Many companies want to migrate their IT infrastructure to cloud platforms. However, in some cases security issues hampers such a process of migration. This is particularly true for the Critical Infrastructure (CI) domain, which represents a fundamental branch of societies. CIs enclose assets essential for the functioning of all countries' fundamental facilities such as energy, telecommunications, water supply, transport, finance, and health. Unlike other sectors, cloud technologies are still far from being widely adopted in CIs. CIs are increasingly target of terrorist cyber-attacks as demonstrated in last years (e.g. "Black Energy 3" in 2015, or "Havex" in 2014). The disclosure or manipulation of CIs sensitive data may have a devastating impact on the society at large. Hence, in order to migrate CIs to the cloud, new advanced hardening mechanisms are certainly needed.
In the context of SERECA project, we demonstrate how Intel SGX jointly with Vert.x can provide unprecedented security for a CI use case: a Water Supply Network Monitoring application (namely RiskBuster). The WSNM administration (EIPLI) is in charge of the management of seven dams in southern Italy. They want to migrate the monitoring infrastructure to the cloud, but they need guarantees regarding data condentiality and, most important, data integrity.
In such a scenario, Vert.x and Intel SGX are a perfect and suitable combination. SERECA provide the platform able to leverage them. The WSNM is: 1) Easily deployable among the dierent dams and the cloud environment; 2) Highly scalable in front of sensors measurements peaks 3) Highly available in front of failures; 4) High performing in the process of sensors data collection, processing and provision.
From a security point of view, instead, the WSNM leverage the security features of Intel SGX, e.g, the encryption/decryption and the sealing of sensitive measurements into an enclave without leaving the CPU package.
The reported figure shows the overall architecture of the WSNM pilot application. On the dam-side, a data collector verticle interfaces, through a ModBus protocol, with a data logger equipment responsible for providing all the sensors data. Then, the acquired measurements are sent encrypted to the registered cloud-verticles through the Vert.x Secure Event Bus. On the cloud-side, the registered verticles receives the data and, based on their duties, take a specic action on it. Four verticles are implemented, which communicate among them through the Secure Event Bus. Some of these need to run security sensitive operations and, consequently, make use of Intel SGX.