z.; Li, D.; Wang, S.; Imran, M.; Vasilakos, A.V. Software-defined industrial internet of things in the context of industry 4.0. IEEE Sensors J. 2016, 16, 7373–7380. [Google Scholar] [CrossRef]
- Corradi, A.; Di Modica, G.; Foschini, L.; Patera, L.; Solimando, M. SIRDAM4.0: A support infrastructure for reliable data acquisition and management in industry 4.0. IEEE Trans. Emerg. Top. Comput. 2021, 1. [Google Scholar] [CrossRef]
- Barbosa, R.R.R.; Sadre, R.; Pras, A. Flow whitelisting in SCADA networks. Int. J. Crit. Infrastruct. Prot. 2013, 6, 150–158. [Google Scholar] [CrossRef] [Green Version]
- Mininet Team. Mininet an Instant Virtual Network on Your Laptop (or Other Pc). Available online: http://mininet.org/ (accessed on 30 June 2021).
- International Society of Automation. Available online: https://www.isa.org/ (accessed on 30 June 2021).
- Iec—International Electrotechnical Commission. Available online: https://www.iec.ch/ (accessed on 30 June 2021).
- Isa95, Enterprise-Control System Integration. Available online: https://www.isa.org/isa95/ (accessed on 30 June 2021).
- Industrial Internet Consortium. Available online: https://www.iiconsortium.org/ (accessed on 30 June 2021).
- Industrial Internet Reference Architecture. Available online: https://www.iiconsortium.org/IIRA.htm (accessed on 30 June 2021).
- Reference Architecture Model Industrie 4.0 (rami4.0). Available online: https://www.beuth.de/en/technical-rule/din-spec-91345/250940128 (accessed on 30 June 2021).
- Ministry of Industry and Information Technology. National Intelligent Manufacturing Standard System Construction Guide. 2015. Available online: https://www.cdti.es/recursos/doc/Programas/Cooperacion internacional/Chineka/Documentacionrelacionada/17668273273201814238.pdf (accessed on 30 June 2021).
- Ye, X.; Hong, S.H. Toward industry 4.0 components: Insights into and implementation of asset administration shells. IEEE Ind. Electron. Mag. 2019, 13, 13–25. [Google Scholar] [CrossRef]
- Panoramix, M. Opc Ua in the Reference Architecture Model Rami 4.0. Available online: https://opcconnect.opcfoundation.org/2015/06/opc-ua-in-the-reference-architecture-model-rami-4-0/ (accessed on 30 June 2021).
- There is no Industrie 4.0 Without Opc Ua. 2017. Available online: https://opcconnect.opcfoundation.org/2017/06/there-is-no-industrie-4-0-without-opc-ua/ (accessed on 30 June 2021).
- Industrie 4.0 Management Group at Zvei Celebrates its Fifth Anniversary and Has a Lot More to Look Forward to. Available online: https://www.zvei.org/en/subjects/industrie-4-0/industrie-40-management-group-at-zvei-celebrates-its-fifth-anniversary-and-has-a-lot-more-to-look-forward-to/ (accessed on 30 June 2021).
- Opc Foundation. Available online: https://opcfoundation.org/ (accessed on 30 June 2021).
- Opc Unified Architecture. Available online: https://opcfoundation.org/about/opc-technologies/opc-ua/ (accessed on 30 June 2021).
- González, I.; Calderón, A.J.; Figueiredo, J.; Sousa, J.M.C. A literature survey on open platform communications (OPC) applied to advanced industrial environments. Electronics 2019, 8, 510. [Google Scholar] [CrossRef] [Green Version]
- Wollschlaeger, M.; Sauter, T.; Jasperneite, J. The future of industrial communication: Automation networks in the era of the internet of things and industry 4.0. IEEE Ind. Electron. Mag. 2017, 11, 17–27. [Google Scholar] [CrossRef]
- Shu, Z.; Wan, J.; Lin, J.; Wang, S.; Li, D.; Rho, S.; Yang, C. Traffic engineering in software-defined networking: Measurement and management. IEEE Access 2016, 4, 3246–3256. [Google Scholar] [CrossRef]
- Bizanis, N.; Kuipers, F.A. SDN and virtualization solutions for the internet of things: A survey. IEEE Access 2016, 4, 5591–5606. [Google Scholar] [CrossRef]
- Qin, Z.; Denker, G.; Giannelli, C.; Bellavista, P.; Venkatasubramanian, N. A software defined networking architecture for the internet-of-things. In Proceedings of the 2014 IEEE Network Operations and Management Symposium (NOMS), Krakow, Poland, 5–9 May 2014; IEEE: New York, NY, USA, 2014; pp. 1–9. [Google Scholar]
- Hu, L.; Qiu, M.; Song, J.; Hossain, M.S.; Ghoneim, A. Software defined healthcare networks. IEEE Wirel. Commun. 2015, 22, 67–75. [Google Scholar] [CrossRef]
- Prasad, A.S.; Koll, D.; Fu, X. On the Security of Software-Defined Networks; IEEE: New York, NY, USA, 2015; pp. 105–106. [Google Scholar]
- Kumar, H.; Gupta, P. Sdn security issue and resolution. Indian J. Appl. Res. 2017, 7, 2. [Google Scholar]
- Ahmad, I.; Namal, S.; Ylianttila, M.; Gurtov, A. Security in software defined networks: A survey. IEEE Commun. Surv. Tutorials 2015, 17, 2317–2346. [Google Scholar] [CrossRef]
- Nadeau, T.; Pan, P. Software Driven Networks Problem Statement. NetworkWorking Group Internet-Draft. Available online: https://tools.ietf.org/html/draft-nadeau-sdn-problem-statement-00 (accessed on 30 June 2021).
- Wen, X.; Chen, Y.; Hu, C.; Shi, C.; Wang, Y. Towards a secure controller platform for openflow applications. In Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking—HotSDN ’13, Hong Kong, China, 16 August 2013; ACM: New York, NY, USA, 2013; pp. 171–172. [Google Scholar]
- Kreutz, D.; Ramos, F.M.; Verissimo, P. Towards secure and dependable software-defined networks. In Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics In Software Defined Networking—HotSDN ’13, Hong Kong, China, 16 August 2013; ACM: New York, NY, USA, 2013; pp. 55–60. [Google Scholar]
- Hartman, S.; Wasserman, M.; Zhang, D. Security Requirements in the Software Defined Networking Model. Network Working Group Internet-Draft. 2013. Available online: https://tools.ietf.org/html/draft-hartman-sdnsec-requirements-01 (accessed on 30 June 2021).
- Ferguson, A.D.; Guha, A.; Liang, C.; Fonseca, R.; Krishnamurthi, S. Participatory networking: An API for application control of SDNs. In Proceedings of the ACM SIGCOMM 2013 conference on SIGCOMM (SIGCOMM ’13), Hong Kong, China, 12–16 August 2013; Association for Computing Machinery: New York, NY, USA; pp. 327–338. [Google Scholar]
- Yao, G.; Bi, J.; Guo, L. On the cascading failures of multi-controllers in software defined networks. In Proceedings of the 2013 21st IEEE International Conference on Network Protocols (ICNP), Goettingen, Germany, 7–10 October 2013; IEEE: New York, NY, USA, 2013; pp. 1–2. [Google Scholar]
- Shin, S.; Gu, G. Attacking software-defined networks: A first feasibility study. In Proceedings of the Second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking (HotSDN ’13), Hong Kong, China, 16 August 2013; Association for Computing Machinery: New York, NY, USA, 2013; pp. 165–166. [Google Scholar]
- Fonseca, P.; Bennesby, R.; Mota, E.; Passito, A. A replication component for resilient OpenFlow-based networking. In Proceedings of the IEEE Network Operations and Management Symposium, Maui, HI, USA, 16–20 April 2012; pp. 933–939. [Google Scholar]
- Zhang, Y.; Beheshti, N.; Tatipamula, M. On resilience of split-architecture networks. In Proceedings of the 2011 IEEE Global Telecommunications Conference—GLOBECOM, Houston, TX, USA, 5–9 December 2011; IEEE: New York, NY, USA, 2011; pp. 1–6. [Google Scholar]
- The Transport Layer Security (TLS) Protocol Version 1.3. Available online: https://datatracker.ietf.org/doc/html/rfc8446 (accessed on 30 June 2021).
- Datagram Transport Layer Security Version 1.2. Available online: https://datatracker.ietf.org/doc/html/rfc6347 (accessed on 30 June 2021).
- Benton, K.; Camp, L.J.; Small, C. OpenFlow vulnerability assessment. In Proceedings of the second ACM SIGCOMM Workshop on Hot Topics in Software Defined Networking—HotSDN ’13, Hong Kong, China, 16 August 2013; ACM: New York, NY, USA, 2013; pp. 151–152. [Google Scholar]
- Shevtekar, A.; Anantharam, K.; Ansari, N. Low rate TCP denial-of-service attack detection at edge routers. IEEE Commun. Lett. 2005, 9, 363–365. [Google Scholar] [CrossRef]
- Luo, X.; Chang, R.K.C. On a new class of pulsing denial-of-service attacks and the defense. In Proceedings of the Network and Distributed System Security Symposium (NDSS), San Diego, CA, USA, 20 January 2005; pp. 61–79. [Google Scholar]
- Adi, E.; Baig, Z.; Lam, C.P.; Hingston, P. Low-rate denial-of-service attacks against HTTP/2 services. In Proceedings of the 2015 5th International Conference on IT Convergence and Security (ICITCS), Kuala Lumpur, Malaysia, 24–28 August 2015; IEEE: New York, NY, USA, 2015; pp. 1–5. [Google Scholar]
- Kaspersky. Ddos Attacks in q4 2020. Available online: https://www.kaspersky.com/about/press-releases/2021_a-matter-of-profit-ddos-attacks-in-q4-2020-dropped-by-a-third-compared-to-q3-as-cryptomining-is-on-the-rise (accessed on 30 June 2021).
- Swami, R.; Dave, M.; Ranga, V. Software-defined networking-based DDoS defense mechanisms. ACM Comput. Surv. 2019, 52, 1–36. [Google Scholar] [CrossRef]
- Ali, S.; Alvi, M.K.; Faizullah, S.; Khan, M.A.; Alshanqiti, A.; Khan, I. Detecting DDoS attack on SDN due to vulnerabilities in OpenFlow. In Proceedings of the 2019 International Conference on Advances in the Emerging Computing Technologies (AECT), Al Madinah Al Munawwarah, Saudi Arabia, 10 February 2020; IEEE: New York, NY, USA, 2020; pp. 1–6. [Google Scholar]
- Yang, L.; Zhao, H. DDoS attack identification and defense using SDN based on machine learning method. In Proceedings of the 2018 15th International Symposium on Pervasive Systems, Algorithms and Networks (I-SPAN), Yichang, China, 16–18 October 2018; Institute of Electrical and Electronics Engineers: New York, NY, USA, 2018; pp. 174–178. [Google Scholar]
- Singh, J.; Behal, S. Detection and mitigation of DDoS attacks in SDN: A comprehensive review, research challenges and future directions. Comput. Sci. Rev. 2020, 37, 100279. [Google Scholar] [CrossRef]
- Raptis, T.P.; Passarella, A.; Conti, M. Data management in networked industrial environments: State of the art and open challenges. arXiv preprint arXiv:1902.06141.
- Kumar, M.; Tripathi, R.; Tiwari, S. Critical data real-time routing in industrial wireless sensor networks. IET Wirel. Sens. Syst. 2016, 6, 144–150. [Google Scholar] [CrossRef]
- 5G and the Factories of the Future. Available online: https://5g-ppp.eu/wp-content/uploads/2014/02/5G-PPP-White-Paper-on-Factories-of-the-Future-Vertical-Sector.pdf (accessed on 30 June 2021).
- Qualcomm. Ultra-Reliable Low-Latency 5G for Industrial Automation. Available online: https://www.qualcomm.com/media/documents/files/read-the-white-paper-by-heavy-reading.pdf (accessed on 30 June 2021).
- Ryu. Ryu SDN Framework. Available online: https://ryu-sdn.org/ (accessed on 13 September 2021).
- Open Source MANO. Available online: https://osm.etsi.org/ (accessed on 13 September 2021).
SDN Layer | Security Issues |
---|---|
Application Plane |
|
Control Plane |
|
Data Plane |
|
Parameter | Description |
---|---|
--flood | Flooding mode sends packets as fast as possible without taking care to show incoming replies |
--rand-source | This option enables hping to send packets with random source addresses |
<IP ADDRESS> | IP destination target of the attack |
Publisher’s Note: MDPI stays neutral with regard to jurisdictional claims in published maps and institutional affiliations. |
© 2021 by the authors. Licensee MDPI, Basel, Switzerland. This article is an open access article distributed under the terms and conditions of the Creative Commons Attribution (CC BY) license (https://creativecommons.org/licenses/by/4.0/).
Share and Cite
Foschini, L.; Mignardi, V.; Montanari, R.; Scotece, D. An SDN-Enabled Architecture for IT/OT Converged Networks: A Proposal and Qualitative Analysis under DDoS Attacks. Future Internet 2021, 13, 258. https://doi.org/10.3390/fi13100258
Foschini L, Mignardi V, Montanari R, Scotece D. An SDN-Enabled Architecture for IT/OT Converged Networks: A Proposal and Qualitative Analysis under DDoS Attacks. Future Internet. 2021; 13(10):258. https://doi.org/10.3390/fi13100258
Chicago/Turabian StyleFoschini, Luca, Valentina Mignardi, Rebecca Montanari, and Domenico Scotece. 2021. "An SDN-Enabled Architecture for IT/OT Converged Networks: A Proposal and Qualitative Analysis under DDoS Attacks" Future Internet 13, no. 10: 258. https://doi.org/10.3390/fi13100258
APA StyleFoschini, L., Mignardi, V., Montanari, R., & Scotece, D. (2021). An SDN-Enabled Architecture for IT/OT Converged Networks: A Proposal and Qualitative Analysis under DDoS Attacks. Future Internet, 13(10), 258. https://doi.org/10.3390/fi13100258